@fanboynz/network-scanner 3.0.0 → 3.0.2

package/nwss.js

@@ -109,6 +109,7 @@ const TIMEOUTS = Object.freeze({
   EMERGENCY_RESTART_DELAY: 2000,      // Delay after emergency browser restart
   BROWSER_STABILIZE_DELAY: 1000,      // Browser stabilization after restart
   CURL_HANDLER_DELAY: 3000,           // Wait for async curl operations
+  NETTOOLS_DRAIN_TIMEOUT: 3000,       // Hard cap for awaiting in-flight nettools (dig/whois) handlers before snapshot. Drains immediately if all complete; bounded so a hung dig can't block exit. Mirrors CURL_HANDLER_DELAY's role for curl/searchstring.
   PROTOCOL_TIMEOUT: 180000,           // Chrome DevTools Protocol timeout
   REDIRECT_JS_TIMEOUT: 5000           // JavaScript redirect detection timeout
 });
@@ -777,7 +778,8 @@ Redirect Handling Options:
   isBrave: true/false                          Spoof Brave browser detection
   userAgent: "chrome"|"chrome_mac"|"chrome_linux"|"firefox"|"firefox_mac"|"firefox_linux"|"safari"  Custom desktop User-Agent
   interact_intensity: "low"|"medium"|"high"     Interaction simulation intensity (default: medium)
-  delay: <milliseconds>                        Delay after load (default: 4000)
+  delay: <milliseconds>                        Delay after load (default: 6000, capped at 2000ms unless delay_uncapped: true)
+  delay_uncapped: true/false                   Honor 'delay' up to half the per-URL timeout instead of the 2s default cap. Use for sites with setTimeout-deferred lazy ad/tracker loaders that fire well past the standard post-networkidle window
   reload: <number>                             Reload page n times after load (default: 1)
   forcereload: true/false or ["domain1.com", "domain2.com"]  Force cache-clearing reload for all URLs or specific domains
   clear_sitedata: true/false                   Clear all cookies, cache, storage before each load (default: false)
@@ -1864,7 +1866,13 @@ function setupFrameHandling(page, forceDebug) {
         '--disable-domain-reliability', // No reliability monitor disk writes
         // PERFORMANCE: Disable non-essential Chrome features in a single flag
         // IMPORTANT: Chrome only reads the LAST --disable-features flag, so combine all into one
-        `--disable-features=AudioServiceOutOfProcess,VizDisplayCompositor,TranslateUI,BlinkGenPropertyTrees,Translate,BackForwardCache,AcceptCHFrame,SafeBrowsing,HttpsFirstBalancedModeAutoEnable,site-per-process,PaintHolding${disable_ad_tagging ? ',AdTagging' : ''}`,
+        // AccountConsistencyMirror + AccountConsistencyDice prevent the
+        // Chrome sign-in subsystem from initialising at startup. Combined
+        // with --disable-sync + --allow-browser-signin=false below, this
+        // suppresses the "Something went wrong when opening your profile"
+        // popup that fires in headful + --keep-open mode (temp userDataDir
+        // has no real profile, so the sync init errors out and pops up).
+        `--disable-features=AudioServiceOutOfProcess,VizDisplayCompositor,TranslateUI,BlinkGenPropertyTrees,Translate,BackForwardCache,AcceptCHFrame,SafeBrowsing,HttpsFirstBalancedModeAutoEnable,site-per-process,PaintHolding,AccountConsistencyMirror,AccountConsistencyDice${disable_ad_tagging ? ',AdTagging' : ''}`,
         '--disable-ipc-flooding-protection',
         '--aggressive-cache-discard',
         '--memory-pressure-off',
@@ -1874,7 +1882,16 @@ function setupFrameHandling(page, forceDebug) {
         '--no-sandbox',
         '--disable-setuid-sandbox',
         '--disable-dev-shm-usage',
-        ...(keepBrowserOpen ? [] : ['--disable-sync']),
+        // --disable-sync is always-on (was previously dropped in --keep-open
+        // mode, which let the sync subsystem init against our temp
+        // userDataDir and pop the "Something went wrong when opening your
+        // profile" dialog). Inspection during --keep-open doesn't need
+        // sync; nothing in the scanner flow does.
+        '--disable-sync',
+        // Prevent the sign-in promo / account banner from appearing in
+        // headful sessions. Same family of fixes as --disable-sync and the
+        // AccountConsistency* features disabled above.
+        '--allow-browser-signin=false',
         '--mute-audio',
         '--disable-translate',
         '--window-size=1920,1080',
@@ -2100,6 +2117,30 @@ function setupFrameHandling(page, forceDebug) {
     // Use Map to track domains and their resource types for --adblock-rules or --dry-run
     const matchedDomains = (adblockRulesMode || siteConfig.adblock_rules || dryRunMode) ? new Map() : new Set();
 
+    // Per-URL tracking of in-flight async nettools (dig/whois) handlers so we
+    // can drain them BEFORE snapshotting matchedDomains into the result. The
+    // previous fire-and-forget setImmediate pattern dropped late-completing
+    // matches (handler resolved after formatRules had already run). Each
+    // setImmediate-scheduled handler now registers a promise via
+    // trackNetToolsHandler; drainPendingNetTools() awaits all of them with a
+    // hard cap (TIMEOUTS.NETTOOLS_DRAIN_TIMEOUT) so a hung dig can't block.
+    const pendingNetTools = [];
+    const trackNetToolsHandler = (handlerFn) => {
+      pendingNetTools.push(new Promise((resolve) => {
+        setImmediate(async () => {
+          try { await handlerFn(); } catch (_) { /* handler logs its own errors */ }
+          finally { resolve(); }
+        });
+      }));
+    };
+    const drainPendingNetTools = async () => {
+      if (pendingNetTools.length === 0) return;
+      await Promise.race([
+        Promise.all(pendingNetTools),
+        fastTimeout(TIMEOUTS.NETTOOLS_DRAIN_TIMEOUT)
+      ]);
+    };
+
     // Local domain dedup scoped to THIS processUrl call only
     // Prevents cross-config contamination from the global domain cache
     const localDetectedDomains = new Set();
@@ -2323,7 +2364,7 @@ function setupFrameHandling(page, forceDebug) {
           let browserResponsive = false;
           try {
               // Check if browser is still connected before attempting health check
-              if (!browserInstance.isConnected()) {
+              if (!browserInstance.connected) {
                   throw new Error('Browser not connected');
               }
 
@@ -3167,7 +3208,7 @@ function setupFrameHandling(page, forceDebug) {
                   currentUrl, getRootDomain, siteConfig, dumpUrls, matchedUrlsLogFile, forceDebug, fs,
                   ignoreDomains, matchesIgnoreDomain
                 });
-                setImmediate(() => popupNetToolsHandler(checkedRootDomain, fullSubdomain));
+                trackNetToolsHandler(() => popupNetToolsHandler(checkedRootDomain, fullSubdomain));
               } else {
                 // No nettools required — regex match alone counts.
                 addMatchedDomain(checkedRootDomain, resourceType, fullSubdomain);
@@ -3573,7 +3614,7 @@ function setupFrameHandling(page, forceDebug) {
 
               // Execute nettools check asynchronously
               const originalDomain = fullSubdomain;
-              setImmediate(() => netToolsHandler(reqDomain, originalDomain));
+              trackNetToolsHandler(() => netToolsHandler(reqDomain, originalDomain));
             }
             if (forceDebug) {
               console.log(formatLogMessage('debug', `${reqUrl} has nettools validation required - skipping immediate add`));
@@ -3688,7 +3729,7 @@ function setupFrameHandling(page, forceDebug) {
 
              // Execute nettools check asynchronously
             const originalDomain = fullSubdomain; // Use full subdomain for nettools
-            setImmediate(() => netToolsHandler(reqDomain, originalDomain));
+            trackNetToolsHandler(() => netToolsHandler(reqDomain, originalDomain));
 
              // Do NOT continue processing this request for immediate domain addition
              // The nettools handler is responsible for adding the domain if validation passes
@@ -4237,13 +4278,22 @@ function setupFrameHandling(page, forceDebug) {
       }
       }
 
-      const delayMs = DEFAULT_DELAY;
+      const delayMs = siteConfig.delay || DEFAULT_DELAY;
 
       // Optimized delays for Puppeteer 23.x performance
       const isFastSite = timeout <= TIMEOUTS.FAST_SITE_THRESHOLD;
       const networkIdleTime = TIMEOUTS.NETWORK_IDLE;  // Balanced: 2s for reliable network detection
       const networkIdleTimeout = Math.min(timeout / 2, TIMEOUTS.NETWORK_IDLE_MAX);  // Balanced: 10s timeout
-      const actualDelay = Math.min(delayMs, TIMEOUTS.NETWORK_IDLE);  // Balanced: 2s delay for stability
+      // Post-networkidle delay cap. Default (2s) keeps fast sites fast. Opt
+      // in with `delay_uncapped: true` to honor the configured `delay` up to
+      // half the per-URL timeout — useful for sites with setTimeout-deferred
+      // lazy ad/tracker loaders (weather.com, cbssports.com class) where
+      // late requests fire well past the 2s window. See also the per-URL
+      // drainPendingNetTools() which awaits in-flight dig/whois handlers
+      // before the matchedDomains snapshot regardless of this flag.
+      const actualDelay = siteConfig.delay_uncapped === true
+        ? Math.min(delayMs, Math.floor(timeout / 2))
+        : Math.min(delayMs, TIMEOUTS.NETWORK_IDLE);
 
       // Build delay promise (networkIdle + delay + optional flowProxy delay)
       const delayPromise = (async () => {
@@ -4625,7 +4675,8 @@ function setupFrameHandling(page, forceDebug) {
         // Wait a moment for async nettools/searchstring operations to complete
         // Use fast timeout helper for Puppeteer 22.x compatibility
         await fastTimeout(TIMEOUTS.CURL_HANDLER_DELAY); // Wait for async operations
-        
+        await drainPendingNetTools(); // Bounded wait for in-flight dig/whois (race fix)
+
         return { url: currentUrl, rules: [], success: true, dryRun: true, matchCount: dryRunResult.matchCount };
       } else {
         // Format rules using the output module
@@ -4639,6 +4690,12 @@ function setupFrameHandling(page, forceDebug) {
         privoxyMode,
         piholeMode
       };
+        // Drain pending dig/whois handlers BEFORE snapshotting matchedDomains.
+        // Without this, late-completing async validations (request fired near
+        // end of the delay window, dig still in flight) get orphaned — their
+        // addMatchedDomain calls happen but the result has already been
+        // returned. Bounded by TIMEOUTS.NETTOOLS_DRAIN_TIMEOUT.
+        await drainPendingNetTools();
         const formattedRules = formatRules(matchedDomains, siteConfig, globalOptions);
         
         return {
@@ -4690,7 +4747,11 @@ function setupFrameHandling(page, forceDebug) {
       };
     }
          
-      // For other errors, preserve any matches we found before the error
+      // For other errors, preserve any matches we found before the error.
+      // Drain pending nettools first so dig/whois handlers scheduled DURING
+      // the failed navigation get a chance to add to matchedDomains before
+      // the partial-success snapshot — same race as the success path.
+      await drainPendingNetTools();
       if (matchedDomains && (matchedDomains.size > 0 || (matchedDomains instanceof Map && matchedDomains.size > 0))) {
         const globalOptions = {
           localhostIP,
@@ -5713,7 +5774,7 @@ function setupFrameHandling(page, forceDebug) {
     console.log(messageColors.info('Browser kept open.') + ' Close the browser window or press Ctrl+C to exit.');
     const cleanup = async () => {
       try {
-        if (browser.isConnected()) await browser.close();
+        if (browser.connected) await browser.close();
       } catch {}
       process.exit(0);
     };
@@ -5731,7 +5792,7 @@ function setupFrameHandling(page, forceDebug) {
 
   // Enhanced final validation for Puppeteer 23.x
   try {
-    const isStillConnected = browser.isConnected();
+    const isStillConnected = browser.connected;
     if (forceDebug) console.log(formatLogMessage('debug', `Browser connection status before cleanup: ${isStillConnected}`));
   } catch (connErr) {
     if (forceDebug) console.log(formatLogMessage('debug', `Browser connection check failed: ${connErr.message}`));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fanboynz/network-scanner",
-  "version": "3.0.0",
+  "version": "3.0.2",
   "description": "A Puppeteer-based network scanner for analyzing web traffic, generating adblock filter rules, and identifying third-party requests. Features include fingerprint spoofing, Cloudflare bypass, content analysis with curl/grep, and multiple output formats.",
   "main": "nwss.js",
   "scripts": {

package/scripts/test-stealth.js

@@ -0,0 +1,281 @@
+#!/usr/bin/env node
+/**
+ * Stealth integration smoke test.
+ *
+ * Launches Puppeteer, applies the project's full fingerprint spoofing stack
+ * (lib/fingerprint.js's applyAllFingerprintSpoofing), navigates to public
+ * bot-detection test pages, and reports what the page concluded about us.
+ *
+ * Purpose: replace "I think the spoof works" theoretical reviews with real
+ * signal -- which checks pass, which fail, which moved after a fingerprint
+ * change. Run before and after a stealth-related commit to A/B the impact.
+ *
+ * Usage:
+ *   node scripts/test-stealth.js                  # all targets, human-readable
+ *   node scripts/test-stealth.js sannysoft        # one target
+ *   node scripts/test-stealth.js --headful        # show browser GUI
+ *   node scripts/test-stealth.js --no-spoof       # baseline (no fingerprint protection)
+ *   node scripts/test-stealth.js --ua=firefox     # change UA family
+ *   node scripts/test-stealth.js --format=json    # machine-readable output
+ *   node scripts/test-stealth.js --help           # show usage
+ *
+ * Environment:
+ *   PUPPETEER_NO_SANDBOX=1   pass --no-sandbox --disable-setuid-sandbox to
+ *                            Chromium. Required when running as root (CI
+ *                            containers, some Docker setups). Off by default
+ *                            so local dev doesn't silently drop the sandbox.
+ *
+ * Targets (extend by adding to TARGETS below):
+ *   sannysoft     https://bot.sannysoft.com/                  — classic fingerprint tests
+ *   creepjs       https://abrahamjuliot.github.io/creepjs/    — modern fingerprint suite
+ *   browserleaks  https://browserleaks.com/javascript         — JS env probe
+ *
+ * Output: one line per target with PASS / WARN / FAIL counts (where parseable),
+ * plus a short summary of any explicit detection markers ("Bot detected",
+ * "Headless", etc.) found in the page text. With --format=json, emits a single
+ * JSON object suitable for piping to diff/jq for before/after comparison.
+ *
+ * This is a SMOKE test, not a unit test. It doesn't make assertions; it
+ * reports what the page reports. Use the output to decide if a stealth
+ * change moved the needle.
+ */
+
+'use strict';
+
+const puppeteer = require('puppeteer');
+const path = require('path');
+const {
+  applyAllFingerprintSpoofing,
+  USER_AGENT_COLLECTIONS
+} = require(path.resolve(__dirname, '..', 'lib', 'fingerprint'));
+
+const args = process.argv.slice(2);
+const HELP = args.includes('--help') || args.includes('-h');
+const HEADFUL = args.includes('--headful');
+const NO_SPOOF = args.includes('--no-spoof');
+const UA_FLAG = (args.find(a => a.startsWith('--ua=')) || '').slice(5) || 'chrome';
+const FORMAT = (args.find(a => a.startsWith('--format=')) || '').slice(9) || 'text';
+const filterTargets = args.filter(a => !a.startsWith('-'));
+// Anything starting with '-' is a flag claim; we validate the known set
+// below so typos like "-headful" or "--no_spoof" don't silently no-op.
+const flagArgs = args.filter(a => a.startsWith('-'));
+const KNOWN_FLAGS = new Set(['--headful', '--no-spoof', '--help', '-h']);
+const KNOWN_FLAG_PREFIXES = ['--ua=', '--format='];
+
+const TARGETS = [
+  {
+    name: 'sannysoft',
+    url: 'https://bot.sannysoft.com/',
+    // Parse the result tables. Sannysoft uses td.passed / td.failed / td.warn.
+    extract: async (page) => {
+      return await page.evaluate(() => {
+        const cells = Array.from(document.querySelectorAll('td'));
+        const out = { passed: 0, failed: 0, warn: 0, total: 0, failures: [] };
+        for (const c of cells) {
+          const cls = c.className || '';
+          if (cls.includes('passed')) { out.passed++; out.total++; }
+          else if (cls.includes('failed')) {
+            out.failed++; out.total++;
+            // Try to capture the row label for context
+            const row = c.closest('tr');
+            const label = row?.querySelector('td')?.textContent?.trim() || '?';
+            out.failures.push(label);
+          }
+          else if (cls.includes('warn')) { out.warn++; out.total++; }
+        }
+        return out;
+      });
+    }
+  },
+  {
+    name: 'creepjs',
+    url: 'https://abrahamjuliot.github.io/creepjs/',
+    extract: async (page) => {
+      // CreepJS surfaces a trust score in the page. Wait briefly for the
+      // async fingerprinting tests to complete.
+      await page.waitForSelector('#fingerprint-data', { timeout: 30000 }).catch(() => {});
+      await new Promise(r => setTimeout(r, 8000)); // give async tests time
+      return await page.evaluate(() => {
+        const text = document.body.innerText || '';
+        // CreepJS reports a "Trust Score" percentage and individual signal entries.
+        const trustMatch = text.match(/Trust Score[:\s]+(\d+(?:\.\d+)?)\s*%/i);
+        const lieMatch = text.match(/lies[:\s]+(\d+)/i);
+        const botMatch = text.match(/bot[:\s]+(true|false)/i);
+        return {
+          trustScore: trustMatch ? parseFloat(trustMatch[1]) : null,
+          lies: lieMatch ? parseInt(lieMatch[1], 10) : null,
+          botDetected: botMatch ? botMatch[1] === 'true' : null,
+          excerpt: text.split('\n').slice(0, 15).join('\n').slice(0, 400)
+        };
+      });
+    }
+  },
+  {
+    name: 'browserleaks',
+    url: 'https://browserleaks.com/javascript',
+    extract: async (page) => {
+      return await page.evaluate(() => {
+        // browserleaks shows the values; we just capture the navigator-related ones
+        // and report which look anomalous.
+        return {
+          userAgent: navigator.userAgent,
+          platform: navigator.platform,
+          webdriver: navigator.webdriver,
+          languages: JSON.stringify(navigator.languages),
+          hardwareConcurrency: navigator.hardwareConcurrency,
+          deviceMemory: navigator.deviceMemory,
+          plugins: navigator.plugins?.length,
+          chromeRuntime: typeof window.chrome?.runtime,
+          chromeRuntimeVersion: (() => { try { return window.chrome?.runtime?.getManifest?.()?.version; } catch (e) { return 'error'; } })(),
+          windowChromeDescriptor: (() => {
+            const d = Object.getOwnPropertyDescriptor(window, 'chrome');
+            return d ? `writable=${d.writable},enumerable=${d.enumerable},configurable=${d.configurable}` : 'no-descriptor';
+          })(),
+          errorName: Error.name,
+          errorLength: Error.length,
+          rtcName: window.RTCPeerConnection?.name,
+          imageName: window.Image?.name
+        };
+      });
+    }
+  }
+];
+
+function printHelp() {
+  console.log(`Usage: node scripts/test-stealth.js [options] [target...]
+
+Options:
+  --headful           launch with browser GUI visible
+  --no-spoof          baseline run — skip applyAllFingerprintSpoofing
+  --ua=<family>       UA family to spoof (default: chrome)
+                      valid: ${Array.from(USER_AGENT_COLLECTIONS.keys()).join(', ')}
+  --format=<fmt>      output format: text (default) | json
+  --help, -h          show this message
+
+Environment:
+  PUPPETEER_NO_SANDBOX=1   pass --no-sandbox to Chromium (required in some CI)
+
+Targets: ${TARGETS.map(t => t.name).join(', ')} (default: all)`);
+}
+
+function formatResult(target, result) {
+  const lines = [`\n=== ${target.name} (${target.url}) ===`];
+  if (target.name === 'sannysoft') {
+    lines.push(`  passed: ${result.passed} | warn: ${result.warn} | failed: ${result.failed} | total: ${result.total}`);
+    if (result.failures.length) {
+      lines.push(`  failure rows: ${result.failures.slice(0, 10).join(', ')}${result.failures.length > 10 ? ` ... +${result.failures.length - 10} more` : ''}`);
+    }
+  } else if (target.name === 'creepjs') {
+    lines.push(`  trust score: ${result.trustScore ?? 'n/a'}%`);
+    lines.push(`  lies detected: ${result.lies ?? 'n/a'}`);
+    lines.push(`  bot flagged: ${result.botDetected ?? 'n/a'}`);
+    if (result.excerpt) lines.push(`  excerpt:\n    ${result.excerpt.split('\n').join('\n    ')}`);
+  } else if (target.name === 'browserleaks') {
+    for (const [k, v] of Object.entries(result)) {
+      lines.push(`  ${k.padEnd(24)} ${v}`);
+    }
+  }
+  return lines.join('\n');
+}
+
+(async () => {
+  if (HELP) { printHelp(); process.exit(0); }
+
+  // Validate --ua= against the canonical UA list. Previously a typo like
+  // --ua=opera silently fell through to applyUserAgentSpoofing's "unknown UA,
+  // no-op" path, producing run results that looked spoofed but weren't.
+  if (!USER_AGENT_COLLECTIONS.has(UA_FLAG)) {
+    console.error(`Invalid --ua=${UA_FLAG}. Valid: ${Array.from(USER_AGENT_COLLECTIONS.keys()).join(', ')}`);
+    process.exit(2);
+  }
+
+  if (!['text', 'json'].includes(FORMAT)) {
+    console.error(`Invalid --format=${FORMAT}. Valid: text, json`);
+    process.exit(2);
+  }
+
+  // Reject unrecognised flags before we launch a browser. Typos like
+  // "-headful" or "--no_spoof" used to silently no-op and produce a
+  // misleading "spoof on" run that wasn't actually spoofed.
+  const badFlags = flagArgs.filter(f =>
+    !KNOWN_FLAGS.has(f) && !KNOWN_FLAG_PREFIXES.some(p => f.startsWith(p))
+  );
+  if (badFlags.length) {
+    console.error(`Unrecognised flag(s): ${badFlags.join(', ')}. See --help.`);
+    process.exit(2);
+  }
+
+  const targetsToRun = filterTargets.length
+    ? TARGETS.filter(t => filterTargets.includes(t.name))
+    : TARGETS;
+
+  if (targetsToRun.length === 0) {
+    console.error(`No targets matched. Available: ${TARGETS.map(t => t.name).join(', ')}`);
+    process.exit(2);
+  }
+
+  if (FORMAT === 'text') {
+    console.log(`Stealth test config: spoof=${!NO_SPOOF}, ua=${UA_FLAG}, headful=${HEADFUL}`);
+    console.log(`Targets: ${targetsToRun.map(t => t.name).join(', ')}`);
+  }
+
+  // Sandbox is on by default; opt out via env var rather than baking
+  // --no-sandbox into the launch line. CI-as-root needs it; local dev should
+  // not silently drop the sandbox just because the test happens to start it.
+  const launchArgs = ['--disable-blink-features=AutomationControlled'];
+  if (process.env.PUPPETEER_NO_SANDBOX === '1') {
+    launchArgs.push('--no-sandbox', '--disable-setuid-sandbox');
+  }
+
+  const browser = await puppeteer.launch({
+    headless: !HEADFUL,
+    args: launchArgs
+  });
+
+  // Collected for JSON output (and to support a future --fail-on-detection
+  // exit code without restructuring the loop).
+  const collected = [];
+
+  try {
+    for (const target of targetsToRun) {
+      const page = await browser.newPage();
+      const started = Date.now();
+      try {
+        if (!NO_SPOOF) {
+          // Apply the same spoofing stack nwss.js uses for real scans.
+          await applyAllFingerprintSpoofing(page,
+            { userAgent: UA_FLAG, fingerprint_protection: 'random' },
+            false,
+            target.url
+          );
+        }
+        await page.goto(target.url, { waitUntil: 'networkidle2', timeout: 60000 });
+        const result = await target.extract(page);
+        collected.push({ name: target.name, url: target.url, ok: true, durationMs: Date.now() - started, result });
+        if (FORMAT === 'text') console.log(formatResult(target, result));
+      } catch (err) {
+        collected.push({ name: target.name, url: target.url, ok: false, durationMs: Date.now() - started, error: err.message });
+        if (FORMAT === 'text') {
+          console.error(`\n=== ${target.name} (${target.url}) ===`);
+          console.error(`  ERROR: ${err.message}`);
+        }
+      } finally {
+        await page.close().catch(() => {});
+      }
+    }
+  } finally {
+    await browser.close().catch(() => {});
+  }
+
+  if (FORMAT === 'json') {
+    // Single object, not NDJSON — easier to diff with `jq` or `diff` between
+    // before/after runs. Schema is stable: top-level config + targets[].
+    process.stdout.write(JSON.stringify({
+      config: { spoof: !NO_SPOOF, ua: UA_FLAG, headful: HEADFUL, noSandbox: process.env.PUPPETEER_NO_SANDBOX === '1' },
+      targets: collected
+    }, null, 2) + '\n');
+  }
+})().catch(err => {
+  console.error('test-stealth fatal:', err);
+  process.exit(1);
+});