npm - @fanboynz/network-scanner - Versions diffs - 3.1.0 → 3.2.0 - Mend

@fanboynz/network-scanner 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/lib/domain-cache.js CHANGED Viewed

@@ -103,54 +103,6 @@ class DomainCache {
     return wasNew;
   }
-  /**
-   * Combined check-and-mark in one pass. Functionally equivalent to
-   * isDomainAlreadyDetected() followed by markDomainAsDetected(), but with
-   * one Set.has() call instead of two. (JS is single-threaded so all three
-   * variants are individually atomic; this one is just cheaper.)
-   * @param {string} domain - Domain to check and potentially mark
-   * @returns {boolean} True if domain was ALREADY detected (should skip), false if NEW (should process)
-   */
-  checkAndMark(domain) {
-    if (!domain || typeof domain !== 'string') {
-      return false;
-    }
-    const wasAlreadyDetected = this.cache.has(domain);
-    if (wasAlreadyDetected) {
-      // Domain already exists - update skip stats and return true (should skip)
-      this.stats.totalSkipped++;
-      this.stats.cacheHits++;
-      if (this.enableLogging) {
-        console.log(formatLogMessage('debug', `${this.logPrefix} Cache HIT: ${domain} (skipped)`));
-      }
-      return true; // Already detected, should skip
-    }
-    // Domain is NEW - mark it as detected
-    this.stats.cacheMisses++;
-    this.cache.add(domain);
-    this.stats.totalDetected++;
-    if (this.enableLogging) {
-      console.log(formatLogMessage('debug', `${this.logPrefix} Cache MISS: ${domain} (processing and marked, cache size: ${this.cache.size})`));
-    }
-    // Check size after the add so an overflow only fires eviction once per
-    // overflowing call (using targetCacheSize precomputed in the constructor).
-    if (this.cache.size > this.maxCacheSize) {
-      const toRemove = this.cache.size - this.targetCacheSize;
-      if (toRemove > 0) {
-        this.clearOldestEntries(toRemove);
-      }
-    }
-    return false; // New domain, should process
-  }
   /**
    * Clear oldest entries from cache (FIFO eviction). Set iteration order is
    * guaranteed insertion order per ES2015, so this genuinely evicts oldest-
@@ -208,45 +160,6 @@ class DomainCache {
     return this.cache.has(domain);
   }
-  /**
-   * Add multiple domains to cache at once. Uses a single .size delta to
-   * count actually-new entries (skipping per-domain .has() calls), and
-   * runs the size-overflow eviction check once after the batch instead of
-   * per-domain. For a batch of N domains this is N .has() calls saved and
-   * up to N redundant cap checks collapsed to one.
-   * @param {Array<string>} domains - Array of domains to add
-   * @returns {number} Number of domains actually added (excludes duplicates)
-   */
-  markMultipleDomainsAsDetected(domains) {
-    if (!Array.isArray(domains) || domains.length === 0) {
-      return 0;
-    }
-    const startSize = this.cache.size;
-    for (let i = 0; i < domains.length; i++) {
-      const d = domains[i];
-      if (d && typeof d === 'string') {
-        this.cache.add(d);
-      }
-    }
-    const addedCount = this.cache.size - startSize;
-    this.stats.totalDetected += addedCount;
-    if (this.enableLogging && addedCount > 0) {
-      console.log(formatLogMessage('debug', `${this.logPrefix} Batch added ${addedCount} new domains (cache size: ${this.cache.size})`));
-    }
-    // One eviction sweep at the end, mirroring the single-add overflow check.
-    if (this.cache.size > this.maxCacheSize) {
-      const toRemove = this.cache.size - this.targetCacheSize;
-      if (toRemove > 0) {
-        this.clearOldestEntries(toRemove);
-      }
-    }
-    return addedCount;
-  }
   /**
    * Create bound helper functions for easy integration with existing code
    * @returns {object} Object with bound helper functions
@@ -255,7 +168,6 @@ class DomainCache {
     return {
       isDomainAlreadyDetected: this.isDomainAlreadyDetected.bind(this),
       markDomainAsDetected: this.markDomainAsDetected.bind(this),
-      checkAndMark: this.checkAndMark.bind(this),
       getSkippedCount: () => this.stats.totalSkipped,
       getCacheSize: () => this.cache.size,
       getStats: this.getStats.bind(this)
@@ -273,8 +185,7 @@ let globalDomainCache = null;
  *
  * NOTE: `options` is honored ONLY on the first call (the call that actually
  * constructs the singleton). Subsequent calls return the existing instance
- * regardless of what's passed. If you need different settings, call
- * resetGlobalCache() first or use `new DomainCache(options)` directly.
+ * regardless of what's passed; options are fixed at first construction.
  *
  * Under debug logging, a warning fires if a later caller passes options
  * that don't match the live instance — silent drift is a recurring source
@@ -295,7 +206,7 @@ function getGlobalDomainCache(options = {}) {
       (options.enableLogging !== undefined && options.enableLogging !== globalDomainCache.enableLogging) ||
       (options.logPrefix !== undefined && options.logPrefix !== globalDomainCache.logPrefix);
     if (drifted) {
-      console.log(formatLogMessage('debug', `${globalDomainCache.logPrefix} getGlobalDomainCache called with options that differ from the live singleton; ignored (call resetGlobalCache() first to apply new options)`));
+      console.log(formatLogMessage('debug', `${globalDomainCache.logPrefix} getGlobalDomainCache called with options that differ from the live singleton; ignored (options are fixed at first construction)`));
     }
   }
   return globalDomainCache;
@@ -312,36 +223,17 @@ function createGlobalHelpers(options = {}) {
 }
 /**
- * Reset the global cache (useful for testing or manual resets)
- */
-function resetGlobalCache() {
-  if (globalDomainCache) {
-    globalDomainCache.clear();
-  }
-  globalDomainCache = null;
-}
-/**
- * Legacy wrapper functions for backward compatibility
- * These match the original function signatures from nwss.js
+ * Legacy wrapper for backward compatibility.
  *
- * NOTE: getTotalDomainsSkipped and getDetectedDomainsCount are the only
- * ones kept — they're used directly by nwss.js for end-of-scan stats.
- * Previously-defined isDomainAlreadyDetected / markDomainAsDetected /
- * checkAndMark wrappers were removed: nwss.js calls those via
- * createGlobalHelpers() now and repo-wide grep confirmed zero remaining
- * external callers of the legacy wrappers.
+ * getDetectedDomainsCount is the only one kept — nwss.js reads it for the
+ * end-of-scan "unique domains cached" stat. getTotalDomainsSkipped was
+ * removed: its value was always 0 because the global cache's skip-check
+ * (isDomainAlreadyDetected) is never called — cross-URL dedup is handled by
+ * nettools' processed-domain sets / smart-cache / the per-URL set — so the
+ * stat was misleading. The isDomainAlreadyDetected / markDomainAsDetected /
+ * checkAndMark wrappers were likewise removed; nwss.js uses createGlobalHelpers().
  */
-/**
- * Get total domains skipped (legacy wrapper)
- * @returns {number} Number of domains skipped
- */
-function getTotalDomainsSkipped() {
-  const cache = getGlobalDomainCache();
-  return cache.stats.totalSkipped;
-}
 /**
  * Get detected domains cache size (legacy wrapper)
  * @returns {number} Size of the detected domains cache
@@ -352,15 +244,10 @@ function getDetectedDomainsCount() {
 }
 module.exports = {
-  // Main class
-  DomainCache,
-  // Global cache functions
-  getGlobalDomainCache,
+  // Global cache helpers — createGlobalHelpers feeds nwss.js's per-domain
+  // marking; getDetectedDomainsCount feeds the end-of-scan "unique domains
+  // cached" stat. (DomainCache / getGlobalDomainCache stay internal — no
+  // external consumer; construct via createGlobalHelpers.)
   createGlobalHelpers,
-  resetGlobalCache,
-  // Legacy wrappers still used by nwss.js for end-of-scan stats
-  getTotalDomainsSkipped,
   getDetectedDomainsCount
 };

package/lib/fingerprint.js CHANGED Viewed

@@ -26,12 +26,43 @@ function seededRandom(seed) {
 const _fingerprintCache = new Map();
 const FINGERPRINT_CACHE_MAX = 500;
+// The build portion of the Chrome full version (major.0.BUILD). The reduced
+// UA string deliberately hides this (Chrome/148.0.0.0), but the full-version
+// Client Hints — Sec-CH-UA-Full-Version, -Full-Version-List, and
+// userAgentData.getHighEntropyValues(['fullVersionList','uaFullVersion']) —
+// expose the REAL build. Single source of truth so the HTTP headers (set in
+// nwss.js, which imports this) and the JS high-entropy spoof can't disagree;
+// a server cross-checking the two would catch a mismatch. The major comes
+// from the UA string at each call site, so on a Chrome bump update BOTH the
+// USER_AGENT_COLLECTIONS major AND this build.
+//
+// We deliberately spoof the current STABLE Chrome (148), NOT whatever build
+// puppeteer happens to bundle (currently 149, ahead of Stable) — the spoof
+// must blend with the real-world population, and almost nobody runs 149 yet.
+// 7778.217 is a real 148 Stable build (verified against a live Chrome 148
+// desktop). The bundled 149 binary still works; only the claimed identity is
+// pinned to Stable.
+const CHROME_BUILD = '7778.217';
+// Chrome's UA-CH GREASE brand. Despite the name, GREASE is NOT random per
+// request — Chromium derives the greasy brand string AND the brand-list order
+// deterministically from the major version, so every real Chrome 148 emits the
+// exact same Sec-CH-UA. Anti-bot detectors exploit this: a spoofer that uses a
+// stale/wrong grease ("Not:A-Brand" instead of 148's "Not/A)Brand") or the
+// wrong order is instantly flagged. Real Chrome 148 order is Chromium, Google
+// Chrome, <grease>. Both the string AND the order are version-coupled — update
+// alongside the major when bumping (verify against a real Chrome of that major).
+const CHROME_GREASE_BRAND = 'Not/A)Brand';
 // User agent collections with latest versions
 const USER_AGENT_COLLECTIONS = Object.freeze(new Map([
   // Chrome version uses the reduced 'X.0.0.0' privacy-preserving form (per
-  // Chrome's UA reduction since v101). The full build (148.0.7778.179) is
+  // Chrome's UA reduction since v101). The full build (148.0.7778.217) is
   // not exposed via UA in modern Chrome — UA-Client-Hints carries that
-  // separately. User confirmed Chrome 148 stable as of late May 2026.
+  // separately (see CHROME_BUILD). Pinned to the current STABLE major (148),
+  // which is what the real-world population runs — NOT the newer build
+  // puppeteer bundles; we want to blend in, not advertise an ahead-of-Stable
+  // version. Bump when Stable advances, alongside CHROME_BUILD.
   ['chrome', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
   ['chrome_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
   ['chrome_linux', "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
@@ -177,7 +208,7 @@ function generateRealisticFingerprint(userAgent, domain = '') {
   // Generate OS-appropriate hardware specs
   const profiles = {
     windows: {
-      deviceMemory: [8, 16], // Common Windows configurations
+      deviceMemory: [8], // caps at 8 (navigator.deviceMemory max); matches HTTP Sec-CH-Device-Memory on >=8GB hosts
       hardwareConcurrency: [4, 6, 8], // Typical consumer CPUs
       platform: 'Win32',
       timezone: 'America/New_York',
@@ -189,7 +220,7 @@ function generateRealisticFingerprint(userAgent, domain = '') {
       ]
     },
     mac: {
-      deviceMemory: [8, 16], // MacBook/iMac typical configs
+      deviceMemory: [8], // caps at 8 (see Windows profile note)
       hardwareConcurrency: [8, 10], // Apple Silicon M1/M2 cores
       platform: 'MacIntel',
       timezone: 'America/Los_Angeles',
@@ -201,7 +232,7 @@ function generateRealisticFingerprint(userAgent, domain = '') {
       ]
     },
     linux: {
-      deviceMemory: [8, 16],
+      deviceMemory: [8],
       hardwareConcurrency: [4, 8, 12], // Wide variety on Linux
       platform: 'Linux x86_64',
       timezone: 'America/New_York',
@@ -331,7 +362,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
       // same value regardless of which evaluate runs first.
       const realistic = generateRealisticFingerprint(ua, siteDomain);
-      await page.evaluateOnNewDocument((userAgent, debugEnabled, gpuConfig, seededCores) => {
+      await page.evaluateOnNewDocument((userAgent, debugEnabled, gpuConfig, seededCores, chromeBuild, chromeGrease) => {
         // Apply inline error suppression first
         (function() {
@@ -879,13 +910,22 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           if (!userAgent.includes('Chrome/')) return; // Only for Chrome UAs
           const chromeMatch = userAgent.match(/Chrome\/(\d+)/);
-          const majorVersion = chromeMatch ? chromeMatch[1] : '145';
+          const majorVersion = chromeMatch ? chromeMatch[1] : '148';
           let platform = 'Windows';
-          let platformVersion = '15.0.0';
+          // 19.0.0 = current Windows 11 mapping (verified against a real
+          // Chrome 148 desktop; the old 15.0.0 was an older Win11 build).
+          // MUST match nwss.js's Sec-CH-UA-Platform-Version header.
+          let platformVersion = '19.0.0';
           let architecture = 'x86';
           let model = '';
           let bitness = '64';
+          // wow64 is true only for a 32-bit Chrome on 64-bit Windows. Our
+          // spoofed configs are all 64-bit (bitness '64'), so it's false on
+          // every platform — but the value must be PRESENT: the server's
+          // accept-ch requests sec-ch-ua-wow64 and trackers call
+          // getHighEntropyValues(['wow64']); an undefined return is a tell.
+          const wow64 = false;
           if (userAgent.includes('Macintosh') || userAgent.includes('Mac OS X')) {
             platform = 'macOS';
             platformVersion = '13.5.0';
@@ -896,10 +936,12 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             architecture = 'x86';
           }
+          // Order + grease must match real Chrome of this major exactly
+          // (deterministic GREASE): Chromium, Google Chrome, <grease>.
           const brands = [
-            { brand: 'Not:A-Brand', version: '99' },
+            { brand: 'Chromium', version: majorVersion },
             { brand: 'Google Chrome', version: majorVersion },
-            { brand: 'Chromium', version: majorVersion }
+            { brand: chromeGrease, version: '99' }
           ];
           const uaData = {
@@ -914,18 +956,20 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
                 architecture: architecture,
                 bitness: bitness,
                 model: model,
+                wow64: wow64,
+                // Real Chrome (128+) always exposes this for desktop. Omitting
+                // it returned undefined to any site requesting form-factors.
+                formFactors: ['Desktop'],
                 platformVersion: platformVersion,
+                // uaFullVersion (deprecated but still requested via
+                // sec-ch-ua-full-version) and fullVersionList both carry the
+                // real build, sourced from CHROME_BUILD (passed in as
+                // chromeBuild) so HTTP headers and JS can't drift apart.
+                uaFullVersion: majorVersion + '.0.' + chromeBuild,
                 fullVersionList: [
-                  { brand: 'Not:A-Brand', version: '99.0.0.0' },
-                  // Build number 7778.179 matches real Chrome 148 stable
-                  // (per user-confirmed installed version as of late May 2026).
-                  // Prior 7632.160 was Chrome 145's build — outdated for 148.
-                  // If Chrome major bumps in future, update this build number
-                  // too — fullVersionList being inconsistent with the major
-                  // version is a fingerprint-detection signal (a real Chrome
-                  // 148 install would never report a 7632.x build).
-                  { brand: 'Google Chrome', version: majorVersion + '.0.7778.179' },
-                  { brand: 'Chromium', version: majorVersion + '.0.7778.179' }
+                  { brand: 'Chromium', version: majorVersion + '.0.' + chromeBuild },
+                  { brand: 'Google Chrome', version: majorVersion + '.0.' + chromeBuild },
+                  { brand: chromeGrease, version: '99.0.0.0' }
                 ]
               };
               // Only return requested hints
@@ -1575,25 +1619,11 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'pdfViewerEnabled spoofing');
-        // speechSynthesis — headless returns empty voices array
-        safeExecute(() => {
-          if (window.speechSynthesis) {
-            const origGetVoices = speechSynthesis.getVoices.bind(speechSynthesis);
-            speechSynthesis.getVoices = function() {
-              const voices = origGetVoices();
-              if (voices.length === 0) {
-                return [{
-                  default: true, lang: 'en-US', localService: true,
-                  name: 'Microsoft David - English (United States)', voiceURI: 'Microsoft David - English (United States)'
-                }, {
-                  default: false, lang: 'en-US', localService: true,
-                  name: 'Microsoft Zira - English (United States)', voiceURI: 'Microsoft Zira - English (United States)'
-                }];
-              }
-              return voices;
-            };
-          }
-        }, 'speechSynthesis spoofing');
+        // (speechSynthesis voices are spoofed in a single, fuller block later
+        // in this evaluate — "speechSynthesis voices spoofing" — which installs
+        // the complete claimed-OS voice set with instanceof-correct objects. An
+        // earlier 2-voice fallback override lived here and was redundant: the
+        // later block replaced it unconditionally on every injection. Removed.)
         // AudioContext fingerprint spoofing — intercept the actual READ
         // surface fingerprinters care about.
@@ -2230,36 +2260,27 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         // Battery API spoofing
         //
-        // Previously: `Math.random()` for every field, fired on every
-        // evaluateOnNewDocument injection (i.e. every page load). Battery
-        // 'level' jumping from 0.42 to 0.87 to 0.31 across navigations on
-        // the same site is anomalous -- real battery state changes slowly
-        // (minutes, not seconds). Detector noting battery delta across
-        // reloads catches us.
+        // Report the plugged-in / fully-charged default: charging=true,
+        // level=1, chargingTime=0, dischargingTime=Infinity. This is what a
+        // real Chrome desktop reports (verified against a live reference) AND
+        // what the largest slice of the population shows (desktops + plugged-in
+        // laptops), so it blends with the majority.
         //
-        // Now: FNV-1a hash of window.location.hostname seeds all four
-        // fields. Stable per-domain across navigations; varies across
-        // sites (so cross-publisher correlation isn't trivial via this
-        // signal). Also corrects two real-Chrome invariants the old
-        // spoof violated:
-        //   - charging=true  -> chargingTime finite, dischargingTime = Infinity
-        //   - charging=false -> chargingTime = Infinity, dischargingTime finite
-        // The old spoof could produce 'both finite' which never happens
-        // in real Chrome.
+        // Battery is a known fingerprinting vector. The prior approach
+        // per-domain-randomized a partial level (0.25..0.94) and the charging
+        // state — but a partial battery level is MORE identifying than the
+        // common plugged-in state, and "Desktop" form-factor + a discharging
+        // battery is mildly contradictory. The fixed plugged-in default is
+        // both the least-surprising value and carries zero cross-domain entropy.
+        // (Earlier history: an even-older spoof used Math.random() per field,
+        // which made level jump between reloads — also anomalous.)
         safeExecute(() => {
           if (navigator.getBattery) {
-            // FNV-1a 32-bit hash of the hostname -- cheap, deterministic.
-            let h = 0x811c9dc5;
-            const domain = (window.location && window.location.hostname) || '';
-            for (let i = 0; i < domain.length; i++) {
-              h = ((h ^ domain.charCodeAt(i)) * 0x01000193) >>> 0;
-            }
-            const charging = (h & 1) === 1;
             const batteryState = {
-              charging,
-              chargingTime: charging ? (((h >>> 4) % 3540) + 60) : Infinity,        // 60..3600s when charging
-              dischargingTime: charging ? Infinity : (((h >>> 8) % 6600) + 600),    // 600..7200s when on battery
-              level: Math.round((((h >>> 16) % 70) + 25)) / 100,                    // 0.25..0.94, 2-decimal precision
+              charging: true,
+              chargingTime: 0,
+              dischargingTime: Infinity,
+              level: 1,
               addEventListener: () => {},
               removeEventListener: () => {},
               dispatchEvent: () => true
@@ -2270,6 +2291,105 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'battery API spoofing');
+        // navigator.bluetooth (Web Bluetooth). Real Chrome ALWAYS exposes the
+        // Bluetooth object — even with no adapter, where getAvailability()
+        // resolves false. Headless Chrome omits it entirely, so `'bluetooth'
+        // in navigator` returning false is a headless tell. Provide a minimal
+        // stub (only when missing) so the presence check passes; report no
+        // adapter (false) — honest for a server, common for a real desktop,
+        // and avoids claiming hardware a requestDevice() probe couldn't back.
+        safeExecute(() => {
+          if (!navigator.bluetooth) {
+            const bt = {
+              getAvailability: () => Promise.resolve(false),
+              getDevices: () => Promise.resolve([]),
+              requestDevice: () => Promise.reject(
+                new DOMException('User cancelled the requestDevice() chooser.', 'NotFoundError')),
+              addEventListener: () => {},
+              removeEventListener: () => {},
+              dispatchEvent: () => true
+            };
+            if (typeof maskAsNative === 'function') {
+              maskAsNative(bt.getAvailability, 'getAvailability');
+              maskAsNative(bt.requestDevice, 'requestDevice');
+              maskAsNative(bt.getDevices, 'getDevices');
+            }
+            Object.defineProperty(navigator, 'bluetooth', { get: () => bt, configurable: true });
+          }
+        }, 'bluetooth API spoofing');
+        // SpeechSynthesis voices. Real Chrome ships an OS-dependent voice set;
+        // a non-Windows headless host can't have the Microsoft SAPI voices a
+        // Windows UA implies, so the short native list (2 voices here) reading
+        // back contradicts the claimed OS. Provide the canonical set for the
+        // claimed OS (verified vs a live Windows Chrome reference). Voice
+        // objects are built on SpeechSynthesisVoice.prototype with OWN data
+        // properties, so `voice instanceof SpeechSynthesisVoice` passes AND
+        // name/lang/localService read back the spoofed values (own props shadow
+        // the prototype getters). getVoices() returns a fresh array per call,
+        // like real Chrome.
+        safeExecute(() => {
+          if (!window.speechSynthesis) return;
+          const SSV = window.SpeechSynthesisVoice;
+          const isWin = /Windows/.test(userAgent);
+          const mk = (name, lang, local) => {
+            const data = { voiceURI: name, name, lang, localService: local, default: false };
+            if (SSV && SSV.prototype) {
+              const v = Object.create(SSV.prototype);
+              for (const k in data) {
+                Object.defineProperty(v, k, { value: data[k], enumerable: true, configurable: true, writable: k === 'default' });
+              }
+              return v;
+            }
+            return data;
+          };
+          // Microsoft SAPI voices are Windows-only; the Google network voices
+          // are the same set across platforms.
+          const ms = isWin ? [
+            mk('Microsoft David - English (United States)', 'en-US', true),
+            mk('Microsoft Mark - English (United States)', 'en-US', true),
+            mk('Microsoft Zira - English (United States)', 'en-US', true)
+          ] : [];
+          const google = [
+            ['Google Deutsch', 'de-DE'], ['Google US English', 'en-US'],
+            ['Google UK English Female', 'en-GB'], ['Google UK English Male', 'en-GB'],
+            ['Google español', 'es-ES'], ['Google español de Estados Unidos', 'es-US'],
+            ['Google français', 'fr-FR'], ['Google हिन्दी', 'hi-IN'],
+            ['Google Bahasa Indonesia', 'id-ID'], ['Google italiano', 'it-IT'],
+            ['Google 日本語', 'ja-JP'], ['Google 한국의', 'ko-KR'],
+            ['Google Nederlands', 'nl-NL'], ['Google polski', 'pl-PL'],
+            ['Google português do Brasil', 'pt-BR'], ['Google русский', 'ru-RU'],
+            ['Google 普通话（中国大陆）', 'zh-CN'], ['Google 粤語（香港）', 'zh-HK'],
+            ['Google 國語（臺灣）', 'zh-TW']
+          ].map(([n, l]) => mk(n, l, false));
+          const voices = ms.concat(google);
+          if (voices[0]) voices[0].default = true;
+          window.speechSynthesis.getVoices = function getVoices() { return voices.slice(); };
+          if (typeof maskAsNative === 'function') maskAsNative(window.speechSynthesis.getVoices, 'getVoices');
+        }, 'speechSynthesis voices spoofing');
+        // Web Share API (navigator.share / canShare). Present on real DESKTOP
+        // Chrome (since 89) but absent in headless, so `'share' in navigator`
+        // returning false contradicts a desktop UA. Provide stubs only when
+        // missing. canShare() mirrors Chrome's "is there shareable data?"
+        // result; share() requires transient user activation, which automation
+        // never has, so real Chrome rejects with NotAllowedError — match that.
+        safeExecute(() => {
+          if (typeof navigator.canShare !== 'function') {
+            const canShare = function canShare(data) {
+              if (!data) return false;
+              return !!(data.url || data.text || data.title || (data.files && data.files.length));
+            };
+            const share = function share() {
+              return Promise.reject(new DOMException(
+                'Must be handling a user gesture to perform a share request.', 'NotAllowedError'));
+            };
+            if (typeof maskAsNative === 'function') { maskAsNative(canShare, 'canShare'); maskAsNative(share, 'share'); }
+            Object.defineProperty(navigator, 'canShare', { value: canShare, configurable: true, writable: true });
+            Object.defineProperty(navigator, 'share', { value: share, configurable: true, writable: true });
+          }
+        }, 'web share API spoofing');
         // Enhanced Mouse/Pointer Spoofing
         //
         safeExecute(() => {
@@ -2435,7 +2555,9 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             [HTMLCanvasElement.prototype, ['getContext', 'toDataURL', 'toBlob']],
             [CanvasRenderingContext2D.prototype, ['getImageData', 'fillText', 'strokeText', 'measureText']],
             [EventTarget.prototype, ['addEventListener', 'removeEventListener']],
-            [Date.prototype, ['getTimezoneOffset']],
+            // Date.prototype.getTimezoneOffset is no longer overridden (timezone
+            // is done via CDP emulateTimezone), so the native function needs no
+            // masking — masking a native fn is at best a no-op, at worst a wrap.
           ];
           if (typeof WebGL2RenderingContext !== 'undefined') {
             protoMasks.push([WebGL2RenderingContext.prototype, ['getParameter', 'getExtension']]);
@@ -2516,7 +2638,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'interaction-gated script trigger');
-      }, ua, forceDebug, selectedGpu, realistic.hardwareConcurrency);
+      }, ua, forceDebug, selectedGpu, realistic.hardwareConcurrency, CHROME_BUILD, CHROME_GREASE_BRAND);
     } catch (stealthErr) {
       if (isSessionClosedError(stealthErr)) {
         if (forceDebug) console.log(formatLogMessage('debug', `Page closed during stealth injection: ${currentUrl}`));
@@ -2704,36 +2826,14 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
       };
       spoofNavigatorProperties(navigator, languageSpoofProps);
-      // Timezone spoofing
-      if (spoof.timezone && window.Intl?.DateTimeFormat) {
-        const OriginalDateTimeFormat = window.Intl.DateTimeFormat;
-        window.Intl.DateTimeFormat = function(...args) {
-          const instance = new OriginalDateTimeFormat(...args);
-          const originalResolvedOptions = instance.resolvedOptions;
-          instance.resolvedOptions = function() {
-            const opts = originalResolvedOptions.call(this);
-            opts.timeZone = spoof.timezone;
-            return opts;
-          };
-          return instance;
-        };
-        Object.setPrototypeOf(window.Intl.DateTimeFormat, OriginalDateTimeFormat);
-        // Timezone offset spoofing
-        const timezoneOffsets = {
-          'America/New_York': 300,
-          'America/Los_Angeles': 480,
-          'Europe/London': 0,
-          'America/Chicago': 360
-        };
-        const originalGetTimezoneOffset = Date.prototype.getTimezoneOffset;
-        Date.prototype.getTimezoneOffset = function() {
-          return timezoneOffsets[spoof.timezone] || originalGetTimezoneOffset.call(this);
-        };
-      }
+      // Timezone is handled at the CDP level via page.emulateTimezone() (set
+      // in applyFingerprintProtection, Node side) — NOT here. JS-patching
+      // Intl.resolvedOptions + Date.getTimezoneOffset was actively harmful: it
+      // left the real Date object in the host's true zone, so the formatted
+      // time / getHours() / Date.toString() contradicted the claimed zone, and
+      // the hardcoded offsets ignored DST. emulateTimezone makes every Date and
+      // Intl read consistent, so no JS override is needed (or wanted) here.
       // Cookie and DNT spoofing
       if (spoof.cookieEnabled !== undefined) {
         safeDefinePropertyLocal(navigator, 'cookieEnabled', { get: () => spoof.cookieEnabled });
@@ -2743,6 +2843,22 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
       }
     }, { spoof, debugEnabled: forceDebug });
+    // Timezone: use CDP-level emulation (Emulation.setTimezoneOverride) instead
+    // of JS patching. The old JS overrides (Intl.resolvedOptions + Date.proto
+    // getTimezoneOffset) left the REAL Date object in the host's true zone, so
+    // Date.toString(), getHours(), and an Intl format of the same instant all
+    // contradicted the claimed zone (verified: claimed America/New_York while
+    // Date reported the host zone — an 8-hour hour gap, a textbook tell).
+    // emulateTimezone changes the browser's ACTUAL timezone, so Date, Intl, and
+    // getTimezoneOffset are all consistent (and DST-correct).
+    if (spoof.timezone) {
+      try {
+        await page.emulateTimezone(spoof.timezone);
+      } catch (tzErr) {
+        if (forceDebug) console.log(formatLogMessage('debug', `emulateTimezone(${spoof.timezone}) failed for ${currentUrl}: ${tzErr.message}`));
+      }
+    }
   } catch (err) {
     if (isSessionClosedError(err)) {
       if (forceDebug) console.log(formatLogMessage('debug', `Page closed during fingerprint injection: ${currentUrl}`));
@@ -2920,6 +3036,13 @@ async function applyAllFingerprintSpoofing(page, siteConfig, forceDebug, current
 // module.exports only if a new external consumer appears.
 module.exports = {
   applyAllFingerprintSpoofing,
+  // Build portion of the Chrome full version — nwss.js uses it to keep the
+  // Sec-CH-UA-Full-Version* HTTP headers consistent with the JS high-entropy
+  // spoof. Single source of truth for the build that the reduced UA hides.
+  CHROME_BUILD,
+  // GREASE brand string — nwss.js uses it for the Sec-CH-UA / -Full-Version-List
+  // headers so the HTTP brand list matches the JS brands (and real Chrome).
+  CHROME_GREASE_BRAND,
   // Exposed for scripts/test-stealth.js so the harness can validate --ua=
   // against the canonical UA list (instead of duplicating the keys here).
   // The Map itself is frozen; consumers cannot mutate the spoof source.