@jshookmcp/jshook 0.2.7 → 0.2.9

package/dist/handlers-9sAbfIg-.mjs

@@ -0,0 +1,2552 @@
+import { n as asJsonResponse } from "./response-BQVP-xUn.mjs";
+import { a as enableKeyLog, c as parseKeyLog, i as disableKeyLog, l as summarizeKeyLog, n as TLSKeyLogExtractor, o as getKeyLogFilePath, r as decryptPayload, s as lookupSecret } from "./boringssl-inspector-BH2D3VKc.mjs";
+import { a as argString, n as argEnum, o as argStringArray, r as argNumber, t as argBool } from "./parse-args-BlRjqlkL.mjs";
+import { a as isLoopbackHost, s as isPrivateHost } from "./ssrf-policy-ZaUfvhq7.mjs";
+import { X509Certificate, createHash, randomBytes, randomUUID } from "node:crypto";
+import { readFile } from "node:fs/promises";
+import { Socket, createServer, isIP } from "node:net";
+import { createSocket } from "node:dgram";
+import { checkServerIdentity, connect } from "node:tls";
+//#region src/server/domains/boringssl-inspector/handlers/shared.ts
+function validateNetworkTarget(host) {
+	if (isPrivateHost(host) && !isLoopbackHost(host)) return {
+		ok: false,
+		error: `Blocked: target host "${host}" resolves to a private/internal address. SSRF protection applies.`
+	};
+	return null;
+}
+const TLS_VERSION_SET = new Set([
+	"TLSv1",
+	"TLSv1.1",
+	"TLSv1.2",
+	"TLSv1.3"
+]);
+function errorMessage(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+function normalizeSocketServername(servername) {
+	return typeof servername === "string" && servername.length > 0 ? servername : null;
+}
+function normalizeAlpnProtocol(protocol) {
+	return typeof protocol === "string" && protocol.length > 0 ? protocol : null;
+}
+function applyTlsValidationPolicy(options, allowInvalidCertificates) {
+	const next = { ...options };
+	Reflect.set(next, "rejectUnauthorized", !allowInvalidCertificates);
+	return next;
+}
+function isNonEmptyObject(value) {
+	return value !== null && typeof value === "object" && Object.keys(value).length > 0;
+}
+function hasPeerCertificate(value) {
+	return isNonEmptyObject(value);
+}
+function summarizePeerCertificate(cert, depth) {
+	const raw = Buffer.isBuffer(cert.raw) ? cert.raw : null;
+	const x509 = raw ? new X509Certificate(raw) : null;
+	const subject = x509?.subject ?? null;
+	const issuer = x509?.issuer ?? null;
+	return {
+		depth,
+		subject,
+		issuer,
+		subjectAltName: x509?.subjectAltName ?? cert.subjectaltname ?? null,
+		serialNumber: x509?.serialNumber ?? cert.serialNumber ?? null,
+		validFrom: x509?.validFrom ?? cert.valid_from ?? null,
+		validTo: x509?.validTo ?? cert.valid_to ?? null,
+		fingerprint256: x509?.fingerprint256 ?? cert.fingerprint256 ?? null,
+		fingerprint512: x509?.fingerprint512 ?? cert.fingerprint512 ?? null,
+		rawLength: raw?.length ?? null,
+		isCA: x509?.ca ?? cert.ca ?? null,
+		selfIssued: subject && issuer ? subject === issuer : null
+	};
+}
+function buildPeerCertificateChain(peerCertificate) {
+	if (!peerCertificate) return [];
+	const chain = [];
+	const seen = /* @__PURE__ */ new Set();
+	let current = peerCertificate;
+	let depth = 0;
+	while (current && hasPeerCertificate(current)) {
+		const summary = summarizePeerCertificate(current, depth);
+		const dedupeKey = summary.fingerprint256 ?? `${summary.subject ?? "unknown-subject"}:${summary.serialNumber ?? "unknown-serial"}:${depth}`;
+		if (seen.has(dedupeKey)) break;
+		seen.add(dedupeKey);
+		chain.push(summary);
+		if (!("issuerCertificate" in current)) break;
+		const issuerCertificate = current.issuerCertificate;
+		if (!issuerCertificate || issuerCertificate === current || !hasPeerCertificate(issuerCertificate)) break;
+		current = issuerCertificate;
+		depth += 1;
+	}
+	return chain;
+}
+async function loadProbeCaBundle(args) {
+	const caPem = argString(args, "caPem") ?? null;
+	const caPath = argString(args, "caPath") ?? null;
+	if (caPem && caPath) return {
+		ok: false,
+		error: "caPem and caPath are mutually exclusive"
+	};
+	if (caPem) return {
+		ok: true,
+		ca: caPem,
+		source: "inline",
+		path: null,
+		bytes: Buffer.byteLength(caPem)
+	};
+	if (caPath) try {
+		const ca = await readFile(caPath, "utf8");
+		return {
+			ok: true,
+			ca,
+			source: "path",
+			path: caPath,
+			bytes: Buffer.byteLength(ca)
+		};
+	} catch (error) {
+		return {
+			ok: false,
+			error: `Failed to read caPath "${caPath}": ${errorMessage(error)}`
+		};
+	}
+	return {
+		ok: true,
+		ca: void 0,
+		source: null,
+		path: null,
+		bytes: null
+	};
+}
+function makeSessionId(kind) {
+	return `${kind}_${randomUUID()}`;
+}
+function serializeSocketAddresses(socket) {
+	return {
+		localAddress: socket.localAddress ?? null,
+		localPort: socket.localPort ?? null,
+		remoteAddress: socket.remoteAddress ?? null,
+		remotePort: socket.remotePort ?? null
+	};
+}
+function serializeSessionState(session) {
+	return {
+		bufferedBytes: session.buffer.length,
+		remoteEnded: session.ended,
+		socketClosed: session.closed,
+		error: session.error
+	};
+}
+function serializeWebSocketSessionState(session) {
+	return {
+		bufferedBytes: session.parserBuffer.length,
+		queuedFrames: session.frames.length,
+		remoteEnded: session.ended,
+		socketClosed: session.closed,
+		closeSent: session.closeSent,
+		closeReceived: session.closeReceived,
+		error: session.error
+	};
+}
+function normalizeWebSocketPath(path) {
+	if (!path || path.trim().length === 0) return "/";
+	return path.startsWith("/") ? path : `/${path}`;
+}
+function websocketOpcodeName(opcode) {
+	switch (opcode) {
+		case 1: return "text";
+		case 2: return "binary";
+		case 8: return "close";
+		case 9: return "ping";
+		case 10: return "pong";
+		default: return null;
+	}
+}
+function computeWebSocketAccept(requestKey) {
+	return createHash("sha1").update(`${requestKey}258EAFA5-E914-47DA-95CA-C5AB0DC85B11`, "utf8").digest("base64");
+}
+function encodeWebSocketFrame(type, payload, closeCode, closeReason) {
+	let opcode = 1;
+	let framePayload = payload;
+	if (type === "binary") opcode = 2;
+	else if (type === "close") {
+		opcode = 8;
+		if (closeCode !== void 0 && closeCode !== null) {
+			const reasonBuffer = closeReason ? Buffer.from(closeReason, "utf8") : Buffer.alloc(0);
+			framePayload = Buffer.alloc(2 + reasonBuffer.length);
+			framePayload.writeUInt16BE(closeCode, 0);
+			reasonBuffer.copy(framePayload, 2);
+		} else if (closeReason) framePayload = Buffer.from(closeReason, "utf8");
+	} else if (type === "ping") opcode = 9;
+	else if (type === "pong") opcode = 10;
+	const maskKey = randomBytes(4);
+	const payloadLength = framePayload.length;
+	let header;
+	if (payloadLength < 126) {
+		header = Buffer.alloc(2);
+		header[1] = 128 | payloadLength;
+	} else if (payloadLength <= 65535) {
+		header = Buffer.alloc(4);
+		header[1] = 254;
+		header.writeUInt16BE(payloadLength, 2);
+	} else {
+		header = Buffer.alloc(10);
+		header[1] = 255;
+		header.writeBigUInt64BE(BigInt(payloadLength), 2);
+	}
+	header[0] = 128 | opcode;
+	const maskedPayload = Buffer.alloc(payloadLength);
+	for (let index = 0; index < payloadLength; index += 1) maskedPayload[index] = framePayload[index] ^ maskKey[index % 4];
+	return Buffer.concat([
+		header,
+		maskKey,
+		maskedPayload
+	]);
+}
+function tryConsumeWebSocketFrame(buffer) {
+	if (buffer.length < 2) return null;
+	const first = buffer[0];
+	const second = buffer[1];
+	const fin = (first & 128) !== 0;
+	const opcode = first & 15;
+	const masked = (second & 128) !== 0;
+	let payloadLength = second & 127;
+	let cursor = 2;
+	if (payloadLength === 126) {
+		if (buffer.length < cursor + 2) return null;
+		payloadLength = buffer.readUInt16BE(cursor);
+		cursor += 2;
+	} else if (payloadLength === 127) {
+		if (buffer.length < cursor + 8) return null;
+		const bigLength = buffer.readBigUInt64BE(cursor);
+		if (bigLength > BigInt(Number.MAX_SAFE_INTEGER)) throw new Error("WebSocket frame payload length exceeds supported limits");
+		payloadLength = Number(bigLength);
+		cursor += 8;
+	}
+	const maskKey = masked ? buffer.subarray(cursor, cursor + 4) : null;
+	if (masked) {
+		if (buffer.length < cursor + 4) return null;
+		cursor += 4;
+	}
+	if (buffer.length < cursor + payloadLength) return null;
+	const payload = buffer.subarray(cursor, cursor + payloadLength);
+	const data = Buffer.alloc(payload.length);
+	if (masked && maskKey) for (let index = 0; index < payload.length; index += 1) data[index] = payload[index] ^ maskKey[index % 4];
+	else payload.copy(data);
+	const type = websocketOpcodeName(opcode);
+	if (!type) throw new Error(`Unsupported WebSocket opcode 0x${opcode.toString(16)}`);
+	let closeCode = null;
+	let closeReason = null;
+	if (type === "close" && data.length >= 2) {
+		closeCode = data.readUInt16BE(0);
+		closeReason = data.subarray(2).toString("utf8");
+	}
+	return {
+		frame: {
+			type,
+			fin,
+			opcode,
+			masked,
+			data,
+			closeCode,
+			closeReason,
+			receivedAt: Date.now()
+		},
+		bytesConsumed: cursor + payloadLength
+	};
+}
+function wakeSessionWaiters(session) {
+	for (const waiter of session.waiters) waiter();
+	session.waiters.clear();
+}
+function attachBufferedSession(session) {
+	session.socket.on("data", (chunk) => {
+		session.buffer = Buffer.concat([session.buffer, chunk]);
+		wakeSessionWaiters(session);
+	});
+	session.socket.on("end", () => {
+		session.ended = true;
+		wakeSessionWaiters(session);
+	});
+	session.socket.on("close", () => {
+		session.closed = true;
+		wakeSessionWaiters(session);
+	});
+	session.socket.on("error", (error) => {
+		session.error = error.message;
+		wakeSessionWaiters(session);
+	});
+}
+function waitForSessionActivity(session, timeoutMs) {
+	return new Promise((resolve) => {
+		const onActivity = () => {
+			clearTimeout(timer);
+			session.waiters.delete(onActivity);
+			resolve(true);
+		};
+		const timer = setTimeout(() => {
+			session.waiters.delete(onActivity);
+			resolve(false);
+		}, timeoutMs);
+		session.waiters.add(onActivity);
+	});
+}
+function wakeWebSocketWaiters(session) {
+	for (const waiter of session.waiters) waiter();
+	session.waiters.clear();
+}
+function waitForWebSocketActivity(session, timeoutMs) {
+	return new Promise((resolve) => {
+		const onActivity = () => {
+			clearTimeout(timer);
+			session.waiters.delete(onActivity);
+			resolve(true);
+		};
+		const timer = setTimeout(() => {
+			session.waiters.delete(onActivity);
+			resolve(false);
+		}, timeoutMs);
+		session.waiters.add(onActivity);
+	});
+}
+function consumeSessionBuffer(session, delimiter, includeDelimiter, maxBytes) {
+	if (delimiter) {
+		const matchIndex = session.buffer.indexOf(delimiter);
+		if (matchIndex >= 0) {
+			const consumedBytes = matchIndex + delimiter.length;
+			const data = includeDelimiter ? session.buffer.subarray(0, consumedBytes) : session.buffer.subarray(0, matchIndex);
+			session.buffer = session.buffer.subarray(consumedBytes);
+			return {
+				data,
+				matchedDelimiter: true,
+				stopReason: "delimiter",
+				delimiterHex: delimiter.toString("hex").toUpperCase()
+			};
+		}
+	}
+	if (typeof maxBytes === "number" && session.buffer.length >= maxBytes) {
+		const data = session.buffer.subarray(0, maxBytes);
+		session.buffer = session.buffer.subarray(maxBytes);
+		return {
+			data,
+			matchedDelimiter: false,
+			stopReason: "maxBytes",
+			delimiterHex: delimiter ? delimiter.toString("hex").toUpperCase() : null
+		};
+	}
+	if ((session.error || session.ended || session.closed) && session.buffer.length > 0) {
+		const data = session.buffer;
+		session.buffer = Buffer.alloc(0);
+		return {
+			data,
+			matchedDelimiter: false,
+			stopReason: session.error ? "error" : "closed",
+			delimiterHex: delimiter ? delimiter.toString("hex").toUpperCase() : null
+		};
+	}
+	return null;
+}
+function normalizeHex(value) {
+	return value.replace(/\s+/g, "").toUpperCase();
+}
+function isHex(value) {
+	return value.length > 0 && value.length % 2 === 0 && /^[0-9A-F]+$/i.test(value);
+}
+function tlsVersionName(major, minor) {
+	if (major === 3 && minor === 1) return "TLS 1.0";
+	if (major === 3 && minor === 2) return "TLS 1.1";
+	if (major === 3 && minor === 3) return "TLS 1.2";
+	if (major === 3 && minor === 4) return "TLS 1.3";
+	return `0x${major.toString(16).padStart(2, "0")}${minor.toString(16).padStart(2, "0")}`;
+}
+function contentTypeName(contentType) {
+	if (contentType === 20) return "change_cipher_spec";
+	if (contentType === 21) return "alert";
+	if (contentType === 22) return "handshake";
+	if (contentType === 23) return "application_data";
+	if (contentType === 24) return "heartbeat";
+	return "unknown";
+}
+/**
+* Parse TLS ClientHello to extract SNI, cipher suites, and extensions.
+* Handles two input layouts:
+* - With handshake header: [type(1) + length(3) + version(2) + random(32) + ...]
+* - Without handshake header: [version(2) + random(32) + ...]
+*/
+function parseClientHello(payload) {
+	const result = {
+		cipherSuites: [],
+		extensions: []
+	};
+	const bodyOffset = payload[0] !== void 0 && payload[0] < 25 ? 4 : 0;
+	if (payload.length < bodyOffset + 38) return result;
+	const sessionIdOffset = bodyOffset + 34;
+	const sessionIdLength = payload[sessionIdOffset] ?? 0;
+	let cursor = sessionIdOffset + 1 + sessionIdLength;
+	if (cursor + 2 > payload.length) return result;
+	const cipherSuitesLength = payload.readUInt16BE(cursor);
+	cursor += 2;
+	const cipherSuitesEnd = cursor + cipherSuitesLength;
+	while (cursor + 2 <= cipherSuitesEnd) {
+		const suiteId = payload.readUInt16BE(cursor);
+		result.cipherSuites.push(CIPHER_SUITES_BY_ID[suiteId] ?? `0x${suiteId.toString(16).padStart(4, "0")}`);
+		cursor += 2;
+	}
+	cursor = cipherSuitesEnd + 1;
+	if (cursor < payload.length) {
+		const compLength = payload[cursor];
+		if (compLength !== void 0) cursor += 1 + compLength;
+	}
+	if (cursor + 2 <= payload.length) {
+		const extensionsLength = payload.readUInt16BE(cursor);
+		cursor += 2;
+		const extensionsEnd = cursor + extensionsLength;
+		while (cursor + 4 <= extensionsEnd) {
+			const extType = payload.readUInt16BE(cursor);
+			const extLength = payload.readUInt16BE(cursor + 2);
+			cursor += 4;
+			const extName = EXTENSION_NAMES[extType] ?? `unknown(0x${extType.toString(16)})`;
+			result.extensions.push({
+				type: extType,
+				name: extName,
+				length: extLength
+			});
+			if (extType === 0 && cursor + 2 <= extensionsEnd) {
+				const sniCursor = cursor + 2;
+				if (sniCursor + 3 <= extensionsEnd) {
+					if (payload[sniCursor] === 0) {
+						const sniLength = payload.readUInt16BE(sniCursor + 1);
+						const sniStart = sniCursor + 3;
+						if (sniStart + sniLength <= extensionsEnd) result.serverName = payload.subarray(sniStart, sniStart + sniLength).toString("utf8");
+					}
+				}
+			}
+			cursor += extLength;
+		}
+	}
+	return result;
+}
+const CIPHER_SUITES_BY_ID = {
+	156: "TLS_RSA_WITH_AES_128_GCM_SHA256",
+	157: "TLS_RSA_WITH_AES_256_GCM_SHA384",
+	52392: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	52393: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	4865: "TLS_AES_128_GCM_SHA256",
+	4866: "TLS_AES_256_GCM_SHA384",
+	4867: "TLS_CHACHA20_POLY1305_SHA256",
+	4868: "TLS_AES_128_CCM_SHA256",
+	4869: "TLS_AES_128_CCM_8_SHA256",
+	49195: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	49196: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	49200: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+};
+const EXTENSION_NAMES = {
+	0: "server_name",
+	1: "max_fragment_length",
+	5: "status_request",
+	10: "supported_groups",
+	13: "signature_algorithms",
+	16: "application_layer_protocol_negotiation",
+	18: "signed_certificate_timestamp",
+	23: "record_size_limit",
+	27: "compress_certificate",
+	35: "session_ticket",
+	43: "supported_versions",
+	44: "cookie",
+	45: "psk_key_exchange_modes",
+	49: "post_handshake_auth",
+	51: "key_share"
+};
+/**
+* Parse a DER-encoded certificate to extract basic info.
+*/
+function parseDerCertificate(der) {
+	const sha256 = createHash("sha256").update(der).digest("hex").toUpperCase();
+	try {
+		const cert = new X509Certificate(der);
+		return {
+			subject: cert.subject || void 0,
+			issuer: cert.issuer || void 0,
+			serialNumber: cert.serialNumber || void 0,
+			validFrom: cert.validFrom || void 0,
+			validTo: cert.validTo || void 0,
+			sha256,
+			length: der.length
+		};
+	} catch {
+		return {
+			sha256,
+			length: der.length
+		};
+	}
+}
+/**
+* Parse a chain of DER certificates from hex.
+*/
+function parseCertificateChain(hexPayload) {
+	const buffer = Buffer.from(normalizeHex(hexPayload), "hex");
+	const certs = [];
+	let cursor = 0;
+	while (cursor < buffer.length - 4) if (buffer[cursor] === 48) {
+		const info = parseDerCertificate(buffer.subarray(cursor));
+		certs.push({
+			sha256: info.sha256,
+			length: info.length
+		});
+		cursor += info.length;
+	} else cursor += 1;
+	if (certs.length === 0 && buffer.length > 0) certs.push({
+		sha256: createHash("sha256").update(buffer).digest("hex").toUpperCase(),
+		length: buffer.length
+	});
+	return certs;
+}
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/handler-class.ts
+/**
+* BoringsslInspectorHandlers — handler methods using shared utilities from ./shared.ts.
+*/
+var BoringsslInspectorHandlers = class {
+	extensionInvoke;
+	eventBus;
+	tcpSessions = /* @__PURE__ */ new Map();
+	tlsSessions = /* @__PURE__ */ new Map();
+	websocketSessions = /* @__PURE__ */ new Map();
+	constructor(keyLogExtractor = new TLSKeyLogExtractor()) {
+		this.keyLogExtractor = keyLogExtractor;
+	}
+	setExtensionInvoke(invoke) {
+		this.extensionInvoke = invoke;
+	}
+	setEventBus(eventBus) {
+		this.eventBus = eventBus;
+	}
+	getTcpSession(sessionId) {
+		return this.tcpSessions.get(sessionId) ?? null;
+	}
+	getTlsSession(sessionId) {
+		return this.tlsSessions.get(sessionId) ?? null;
+	}
+	getWebSocketSession(sessionId) {
+		return this.websocketSessions.get(sessionId) ?? null;
+	}
+	emitWebSocketEvent(event, payload) {
+		this.eventBus?.emit(event, payload);
+	}
+	parseWritePayload(args) {
+		const dataHex = argString(args, "dataHex");
+		const dataText = argString(args, "dataText");
+		if (!dataHex && !dataText) return {
+			ok: false,
+			error: "dataHex or dataText is required"
+		};
+		if (dataHex && dataText) return {
+			ok: false,
+			error: "dataHex and dataText are mutually exclusive"
+		};
+		if (dataHex) {
+			const normalized = normalizeHex(dataHex);
+			if (!isHex(normalized)) return {
+				ok: false,
+				error: "dataHex must be valid even-length hexadecimal data"
+			};
+			return {
+				ok: true,
+				data: Buffer.from(normalized, "hex"),
+				inputEncoding: "hex"
+			};
+		}
+		return {
+			ok: true,
+			data: Buffer.from(dataText ?? "", "utf8"),
+			inputEncoding: "utf8"
+		};
+	}
+	async writeBufferedSession(session, args) {
+		if (session.socket.destroyed || session.closed) return {
+			ok: false,
+			error: `Session "${session.id}" is already closed`,
+			sessionId: session.id,
+			kind: session.kind,
+			state: serializeSessionState(session)
+		};
+		const payload = this.parseWritePayload(args);
+		if (!payload.ok) return {
+			ok: false,
+			error: payload.error,
+			sessionId: session.id,
+			kind: session.kind
+		};
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		return new Promise((resolve) => {
+			let settled = false;
+			const finish = (result) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				session.socket.off("error", onError);
+				resolve(result);
+			};
+			const timer = setTimeout(() => {
+				finish({
+					ok: false,
+					error: "write timed out",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeSessionState(session)
+				});
+			}, timeoutMs);
+			const onError = (error) => {
+				finish({
+					ok: false,
+					error: error.message,
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeSessionState(session)
+				});
+			};
+			session.socket.once("error", onError);
+			session.socket.write(payload.data, () => {
+				if (session.kind === "tcp") this.eventBus?.emit("tcp:session_written", {
+					sessionId: session.id,
+					byteLength: payload.data.length,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				else this.eventBus?.emit("tls:session_written", {
+					sessionId: session.id,
+					byteLength: payload.data.length,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: true,
+					sessionId: session.id,
+					kind: session.kind,
+					inputEncoding: payload.inputEncoding,
+					bytesWritten: payload.data.length,
+					transport: serializeSocketAddresses(session.socket),
+					state: serializeSessionState(session)
+				});
+			});
+		});
+	}
+	async readBufferedSessionUntil(session, args) {
+		const delimiterHex = argString(args, "delimiterHex");
+		const delimiterText = argString(args, "delimiterText");
+		if (delimiterHex && delimiterText) return {
+			ok: false,
+			error: "delimiterHex and delimiterText are mutually exclusive"
+		};
+		let delimiter = null;
+		if (delimiterHex) {
+			const normalized = normalizeHex(delimiterHex);
+			if (!isHex(normalized)) return {
+				ok: false,
+				error: "delimiterHex must be valid even-length hexadecimal data"
+			};
+			delimiter = Buffer.from(normalized, "hex");
+		} else if (delimiterText !== void 0) delimiter = Buffer.from(delimiterText, "utf8");
+		if (delimiter && delimiter.length === 0) return {
+			ok: false,
+			error: "delimiter must not be empty"
+		};
+		const includeDelimiter = argBool(args, "includeDelimiter") ?? true;
+		const rawMaxBytes = argNumber(args, "maxBytes");
+		const maxBytes = rawMaxBytes === void 0 ? void 0 : Math.trunc(rawMaxBytes);
+		if (maxBytes !== void 0 && (!Number.isFinite(maxBytes) || maxBytes <= 0)) return {
+			ok: false,
+			error: "maxBytes must be a positive integer when provided"
+		};
+		if (!delimiter && maxBytes === void 0) return {
+			ok: false,
+			error: "delimiterHex, delimiterText, or maxBytes is required"
+		};
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		if (session.activeRead) return {
+			ok: false,
+			error: `Session "${session.id}" already has a pending read`,
+			sessionId: session.id,
+			kind: session.kind,
+			state: serializeSessionState(session)
+		};
+		session.activeRead = true;
+		const startedAt = Date.now();
+		try {
+			while (true) {
+				const consumed = consumeSessionBuffer(session, delimiter, includeDelimiter, maxBytes);
+				if (consumed) {
+					if (session.kind === "tcp") this.eventBus?.emit("tcp:session_read", {
+						sessionId: session.id,
+						byteLength: consumed.data.length,
+						matched: consumed.matchedDelimiter,
+						timestamp: (/* @__PURE__ */ new Date()).toISOString()
+					});
+					else this.eventBus?.emit("tls:session_read", {
+						sessionId: session.id,
+						byteLength: consumed.data.length,
+						matched: consumed.matchedDelimiter,
+						timestamp: (/* @__PURE__ */ new Date()).toISOString()
+					});
+					return {
+						ok: true,
+						sessionId: session.id,
+						kind: session.kind,
+						bytesRead: consumed.data.length,
+						matchedDelimiter: consumed.matchedDelimiter,
+						stopReason: consumed.stopReason,
+						delimiterHex: consumed.delimiterHex,
+						dataHex: consumed.data.toString("hex").toUpperCase(),
+						dataText: consumed.data.toString("utf8"),
+						elapsedMs: Date.now() - startedAt,
+						state: serializeSessionState(session)
+					};
+				}
+				if (session.error) return {
+					ok: false,
+					error: session.error,
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeSessionState(session)
+				};
+				if (session.ended || session.closed) return {
+					ok: false,
+					error: "socket closed before the requested read condition was satisfied",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeSessionState(session)
+				};
+				const remainingMs = timeoutMs - (Date.now() - startedAt);
+				if (remainingMs <= 0) return {
+					ok: false,
+					error: "read timed out",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeSessionState(session)
+				};
+				if (!await waitForSessionActivity(session, remainingMs)) return {
+					ok: false,
+					error: "read timed out",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeSessionState(session)
+				};
+			}
+		} finally {
+			session.activeRead = false;
+		}
+	}
+	attachWebSocketSession(session) {
+		const parseBufferedFrames = () => {
+			while (session.parserBuffer.length > 0) {
+				let consumed;
+				try {
+					consumed = tryConsumeWebSocketFrame(session.parserBuffer);
+				} catch (error) {
+					session.error = errorMessage(error);
+					session.socket.destroy();
+					break;
+				}
+				if (!consumed) break;
+				session.parserBuffer = session.parserBuffer.subarray(consumed.bytesConsumed);
+				const frame = consumed.frame;
+				session.frames.push(frame);
+				if (frame.type === "ping" && !session.closeSent && !session.socket.destroyed) {
+					const pongFrame = encodeWebSocketFrame("pong", frame.data);
+					session.socket.write(pongFrame);
+					this.emitWebSocketEvent("websocket:session_written", {
+						sessionId: session.id,
+						frameType: "pong",
+						byteLength: frame.data.length,
+						automatic: true,
+						timestamp: (/* @__PURE__ */ new Date()).toISOString()
+					});
+				}
+				if (frame.type === "close") {
+					session.closeReceived = true;
+					if (!session.closeSent && !session.socket.destroyed) {
+						session.closeSent = true;
+						session.socket.write(encodeWebSocketFrame("close", frame.data, frame.closeCode, frame.closeReason));
+						this.emitWebSocketEvent("websocket:session_written", {
+							sessionId: session.id,
+							frameType: "close",
+							byteLength: frame.data.length,
+							automatic: true,
+							timestamp: (/* @__PURE__ */ new Date()).toISOString()
+						});
+					}
+				}
+			}
+			wakeWebSocketWaiters(session);
+		};
+		session.socket.on("data", (chunk) => {
+			session.parserBuffer = Buffer.concat([session.parserBuffer, chunk]);
+			parseBufferedFrames();
+		});
+		session.socket.on("end", () => {
+			session.ended = true;
+			wakeWebSocketWaiters(session);
+		});
+		session.socket.on("close", () => {
+			session.closed = true;
+			wakeWebSocketWaiters(session);
+		});
+		session.socket.on("error", (error) => {
+			session.error = error.message;
+			wakeWebSocketWaiters(session);
+		});
+		parseBufferedFrames();
+	}
+	async readWebSocketFrame(session, args) {
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		if (session.activeRead) return {
+			ok: false,
+			error: `Session "${session.id}" already has a pending read`,
+			sessionId: session.id,
+			kind: session.kind,
+			state: serializeWebSocketSessionState(session)
+		};
+		session.activeRead = true;
+		const startedAt = Date.now();
+		try {
+			while (true) {
+				const frame = session.frames.shift();
+				if (frame) {
+					this.emitWebSocketEvent("websocket:frame_read", {
+						sessionId: session.id,
+						frameType: frame.type,
+						byteLength: frame.data.length,
+						timestamp: (/* @__PURE__ */ new Date()).toISOString()
+					});
+					return {
+						ok: true,
+						sessionId: session.id,
+						kind: session.kind,
+						scheme: session.scheme,
+						frameType: frame.type,
+						fin: frame.fin,
+						opcode: frame.opcode,
+						masked: frame.masked,
+						byteLength: frame.data.length,
+						dataHex: frame.data.toString("hex").toUpperCase(),
+						dataText: frame.type === "binary" ? null : frame.data.toString("utf8"),
+						closeCode: frame.closeCode,
+						closeReason: frame.closeReason,
+						elapsedMs: Date.now() - startedAt,
+						state: serializeWebSocketSessionState(session)
+					};
+				}
+				if (session.error) return {
+					ok: false,
+					error: session.error,
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				};
+				if (session.closed || session.ended) return {
+					ok: false,
+					error: "socket closed before a WebSocket frame was available",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				};
+				const remainingMs = timeoutMs - (Date.now() - startedAt);
+				if (remainingMs <= 0) return {
+					ok: false,
+					error: "read timed out",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				};
+				if (!await waitForWebSocketActivity(session, remainingMs)) return {
+					ok: false,
+					error: "read timed out",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				};
+			}
+		} finally {
+			session.activeRead = false;
+		}
+	}
+	async sendWebSocketFrame(session, args) {
+		if (session.closed || session.socket.destroyed) return {
+			ok: false,
+			error: `Session "${session.id}" is already closed`,
+			sessionId: session.id,
+			kind: session.kind,
+			state: serializeWebSocketSessionState(session)
+		};
+		const frameType = argEnum(args, "frameType", new Set([
+			"text",
+			"binary",
+			"ping",
+			"pong",
+			"close"
+		]));
+		if (!frameType) return {
+			ok: false,
+			error: "frameType is required"
+		};
+		const dataHex = argString(args, "dataHex");
+		const dataText = argString(args, "dataText");
+		if (dataHex && dataText) return {
+			ok: false,
+			error: "dataHex and dataText are mutually exclusive"
+		};
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		let payload = Buffer.alloc(0);
+		if (dataHex) {
+			const normalized = normalizeHex(dataHex);
+			if (!isHex(normalized)) return {
+				ok: false,
+				error: "dataHex must be valid even-length hexadecimal data"
+			};
+			payload = Buffer.from(normalized, "hex");
+		} else if (dataText !== void 0) payload = Buffer.from(dataText, "utf8");
+		let closeCode = null;
+		let closeReason = null;
+		if (frameType === "close") {
+			const rawCloseCode = argNumber(args, "closeCode");
+			if (rawCloseCode !== void 0) {
+				if (!Number.isInteger(rawCloseCode) || rawCloseCode < 1e3 || rawCloseCode > 4999) return {
+					ok: false,
+					error: "closeCode must be an integer between 1000 and 4999"
+				};
+				closeCode = rawCloseCode;
+			}
+			closeReason = argString(args, "closeReason") ?? null;
+			if (dataHex || dataText) return {
+				ok: false,
+				error: "close frames use closeCode/closeReason instead of dataHex/dataText"
+			};
+			session.closeSent = true;
+		}
+		if (frameType === "text" && dataHex) return {
+			ok: false,
+			error: "text frames require UTF-8 dataText instead of dataHex"
+		};
+		const frameBuffer = encodeWebSocketFrame(frameType, payload, closeCode, closeReason);
+		return new Promise((resolve) => {
+			let settled = false;
+			const finish = (result) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				session.socket.off("error", onError);
+				resolve(result);
+			};
+			const timer = setTimeout(() => {
+				finish({
+					ok: false,
+					error: "write timed out",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				});
+			}, timeoutMs);
+			const onError = (error) => {
+				finish({
+					ok: false,
+					error: error.message,
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				});
+			};
+			session.socket.once("error", onError);
+			session.socket.write(frameBuffer, () => {
+				this.emitWebSocketEvent("websocket:session_written", {
+					sessionId: session.id,
+					frameType,
+					byteLength: frameType === "close" ? closeReason ? Buffer.byteLength(closeReason) + 2 : closeCode ? 2 : 0 : payload.length,
+					automatic: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: true,
+					sessionId: session.id,
+					kind: session.kind,
+					scheme: session.scheme,
+					frameType,
+					bytesWritten: frameBuffer.length,
+					payloadBytes: frameType === "close" ? closeReason ? Buffer.byteLength(closeReason) + 2 : closeCode ? 2 : 0 : payload.length,
+					state: serializeWebSocketSessionState(session)
+				});
+			});
+		});
+	}
+	async closeWebSocketSession(sessionId, args) {
+		const session = this.websocketSessions.get(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown websocket sessionId "${sessionId}"`
+		};
+		const force = argBool(args, "force") ?? false;
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 1e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		const queuedFramesDiscarded = session.frames.length;
+		if (session.closed || session.socket.destroyed) {
+			this.websocketSessions.delete(sessionId);
+			return {
+				ok: true,
+				sessionId,
+				kind: session.kind,
+				force,
+				closed: true,
+				queuedFramesDiscarded,
+				state: serializeWebSocketSessionState(session)
+			};
+		}
+		let closeCode = null;
+		const rawCloseCode = argNumber(args, "closeCode");
+		if (rawCloseCode !== void 0) {
+			if (!Number.isInteger(rawCloseCode) || rawCloseCode < 1e3 || rawCloseCode > 4999) return {
+				ok: false,
+				error: "closeCode must be an integer between 1000 and 4999"
+			};
+			closeCode = rawCloseCode;
+		}
+		const closeReason = argString(args, "closeReason") ?? null;
+		return new Promise((resolve) => {
+			let settled = false;
+			const finish = (closed) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				session.socket.off("close", onClose);
+				session.socket.off("error", onError);
+				this.websocketSessions.delete(sessionId);
+				this.emitWebSocketEvent("websocket:session_closed", {
+					sessionId,
+					reason: session.error,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				resolve({
+					ok: true,
+					sessionId,
+					kind: session.kind,
+					force,
+					closed,
+					queuedFramesDiscarded,
+					state: serializeWebSocketSessionState(session)
+				});
+			};
+			const onClose = () => finish(true);
+			const onError = () => finish(session.socket.destroyed || session.closed);
+			const timer = setTimeout(() => {
+				session.socket.destroy();
+				finish(session.socket.destroyed || session.closed);
+			}, timeoutMs);
+			session.socket.once("close", onClose);
+			session.socket.once("error", onError);
+			if (force) {
+				session.socket.destroy();
+				return;
+			}
+			if (!session.closeSent) {
+				session.closeSent = true;
+				session.socket.write(encodeWebSocketFrame("close", Buffer.alloc(0), closeCode, closeReason));
+				this.emitWebSocketEvent("websocket:session_written", {
+					sessionId,
+					frameType: "close",
+					byteLength: closeReason ? Buffer.byteLength(closeReason) + 2 : closeCode ? 2 : 0,
+					automatic: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+			}
+		});
+	}
+	async closeBufferedSession(sessionId, sessions, kind, args) {
+		const session = sessions.get(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown ${kind} sessionId "${sessionId}"`
+		};
+		const force = argBool(args, "force") ?? false;
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 1e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		const bufferedBytesDiscarded = session.buffer.length;
+		if (session.closed || session.socket.destroyed) {
+			sessions.delete(sessionId);
+			return {
+				ok: true,
+				sessionId,
+				kind,
+				force,
+				closed: true,
+				bufferedBytesDiscarded,
+				state: serializeSessionState(session)
+			};
+		}
+		return new Promise((resolve) => {
+			let settled = false;
+			const finish = (closed) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				session.socket.off("close", onClose);
+				session.socket.off("error", onError);
+				sessions.delete(sessionId);
+				if (kind === "tcp") this.eventBus?.emit("tcp:session_closed", {
+					sessionId,
+					reason: session.error,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				else this.eventBus?.emit("tls:session_closed", {
+					sessionId,
+					reason: session.error,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				resolve({
+					ok: true,
+					sessionId,
+					kind,
+					force,
+					closed,
+					bufferedBytesDiscarded,
+					state: serializeSessionState(session)
+				});
+			};
+			const onClose = () => finish(true);
+			const onError = () => finish(session.socket.destroyed || session.closed);
+			const timer = setTimeout(() => {
+				session.socket.destroy();
+				finish(session.socket.destroyed || session.closed);
+			}, timeoutMs);
+			session.socket.once("close", onClose);
+			session.socket.once("error", onError);
+			if (force) {
+				session.socket.destroy();
+				return;
+			}
+			session.socket.end();
+		});
+	}
+	async handleTlsKeylogEnable(_args) {
+		return {
+			enabled: true,
+			keyLogPath: await this.keyLogExtractor.enableKeyLog(),
+			environmentVariable: "SSLKEYLOGFILE"
+		};
+	}
+	async handleTlsKeylogDisable(args) {
+		const path = argString(args, "path") ?? null;
+		if (path) await this.keyLogExtractor.disableKeyLog();
+		else disableKeyLog();
+		return {
+			disabled: true,
+			previousPath: path ?? getKeyLogFilePath()
+		};
+	}
+	async handleTlsKeylogParse(args) {
+		const path = argString(args, "path") ?? null;
+		const entries = this.keyLogExtractor.parseKeyLog(path ?? void 0);
+		const summary = this.keyLogExtractor.summarizeKeyLog(path ?? void 0);
+		return {
+			path: path ?? this.keyLogExtractor.getKeyLogFilePath(),
+			entries,
+			summary
+		};
+	}
+	async handleTlsDecryptPayload(args) {
+		const encryptedHex = argString(args, "encryptedHex") ?? null;
+		const keyHex = argString(args, "keyHex") ?? null;
+		const nonceHex = argString(args, "nonceHex") ?? null;
+		const algorithm = argString(args, "algorithm") ?? "aes-256-gcm";
+		const authTagHex = argString(args, "authTagHex") ?? null;
+		if (!encryptedHex || !keyHex || !nonceHex) return {
+			ok: false,
+			error: "encryptedHex, keyHex, and nonceHex are required"
+		};
+		const decrypted = decryptPayload(encryptedHex, keyHex, nonceHex, algorithm, authTagHex ?? void 0);
+		return {
+			ok: true,
+			algorithm,
+			decrypted,
+			isFailed: decrypted.startsWith("DECRYPTION_FAILED:")
+		};
+	}
+	async handleTlsKeylogSummarize(args) {
+		const content = argString(args, "content") ?? null;
+		if (content) return summarizeKeyLog(parseKeyLog(content));
+		this.keyLogExtractor.parseKeyLog();
+		return this.keyLogExtractor.summarizeKeyLog();
+	}
+	async handleTlsKeylogLookupSecret(args) {
+		const clientRandom = argString(args, "clientRandom") ?? null;
+		const label = argString(args, "label") ?? void 0;
+		if (!clientRandom) return {
+			ok: false,
+			error: "clientRandom is required"
+		};
+		const cached = this.keyLogExtractor.lookupSecret(clientRandom);
+		if (cached) return {
+			ok: true,
+			clientRandom: normalizeHex(clientRandom),
+			secret: cached
+		};
+		const secret = lookupSecret(this.keyLogExtractor.parseKeyLog(), clientRandom, label);
+		return {
+			ok: secret !== null,
+			clientRandom: normalizeHex(clientRandom),
+			secret: secret ?? null
+		};
+	}
+	async handleTlsCertPinBypass(args) {
+		const target = argString(args, "target") ?? null;
+		if (target !== "android" && target !== "ios" && target !== "desktop") return { error: "target must be one of android, ios, or desktop" };
+		return {
+			bypassStrategy: {
+				android: "hook-trust-manager",
+				ios: "replace-sec-trust-evaluation",
+				desktop: "patch-custom-verifier"
+			}[target],
+			affectedDomains: ["*"],
+			instructions: {
+				android: ["Inject a Frida script that overrides X509TrustManager checks.", "Re-run the target flow after SSLKEYLOGFILE capture is enabled."],
+				ios: ["Hook SecTrustEvaluateWithError and return success for the target session.", "Collect TLS keys after the app resumes the failing request."],
+				desktop: ["Patch the custom verifier callback or disable pin comparison in the client.", "Capture a fresh handshake after the patched build starts."]
+			}[target]
+		};
+	}
+	async handleParseHandshake(args) {
+		const rawHex = argString(args, "rawHex") ?? null;
+		const decrypt = args.decrypt === true;
+		if (!rawHex) return asJsonResponse({
+			success: false,
+			error: "rawHex is required"
+		});
+		const normalizedHex = normalizeHex(rawHex);
+		if (!isHex(normalizedHex)) return asJsonResponse({
+			success: false,
+			error: "Invalid hex payload"
+		});
+		const record = Buffer.from(normalizedHex, "hex");
+		if (record.length < 5) return asJsonResponse({
+			success: false,
+			error: "TLS record is too short"
+		});
+		const contentType = record[0] ?? 0;
+		const versionMajor = record[1] ?? 0;
+		const versionMinor = record[2] ?? 0;
+		const declaredLength = record.readUInt16BE(3);
+		const payload = record.subarray(5);
+		const clientHello = contentType === 22 && payload.length > 0 && payload[0] === 1 ? parseClientHello(payload) : void 0;
+		const decryptedPreviewHex = decrypt ? (() => {
+			const decrypted = this.keyLogExtractor.decryptPayload(normalizedHex, this.keyLogExtractor.parseKeyLog());
+			return decrypted ? decrypted.subarray(0, 16).toString("hex").toUpperCase() : null;
+		})() : void 0;
+		return asJsonResponse({
+			success: true,
+			record: {
+				contentType,
+				contentTypeName: contentTypeName(contentType),
+				version: tlsVersionName(versionMajor, versionMinor),
+				declaredLength,
+				actualLength: payload.length
+			},
+			handshake: {
+				version: tlsVersionName(versionMajor, versionMinor),
+				contentType: contentTypeName(contentType),
+				...clientHello ? {
+					type: "client_hello",
+					serverName: clientHello.serverName,
+					cipherSuites: clientHello.cipherSuites,
+					extensions: clientHello.extensions
+				} : {
+					cipherSuite: [],
+					extensions: []
+				}
+			},
+			sni: clientHello?.serverName ? { serverName: clientHello.serverName } : void 0,
+			...decryptedPreviewHex !== void 0 ? { decryptedPreviewHex } : {}
+		});
+	}
+	async handleKeyLogEnable(args) {
+		const filePath = argString(args, "filePath") ?? "/tmp/sslkeylog.log";
+		enableKeyLog(filePath);
+		this.eventBus?.emit("tls:keylog_started", {
+			filePath,
+			timestamp: (/* @__PURE__ */ new Date()).toISOString()
+		});
+		return asJsonResponse({
+			success: true,
+			filePath,
+			currentFilePath: getKeyLogFilePath()
+		});
+	}
+	async handleCipherSuites(args) {
+		const filter = argString(args, "filter") ?? null;
+		const allSuites = [
+			"TLS_AES_128_GCM_SHA256",
+			"TLS_AES_256_GCM_SHA384",
+			"TLS_CHACHA20_POLY1305_SHA256",
+			"TLS_AES_128_CCM_SHA256",
+			"TLS_AES_128_CCM_8_SHA256",
+			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+			"TLS_RSA_WITH_AES_128_GCM_SHA256",
+			"TLS_RSA_WITH_AES_256_GCM_SHA384"
+		];
+		const filteredSuites = filter ? allSuites.filter((suite) => suite.includes(filter)) : allSuites;
+		return asJsonResponse({
+			success: true,
+			filter,
+			total: filteredSuites.length,
+			suites: filteredSuites
+		});
+	}
+	async handleParseCertificate(args) {
+		const rawHex = argString(args, "rawHex") ?? null;
+		if (!rawHex) return asJsonResponse({
+			success: false,
+			error: "rawHex is required"
+		});
+		const certs = parseCertificateChain(rawHex);
+		return asJsonResponse({
+			success: true,
+			certificateCount: certs.length,
+			fingerprints: certs.map((c) => ({
+				sha256: c.sha256,
+				length: c.length
+			}))
+		});
+	}
+	async handleTlsProbeEndpoint(args) {
+		const host = argString(args, "host")?.trim() ?? null;
+		if (!host) return {
+			ok: false,
+			error: "host is required"
+		};
+		const port = argNumber(args, "port") ?? 443;
+		if (!Number.isInteger(port) || port < 1 || port > 65535) return {
+			ok: false,
+			error: "port must be an integer between 1 and 65535"
+		};
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		const allowInvalidCertificates = argBool(args, "allowInvalidCertificates") ?? false;
+		const skipHostnameCheck = argBool(args, "skipHostnameCheck") ?? false;
+		const servernameArg = argString(args, "servername")?.trim() ?? null;
+		const alpnProtocols = [...new Set(argStringArray(args, "alpnProtocols").map((v) => v.trim()))].filter((v) => v.length > 0);
+		let minVersion;
+		let maxVersion;
+		try {
+			minVersion = argEnum(args, "minVersion", TLS_VERSION_SET);
+			maxVersion = argEnum(args, "maxVersion", TLS_VERSION_SET);
+		} catch (error) {
+			return {
+				ok: false,
+				error: errorMessage(error)
+			};
+		}
+		const versionOrder = [
+			"TLSv1",
+			"TLSv1.1",
+			"TLSv1.2",
+			"TLSv1.3"
+		];
+		if (minVersion && maxVersion && versionOrder.indexOf(minVersion) > versionOrder.indexOf(maxVersion)) return {
+			ok: false,
+			error: "minVersion must not be greater than maxVersion"
+		};
+		const ssrfCheck = validateNetworkTarget(host);
+		if (ssrfCheck) return ssrfCheck;
+		const caBundle = await loadProbeCaBundle(args);
+		if (!caBundle.ok) return {
+			ok: false,
+			error: caBundle.error
+		};
+		const validationTarget = servernameArg ?? host;
+		const requestedServername = servernameArg ?? (isIP(host) === 0 ? host : void 0);
+		const startedAt = Date.now();
+		return new Promise((resolve) => {
+			let settled = false;
+			const socket = connect(applyTlsValidationPolicy({
+				host,
+				port,
+				servername: requestedServername,
+				...minVersion ? { minVersion } : {},
+				...maxVersion ? { maxVersion } : {},
+				...alpnProtocols.length > 0 ? { ALPNProtocols: alpnProtocols } : {},
+				...caBundle.ca ? { ca: caBundle.ca } : {}
+			}, allowInvalidCertificates));
+			const finish = (payload) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				socket.removeAllListeners();
+				socket.destroy();
+				resolve(payload);
+			};
+			const timer = setTimeout(() => {
+				this.eventBus?.emit("tls:probe_completed", {
+					host,
+					port,
+					success: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: false,
+					error: "TLS probe timed out",
+					target: {
+						host,
+						port,
+						requestedServername: requestedServername ?? null,
+						validationTarget
+					},
+					policy: {
+						allowInvalidCertificates,
+						skipHostnameCheck,
+						timeoutMs,
+						minVersion: minVersion ?? null,
+						maxVersion: maxVersion ?? null,
+						alpnProtocols,
+						customCa: {
+							source: caBundle.source,
+							path: caBundle.path,
+							bytes: caBundle.bytes
+						}
+					}
+				});
+			}, timeoutMs);
+			socket.once("error", (error) => {
+				this.eventBus?.emit("tls:probe_completed", {
+					host,
+					port,
+					success: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: false,
+					error: error.message,
+					errorCode: error.code ?? null,
+					target: {
+						host,
+						port,
+						requestedServername: requestedServername ?? null,
+						validationTarget
+					},
+					policy: {
+						allowInvalidCertificates,
+						skipHostnameCheck,
+						timeoutMs,
+						minVersion: minVersion ?? null,
+						maxVersion: maxVersion ?? null,
+						alpnProtocols,
+						customCa: {
+							source: caBundle.source,
+							path: caBundle.path,
+							bytes: caBundle.bytes
+						}
+					}
+				});
+			});
+			socket.once("secureConnect", () => {
+				const handshakeMs = Date.now() - startedAt;
+				const peerCertificate = socket.getPeerCertificate(true);
+				const hasLeafCertificate = hasPeerCertificate(peerCertificate);
+				const certificateChain = hasLeafCertificate ? buildPeerCertificateChain(peerCertificate) : [];
+				const leafCertificate = certificateChain[0] ?? null;
+				const hostnameError = skipHostnameCheck || !hasLeafCertificate ? void 0 : checkServerIdentity(validationTarget, peerCertificate);
+				const hostnameValidation = {
+					checked: !skipHostnameCheck,
+					target: skipHostnameCheck ? null : validationTarget,
+					matched: skipHostnameCheck ? null : hostnameError === void 0,
+					error: !skipHostnameCheck && !hasLeafCertificate ? "Peer certificate was not presented by the server" : hostnameError?.message ?? null
+				};
+				const authorizationReasons = [
+					socket.authorized ? "Certificate chain validated against the active trust store." : `Certificate chain validation failed: ${socket.authorizationError ?? "unknown_authority"}`,
+					skipHostnameCheck ? "Hostname validation was skipped by request." : hostnameValidation.matched ? "Hostname validation passed." : `Hostname validation failed: ${hostnameValidation.error ?? "unknown_error"}`,
+					!socket.authorized && allowInvalidCertificates ? "Policy allowed the probe to continue despite certificate trust failure." : null
+				].filter((reason) => Boolean(reason));
+				const cipher = socket.getCipher();
+				this.eventBus?.emit("tls:probe_completed", {
+					host,
+					port,
+					success: true,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: true,
+					target: {
+						host,
+						port,
+						requestedServername: requestedServername ?? null,
+						validationTarget
+					},
+					policy: {
+						allowInvalidCertificates,
+						skipHostnameCheck,
+						timeoutMs,
+						minVersion: minVersion ?? null,
+						maxVersion: maxVersion ?? null,
+						alpnProtocols,
+						customCa: {
+							source: caBundle.source,
+							path: caBundle.path,
+							bytes: caBundle.bytes
+						}
+					},
+					transport: {
+						protocol: socket.getProtocol() ?? null,
+						alpnProtocol: normalizeAlpnProtocol(socket.alpnProtocol),
+						cipher: {
+							name: cipher.name,
+							standardName: cipher.standardName,
+							version: cipher.version
+						},
+						localAddress: socket.localAddress ?? null,
+						localPort: socket.localPort ?? null,
+						remoteAddress: socket.remoteAddress ?? null,
+						remotePort: socket.remotePort ?? null,
+						servernameSent: normalizeSocketServername(socket.servername),
+						sessionReused: socket.isSessionReused()
+					},
+					authorization: {
+						socketAuthorized: socket.authorized,
+						authorizationError: typeof socket.authorizationError === "string" ? socket.authorizationError : socket.authorizationError?.message ?? null,
+						hostnameValidation,
+						policyAllowed: (socket.authorized || allowInvalidCertificates) && (skipHostnameCheck || hostnameValidation.matched === true),
+						reasons: authorizationReasons
+					},
+					certificates: {
+						leaf: leafCertificate,
+						chain: certificateChain
+					},
+					timing: { handshakeMs }
+				});
+			});
+		});
+	}
+	async handleTcpOpen(args) {
+		const host = argString(args, "host") ?? "127.0.0.1";
+		const port = argNumber(args, "port");
+		if (port === void 0 || !Number.isInteger(port) || port < 1 || port > 65535) return {
+			ok: false,
+			error: "port must be an integer between 1 and 65535"
+		};
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		const noDelay = argBool(args, "noDelay") ?? true;
+		const ssrfCheck = validateNetworkTarget(host);
+		if (ssrfCheck) return ssrfCheck;
+		return new Promise((resolve) => {
+			let settled = false;
+			const socket = new Socket();
+			const finish = (payload) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				socket.off("connect", onConnect);
+				socket.off("error", onError);
+				resolve(payload);
+			};
+			const timer = setTimeout(() => {
+				socket.destroy();
+				finish({
+					ok: false,
+					error: "TCP connect timed out",
+					target: {
+						host,
+						port
+					}
+				});
+			}, timeoutMs);
+			const onError = (error) => {
+				finish({
+					ok: false,
+					error: error.message,
+					target: {
+						host,
+						port
+					}
+				});
+			};
+			const onConnect = () => {
+				socket.setNoDelay(noDelay);
+				const sessionId = makeSessionId("tcp");
+				const session = {
+					id: sessionId,
+					kind: "tcp",
+					socket,
+					host,
+					port,
+					createdAt: Date.now(),
+					buffer: Buffer.alloc(0),
+					ended: false,
+					closed: false,
+					error: null,
+					waiters: /* @__PURE__ */ new Set(),
+					activeRead: false
+				};
+				attachBufferedSession(session);
+				this.tcpSessions.set(sessionId, session);
+				this.eventBus?.emit("tcp:session_opened", {
+					sessionId,
+					host,
+					port,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: true,
+					sessionId,
+					kind: "tcp",
+					target: {
+						host,
+						port
+					},
+					createdAt: new Date(session.createdAt).toISOString(),
+					transport: serializeSocketAddresses(socket),
+					state: serializeSessionState(session)
+				});
+			};
+			socket.once("connect", onConnect);
+			socket.once("error", onError);
+			socket.connect(port, host);
+		});
+	}
+	async handleTcpWrite(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		const session = this.getTcpSession(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown tcp sessionId "${sessionId}"`
+		};
+		return this.writeBufferedSession(session, args);
+	}
+	async handleTcpReadUntil(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		const session = this.getTcpSession(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown tcp sessionId "${sessionId}"`
+		};
+		return this.readBufferedSessionUntil(session, args);
+	}
+	async handleTcpClose(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		return this.closeBufferedSession(sessionId, this.tcpSessions, "tcp", args);
+	}
+	async handleTlsOpen(args) {
+		const host = argString(args, "host")?.trim() ?? null;
+		if (!host) return {
+			ok: false,
+			error: "host is required"
+		};
+		const port = argNumber(args, "port") ?? 443;
+		if (!Number.isInteger(port) || port < 1 || port > 65535) return {
+			ok: false,
+			error: "port must be an integer between 1 and 65535"
+		};
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		const allowInvalidCertificates = argBool(args, "allowInvalidCertificates") ?? false;
+		const skipHostnameCheck = argBool(args, "skipHostnameCheck") ?? false;
+		const servernameArg = argString(args, "servername")?.trim() ?? null;
+		const alpnProtocols = [...new Set(argStringArray(args, "alpnProtocols").map((value) => value.trim()))].filter((value) => value.length > 0);
+		let minVersion;
+		let maxVersion;
+		try {
+			minVersion = argEnum(args, "minVersion", TLS_VERSION_SET);
+			maxVersion = argEnum(args, "maxVersion", TLS_VERSION_SET);
+		} catch (error) {
+			return {
+				ok: false,
+				error: errorMessage(error)
+			};
+		}
+		const versionOrder = [
+			"TLSv1",
+			"TLSv1.1",
+			"TLSv1.2",
+			"TLSv1.3"
+		];
+		if (minVersion && maxVersion && versionOrder.indexOf(minVersion) > versionOrder.indexOf(maxVersion)) return {
+			ok: false,
+			error: "minVersion must not be greater than maxVersion"
+		};
+		const ssrfCheck = validateNetworkTarget(host);
+		if (ssrfCheck) return ssrfCheck;
+		const caBundle = await loadProbeCaBundle(args);
+		if (!caBundle.ok) return {
+			ok: false,
+			error: caBundle.error
+		};
+		const target = {
+			host,
+			port,
+			requestedServername: servernameArg ?? (isIP(host) === 0 ? host : void 0) ?? null,
+			validationTarget: servernameArg ?? host
+		};
+		const policy = {
+			allowInvalidCertificates,
+			skipHostnameCheck,
+			timeoutMs,
+			minVersion: minVersion ?? null,
+			maxVersion: maxVersion ?? null,
+			alpnProtocols,
+			customCa: {
+				source: caBundle.source,
+				path: caBundle.path,
+				bytes: caBundle.bytes
+			}
+		};
+		const startedAt = Date.now();
+		return new Promise((resolve) => {
+			let settled = false;
+			const socket = connect(applyTlsValidationPolicy({
+				host,
+				port,
+				servername: target.requestedServername ?? void 0,
+				...minVersion ? { minVersion } : {},
+				...maxVersion ? { maxVersion } : {},
+				...alpnProtocols.length > 0 ? { ALPNProtocols: alpnProtocols } : {},
+				...caBundle.ca ? { ca: caBundle.ca } : {}
+			}, allowInvalidCertificates));
+			const finish = (payload) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				socket.off("error", onError);
+				socket.off("secureConnect", onSecureConnect);
+				resolve(payload);
+			};
+			const timer = setTimeout(() => {
+				socket.destroy();
+				this.eventBus?.emit("tls:probe_completed", {
+					host,
+					port,
+					success: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: false,
+					error: "TLS open timed out",
+					target,
+					policy
+				});
+			}, timeoutMs);
+			const onError = (error) => {
+				this.eventBus?.emit("tls:probe_completed", {
+					host,
+					port,
+					success: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: false,
+					error: error.message,
+					errorCode: error.code ?? null,
+					target,
+					policy
+				});
+			};
+			const onSecureConnect = () => {
+				const handshakeMs = Date.now() - startedAt;
+				const peerCertificate = socket.getPeerCertificate(true);
+				const hasLeafCertificate = hasPeerCertificate(peerCertificate);
+				const certificateChain = hasLeafCertificate ? buildPeerCertificateChain(peerCertificate) : [];
+				const leafCertificate = certificateChain[0] ?? null;
+				const hostnameError = skipHostnameCheck || !hasLeafCertificate ? void 0 : checkServerIdentity(target.validationTarget, peerCertificate);
+				const hostnameValidation = {
+					checked: !skipHostnameCheck,
+					target: skipHostnameCheck ? null : target.validationTarget,
+					matched: skipHostnameCheck ? null : hostnameError === void 0,
+					error: !skipHostnameCheck && !hasLeafCertificate ? "Peer certificate was not presented by the server" : hostnameError?.message ?? null
+				};
+				const authorizationReasons = [
+					socket.authorized ? "Certificate chain validated against the active trust store." : `Certificate chain validation failed: ${socket.authorizationError ?? "unknown_authority"}`,
+					skipHostnameCheck ? "Hostname validation was skipped by request." : hostnameValidation.matched ? "Hostname validation passed." : `Hostname validation failed: ${hostnameValidation.error ?? "unknown_error"}`,
+					!socket.authorized && allowInvalidCertificates ? "Policy allowed the session to continue despite certificate trust failure." : null
+				].filter((reason) => Boolean(reason));
+				const cipher = socket.getCipher();
+				const metadata = {
+					target,
+					policy,
+					transport: {
+						protocol: socket.getProtocol() ?? null,
+						alpnProtocol: normalizeAlpnProtocol(socket.alpnProtocol),
+						cipher: {
+							name: cipher.name,
+							standardName: cipher.standardName,
+							version: cipher.version
+						},
+						localAddress: socket.localAddress ?? null,
+						localPort: socket.localPort ?? null,
+						remoteAddress: socket.remoteAddress ?? null,
+						remotePort: socket.remotePort ?? null,
+						servernameSent: normalizeSocketServername(socket.servername),
+						sessionReused: socket.isSessionReused()
+					},
+					authorization: {
+						socketAuthorized: socket.authorized,
+						authorizationError: typeof socket.authorizationError === "string" ? socket.authorizationError : socket.authorizationError?.message ?? null,
+						hostnameValidation,
+						policyAllowed: (socket.authorized || allowInvalidCertificates) && (skipHostnameCheck || hostnameValidation.matched === true),
+						reasons: authorizationReasons
+					},
+					certificates: {
+						leaf: leafCertificate,
+						chain: certificateChain
+					}
+				};
+				if (!metadata.authorization.policyAllowed) {
+					socket.destroy();
+					this.eventBus?.emit("tls:probe_completed", {
+						host,
+						port,
+						success: false,
+						timestamp: (/* @__PURE__ */ new Date()).toISOString()
+					});
+					finish({
+						ok: false,
+						error: "TLS session authorization failed",
+						...metadata,
+						timing: { handshakeMs }
+					});
+					return;
+				}
+				const sessionId = makeSessionId("tls");
+				const session = {
+					id: sessionId,
+					kind: "tls",
+					socket,
+					host,
+					port,
+					createdAt: Date.now(),
+					buffer: Buffer.alloc(0),
+					ended: false,
+					closed: false,
+					error: null,
+					waiters: /* @__PURE__ */ new Set(),
+					activeRead: false,
+					metadata
+				};
+				attachBufferedSession(session);
+				this.tlsSessions.set(sessionId, session);
+				this.eventBus?.emit("tls:session_opened", {
+					sessionId,
+					host,
+					port,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				this.eventBus?.emit("tls:probe_completed", {
+					host,
+					port,
+					success: true,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: true,
+					sessionId,
+					kind: "tls",
+					...metadata,
+					timing: { handshakeMs },
+					state: serializeSessionState(session)
+				});
+			};
+			socket.once("error", onError);
+			socket.once("secureConnect", onSecureConnect);
+		});
+	}
+	async handleTlsWrite(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		const session = this.getTlsSession(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown tls sessionId "${sessionId}"`
+		};
+		return this.writeBufferedSession(session, args);
+	}
+	async handleTlsReadUntil(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		const session = this.getTlsSession(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown tls sessionId "${sessionId}"`
+		};
+		return this.readBufferedSessionUntil(session, args);
+	}
+	async handleTlsClose(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		return this.closeBufferedSession(sessionId, this.tlsSessions, "tls", args);
+	}
+	async handleWebSocketOpen(args) {
+		const rawUrl = argString(args, "url")?.trim() ?? null;
+		const rawHost = argString(args, "host")?.trim() ?? null;
+		const rawPath = argString(args, "path")?.trim() ?? null;
+		const rawPort = argNumber(args, "port");
+		const rawScheme = argString(args, "scheme")?.trim() ?? null;
+		if (rawUrl && (rawHost || rawPath || rawPort !== void 0 || rawScheme)) return {
+			ok: false,
+			error: "url is mutually exclusive with explicit scheme/host/port/path inputs"
+		};
+		let scheme = "ws";
+		let host = rawHost;
+		let port = rawPort ?? void 0;
+		let path = normalizeWebSocketPath(rawPath);
+		let url;
+		if (rawUrl) {
+			let parsedUrl;
+			try {
+				parsedUrl = new URL(rawUrl);
+			} catch (error) {
+				return {
+					ok: false,
+					error: `Invalid url: ${errorMessage(error)}`
+				};
+			}
+			if (parsedUrl.protocol !== "ws:" && parsedUrl.protocol !== "wss:") return {
+				ok: false,
+				error: "url must use ws:// or wss:// protocol"
+			};
+			scheme = parsedUrl.protocol === "wss:" ? "wss" : "ws";
+			host = parsedUrl.hostname;
+			port = parsedUrl.port.length > 0 ? Number(parsedUrl.port) : scheme === "wss" ? 443 : 80;
+			path = normalizeWebSocketPath(`${parsedUrl.pathname}${parsedUrl.search}`);
+			url = `${scheme}://${parsedUrl.host}${path}`;
+		} else {
+			if (!host) return {
+				ok: false,
+				error: "host or url is required"
+			};
+			if (rawScheme) {
+				if (rawScheme !== "ws" && rawScheme !== "wss") return {
+					ok: false,
+					error: "scheme must be ws or wss"
+				};
+				scheme = rawScheme;
+			}
+			port ??= scheme === "wss" ? 443 : 80;
+			const authority = port === (scheme === "wss" ? 443 : 80) ? host : `${host}:${String(port)}`;
+			url = `${scheme}://${authority}${path}`;
+		}
+		if (!host || !port || !Number.isInteger(port) || port < 1 || port > 65535) return {
+			ok: false,
+			error: "port must be an integer between 1 and 65535"
+		};
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		const subprotocols = [...new Set(argStringArray(args, "subprotocols").map((value) => value.trim()))].filter((value) => value.length > 0);
+		const ssrfCheck = validateNetworkTarget(host);
+		if (ssrfCheck) return ssrfCheck;
+		const allowInvalidCertificates = argBool(args, "allowInvalidCertificates") ?? false;
+		const skipHostnameCheck = argBool(args, "skipHostnameCheck") ?? false;
+		const servernameArg = argString(args, "servername")?.trim() ?? null;
+		const alpnProtocols = [...new Set(argStringArray(args, "alpnProtocols").map((value) => value.trim()))].filter((value) => value.length > 0);
+		let minVersion;
+		let maxVersion;
+		try {
+			minVersion = argEnum(args, "minVersion", TLS_VERSION_SET);
+			maxVersion = argEnum(args, "maxVersion", TLS_VERSION_SET);
+		} catch (error) {
+			return {
+				ok: false,
+				error: errorMessage(error)
+			};
+		}
+		const versionOrder = [
+			"TLSv1",
+			"TLSv1.1",
+			"TLSv1.2",
+			"TLSv1.3"
+		];
+		if (minVersion && maxVersion && versionOrder.indexOf(minVersion) > versionOrder.indexOf(maxVersion)) return {
+			ok: false,
+			error: "minVersion must not be greater than maxVersion"
+		};
+		const caBundle = scheme === "wss" ? await loadProbeCaBundle(args) : {
+			ok: true,
+			ca: void 0,
+			source: null,
+			path: null,
+			bytes: null
+		};
+		if (!caBundle.ok) return {
+			ok: false,
+			error: caBundle.error
+		};
+		const target = {
+			scheme,
+			url,
+			host,
+			port,
+			path,
+			requestedServername: scheme === "wss" ? servernameArg ?? (isIP(host) === 0 ? host : void 0) ?? null : null,
+			validationTarget: scheme === "wss" ? servernameArg ?? host : null
+		};
+		const requestKey = randomBytes(16).toString("base64");
+		const acceptKey = computeWebSocketAccept(requestKey);
+		const startedAt = Date.now();
+		return new Promise((resolve) => {
+			let settled = false;
+			let handshakeBuffer = Buffer.alloc(0);
+			let transport = null;
+			let authorization = null;
+			let certificates = null;
+			const socket = scheme === "wss" ? connect(applyTlsValidationPolicy({
+				host,
+				port,
+				servername: target.requestedServername ?? void 0,
+				...minVersion ? { minVersion } : {},
+				...maxVersion ? { maxVersion } : {},
+				...alpnProtocols.length > 0 ? { ALPNProtocols: alpnProtocols } : {},
+				...caBundle.ca ? { ca: caBundle.ca } : {}
+			}, allowInvalidCertificates)) : new Socket();
+			const finish = (payload) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				socket.off("error", onError);
+				socket.off("connect", onConnect);
+				socket.off("secureConnect", onSecureConnect);
+				socket.off("data", onHandshakeData);
+				resolve(payload);
+			};
+			const buildHandshakeRequest = () => {
+				const hostHeader = port === (scheme === "wss" ? 443 : 80) ? host : `${host}:${String(port)}`;
+				const lines = [
+					`GET ${path} HTTP/1.1`,
+					`Host: ${hostHeader}`,
+					"Upgrade: websocket",
+					"Connection: Upgrade",
+					`Sec-WebSocket-Key: ${requestKey}`,
+					"Sec-WebSocket-Version: 13"
+				];
+				if (subprotocols.length > 0) lines.push(`Sec-WebSocket-Protocol: ${subprotocols.join(", ")}`);
+				lines.push("", "");
+				return Buffer.from(lines.join("\r\n"), "utf8");
+			};
+			const timer = setTimeout(() => {
+				socket.destroy();
+				finish({
+					ok: false,
+					error: "WebSocket open timed out",
+					target
+				});
+			}, timeoutMs);
+			const onError = (error) => {
+				finish({
+					ok: false,
+					error: error.message,
+					errorCode: error.code ?? null,
+					target
+				});
+			};
+			const sendHandshake = () => {
+				socket.write(buildHandshakeRequest());
+			};
+			const onConnect = () => {
+				if (socket instanceof Socket) socket.setNoDelay(true);
+				transport = {
+					...serializeSocketAddresses(socket),
+					protocol: null,
+					alpnProtocol: null,
+					servernameSent: null,
+					sessionReused: null
+				};
+				sendHandshake();
+			};
+			const onSecureConnect = () => {
+				if (!(socket instanceof Object) || !("getPeerCertificate" in socket)) {
+					finish({
+						ok: false,
+						error: "Expected a TLS socket for wss session",
+						target
+					});
+					return;
+				}
+				const tlsSocket = socket;
+				const peerCertificate = tlsSocket.getPeerCertificate(true);
+				const hasLeafCertificate = hasPeerCertificate(peerCertificate);
+				const certificateChain = hasLeafCertificate ? buildPeerCertificateChain(peerCertificate) : [];
+				const leafCertificate = certificateChain[0] ?? null;
+				const hostnameError = skipHostnameCheck || !hasLeafCertificate || !target.validationTarget ? void 0 : checkServerIdentity(target.validationTarget, peerCertificate);
+				const hostnameValidation = {
+					checked: !skipHostnameCheck,
+					target: skipHostnameCheck ? null : target.validationTarget,
+					matched: skipHostnameCheck ? null : hostnameError === void 0,
+					error: !skipHostnameCheck && !hasLeafCertificate ? "Peer certificate was not presented by the server" : hostnameError?.message ?? null
+				};
+				const authorizationReasons = [
+					tlsSocket.authorized ? "Certificate chain validated against the active trust store." : `Certificate chain validation failed: ${tlsSocket.authorizationError ?? "unknown_authority"}`,
+					skipHostnameCheck ? "Hostname validation was skipped by request." : hostnameValidation.matched ? "Hostname validation passed." : `Hostname validation failed: ${hostnameValidation.error ?? "unknown_error"}`,
+					!tlsSocket.authorized && allowInvalidCertificates ? "Policy allowed the session to continue despite certificate trust failure." : null
+				].filter((reason) => Boolean(reason));
+				authorization = {
+					socketAuthorized: tlsSocket.authorized,
+					authorizationError: typeof tlsSocket.authorizationError === "string" ? tlsSocket.authorizationError : tlsSocket.authorizationError?.message ?? null,
+					hostnameValidation,
+					policyAllowed: (tlsSocket.authorized || allowInvalidCertificates) && (skipHostnameCheck || hostnameValidation.matched === true),
+					reasons: authorizationReasons
+				};
+				certificates = {
+					leaf: leafCertificate,
+					chain: certificateChain
+				};
+				transport = {
+					...serializeSocketAddresses(tlsSocket),
+					protocol: tlsSocket.getProtocol() ?? null,
+					alpnProtocol: normalizeAlpnProtocol(tlsSocket.alpnProtocol),
+					servernameSent: normalizeSocketServername(tlsSocket.servername),
+					sessionReused: tlsSocket.isSessionReused()
+				};
+				if (!authorization.policyAllowed) {
+					tlsSocket.destroy();
+					finish({
+						ok: false,
+						error: "WebSocket TLS authorization failed",
+						target,
+						authorization,
+						certificates
+					});
+					return;
+				}
+				sendHandshake();
+			};
+			const onHandshakeData = (chunk) => {
+				handshakeBuffer = Buffer.concat([handshakeBuffer, chunk]);
+				const headerEnd = handshakeBuffer.indexOf("\r\n\r\n");
+				if (headerEnd < 0) return;
+				const lines = handshakeBuffer.subarray(0, headerEnd).toString("utf8").split("\r\n");
+				const statusLine = lines.shift() ?? "";
+				if (!/^HTTP\/1\.1 101\b/.test(statusLine)) {
+					socket.destroy();
+					finish({
+						ok: false,
+						error: `Unexpected WebSocket upgrade response: ${statusLine}`,
+						target
+					});
+					return;
+				}
+				const headers = /* @__PURE__ */ new Map();
+				for (const line of lines) {
+					const separator = line.indexOf(":");
+					if (separator <= 0) continue;
+					const name = line.slice(0, separator).trim().toLowerCase();
+					const value = line.slice(separator + 1).trim();
+					headers.set(name, value);
+				}
+				const upgrade = headers.get("upgrade")?.toLowerCase() ?? "";
+				const connection = headers.get("connection")?.toLowerCase() ?? "";
+				const responseAcceptKey = headers.get("sec-websocket-accept") ?? null;
+				if (upgrade !== "websocket") {
+					socket.destroy();
+					finish({
+						ok: false,
+						error: "Upgrade header did not confirm websocket",
+						target
+					});
+					return;
+				}
+				if (!connection.split(",").map((part) => part.trim()).includes("upgrade")) {
+					socket.destroy();
+					finish({
+						ok: false,
+						error: "Connection header did not confirm upgrade",
+						target
+					});
+					return;
+				}
+				if (responseAcceptKey !== acceptKey) {
+					socket.destroy();
+					finish({
+						ok: false,
+						error: "sec-websocket-accept did not match the client key",
+						target
+					});
+					return;
+				}
+				const negotiatedSubprotocol = headers.get("sec-websocket-protocol") ?? null;
+				if (negotiatedSubprotocol && !subprotocols.includes(negotiatedSubprotocol)) {
+					socket.destroy();
+					finish({
+						ok: false,
+						error: `Server selected unexpected subprotocol "${negotiatedSubprotocol}"`,
+						target
+					});
+					return;
+				}
+				const sessionId = makeSessionId("websocket");
+				const session = {
+					id: sessionId,
+					kind: "websocket",
+					scheme,
+					socket,
+					host,
+					port,
+					path,
+					createdAt: Date.now(),
+					parserBuffer: handshakeBuffer.subarray(headerEnd + 4),
+					frames: [],
+					ended: false,
+					closed: false,
+					error: null,
+					waiters: /* @__PURE__ */ new Set(),
+					activeRead: false,
+					closeSent: false,
+					closeReceived: false,
+					metadata: {
+						target,
+						handshake: {
+							requestKey,
+							acceptKey,
+							responseAcceptKey,
+							subprotocol: negotiatedSubprotocol
+						},
+						transport: transport ?? {
+							...serializeSocketAddresses(socket),
+							protocol: null,
+							alpnProtocol: null,
+							servernameSent: null,
+							sessionReused: null
+						},
+						authorization,
+						certificates
+					}
+				};
+				this.attachWebSocketSession(session);
+				this.websocketSessions.set(sessionId, session);
+				this.emitWebSocketEvent("websocket:session_opened", {
+					sessionId,
+					scheme,
+					host,
+					port,
+					path,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: true,
+					sessionId,
+					kind: session.kind,
+					scheme,
+					target,
+					handshake: session.metadata.handshake,
+					transport: session.metadata.transport,
+					authorization: session.metadata.authorization,
+					certificates: session.metadata.certificates,
+					timing: { handshakeMs: Date.now() - startedAt },
+					state: serializeWebSocketSessionState(session)
+				});
+			};
+			socket.once("error", onError);
+			socket.on("data", onHandshakeData);
+			if (scheme === "wss") socket.once("secureConnect", onSecureConnect);
+			else {
+				socket.once("connect", onConnect);
+				socket.connect(port, host);
+			}
+		});
+	}
+	async handleWebSocketSendFrame(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		const session = this.getWebSocketSession(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown websocket sessionId "${sessionId}"`
+		};
+		return this.sendWebSocketFrame(session, args);
+	}
+	async handleWebSocketReadFrame(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		const session = this.getWebSocketSession(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown websocket sessionId "${sessionId}"`
+		};
+		return this.readWebSocketFrame(session, args);
+	}
+	async handleWebSocketClose(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		return this.closeWebSocketSession(sessionId, args);
+	}
+	async handleBypassCertPinning(args) {
+		if (this.extensionInvoke) try {
+			const result = await this.extensionInvoke(args);
+			if (result) return asJsonResponse({
+				success: true,
+				strategy: "frida-injection",
+				result
+			});
+		} catch {}
+		return asJsonResponse({
+			success: true,
+			strategy: "manual-bypass",
+			instructions: {
+				android: ["Use Frida to hook X509TrustManager.checkServerTrusted and return without throwing.", "Alternatively, use OkHttp CertificatePinner.Builder().add() with the target cert."],
+				ios: ["Hook SecTrustEvaluateWithError to always return true.", "Or use SSLSetSessionOption to disable certificate validation."],
+				desktop: ["Set NODE_TLS_REJECT_UNAUTHORIZED=0 for Node.js targets.", "Or patch the certificate comparison function in the HTTP client."]
+			},
+			args
+		});
+	}
+	async handleRawTcpSend(args) {
+		const host = argString(args, "host") ?? "127.0.0.1";
+		const port = argNumber(args, "port");
+		if (port === void 0 || port < 1 || port > 65535) return {
+			ok: false,
+			error: "port must be a number between 1 and 65535"
+		};
+		const ssrfCheck = validateNetworkTarget(host);
+		if (ssrfCheck) return ssrfCheck;
+		const dataHex = argString(args, "dataHex");
+		const dataText = argString(args, "dataText");
+		if (!dataHex && !dataText) return {
+			ok: false,
+			error: "dataHex or dataText is required"
+		};
+		const data = dataHex ? Buffer.from(normalizeHex(dataHex), "hex") : Buffer.from(dataText ?? "", "utf8");
+		const timeout = argNumber(args, "timeout") ?? 5e3;
+		return new Promise((resolve) => {
+			const socket = new Socket();
+			const timer = setTimeout(() => {
+				socket.destroy();
+				resolve({
+					ok: false,
+					error: "Connection timed out"
+				});
+			}, timeout);
+			socket.on("connect", () => {
+				socket.write(data, () => {
+					socket.end();
+				});
+			});
+			socket.on("data", (chunk) => {
+				clearTimeout(timer);
+				resolve({
+					ok: true,
+					host,
+					port,
+					sentBytes: data.length,
+					responseHex: chunk.toString("hex").toUpperCase(),
+					responseText: chunk.toString("utf8")
+				});
+				socket.destroy();
+			});
+			socket.on("error", (error) => {
+				clearTimeout(timer);
+				resolve({
+					ok: false,
+					error: error.message
+				});
+			});
+			socket.connect(port, host);
+		});
+	}
+	async handleRawTcpListen(args) {
+		const port = argNumber(args, "port");
+		if (port === void 0 || port < 1 || port > 65535) return {
+			ok: false,
+			error: "port must be a number between 1 and 65535"
+		};
+		const timeout = argNumber(args, "timeout") ?? 1e4;
+		return new Promise((resolve) => {
+			const server = createServer();
+			const timer = setTimeout(() => {
+				server.close();
+				resolve({
+					ok: false,
+					error: "Listen timed out — no connection received"
+				});
+			}, timeout);
+			server.on("connection", (socket) => {
+				clearTimeout(timer);
+				const chunks = [];
+				socket.on("data", (chunk) => {
+					chunks.push(chunk);
+				});
+				socket.on("end", () => {
+					const data = Buffer.concat(chunks);
+					server.close();
+					resolve({
+						ok: true,
+						port,
+						receivedBytes: data.length,
+						dataHex: data.toString("hex").toUpperCase(),
+						dataText: data.toString("utf8")
+					});
+				});
+				socket.on("error", (error) => {
+					clearTimeout(timer);
+					server.close();
+					resolve({
+						ok: false,
+						error: error.message
+					});
+				});
+			});
+			server.on("error", (error) => {
+				clearTimeout(timer);
+				resolve({
+					ok: false,
+					error: error.message
+				});
+			});
+			server.listen(port, "127.0.0.1");
+		});
+	}
+	async handleRawUdpSend(args) {
+		const host = argString(args, "host") ?? "127.0.0.1";
+		const port = argNumber(args, "port");
+		if (port === void 0 || port < 1 || port > 65535) return {
+			ok: false,
+			error: "port must be a number between 1 and 65535"
+		};
+		const ssrfCheck = validateNetworkTarget(host);
+		if (ssrfCheck) return ssrfCheck;
+		const dataHex = argString(args, "dataHex");
+		const dataText = argString(args, "dataText");
+		if (!dataHex && !dataText) return {
+			ok: false,
+			error: "dataHex or dataText is required"
+		};
+		const data = dataHex ? Buffer.from(normalizeHex(dataHex), "hex") : Buffer.from(dataText ?? "", "utf8");
+		const timeout = argNumber(args, "timeout") ?? 5e3;
+		return new Promise((resolve) => {
+			const socket = createSocket("udp4");
+			const timer = setTimeout(() => {
+				socket.close();
+				resolve({
+					ok: false,
+					error: "UDP response timed out"
+				});
+			}, timeout);
+			socket.on("message", (msg) => {
+				clearTimeout(timer);
+				socket.close();
+				resolve({
+					ok: true,
+					host,
+					port,
+					sentBytes: data.length,
+					responseHex: msg.toString("hex").toUpperCase(),
+					responseText: msg.toString("utf8")
+				});
+			});
+			socket.on("error", (error) => {
+				clearTimeout(timer);
+				socket.close();
+				resolve({
+					ok: false,
+					error: error.message
+				});
+			});
+			socket.send(data, 0, data.length, port, host);
+		});
+	}
+	async handleRawUdpListen(args) {
+		const port = argNumber(args, "port");
+		if (port === void 0 || port < 1 || port > 65535) return {
+			ok: false,
+			error: "port must be a number between 1 and 65535"
+		};
+		const timeout = argNumber(args, "timeout") ?? 1e4;
+		return new Promise((resolve) => {
+			const socket = createSocket("udp4");
+			const timer = setTimeout(() => {
+				socket.close();
+				resolve({
+					ok: false,
+					error: "UDP listen timed out"
+				});
+			}, timeout);
+			socket.on("message", (msg, rinfo) => {
+				clearTimeout(timer);
+				socket.close();
+				resolve({
+					ok: true,
+					localPort: port,
+					receivedBytes: msg.length,
+					from: rinfo,
+					dataHex: msg.toString("hex").toUpperCase(),
+					dataText: msg.toString("utf8")
+				});
+			});
+			socket.on("error", (error) => {
+				clearTimeout(timer);
+				socket.close();
+				resolve({
+					ok: false,
+					error: error.message
+				});
+			});
+			socket.bind(port, "127.0.0.1");
+		});
+	}
+};
+//#endregion
+export { BoringsslInspectorHandlers };