@ebowwa/mcp-nm 2.0.2 → 2.1.0

package/src/index.ts

@@ -12,6 +12,9 @@
  * - Binary diff: byte-level comparison
  * - Archive extraction: extract from .a files
  * - Binary patching: patch bytes, NOP sled, hex editor
+ * - Number conversion: hex, decimal, binary, octal, ASCII
+ * - macOS binary patching: code signing, quarantine, safe patch workflow
+ * - Patch management: persistent patch registry, auto-apply on binary updates
  */
 
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
@@ -22,6 +25,9 @@ import {
 } from "@modelcontextprotocol/sdk/types.js";
 import { exec } from "child_process";
 import { promisify } from "util";
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
 
 const execAsync = promisify(exec);
 
@@ -29,7 +35,7 @@ const execAsync = promisify(exec);
 const server = new Server(
   {
     name: "@ebowwa/mcp-nm",
-    version: "2.0.0",
+    version: "2.1.0",
   },
   {
     capabilities: {
@@ -1901,6 +1907,1229 @@ async function handleHexEditor(args: {
   }
 }
 
+// ============================================================================
+// macOS Binary Patching Tools
+// ============================================================================
+
+// Check if running on macOS
+function isMacOS(): boolean {
+  return process.platform === "darwin";
+}
+
+// --- Code signature info ---
+async function handleCodesignInfo(args: { filePath: string }) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Code signing tools are only available on macOS. This tool requires the 'codesign' utility."
+      }],
+      isError: true
+    };
+  }
+
+  try {
+    const results: string[] = [];
+    results.push(`Code Signature Info: ${args.filePath}`);
+    results.push("");
+
+    // Check if file exists and is a Mach-O
+    const { stdout: fileInfo } = await execAsync(`file "${args.filePath}"`);
+    if (!fileInfo.toLowerCase().includes("mach-o")) {
+      results.push("Warning: File does not appear to be a Mach-O binary");
+      results.push(`File type: ${fileInfo.trim()}`);
+    }
+
+    // Get code signature information
+    try {
+      const { stdout: signInfo } = await execAsync(`codesign -dv "${args.filePath}" 2>&1`);
+      results.push("Signature Details:");
+      results.push(signInfo.split("\n").map(line => `  ${line}`).join("\n"));
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("no signature") || output.includes("code object is not signed")) {
+        results.push("Status: NOT SIGNED");
+        results.push("  The binary has no code signature");
+      } else {
+        results.push(`Signature check: ${output}`);
+      }
+    }
+
+    // Check signature validity
+    try {
+      await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+      results.push("");
+      results.push("Validity: VALID - Signature is intact");
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("not signed")) {
+        results.push("");
+        results.push("Validity: NOT SIGNED");
+      } else {
+        results.push("");
+        results.push(`Validity: INVALID - ${output}`);
+      }
+    }
+
+    // Get signature requirements
+    try {
+      const { stdout: reqs } = await execAsync(`codesign -dr - "${args.filePath}" 2>&1`);
+      if (reqs.trim() && !reqs.includes("no signature")) {
+        results.push("");
+        results.push("Designated Requirements:");
+        results.push(reqs.split("\n").map(line => `  ${line}`).join("\n"));
+      }
+    } catch {
+      // No requirements or not signed
+    }
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Remove code signature ---
+async function handleCodesignRemove(args: { filePath: string; createBackup?: boolean }) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Code signing tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+
+  const createBackup = args.createBackup !== false;
+
+  try {
+    const results: string[] = [];
+    results.push(`Remove Code Signature: ${args.filePath}`);
+    results.push("");
+
+    // Create backup if requested
+    if (createBackup) {
+      const backupPath = `${args.filePath}.bak`;
+      await execAsync(`cp "${args.filePath}" "${backupPath}"`);
+      results.push(`Backup created: ${backupPath}`);
+    }
+
+    // Check current signature status
+    try {
+      const { stdout: signInfo } = await execAsync(`codesign -dv "${args.filePath}" 2>&1`);
+      results.push(`Previous signature: ${signInfo.split("\n")[0] || "signed"}`);
+    } catch {
+      results.push("Previous signature: not signed or invalid");
+    }
+
+    // Remove the signature
+    try {
+      await execAsync(`codesign --remove-signature "${args.filePath}"`);
+      results.push("Status: SUCCESS - Code signature removed");
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("no signature")) {
+        results.push("Status: NO ACTION - Binary was not signed");
+      } else {
+        throw new Error(`Failed to remove signature: ${output}`);
+      }
+    }
+
+    // Verify removal
+    try {
+      await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+      results.push("Warning: Signature still present after removal");
+    } catch (e) {
+      if (e instanceof Error && e.message.includes("not signed")) {
+        results.push("Verification: Confirmed - Binary is now unsigned");
+      }
+    }
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Sign binary (ad-hoc or with certificate) ---
+async function handleCodesignSign(args: {
+  filePath: string;
+  certificate?: string;
+  force?: boolean;
+  createBackup?: boolean;
+  deep?: boolean;
+  options?: string;
+}) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Code signing tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+
+  const force = args.force !== false;
+  const createBackup = args.createBackup === true;
+  const deep = args.deep === true;
+  const certificate = args.certificate || "-";  // "-" means ad-hoc signing
+
+  try {
+    const results: string[] = [];
+    results.push(`Sign Binary: ${args.filePath}`);
+    results.push("");
+
+    // Create backup if requested
+    if (createBackup) {
+      const backupPath = `${args.filePath}.bak`;
+      await execAsync(`cp "${args.filePath}" "${backupPath}"`);
+      results.push(`Backup created: ${backupPath}`);
+    }
+
+    // Build codesign command
+    const forceFlag = force ? "--force" : "";
+    const deepFlag = deep ? "--deep" : "";
+    const optionsFlag = args.options ? `--options ${args.options}` : "";
+
+    const cmd = `codesign -s ${certificate} ${forceFlag} ${deepFlag} ${optionsFlag} "${args.filePath}"`.replace(/\s+/g, " ").trim();
+
+    results.push(`Command: ${cmd}`);
+    results.push(`Signing with: ${certificate === "-" ? "ad-hoc signature" : certificate}`);
+
+    // Execute signing
+    await execAsync(cmd);
+    results.push("Status: SUCCESS - Binary signed");
+
+    // Verify the signature
+    try {
+      await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+      results.push("Verification: VALID - Signature is intact");
+    } catch (e) {
+      results.push(`Verification: WARNING - ${e instanceof Error ? e.message : String(e)}`);
+    }
+
+    // Show new signature info
+    try {
+      const { stdout: signInfo } = await execAsync(`codesign -dv "${args.filePath}" 2>&1`);
+      const infoLine = signInfo.split("\n").find(l => l.includes("Identifier") || l.includes("Authority"));
+      if (infoLine) {
+        results.push(`New signature: ${infoLine.trim()}`);
+      }
+    } catch {
+      // Ignore
+    }
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Check quarantine status ---
+async function handleQuarantineCheck(args: { filePath: string }) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Quarantine tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+
+  try {
+    const results: string[] = [];
+    results.push(`Quarantine Check: ${args.filePath}`);
+    results.push("");
+
+    // Check for com.apple.quarantine attribute
+    try {
+      const { stdout: quarantine } = await execAsync(`xattr -p com.apple.quarantine "${args.filePath}" 2>&1`);
+      if (quarantine.trim()) {
+        results.push("Status: QUARANTINED");
+        results.push("");
+        results.push("Quarantine data:");
+        results.push(`  ${quarantine.trim()}`);
+
+        // Try to decode quarantine info
+        try {
+          const { stdout: details } = await execAsync(`xattr -l "${args.filePath}" 2>&1`);
+          const quarantineSection = details.split("\n").filter(l =>
+            l.includes("quarantine") || l.includes("provenance")
+          );
+          if (quarantineSection.length > 0) {
+            results.push("");
+            results.push("Extended attributes:");
+            quarantineSection.forEach(l => results.push(`  ${l}`));
+          }
+        } catch {
+          // Ignore
+        }
+
+        results.push("");
+        results.push("Note: Quarantine prevents execution of downloaded files.");
+        results.push("Use bin_quarantine_remove to allow execution.");
+      } else {
+        results.push("Status: NOT QUARANTINED");
+        results.push("The file has no quarantine attribute.");
+      }
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("No such xattr") || output.includes("not found")) {
+        results.push("Status: NOT QUARANTINED");
+        results.push("The file has no quarantine attribute.");
+      } else {
+        throw new Error(`Failed to check quarantine: ${output}`);
+      }
+    }
+
+    // Also check for com.apple.provenance
+    try {
+      const { stdout: provenance } = await execAsync(`xattr -p com.apple.provenance "${args.filePath}" 2>&1`);
+      if (provenance.trim()) {
+        results.push("");
+        results.push("Provenance: PRESENT");
+        results.push("  File has provenance metadata (tracks download source)");
+      }
+    } catch {
+      // No provenance attribute
+    }
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Remove quarantine attributes ---
+async function handleQuarantineRemove(args: { filePath: string }) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Quarantine tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+
+  try {
+    const results: string[] = [];
+    results.push(`Remove Quarantine: ${args.filePath}`);
+    results.push("");
+
+    let removedAny = false;
+
+    // Remove com.apple.quarantine
+    try {
+      await execAsync(`xattr -d com.apple.quarantine "${args.filePath}" 2>&1`);
+      results.push("Removed: com.apple.quarantine");
+      removedAny = true;
+    } catch (e) {
+      const output = e instanceof Error ? e.message : String(e);
+      if (output.includes("No such xattr") || output.includes("not found")) {
+        results.push("Skipped: com.apple.quarantine (not present)");
+      } else {
+        results.push(`Warning: Could not remove quarantine - ${output}`);
+      }
+    }
+
+    // Remove com.apple.provenance
+    try {
+      await execAsync(`xattr -d com.apple.provenance "${args.filePath}" 2>&1`);
+      results.push("Removed: com.apple.provenance");
+      removedAny = true;
+    } catch {
+      // Not present, ignore
+    }
+
+    // Remove com.apple.metadata:kMDItemWhereFroms
+    try {
+      await execAsync(`xattr -d com.apple.metadata:kMDItemWhereFroms "${args.filePath}" 2>&1`);
+      results.push("Removed: com.apple.metadata:kMDItemWhereFroms");
+      removedAny = true;
+    } catch {
+      // Not present, ignore
+    }
+
+    if (removedAny) {
+      results.push("");
+      results.push("Status: SUCCESS - Quarantine attributes removed");
+      results.push("The file should now be able to execute without quarantine warnings.");
+    } else {
+      results.push("");
+      results.push("Status: NO ACTION - No quarantine attributes found");
+    }
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Safe patch workflow (patch + resign + remove quarantine) ---
+async function handleSafePatch(args: {
+  filePath: string;
+  offset: number;
+  hexData: string;
+  createBackup?: boolean;
+}) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Safe patching tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+
+  const createBackup = args.createBackup !== false;
+
+  try {
+    const results: string[] = [];
+    results.push(`Safe Patch Workflow: ${args.filePath}`);
+    results.push(`  Offset: 0x${args.offset.toString(16)} (${args.offset})`);
+    results.push(`  Data: ${args.hexData}`);
+    results.push("");
+
+    // Step 1: Create backup
+    if (createBackup) {
+      const backupPath = `${args.filePath}.bak`;
+      await execAsync(`cp "${args.filePath}" "${backupPath}"`);
+      results.push(`[1/4] Backup created: ${backupPath}`);
+    } else {
+      results.push("[1/4] Backup: SKIPPED (createBackup=false)");
+    }
+
+    // Step 2: Apply the patch
+    results.push("[2/4] Applying binary patch...");
+    const hexBytes = args.hexData.replace(/\s+/g, "");
+    const byteCount = hexBytes.length / 2;
+    const patchCmd = `printf '${hexBytes}' | dd of="${args.filePath}" bs=1 seek=${args.offset} count=${byteCount} conv=notrunc 2>/dev/null`;
+    await execAsync(patchCmd);
+    results.push(`      Patched ${byteCount} bytes at offset 0x${args.offset.toString(16)}`);
+
+    // Step 3: Remove old signature (invalidates the signature)
+    results.push("[3/4] Removing old code signature...");
+    try {
+      await execAsync(`codesign --remove-signature "${args.filePath}" 2>&1`);
+      results.push("      Old signature removed");
+    } catch (e) {
+      if (e instanceof Error && e.message.includes("no signature")) {
+        results.push("      No previous signature to remove");
+      } else {
+        results.push(`      Warning: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+
+    // Step 4: Re-sign with ad-hoc signature
+    results.push("[4/4] Applying ad-hoc signature...");
+    await execAsync(`codesign --force --sign - "${args.filePath}"`);
+    results.push("      Ad-hoc signature applied");
+
+    // Step 5: Remove quarantine attributes
+    results.push("[5/5] Removing quarantine attributes...");
+    try {
+      await execAsync(`xattr -d com.apple.quarantine "${args.filePath}" 2>&1`);
+      results.push("      Quarantine attribute removed");
+    } catch {
+      results.push("      No quarantine attribute present");
+    }
+
+    try {
+      await execAsync(`xattr -d com.apple.provenance "${args.filePath}" 2>&1`);
+      results.push("      Provenance attribute removed");
+    } catch {
+      // Ignore
+    }
+
+    // Final verification
+    results.push("");
+    results.push("Verification:");
+    try {
+      await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+      results.push("  Code signature: VALID");
+    } catch (e) {
+      results.push(`  Code signature: WARNING - ${e instanceof Error ? e.message : String(e)}`);
+    }
+
+    // Check if executable
+    try {
+      const { stdout: fileInfo } = await execAsync(`file "${args.filePath}"`);
+      if (fileInfo.includes("executable")) {
+        results.push("  File type: Executable");
+      }
+    } catch {
+      // Ignore
+    }
+
+    results.push("");
+    results.push("Status: SUCCESS - Binary patched and ready to run");
+    results.push("Note: The binary is now signed with an ad-hoc signature.");
+    results.push("      Some apps may require proper code signing for full functionality.");
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Verify binary will run ---
+async function handleBinVerify(args: { filePath: string }) {
+  if (!isMacOS()) {
+    return {
+      content: [{
+        type: "text",
+        text: "Error: Binary verification tools are only available on macOS."
+      }],
+      isError: true
+    };
+  }
+
+  try {
+    const results: string[] = [];
+    const issues: string[] = [];
+
+    results.push(`Binary Verification: ${args.filePath}`);
+    results.push("");
+
+    // Check file exists and type
+    let isMachO = false;
+    try {
+      const { stdout: fileInfo } = await execAsync(`file "${args.filePath}"`);
+      results.push(`File type: ${fileInfo.trim()}`);
+      isMachO = fileInfo.toLowerCase().includes("mach-o");
+    } catch (e) {
+      return {
+        content: [{ type: "text", text: `Error: Cannot read file - ${e instanceof Error ? e.message : String(e)}` }],
+        isError: true
+      };
+    }
+
+    // Check permissions
+    try {
+      const { stdout: perms } = await execAsync(`ls -la "${args.filePath}"`);
+      const permLine = perms.split("\n").find(l => l.includes(args.filePath.split("/").pop() || ""));
+      if (permLine) {
+        results.push(`Permissions: ${permLine.split(/\s+/)[0]}`);
+        if (!permLine.includes("x")) {
+          issues.push("File is not executable (no execute permission)");
+        }
+      }
+    } catch {
+      results.push("Permissions: Unable to check");
+    }
+
+    results.push("");
+
+    // Check code signature (macOS specific)
+    if (isMachO) {
+      results.push("Code Signature:");
+      try {
+        const { stdout: signInfo } = await execAsync(`codesign -dv "${args.filePath}" 2>&1`);
+        const authority = signInfo.split("\n").find(l => l.includes("Authority"));
+        if (authority) {
+          results.push(`  Status: SIGNED (${authority.split(":")[1]?.trim() || "unknown authority"})`);
+        } else {
+          results.push("  Status: SIGNED (ad-hoc or unknown)");
+        }
+      } catch (e) {
+        const output = e instanceof Error ? e.message : String(e);
+        if (output.includes("not signed")) {
+          results.push("  Status: UNSIGNED");
+          issues.push("Binary is not code signed");
+        } else {
+          results.push(`  Status: INVALID - ${output}`);
+          issues.push("Code signature is invalid");
+        }
+      }
+
+      // Verify signature
+      try {
+        await execAsync(`codesign -v "${args.filePath}" 2>&1`);
+        results.push("  Validity: VALID");
+      } catch (e) {
+        const output = e instanceof Error ? e.message : String(e);
+        if (!output.includes("not signed")) {
+          results.push(`  Validity: INVALID - ${output}`);
+          issues.push("Code signature verification failed");
+        }
+      }
+    }
+
+    // Check quarantine
+    results.push("");
+    results.push("Quarantine:");
+    try {
+      const { stdout: quar } = await execAsync(`xattr -p com.apple.quarantine "${args.filePath}" 2>&1`);
+      if (quar.trim()) {
+        results.push("  Status: QUARANTINED");
+        issues.push("File is quarantined and may be blocked from running");
+      } else {
+        results.push("  Status: NOT QUARANTINED");
+      }
+    } catch {
+      results.push("  Status: NOT QUARANTINED");
+    }
+
+    // Check architecture compatibility
+    if (isMachO) {
+      results.push("");
+      results.push("Architecture:");
+      try {
+        const { stdout: arch } = await execAsync(`lipo -info "${args.filePath}" 2>&1`);
+        results.push(`  ${arch.trim()}`);
+
+        // Check if compatible with current system
+        try {
+          const { stdout: currentArch } = await execAsync(`uname -m`);
+          if (!arch.includes(currentArch.trim()) && !arch.includes("universal")) {
+            issues.push(`Binary may not be compatible with current architecture (${currentArch.trim()})`);
+          }
+        } catch {
+          // Ignore
+        }
+      } catch (e) {
+        results.push(`  Unable to determine: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+
+    // Summary
+    results.push("");
+    results.push("=== SUMMARY ===");
+    if (issues.length === 0) {
+      results.push("Status: READY TO RUN");
+      results.push("The binary should execute without issues.");
+    } else {
+      results.push("Status: ISSUES DETECTED");
+      results.push("");
+      results.push("Issues:");
+      issues.forEach((issue, i) => results.push(`  ${i + 1}. ${issue}`));
+      results.push("");
+      results.push("Suggested fixes:");
+      if (issues.some(i => i.includes("quarantined"))) {
+        results.push("  - Run: xattr -d com.apple.quarantine <file>");
+      }
+      if (issues.some(i => i.includes("not code signed") || i.includes("signature"))) {
+        results.push("  - Run: codesign --force --sign - <file>");
+      }
+      if (issues.some(i => i.includes("not executable"))) {
+        results.push("  - Run: chmod +x <file>");
+      }
+    }
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// ============================================================================
+// Patch Management System
+// ============================================================================
+
+interface PatchEntry {
+  id: string;
+  offset: number;
+  originalBytes: string;
+  patchedBytes: string;
+  description: string;
+  createdAt: string;
+}
+
+interface BinaryPatchRecord {
+  binaryPath: string;
+  binaryName: string;
+  lastPatchedChecksum: string;
+  lastAppliedAt: string;
+  patches: PatchEntry[];
+}
+
+interface PatchManifest {
+  version: string;
+  createdAt: string;
+  updatedAt: string;
+  binaries: Record<string, BinaryPatchRecord>;
+}
+
+const PATCH_DIR = path.join(os.homedir(), ".claude", "patches");
+const MANIFEST_PATH = path.join(PATCH_DIR, "manifest.json");
+const BACKUPS_DIR = path.join(PATCH_DIR, "backups");
+const MANIFEST_VERSION = "1.0.0";
+
+// Ensure patch directory exists
+function ensurePatchDir(): void {
+  if (!fs.existsSync(PATCH_DIR)) {
+    fs.mkdirSync(PATCH_DIR, { recursive: true });
+  }
+  if (!fs.existsSync(BACKUPS_DIR)) {
+    fs.mkdirSync(BACKUPS_DIR, { recursive: true });
+  }
+}
+
+// Load manifest
+function loadManifest(): PatchManifest {
+  ensurePatchDir();
+  if (fs.existsSync(MANIFEST_PATH)) {
+    try {
+      const data = fs.readFileSync(MANIFEST_PATH, "utf-8");
+      return JSON.parse(data);
+    } catch {
+      // Return new manifest if corrupted
+    }
+  }
+  return {
+    version: MANIFEST_VERSION,
+    createdAt: new Date().toISOString(),
+    updatedAt: new Date().toISOString(),
+    binaries: {}
+  };
+}
+
+// Save manifest
+function saveManifest(manifest: PatchManifest): void {
+  ensurePatchDir();
+  manifest.updatedAt = new Date().toISOString();
+  fs.writeFileSync(MANIFEST_PATH, JSON.stringify(manifest, null, 2));
+}
+
+// Get file checksum
+async function getFileChecksum(filePath: string): Promise<string> {
+  try {
+    const { stdout } = await execAsync(`shasum -a 256 "${filePath}" | cut -d' ' -f1`);
+    return stdout.trim();
+  } catch {
+    return "unknown";
+  }
+}
+
+// Read bytes at offset
+function readBytesAtOffset(filePath: string, offset: number, length: number): string {
+  const fd = fs.openSync(filePath, "r");
+  const buffer = Buffer.alloc(length);
+  fs.readSync(fd, buffer, 0, length, offset);
+  fs.closeSync(fd);
+  return buffer.toString("hex").match(/.{2}/g)?.join(" ").toUpperCase() || "";
+}
+
+// Write bytes at offset
+function writeBytesAtOffset(filePath: string, offset: number, hexData: string): void {
+  const bytes = Buffer.from(hexData.replace(/\s+/g, ""), "hex");
+  const fd = fs.openSync(filePath, "r+");
+  fs.writeSync(fd, bytes, 0, bytes.length, offset);
+  fs.closeSync(fd);
+}
+
+// --- Register a patch ---
+async function handlePatchRegister(args: {
+  filePath: string;
+  patchId: string;
+  offset: number;
+  patchedBytes: string;
+  description: string;
+  captureOriginal?: boolean;
+}) {
+  try {
+    const results: string[] = [];
+    results.push(`Register Patch: ${args.patchId}`);
+    results.push(`Binary: ${args.filePath}`);
+    results.push(`Offset: 0x${args.offset.toString(16)} (${args.offset})`);
+    results.push("");
+
+    // Validate file exists
+    if (!fs.existsSync(args.filePath)) {
+      return {
+        content: [{ type: "text", text: `Error: File not found: ${args.filePath}` }],
+        isError: true
+      };
+    }
+
+    // Normalize hex data
+    const patchedBytes = args.patchedBytes.replace(/\s+/g, "").toUpperCase();
+    const byteLength = patchedBytes.length / 2;
+
+    // Capture original bytes if requested
+    let originalBytes = "";
+    if (args.captureOriginal !== false) {
+      try {
+        originalBytes = readBytesAtOffset(args.filePath, args.offset, byteLength);
+        results.push(`Original bytes: ${originalBytes}`);
+      } catch (e) {
+        return {
+          content: [{ type: "text", text: `Error: Could not read original bytes - ${e instanceof Error ? e.message : String(e)}` }],
+          isError: true
+        };
+      }
+    }
+
+    // Save backup of original bytes
+    const backupFileName = `${path.basename(args.filePath)}.offset_${args.offset}.bin`;
+    const backupPath = path.join(BACKUPS_DIR, backupFileName);
+    if (originalBytes) {
+      fs.writeFileSync(backupPath, Buffer.from(originalBytes.replace(/\s+/g, ""), "hex"));
+      results.push(`Backup saved: ${backupPath}`);
+    }
+
+    // Load and update manifest
+    const manifest = loadManifest();
+    const checksum = await getFileChecksum(args.filePath);
+
+    if (!manifest.binaries[args.filePath]) {
+      manifest.binaries[args.filePath] = {
+        binaryPath: args.filePath,
+        binaryName: path.basename(args.filePath),
+        lastPatchedChecksum: checksum,
+        lastAppliedAt: new Date().toISOString(),
+        patches: []
+      };
+    }
+
+    // Check if patch ID already exists
+    const existingIndex = manifest.binaries[args.filePath].patches.findIndex(p => p.id === args.patchId);
+    const newPatch: PatchEntry = {
+      id: args.patchId,
+      offset: args.offset,
+      originalBytes: originalBytes || "UNKNOWN",
+      patchedBytes: patchedBytes.match(/.{2}/g)?.join(" ") || patchedBytes,
+      description: args.description,
+      createdAt: new Date().toISOString()
+    };
+
+    if (existingIndex >= 0) {
+      manifest.binaries[args.filePath].patches[existingIndex] = newPatch;
+      results.push(`Updated existing patch: ${args.patchId}`);
+    } else {
+      manifest.binaries[args.filePath].patches.push(newPatch);
+      results.push(`Registered new patch: ${args.patchId}`);
+    }
+
+    saveManifest(manifest);
+
+    results.push("");
+    results.push("Patch registered successfully!");
+    results.push(`Manifest: ${MANIFEST_PATH}`);
+    results.push("");
+    results.push("To apply this patch, use: bin_patch_apply");
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Apply all registered patches ---
+async function handlePatchApply(args: {
+  filePath: string;
+  resign?: boolean;
+  removeQuarantine?: boolean;
+}) {
+  const isMac = isMacOS();
+  const resign = args.resign !== false && isMac;
+  const removeQuarantine = args.removeQuarantine !== false && isMac;
+
+  try {
+    const results: string[] = [];
+    results.push(`Apply Patches: ${args.filePath}`);
+    results.push("");
+
+    // Load manifest
+    const manifest = loadManifest();
+    const record = manifest.binaries[args.filePath];
+
+    if (!record || record.patches.length === 0) {
+      results.push("No registered patches found for this binary.");
+      results.push("");
+      results.push("To register a patch, use: bin_patch_register");
+      return { content: [{ type: "text", text: results.join("\n") }] };
+    }
+
+    // Check current checksum
+    const currentChecksum = await getFileChecksum(args.filePath);
+    results.push(`Current checksum: ${currentChecksum.substring(0, 16)}...`);
+    results.push(`Last patched checksum: ${record.lastPatchedChecksum.substring(0, 16)}...`);
+
+    if (currentChecksum === record.lastPatchedChecksum) {
+      results.push("Status: Binary appears to already have patches applied.");
+      results.push("Use force=true to re-apply anyway.");
+      return { content: [{ type: "text", text: results.join("\n") }] };
+    }
+
+    results.push("Binary has been updated - applying patches...");
+    results.push("");
+
+    // Create backup of entire binary
+    const backupPath = `${args.filePath}.prepatch`;
+    fs.copyFileSync(args.filePath, backupPath);
+    results.push(`Backup: ${backupPath}`);
+
+    // Apply each patch
+    let appliedCount = 0;
+    for (const patch of record.patches) {
+      try {
+        results.push(`Applying: ${patch.id}`);
+        results.push(`  Offset: 0x${patch.offset.toString(16)}`);
+        results.push(`  Bytes: ${patch.patchedBytes}`);
+
+        writeBytesAtOffset(args.filePath, patch.offset, patch.patchedBytes);
+        appliedCount++;
+        results.push("  Status: Applied");
+      } catch (e) {
+        results.push(`  Status: FAILED - ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+
+    // macOS: resign and remove quarantine
+    if (isMac && appliedCount > 0) {
+      results.push("");
+
+      if (resign) {
+        results.push("Re-signing binary...");
+        try {
+          await execAsync(`codesign --remove-signature "${args.filePath}" 2>&1`);
+          await execAsync(`codesign --force --sign - "${args.filePath}"`);
+          results.push("  Status: Re-signed with ad-hoc signature");
+        } catch (e) {
+          results.push(`  Warning: ${e instanceof Error ? e.message : String(e)}`);
+        }
+      }
+
+      if (removeQuarantine) {
+        results.push("Removing quarantine...");
+        try {
+          await execAsync(`xattr -d com.apple.quarantine "${args.filePath}" 2>&1`);
+          await execAsync(`xattr -d com.apple.provenance "${args.filePath}" 2>&1`);
+          results.push("  Status: Quarantine attributes removed");
+        } catch {
+          results.push("  Status: No quarantine to remove");
+        }
+      }
+    }
+
+    // Update manifest with new checksum
+    const newChecksum = await getFileChecksum(args.filePath);
+    record.lastPatchedChecksum = newChecksum;
+    record.lastAppliedAt = new Date().toISOString();
+    saveManifest(manifest);
+
+    results.push("");
+    results.push(`=== SUMMARY ===`);
+    results.push(`Patches applied: ${appliedCount}/${record.patches.length}`);
+    results.push(`New checksum: ${newChecksum.substring(0, 16)}...`);
+    results.push("Binary is ready to use.");
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Verify patches are applied ---
+async function handlePatchVerify(args: { filePath: string }) {
+  try {
+    const results: string[] = [];
+    results.push(`Verify Patches: ${args.filePath}`);
+    results.push("");
+
+    // Load manifest
+    const manifest = loadManifest();
+    const record = manifest.binaries[args.filePath];
+
+    if (!record || record.patches.length === 0) {
+      results.push("No registered patches found for this binary.");
+      return { content: [{ type: "text", text: results.join("\n") }] };
+    }
+
+    // Get current checksum
+    const currentChecksum = await getFileChecksum(args.filePath);
+    results.push(`Current checksum: ${currentChecksum.substring(0, 16)}...`);
+    results.push(`Expected checksum: ${record.lastPatchedChecksum.substring(0, 16)}...`);
+    results.push("");
+
+    // Check if binary was updated
+    if (currentChecksum !== record.lastPatchedChecksum) {
+      results.push("⚠️  Binary has been UPDATED since last patch.");
+      results.push("   Run bin_patch_apply to re-apply patches.");
+      results.push("");
+    } else {
+      results.push("✓ Binary checksum matches patched version.");
+      results.push("");
+    }
+
+    // Verify each patch by reading current bytes
+    results.push("Patch Status:");
+    let allApplied = true;
+    for (const patch of record.patches) {
+      try {
+        const byteLength = patch.patchedBytes.replace(/\s+/g, "").length / 2;
+        const currentBytes = readBytesAtOffset(args.filePath, patch.offset, byteLength);
+        const normalizedCurrent = currentBytes.replace(/\s+/g, "").toUpperCase();
+        const normalizedPatched = patch.patchedBytes.replace(/\s+/g, "").toUpperCase();
+
+        if (normalizedCurrent === normalizedPatched) {
+          results.push(`  ✓ ${patch.id}: APPLIED`);
+        } else if (normalizedCurrent === patch.originalBytes.replace(/\s+/g, "").toUpperCase()) {
+          results.push(`  ✗ ${patch.id}: NOT APPLIED (original bytes present)`);
+          allApplied = false;
+        } else {
+          results.push(`  ? ${patch.id}: UNKNOWN (bytes don't match expected)`);
+          results.push(`      Current: ${currentBytes}`);
+          results.push(`      Expected: ${patch.patchedBytes}`);
+          allApplied = false;
+        }
+      } catch (e) {
+        results.push(`  ✗ ${patch.id}: ERROR - ${e instanceof Error ? e.message : String(e)}`);
+        allApplied = false;
+      }
+    }
+
+    results.push("");
+    if (allApplied && currentChecksum === record.lastPatchedChecksum) {
+      results.push("Status: All patches verified and applied.");
+    } else if (!allApplied) {
+      results.push("Status: Some patches need to be applied.");
+      results.push("Action: Run bin_patch_apply");
+    } else {
+      results.push("Status: Binary may have been updated. Re-apply patches.");
+      results.push("Action: Run bin_patch_apply");
+    }
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Restore original bytes ---
+async function handlePatchRestore(args: {
+  filePath: string;
+  patchId?: string;
+  resign?: boolean;
+}) {
+  const isMac = isMacOS();
+  const resign = args.resign !== false && isMac;
+
+  try {
+    const results: string[] = [];
+    results.push(`Restore Patches: ${args.filePath}`);
+    results.push("");
+
+    // Load manifest
+    const manifest = loadManifest();
+    const record = manifest.binaries[args.filePath];
+
+    if (!record || record.patches.length === 0) {
+      results.push("No registered patches found for this binary.");
+      return { content: [{ type: "text", text: results.join("\n") }] };
+    }
+
+    // Filter patches if specific ID requested
+    const patchesToRestore = args.patchId
+      ? record.patches.filter(p => p.id === args.patchId)
+      : record.patches;
+
+    if (patchesToRestore.length === 0) {
+      results.push(`No patch found with ID: ${args.patchId}`);
+      return { content: [{ type: "text", text: results.join("\n") }] };
+    }
+
+    // Create backup
+    const backupPath = `${args.filePath}.prerestore`;
+    fs.copyFileSync(args.filePath, backupPath);
+    results.push(`Backup: ${backupPath}`);
+    results.push("");
+
+    // Restore each patch
+    let restoredCount = 0;
+    for (const patch of patchesToRestore) {
+      if (patch.originalBytes === "UNKNOWN") {
+        results.push(`${patch.id}: SKIPPED (no original bytes captured)`);
+        continue;
+      }
+
+      try {
+        results.push(`Restoring: ${patch.id}`);
+        writeBytesAtOffset(args.filePath, patch.offset, patch.originalBytes);
+        results.push(`  Offset: 0x${patch.offset.toString(16)}`);
+        results.push(`  Bytes: ${patch.originalBytes}`);
+        results.push("  Status: Restored");
+        restoredCount++;
+      } catch (e) {
+        results.push(`  Status: FAILED - ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+
+    // macOS: resign
+    if (isMac && restoredCount > 0 && resign) {
+      results.push("");
+      results.push("Re-signing binary...");
+      try {
+        await execAsync(`codesign --remove-signature "${args.filePath}" 2>&1`);
+        await execAsync(`codesign --force --sign - "${args.filePath}"`);
+        results.push("  Status: Re-signed with ad-hoc signature");
+      } catch (e) {
+        results.push(`  Warning: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+
+    // Update manifest
+    const newChecksum = await getFileChecksum(args.filePath);
+    record.lastPatchedChecksum = newChecksum;
+    saveManifest(manifest);
+
+    results.push("");
+    results.push(`Restored: ${restoredCount}/${patchesToRestore.length} patches`);
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- List registered patches ---
+async function handlePatchList(args: { filePath?: string }) {
+  try {
+    const results: string[] = [];
+    results.push("Patch Registry");
+    results.push(`Manifest: ${MANIFEST_PATH}`);
+    results.push("");
+
+    const manifest = loadManifest();
+
+    if (Object.keys(manifest.binaries).length === 0) {
+      results.push("No patches registered.");
+      results.push("");
+      results.push("To register a patch, use: bin_patch_register");
+      return { content: [{ type: "text", text: results.join("\n") }] };
+    }
+
+    // Filter by file if specified
+    const binariesToShow = args.filePath
+      ? { [args.filePath]: manifest.binaries[args.filePath] }
+      : manifest.binaries;
+
+    for (const [binaryPath, record] of Object.entries(binariesToShow)) {
+      if (!record) continue;
+
+      results.push(`═══════════════════════════════════════════════════════════`);
+      results.push(`Binary: ${binaryPath}`);
+      results.push(`Name: ${record.binaryName}`);
+      results.push(`Patches: ${record.patches.length}`);
+      results.push(`Last Applied: ${record.lastAppliedAt}`);
+      results.push(`Checksum: ${record.lastPatchedChecksum.substring(0, 16)}...`);
+      results.push("");
+
+      if (record.patches.length > 0) {
+        results.push("Registered Patches:");
+        for (const patch of record.patches) {
+          results.push(`  ┌─ ${patch.id} ─────────────────────────────────`);
+          results.push(`  │ Offset: 0x${patch.offset.toString(16)} (${patch.offset})`);
+          results.push(`  │ Original: ${patch.originalBytes}`);
+          results.push(`  │ Patched:  ${patch.patchedBytes}`);
+          results.push(`  │ Description: ${patch.description}`);
+          results.push(`  │ Created: ${patch.createdAt}`);
+          results.push(`  └────────────────────────────────────────────`);
+        }
+      }
+      results.push("");
+    }
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
+// --- Remove a patch from registry ---
+async function handlePatchRemove(args: {
+  filePath: string;
+  patchId: string;
+}) {
+  try {
+    const results: string[] = [];
+    results.push(`Remove Patch: ${args.patchId}`);
+    results.push("");
+
+    const manifest = loadManifest();
+    const record = manifest.binaries[args.filePath];
+
+    if (!record) {
+      results.push("No patches registered for this binary.");
+      return { content: [{ type: "text", text: results.join("\n") }] };
+    }
+
+    const index = record.patches.findIndex(p => p.id === args.patchId);
+    if (index < 0) {
+      results.push(`Patch not found: ${args.patchId}`);
+      return { content: [{ type: "text", text: results.join("\n") }] };
+    }
+
+    const removed = record.patches.splice(index, 1)[0];
+    results.push("Removed patch:");
+    results.push(`  ID: ${removed.id}`);
+    results.push(`  Offset: 0x${removed.offset.toString(16)}`);
+    results.push(`  Description: ${removed.description}`);
+
+    // Remove binary entry if no patches left
+    if (record.patches.length === 0) {
+      delete manifest.binaries[args.filePath];
+      results.push("");
+      results.push("No more patches for this binary - removed from registry.");
+    }
+
+    saveManifest(manifest);
+    results.push("");
+    results.push("Patch removed from registry.");
+    results.push("Note: This does NOT undo the patch in the binary.");
+    results.push("Use bin_patch_restore to restore original bytes.");
+
+    return { content: [{ type: "text", text: results.join("\n") }] };
+  } catch (error) {
+    return {
+      content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
+      isError: true
+    };
+  }
+}
+
 // ============================================================================
 // Tool definitions
 // ============================================================================
@@ -2372,6 +3601,170 @@ const TOOLS = [
       required: ["filePath", "offset", "length"],
     },
   },
+  // macOS Binary Patching Tools
+  {
+    name: "bin_codesign_info",
+    description: "Show code signature details for a macOS binary (macOS only)",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+      },
+      required: ["filePath"],
+    },
+  },
+  {
+    name: "bin_codesign_remove",
+    description: "Remove code signature from a macOS binary (DESTRUCTIVE - macOS only)",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        createBackup: { type: "boolean", description: "Create .bak backup (default: true)" },
+      },
+      required: ["filePath"],
+    },
+  },
+  {
+    name: "bin_codesign_sign",
+    description: "Apply ad-hoc or certificate signature to a macOS binary (macOS only)",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        certificate: { type: "string", description: "Certificate identity (default: '-' for ad-hoc signature)" },
+        force: { type: "boolean", description: "Force replace existing signature (default: true)" },
+        createBackup: { type: "boolean", description: "Create .bak backup before signing" },
+        deep: { type: "boolean", description: "Sign all nested code" },
+        options: { type: "string", description: "Additional signing options (e.g., 'runtime' for hardened runtime)" },
+      },
+      required: ["filePath"],
+    },
+  },
+  {
+    name: "bin_quarantine_check",
+    description: "Check quarantine status of a file on macOS (macOS only)",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the file" },
+      },
+      required: ["filePath"],
+    },
+  },
+  {
+    name: "bin_quarantine_remove",
+    description: "Remove quarantine attributes from a file on macOS (DESTRUCTIVE - macOS only)",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the file" },
+      },
+      required: ["filePath"],
+    },
+  },
+  {
+    name: "bin_safe_patch",
+    description: "Safe binary patching workflow for macOS: patch, remove signature, re-sign, remove quarantine (DESTRUCTIVE - macOS only)",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        offset: { type: "number", description: "Byte offset to patch" },
+        hexData: { type: "string", description: "Hex bytes to write (e.g., '90 90 90')" },
+        createBackup: { type: "boolean", description: "Create .bak backup (default: true)" },
+      },
+      required: ["filePath", "offset", "hexData"],
+    },
+  },
+  {
+    name: "bin_verify",
+    description: "Verify if a macOS binary will run: check signature, quarantine, architecture (macOS only)",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+      },
+      required: ["filePath"],
+    },
+  },
+  // Patch Management Tools
+  {
+    name: "bin_patch_register",
+    description: "Register a binary patch for persistence across updates. Captures original bytes and stores in manifest.",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        patchId: { type: "string", description: "Unique identifier for this patch (e.g., 'skip-permissions')" },
+        offset: { type: "number", description: "Byte offset to patch" },
+        patchedBytes: { type: "string", description: "Hex bytes to write (e.g., '90 90 90')" },
+        description: { type: "string", description: "Description of what this patch does" },
+        captureOriginal: { type: "boolean", description: "Capture original bytes (default: true)" },
+      },
+      required: ["filePath", "patchId", "offset", "patchedBytes", "description"],
+    },
+  },
+  {
+    name: "bin_patch_apply",
+    description: "Apply all registered patches to a binary. Handles macOS re-signing and quarantine. Detects binary updates.",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        resign: { type: "boolean", description: "Re-sign binary after patching (macOS, default: true)" },
+        removeQuarantine: { type: "boolean", description: "Remove quarantine after patching (macOS, default: true)" },
+      },
+      required: ["filePath"],
+    },
+  },
+  {
+    name: "bin_patch_verify",
+    description: "Verify if registered patches are currently applied to a binary. Detects if binary was updated.",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+      },
+      required: ["filePath"],
+    },
+  },
+  {
+    name: "bin_patch_restore",
+    description: "Restore original bytes for registered patches. Undoes patches in the binary.",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        patchId: { type: "string", description: "Specific patch to restore (optional - restores all if omitted)" },
+        resign: { type: "boolean", description: "Re-sign binary after restoring (macOS, default: true)" },
+      },
+      required: ["filePath"],
+    },
+  },
+  {
+    name: "bin_patch_list",
+    description: "List all registered patches in the manifest, optionally filtered by binary.",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Filter by binary path (optional)" },
+      },
+      required: [],
+    },
+  },
+  {
+    name: "bin_patch_remove",
+    description: "Remove a patch from the registry. Does NOT undo the patch in the binary.",
+    inputSchema: {
+      type: "object" as const,
+      properties: {
+        filePath: { type: "string", description: "Path to the binary file" },
+        patchId: { type: "string", description: "ID of the patch to remove from registry" },
+      },
+      required: ["filePath", "patchId"],
+    },
+  },
 ];
 
 // ============================================================================
@@ -2500,6 +3893,64 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
           byteSize?: 8 | 16 | 32 | 64;
           signed?: boolean;
         });
+      // macOS Binary Patching handlers
+      case "bin_codesign_info":
+        return await handleCodesignInfo(args as { filePath: string });
+      case "bin_codesign_remove":
+        return await handleCodesignRemove(args as { filePath: string; createBackup?: boolean });
+      case "bin_codesign_sign":
+        return await handleCodesignSign(args as {
+          filePath: string;
+          certificate?: string;
+          force?: boolean;
+          createBackup?: boolean;
+          deep?: boolean;
+          options?: string;
+        });
+      case "bin_quarantine_check":
+        return await handleQuarantineCheck(args as { filePath: string });
+      case "bin_quarantine_remove":
+        return await handleQuarantineRemove(args as { filePath: string });
+      case "bin_safe_patch":
+        return await handleSafePatch(args as {
+          filePath: string;
+          offset: number;
+          hexData: string;
+          createBackup?: boolean;
+        });
+      case "bin_verify":
+        return await handleBinVerify(args as { filePath: string });
+      // Patch Management handlers
+      case "bin_patch_register":
+        return await handlePatchRegister(args as {
+          filePath: string;
+          patchId: string;
+          offset: number;
+          patchedBytes: string;
+          description: string;
+          captureOriginal?: boolean;
+        });
+      case "bin_patch_apply":
+        return await handlePatchApply(args as {
+          filePath: string;
+          resign?: boolean;
+          removeQuarantine?: boolean;
+        });
+      case "bin_patch_verify":
+        return await handlePatchVerify(args as { filePath: string });
+      case "bin_patch_restore":
+        return await handlePatchRestore(args as {
+          filePath: string;
+          patchId?: string;
+          resign?: boolean;
+        });
+      case "bin_patch_list":
+        return await handlePatchList(args as { filePath?: string });
+      case "bin_patch_remove":
+        return await handlePatchRemove(args as {
+          filePath: string;
+          patchId: string;
+        });
       default:
         throw new Error(`Unknown tool: ${name}`);
     }