@fanboynz/network-scanner 3.0.0 → 3.0.2

package/lib/fingerprint.js

@@ -26,13 +26,6 @@ function seededRandom(seed) {
 const _fingerprintCache = new Map();
 const FINGERPRINT_CACHE_MAX = 500;
 
-// Type-specific property spoofing functions for monomorphic optimization
-// Built-in properties that should not be modified
-const BUILT_IN_PROPERTIES = new Set([
-  'href', 'origin', 'protocol', 'host', 'hostname', 'port', 'pathname', 'search', 'hash',
-  'constructor', 'prototype', '__proto__', 'toString', 'valueOf', 'assign', 'reload', 'replace'
-]);
-
 // User agent collections with latest versions
 const USER_AGENT_COLLECTIONS = Object.freeze(new Map([
   ['chrome', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
@@ -77,15 +70,53 @@ const GPU_POOL = {
 };
 
 /**
- * Select a GPU from the pool based on user agent string.
- * Called once per browser session so the GPU stays consistent across page loads.
+ * Select a GPU from the pool based on user agent string. When `domain` is
+ * provided, selection is deterministic per-domain (seeded) -- a tracker
+ * logging UNMASKED_RENDERER_WEBGL sees the SAME machine across reloads of
+ * the same site. Without `domain`, falls back to Math.random for ad-hoc
+ * callers. Matches the same per-domain consistency that
+ * generateRealisticFingerprint uses for the rest of the spoof set.
  */
-function selectGpuForUserAgent(userAgentString) {
+function selectGpuForUserAgent(userAgentString, domain = '') {
   let osKey = 'windows';
   if (userAgentString && (userAgentString.includes('Macintosh') || userAgentString.includes('Mac OS X'))) osKey = 'mac';
   else if (userAgentString && (userAgentString.includes('X11; Linux') || userAgentString.includes('Ubuntu'))) osKey = 'linux';
   const pool = GPU_POOL[osKey];
-  return pool[Math.floor(Math.random() * pool.length)];
+  // Distinct seed suffix so the GPU pick doesn't collide with the
+  // fingerprint generator's advance sequence for the same domain.
+  const rand = domain ? seededRandom(domain + ':gpu') : Math.random;
+  return pool[Math.floor(rand() * pool.length)];
+}
+
+/**
+ * One-shot "is this browser dead?" guard. Three of the four spoof entry
+ * points (applyUserAgentSpoofing, applyBraveSpoofing,
+ * applyFingerprintProtection) had this exact try/catch block inline:
+ *
+ *   try {
+ *     if (!page.browser().connected || page.isClosed()) return;
+ *     if (page.browser().process()?.killed) return;
+ *   } catch { return; }
+ *
+ * Three copies meant any Puppeteer API change (like the v25
+ * isConnected -> connected swap) needed three fixes. Now one.
+ *
+ * simulateHumanBehavior is NOT migrated here -- it has different debug
+ * log messages per failure mode ("page closed" vs "browser
+ * disconnected") that this helper doesn't preserve. Could plumb a
+ * callback for the log but the existing inline form is fine for one
+ * caller.
+ */
+function isBrowserDead(page) {
+  try {
+    if (!page || page.isClosed()) return true;
+    const browser = page.browser();
+    if (!browser.connected) return true;
+    if (browser.process()?.killed) return true;
+    return false;
+  } catch {
+    return true; // any failure reading browser state -> treat as dead
+  }
 }
 
 /**
@@ -103,67 +134,21 @@ function isSessionClosedError(err) {
 }
 
 /**
- * Safely defines a property with comprehensive error handling
- */
-function safeDefineProperty(target, property, descriptor, options = {}) {
-  if (BUILT_IN_PROPERTIES.has(property)) {
-    if (options.debug) console.log(`[fingerprint] Skipping built-in property: ${property}`);
-    return false;
-  }
-
-  try {
-    const existing = Object.getOwnPropertyDescriptor(target, property);
-    if (existing?.configurable === false) {
-      if (options.debug) console.log(`[fingerprint] Cannot modify non-configurable: ${property}`);
-      return false;
-    }
-
-    Object.defineProperty(target, property, descriptor);
-    return true;
-  } catch (err) {
-    if (options.debug) console.log(`[fingerprint] Failed to define ${property}: ${err.message}`);
-    return false;
-  }
-}
-
-/**
- * Safely executes spoofing operations with error handling
- */
-function safeSpoofingExecution(spoofFunction, description, options = {}) {
-  try {
-    spoofFunction();
-    return true;
-  } catch (err) {
-    if (options.debug) console.log(`[fingerprint] ${description} failed: ${err.message}`);
-    return false;
-  }
-}
-
-/**
- * Generates realistic screen resolutions based on common monitor sizes
- */
-function getRealisticScreenResolution() {
-  const commonResolutions = [
-    { width: 1920, height: 1080 },
-    { width: 1366, height: 768 },
-    { width: 1440, height: 900 },
-    { width: 1536, height: 864 },
-    { width: 1600, height: 900 },
-    { width: 2560, height: 1440 },
-    { width: 1280, height: 720 },
-    { width: 3440, height: 1440 }
-  ];
-  return commonResolutions[Math.floor(Math.random() * commonResolutions.length)];
-}
-
-/**
- * Generates randomized but realistic browser fingerprint values
- * When domain is provided, values are deterministic per-domain (consistent across reloads)
+ * Generates randomized but realistic browser fingerprint values.
+ * When domain is provided, values are deterministic per-(domain, userAgent)
+ * tuple -- consistent across reloads, but distinct across UA rotation so
+ * a re-scan with `userAgent: 'firefox'` doesn't reuse a previous
+ * `userAgent: 'chrome'` cache entry (which would ship Mac/Win-platform
+ * values under a Firefox UA, etc.).
  */
 function generateRealisticFingerprint(userAgent, domain = '') {
-  // Return cached fingerprint if same domain visited again
-  if (domain) {
-    const cached = _fingerprintCache.get(domain);
+  // Cache key includes UA so a domain scanned twice with different UAs
+  // doesn't get the first UA's OS-mismatched fingerprint reused for the
+  // second. The `|` separator can't appear in a hostname (RFC 952/RFC
+  // 1123 allow only LDH) so it's collision-safe.
+  const cacheKey = domain ? `${domain}|${userAgent}` : '';
+  if (cacheKey) {
+    const cached = _fingerprintCache.get(cacheKey);
     if (cached) return cached;
   }
 
@@ -239,12 +224,12 @@ function generateRealisticFingerprint(userAgent, domain = '') {
     doNotTrack: null // Most users don't enable DNT
   };
   
-  // Cache for this domain
-  if (domain) {
+  // Cache for this (domain, userAgent) tuple. Same key as the lookup above.
+  if (cacheKey) {
     if (_fingerprintCache.size >= FINGERPRINT_CACHE_MAX) {
       _fingerprintCache.delete(_fingerprintCache.keys().next().value);
     }
-    _fingerprintCache.set(domain, fingerprint);
+    _fingerprintCache.set(cacheKey, fingerprint);
   }
 
   return fingerprint;
@@ -257,7 +242,7 @@ async function validatePageForInjection(page, currentUrl, forceDebug) {
   try {
     if (!page || page.isClosed()) return false;
     
-    if (!page.browser().isConnected()) {
+    if (!page.browser().connected) {
       if (forceDebug) console.log(formatLogMessage('debug', `Page validation failed - browser disconnected: ${currentUrl}`));
       return false;
     }
@@ -277,14 +262,18 @@ async function validatePageForInjection(page, currentUrl, forceDebug) {
  */
 async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl) {
   if (!siteConfig.userAgent) return;
+  // Type guard: callers (including config-driven paths) might pass non-string
+  // values by accident (e.g. an array, an object). Without this guard, the
+  // .toLowerCase() call below would throw and crash the whole spoof
+  // pipeline for this URL with no actionable error.
+  if (typeof siteConfig.userAgent !== 'string') {
+    if (forceDebug) console.log(formatLogMessage('debug', `Invalid userAgent type for ${currentUrl}: expected string, got ${typeof siteConfig.userAgent}`));
+    return;
+  }
 
   if (forceDebug) console.log(formatLogMessage('debug', `User agent spoofing: ${siteConfig.userAgent}`));
 
-  // Browser connection check
-  try { 
-    if (!page.browser().isConnected() || page.isClosed()) return; 
-    if (page.browser().process()?.killed) return;
-  } catch { return; }
+  if (isBrowserDead(page)) return;
 
   // Validate page state before injection
   if (!(await validatePageForInjection(page, currentUrl, forceDebug))) return;
@@ -303,11 +292,27 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
     if (forceDebug) console.log(formatLogMessage('debug', `Applying stealth protection for ${currentUrl}`));
     
     try {
-      // Select GPU once per session — stays consistent across all page loads
-      const selectedGpu = selectGpuForUserAgent(ua);
+      // Derive site domain once -- used to seed the per-domain GPU pick
+      // (so a tracker logging UNMASKED_RENDERER_WEBGL sees one machine per
+      // site) AND to pre-compute hardware-concurrency from the SAME
+      // realistic-fingerprint generator that applyFingerprintProtection
+      // uses. That kills the order-dependent visible-value bug: previously
+      // hardwareConcurrency was random in the UA block (line 819) and
+      // domain-seeded in applyFingerprintProtection -- whichever evaluate
+      // ran second won. Now both paths produce the same value.
+      let siteDomain = '';
+      try { siteDomain = new URL(currentUrl).hostname; } catch (_) {}
+
+      const selectedGpu = selectGpuForUserAgent(ua, siteDomain);
       if (forceDebug) console.log(formatLogMessage('debug', `Selected GPU: ${selectedGpu.vendor} / ${selectedGpu.renderer}`));
 
-      await page.evaluateOnNewDocument((userAgent, debugEnabled, gpuConfig) => {
+      // Pre-compute hardware-concurrency from the (cached, domain-seeded)
+      // realistic fingerprint so the UA-spoof block uses the same value
+      // applyFingerprintProtection will later -- no order dependency,
+      // same value regardless of which evaluate runs first.
+      const realistic = generateRealisticFingerprint(ua, siteDomain);
+
+      await page.evaluateOnNewDocument((userAgent, debugEnabled, gpuConfig, seededCores) => {
       
         // Apply inline error suppression first
         (function() {
@@ -315,35 +320,53 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           const originalWindowError = window.onerror;
           
           function shouldSuppressFingerprintError(message) {
+            // Suppression list, ordered specific -> general.
+            // .some() stops at first match, so a broken specific just means
+            // the general catchers below do the work instead.
+            //
+            // Fixed (was using `\\.` / `\\d` / `\\(` / `\\$` -- DOUBLE
+            // backslashes in source). Each `\\X` parses as
+            // literal-backslash + wildcard-X, requiring a literal `\` in
+            // the error text -- which never appears. So those entries
+            // silently never matched anything; only the general catchers
+            // below were actually suppressing those error families.
+            // Switched to single-backslash form (literal-X escapes) so
+            // each specific entry now matches its intended error class
+            // for accurate debug logging of WHICH pattern matched.
+            //
+            // Also dropped:
+            //   - /Failed to load resource.*40[34]/i -- fully subsumed by
+            //     the broader /[45]\d{2}/i below.
             const patterns = [
               /\.closest is not a function/i,
               /\.querySelector is not a function/i,
               /\.addEventListener is not a function/i,
-              /Cannot read propert(y|ies) of null \\(reading 'fp'\\)/i,
-              /Cannot read propert(y|ies) of undefined \\(reading 'fp'\\)/i,
+              /Cannot read propert(y|ies) of null \(reading 'fp'\)/i,
+              /Cannot read propert(y|ies) of undefined \(reading 'fp'\)/i,
               /Cannot redefine property: href/i,
               /Cannot redefine property: __webdriver_script_func/i,
               /Cannot redefine property: webdriver/i,
-              /Cannot read propert(y|ies) of undefined \\(reading 'toLowerCase'\\)/i,
-              /\\.toLowerCase is not a function/i,
+              /Cannot read propert(y|ies) of undefined \(reading 'toLowerCase'\)/i,
+              /\.toLowerCase is not a function/i,
               /fp is not defined/i,
               /fingerprint is not defined/i,
               /FingerprintJS is not defined/i,
-              /\\$ is not defined/i,
+              /\$ is not defined/i,
               /jQuery is not defined/i,
               /_ is not defined/i,
-              /Failed to load resource.*server responded with a status of [45]\\d{2}/i,
+              /Failed to load resource.*server responded with a status of [45]\d{2}/i,
               /Failed to fetch/i,
               /(webdriver|callPhantom|_phantom|__nightmare|_selenium) is not defined/i,
               /Failed to execute 'observe' on 'IntersectionObserver'.*parameter 1 is not of type 'Element'/i,
               /tz check/i,
-              /new window\\.Error.*<anonymous>/i,
-              /Failed to load resource.*server responded with a status of 40[34]/i,
+              /new window\.Error.*<anonymous>/i,
               /Blocked script execution in 'about:blank'.*sandboxed.*allow-scripts/i,
               /Page JavaScript error:/i,
               /^[a-zA-Z0-9_$]+\[.*\]\s+is not a function/i,
               /^[a-zA-Z0-9_$]+\(.*\)\s+is not a function/i,
               /^[a-zA-Z0-9_$]+\.[a-zA-Z0-9_$]+.*is not a function/i,
+              // General catchers — kept last so the specific entries
+              // above can match first for accurate debug attribution.
               /Failed to load resource/i,
               /is not defined/i,
               /is not a function/i
@@ -383,6 +406,30 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
           return fn;
         }
+
+        // Wrapper-constructor identity preserver. Function.name and
+        // Function.length are own data properties of every function
+        // object, NOT inherited via prototype chain -- so even after
+        // Object.setPrototypeOf(wrapper, OriginalCtor), the wrapper
+        // still has its own name (empty for anonymous expressions) and
+        // length (count of leading formal params). A bot detector that
+        // checks `Error.name === 'Error'` would see '' on our spoof.
+        //
+        // Real Chrome's Function.name has descriptor
+        //   {value: ..., writable: false, enumerable: false, configurable: true}
+        // -- match that shape so getOwnPropertyDescriptor checks pass too.
+        function preserveCtorIdentity(wrapper, original) {
+          try {
+            Object.defineProperty(wrapper, 'name', {
+              value: original.name, writable: false, enumerable: false, configurable: true
+            });
+            Object.defineProperty(wrapper, 'length', {
+              value: original.length, writable: false, enumerable: false, configurable: true
+            });
+          } catch (e) {
+            if (debugEnabled) console.log(`[fingerprint] preserveCtorIdentity failed: ${e.message}`);
+          }
+        }
         
         Function.prototype.toString = function() {
           if (nativeFunctionStore.has(this)) {
@@ -393,10 +440,14 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         // Protect the toString override itself
         nativeFunctionStore.set(Function.prototype.toString, 'toString');
         
-        // Create safe property definition helper
+        // Create safe property definition helper.
+        // configurable: true is a DEFAULT (not a force) -- if a caller
+        // wants to lock a property (configurable: false) the spread won't
+        // override their explicit value. Previously `{ ...descriptor,
+        // configurable: true }` silently overrode any caller intent.
         function safeDefinePropertyLocal(target, property, descriptor) {
           const builtInProps = new Set(['href', 'origin', 'protocol', 'host', 'hostname', 'port', 'pathname', 'search', 'hash', 'constructor', 'prototype', '__proto__', 'toString', 'valueOf', 'assign', 'reload', 'replace']);
-       
+
           if (builtInProps.has(property)) {
             if (debugEnabled) console.log(`[fingerprint] Skipping built-in property: ${property}`);
             return false;
@@ -410,8 +461,8 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             }
 
             Object.defineProperty(target, property, {
-              ...descriptor,
-              configurable: true
+              configurable: true,
+              ...descriptor
             });
             return true;
           } catch (err) {
@@ -473,13 +524,21 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             '$cdc_asdjflasutopfhvcZLmcfl_', '$chrome_asyncScriptInfo', '__$webdriverAsyncExecutor'
           ];
           
+          // Just delete -- DO NOT re-add as undefined-returning getters.
+          // The previous version did:
+          //   delete window[prop];
+          //   safeDefinePropertyLocal(window, prop, { get: () => undefined });
+          // which made `window.callPhantom` return undefined (good) but ALSO
+          // made `'callPhantom' in window` return TRUE (bad) -- the property
+          // exists on the object even if the getter returns undefined. Real
+          // Chrome doesn't have these props at all, so `in`-operator and
+          // Object.getOwnPropertyNames probes saw a present property and
+          // flagged us as a bot. This own-goal was caught by
+          // scripts/test-stealth.js sannysoft (PHANTOM_PROPERTIES and
+          // SELENIUM_DRIVER cells went red because of it).
           automationProps.forEach(prop => {
-            try {
-              delete window[prop];
-              delete navigator[prop];
-              safeDefinePropertyLocal(window, prop, { get: () => undefined });
-              safeDefinePropertyLocal(navigator, prop, { get: () => undefined });
-            } catch (e) {}
+            try { delete window[prop]; } catch (e) {}
+            try { delete navigator[prop]; } catch (e) {}
           });
         }, 'automation properties removal');
 
@@ -501,12 +560,21 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
                 postMessage: () => {}, 
                 disconnect: () => {} 
               }),
-              getManifest: () => ({ 
-                name: "Chrome", 
-                version: "146.0.0.0",
-                manifest_version: 3,
-                description: "Chrome Browser"
-              }),
+              getManifest: () => {
+                // Derive Chrome version from the spoofed UA so a tracker
+                // cross-checking navigator.userAgent's Chrome version
+                // against chrome.runtime.getManifest().version sees a
+                // consistent number. Was hardcoded "146.0.0.0" which lied
+                // any time the UA was rotated to a different Chrome major.
+                const m = userAgent.match(/Chrome\/(\d+)/);
+                const major = m ? m[1] : '146';
+                return {
+                  name: "Chrome",
+                  version: `${major}.0.0.0`,
+                  manifest_version: 3,
+                  description: "Chrome Browser"
+                };
+              },
               getURL: (path) => `chrome-extension://invalid/${path}`,
               id: undefined,
               getPlatformInfo: (callback) => callback({
@@ -571,11 +639,22 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             });
           }
 
-          // Make chrome object non-enumerable to match real Chrome
+          // The old comment claimed "non-enumerable to match real Chrome" --
+          // but real Chrome's window.chrome property descriptor is
+          // {value: ..., writable: true, enumerable: true, configurable: true}.
+          // The previous writable:false + enumerable:false were themselves
+          // fingerprintable tells: a bot detector reading
+          //   Object.getOwnPropertyDescriptor(window, 'chrome')
+          // would see {writable:false, enumerable:false} and know this
+          // isn't real Chrome. `window.chrome = 'x'` would also silently
+          // fail (vs succeed on real Chrome). Match real Chrome's
+          // descriptor instead. The defineProperty is kept (rather than
+          // removed entirely) so re-injection on reload doesn't lose the
+          // descriptor shape if anything earlier tightened it.
           Object.defineProperty(window, 'chrome', {
             value: window.chrome,
-            writable: false,
-            enumerable: false,
+            writable: true,
+            enumerable: true,
             configurable: true
           });
 
@@ -649,6 +728,30 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             // Safari typically has no plugins in modern versions
             plugins = [];
           }
+          // Each plugin object needs to identify as a Plugin instance so
+          // `navigator.plugins[i].toString() === '[object Plugin]'` passes.
+          // (Sannysoft's actual PluginArray check tests this -- found via
+          // scripts/test-stealth.js sannysoft.) Resolve Plugin.prototype the
+          // same way we resolve PluginArray.prototype below: prefer the
+          // global, fall back to navigator.plugins[0]'s prototype if a real
+          // plugin exists, fall back to just Symbol.toStringTag if neither.
+          let pluginProto = null;
+          try {
+            if (typeof Plugin !== 'undefined' && Plugin.prototype) {
+              pluginProto = Plugin.prototype;
+            } else if (navigator.plugins && navigator.plugins[0]) {
+              pluginProto = Object.getPrototypeOf(navigator.plugins[0]);
+            }
+          } catch (e) {}
+          plugins = plugins.map(p => {
+            const wrapped = Object.assign(Object.create(pluginProto || Object.prototype), p);
+            if (!pluginProto) {
+              // Last-ditch: at least toString() returns "[object Plugin]"
+              wrapped[Symbol.toStringTag] = 'Plugin';
+            }
+            return wrapped;
+          });
+
           // Create proper array-like object with enumerable indices and length
           // Create proper PluginArray-like object with required methods
           const pluginsArray = {};
@@ -671,6 +774,27 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           pluginsArray[Symbol.iterator] = function*() { for (const p of plugins) yield p; };
           pluginsArray[Symbol.toStringTag] = 'PluginArray';
 
+          // Make `navigator.plugins instanceof PluginArray` evaluate true.
+          // Multiple ways to get PluginArray.prototype, in order of
+          // preference -- evaluateOnNewDocument can fire before all globals
+          // are bound, so we don't assume `PluginArray` is in scope. Falls
+          // back to inheriting from the existing navigator.plugins's own
+          // prototype, which is ALWAYS a real PluginArray.prototype on
+          // any DOM-bearing context.
+          try {
+            let pluginArrayProto = null;
+            if (typeof PluginArray !== 'undefined' && PluginArray.prototype) {
+              pluginArrayProto = PluginArray.prototype;
+            } else if (navigator.plugins) {
+              pluginArrayProto = Object.getPrototypeOf(navigator.plugins);
+            }
+            if (pluginArrayProto && pluginArrayProto !== Object.prototype) {
+              Object.setPrototypeOf(pluginsArray, pluginArrayProto);
+            }
+          } catch (e) {
+            if (debugEnabled) console.log(`[fingerprint] PluginArray prototype setup failed: ${e.message}`);
+          }
+
           safeDefinePropertyLocal(navigator, 'plugins', { get: () => pluginsArray });
         }, 'plugins spoofing');
 
@@ -813,12 +937,17 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'enhanced OS fingerprinting protection');
 
-        // Hardware concurrency spoofing (universal coverage)
-        //
+        // Hardware concurrency spoofing (universal coverage).
+        // Uses the domain-seeded value passed in from the Node-side
+        // generateRealisticFingerprint call -- previously did its own
+        // Math.random() pick from [4,6,8,12], which conflicted with the
+        // domain-seeded value set later by applyFingerprintProtection.
+        // Whichever evaluate ran second won, producing an order-dependent
+        // visible value. Now both paths use the same seeded value, so
+        // double-spoof becomes idempotent.
         safeExecute(() => {
-          const spoofedCores = [4, 6, 8, 12][Math.floor(Math.random() * 4)];
           const hardwareProps = {
-            hardwareConcurrency: { get: () => spoofedCores }
+            hardwareConcurrency: { get: () => seededCores }
           };
           spoofNavigatorProperties(navigator, hardwareProps);
         }, 'hardware concurrency spoofing');
@@ -889,12 +1018,24 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           
           window.Error.prototype = OriginalError.prototype;
           Object.setPrototypeOf(window.Error, OriginalError);
+          preserveCtorIdentity(window.Error, OriginalError);
           
-          // Copy static properties
+          // Forward static properties via getter/setter pairs instead of
+          // value-copy, so live mutations to OriginalError (e.g. page
+          // code doing `Error.stackTraceLimit = 100`) propagate through
+          // the wrapper. Previously the value-copy froze a snapshot at
+          // injection time; a tracker that mutated stackTraceLimit and
+          // then read it back from the wrapped Error would see the old
+          // value -- a real fingerprint tell.
           ['captureStackTrace', 'stackTraceLimit', 'prepareStackTrace'].forEach(prop => {
-            if (OriginalError[prop]) {
-              try { window.Error[prop] = OriginalError[prop]; } catch (e) {}
-            }
+            try {
+              Object.defineProperty(window.Error, prop, {
+                get: () => OriginalError[prop],
+                set: (v) => { OriginalError[prop] = v; },
+                configurable: true,
+                enumerable: false
+              });
+            } catch (e) {}
           });
         }, 'Error stack protection');
 
@@ -1161,19 +1302,25 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'window dimension spoofing');
 
-        // navigator.connection — missing or incomplete in headless
+        // navigator.connection — missing or incomplete in headless.
+        // Object literal hoisted out of the getter so identity is stable
+        // across reads. Real Chrome's NetworkInformation instance has
+        // `navigator.connection === navigator.connection`; previously
+        // the getter returned a new object on every read, which a
+        // tracker could detect by comparing references.
         safeExecute(() => {
           if (!navigator.connection) {
+            const connectionInfoStable = {
+              effectiveType: '4g',
+              rtt: 50,
+              downlink: 10,
+              saveData: false,
+              type: 'wifi',
+              addEventListener: () => {},
+              removeEventListener: () => {}
+            };
             Object.defineProperty(navigator, 'connection', {
-              get: () => ({
-                effectiveType: '4g',
-                rtt: 50,
-                downlink: 10,
-                saveData: false,
-                type: 'wifi',
-                addEventListener: () => {},
-                removeEventListener: () => {}
-              })
+              get: () => connectionInfoStable
             });
           }
         }, 'connection API spoofing');
@@ -1254,7 +1401,10 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             return img;
           };
           window.Image.prototype = OrigImage.prototype;
-          Object.defineProperty(window, 'Image', { writable: true, configurable: true });
+          preserveCtorIdentity(window.Image, OrigImage);
+          // (Note: the prior Object.defineProperty(window, 'Image', ...) here
+          // was a no-op -- changed descriptor flags without setting value.
+          // Removed; the wrapper is already assigned to window.Image above.)
         }, 'broken image dimension spoofing');
         
         // Fetch Request Headers Normalization
@@ -1345,6 +1495,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             };
             Object.setPrototypeOf(window.RTCPeerConnection, OriginalRTC);
             window.RTCPeerConnection.prototype = OriginalRTC.prototype;
+            preserveCtorIdentity(window.RTCPeerConnection, OriginalRTC);
           }
         }, 'WebRTC spoofing');
 
@@ -1587,8 +1738,9 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
               return new OriginalPointerEvent(type, enhancedDict);
             };
             Object.setPrototypeOf(window.PointerEvent, OriginalPointerEvent);
+            preserveCtorIdentity(window.PointerEvent, OriginalPointerEvent);
           }
-          
+
           // Spoof touch capabilities for mobile detection evasion
           if (!window.TouchEvent && Math.random() > 0.8) {
             // 20% chance to add touch support to confuse fingerprinters
@@ -1612,6 +1764,8 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
               };
               return new originalWheelEvent(type, enhancedDict);
             };
+            Object.setPrototypeOf(window.WheelEvent, originalWheelEvent);
+            preserveCtorIdentity(window.WheelEvent, originalWheelEvent);
           }
           
         }, 'enhanced mouse/pointer spoofing');
@@ -1744,7 +1898,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'interaction-gated script trigger');
 
-      }, ua, forceDebug, selectedGpu);
+      }, ua, forceDebug, selectedGpu, realistic.hardwareConcurrency);
     } catch (stealthErr) {
       if (isSessionClosedError(stealthErr)) {
         if (forceDebug) console.log(formatLogMessage('debug', `Page closed during stealth injection: ${currentUrl}`));
@@ -1762,12 +1916,8 @@ async function applyBraveSpoofing(page, siteConfig, forceDebug, currentUrl) {
   if (!siteConfig.isBrave) return;
 
   if (forceDebug) console.log(formatLogMessage('debug', `Brave spoofing enabled for ${currentUrl}`));
-  
-  // Browser connection check
-  try { 
-    if (!page.browser().isConnected() || page.isClosed()) return; 
-    if (page.browser().process()?.killed) return;
-  } catch { return; }
+
+  if (isBrowserDead(page)) return;
 
   // Validate page state before injection
   if (!(await validatePageForInjection(page, currentUrl, forceDebug))) return;
@@ -1814,12 +1964,8 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
   if (!fingerprintSetting) return;
 
   if (forceDebug) console.log(formatLogMessage('debug', `Fingerprint protection enabled for ${currentUrl}`));
-  
-  // Browser connection check
-  try { 
-    if (!page.browser().isConnected() || page.isClosed()) return; 
-    if (page.browser().process()?.killed) return;
-  } catch { return; }
+
+  if (isBrowserDead(page)) return;
   
   // Validate page state before injection
   if (!(await validatePageForInjection(page, currentUrl, forceDebug))) return;
@@ -1864,14 +2010,30 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
         }
       }
       
+      // Mirror of the helper defined inside applyUserAgentSpoofing's
+      // evaluate -- both behave identically: skip built-ins, refuse to
+      // touch non-configurable, default (not force) configurable:true so
+      // explicit caller intent is preserved. Previously this copy
+      // diverged: it had no built-in check AND it force-overrode
+      // configurable:true regardless of caller. Now consistent.
       function safeDefinePropertyLocal(target, property, descriptor) {
+        const builtInProps = new Set(['href', 'origin', 'protocol', 'host', 'hostname', 'port', 'pathname', 'search', 'hash', 'constructor', 'prototype', '__proto__', 'toString', 'valueOf', 'assign', 'reload', 'replace']);
+
+        if (builtInProps.has(property)) {
+          if (debugEnabled) console.log(`[fingerprint] Skipping built-in property: ${property}`);
+          return false;
+        }
+
         try {
           const existing = Object.getOwnPropertyDescriptor(target, property);
-          if (existing?.configurable === false) return false;
-          
+          if (existing?.configurable === false) {
+            if (debugEnabled) console.log(`[fingerprint] Cannot modify non-configurable: ${property}`);
+            return false;
+          }
+
           Object.defineProperty(target, property, {
-            ...descriptor,
-            configurable: true
+            configurable: true,
+            ...descriptor
           });
           return true;
         } catch (err) {
@@ -1982,7 +2144,7 @@ async function simulateHumanBehavior(page, forceDebug) {
     }
     
     // Check if browser is still connected
-    if (!page.browser().isConnected()) {
+    if (!page.browser().connected) {
       if (forceDebug) console.log(formatLogMessage('debug', `Human behavior simulation skipped - browser disconnected`));
       return;
     }
@@ -2128,16 +2290,17 @@ async function applyAllFingerprintSpoofing(page, siteConfig, forceDebug, current
   }
 }
 
+// Public surface kept narrow on purpose -- only what nwss.js actually
+// imports. Internal helpers (generateRealisticFingerprint,
+// applyUserAgentSpoofing, applyBraveSpoofing, applyFingerprintProtection,
+// simulateHumanBehavior, selectGpuForUserAgent, isBrowserDead,
+// isSessionClosedError, validatePageForInjection, seededRandom,
+// DEFAULT_PLATFORM, DEFAULT_TIMEZONE) stay as module-local; move back to
+// module.exports only if a new external consumer appears.
 module.exports = {
-  generateRealisticFingerprint,
-  getRealisticScreenResolution,
-  applyUserAgentSpoofing,
-  applyBraveSpoofing,
-  applyFingerprintProtection,
   applyAllFingerprintSpoofing,
-  simulateHumanBehavior,
-  safeDefineProperty,
-  safeSpoofingExecution,
-  DEFAULT_PLATFORM,
-  DEFAULT_TIMEZONE
+  // Exposed for scripts/test-stealth.js so the harness can validate --ua=
+  // against the canonical UA list (instead of duplicating the keys here).
+  // The Map itself is frozen; consumers cannot mutate the spoof source.
+  USER_AGENT_COLLECTIONS
 };