@jshookmcp/jshook 0.2.7 → 0.2.9

package/dist/network-671Cw6hV.mjs

@@ -0,0 +1,3346 @@
+import { t as logger } from "./logger-Dh_xb7_2.mjs";
+import { Gt as NETWORK_REPLAY_MAX_REDIRECTS, Wt as NETWORK_HAR_BODY_CONCURRENCY, dt as ICMP_DEFAULT_PACKET_SIZE, ft as ICMP_PROBE_TIMEOUT_MS, pt as ICMP_TRACEROUTE_MAX_HOPS } from "./constants-B0OANIBL.mjs";
+import { t as DetailedDataManager } from "./DetailedDataManager-BQQcxh64.mjs";
+import { a as PerformanceMonitor } from "./modules-C184v-S9.mjs";
+import { n as argEnum, t as argBool } from "./parse-args-BlRjqlkL.mjs";
+import { a as isLoopbackHost, c as isSsrfTarget, i as isLocalSsrfBypassEnabled, l as resolveNetworkTarget, n as hasAuthorizedTargets, o as isNetworkAuthorizationExpired, r as isAuthorizedNetworkTarget, s as isPrivateHost, t as createNetworkAuthorizationPolicy } from "./ssrf-policy-ZaUfvhq7.mjs";
+import { t as R } from "./ResponseBuilder-D3iFYx2N.mjs";
+import "./definitions-CXEI7QC72.mjs";
+import * as http$1 from "node:http";
+import { promises } from "node:fs";
+import koffi from "koffi";
+import * as net from "node:net";
+import * as tls from "node:tls";
+import * as dns from "node:dns/promises";
+import * as https from "node:https";
+import * as http2 from "node:http2";
+//#region src/server/domains/network/handlers.base.types.ts
+/** Resource types excluded by default when no explicit filters are set. */
+const EXCLUDED_RESOURCE_TYPES = new Set([
+	"Image",
+	"Font",
+	"Stylesheet",
+	"Media",
+	"Manifest",
+	"Ping"
+]);
+/** Priority order for smart sorting (lower = higher priority). */
+const TYPE_SORT_PRIORITY = {
+	XHR: 0,
+	Fetch: 1,
+	Document: 2,
+	Script: 3,
+	WebSocket: 4,
+	EventSource: 5
+};
+const isObjectRecord$1 = (value) => typeof value === "object" && value !== null;
+const isNetworkRequestPayload = (value) => {
+	if (!isObjectRecord$1(value)) return false;
+	return typeof value.url === "string" && typeof value.method === "string";
+};
+const isNetworkResponsePayload = (value) => {
+	if (!isObjectRecord$1(value)) return false;
+	return typeof value.status === "number";
+};
+const isFiniteNumber = (value) => typeof value === "number" && Number.isFinite(value);
+const asOptionalString = (value) => typeof value === "string" ? value : void 0;
+const asOptionalBoolean = (value) => typeof value === "boolean" ? value : void 0;
+const asOptionalNumber = (value) => typeof value === "number" && Number.isFinite(value) ? value : void 0;
+const asOptionalStringArray = (value) => {
+	if (!Array.isArray(value)) return;
+	return value.every((item) => typeof item === "string") ? value : void 0;
+};
+const isCpuProfileNodePayload = (value) => {
+	if (!isObjectRecord$1(value)) return false;
+	if (value.hitCount !== void 0 && typeof value.hitCount !== "number") return false;
+	if (value.callFrame !== void 0 && !isObjectRecord$1(value.callFrame)) return false;
+	if (isObjectRecord$1(value.callFrame)) {
+		if (value.callFrame.functionName !== void 0 && typeof value.callFrame.functionName !== "string") return false;
+		if (value.callFrame.url !== void 0 && typeof value.callFrame.url !== "string") return false;
+		if (value.callFrame.lineNumber !== void 0 && typeof value.callFrame.lineNumber !== "number") return false;
+	}
+	return true;
+};
+const toCpuProfilePayload = (value) => {
+	if (!isObjectRecord$1(value)) return null;
+	if (!Array.isArray(value.nodes)) return null;
+	if (typeof value.startTime !== "number" || typeof value.endTime !== "number") return null;
+	if (!value.nodes.every((node) => isCpuProfileNodePayload(node))) return null;
+	return {
+		nodes: value.nodes,
+		samples: Array.isArray(value.samples) ? value.samples : void 0,
+		startTime: value.startTime,
+		endTime: value.endTime
+	};
+};
+//#endregion
+//#region src/server/domains/network/handlers/shared.ts
+function getDetailedDataManager() {
+	return DetailedDataManager.getInstance();
+}
+function emitEvent(eventBus, event, payload) {
+	eventBus?.emit(event, payload);
+}
+function parseBooleanArg(value, defaultValue) {
+	if (typeof value === "boolean") return value;
+	if (typeof value === "number") {
+		if (value === 1) return true;
+		if (value === 0) return false;
+		return defaultValue;
+	}
+	if (typeof value === "string") {
+		const normalized = value.trim().toLowerCase();
+		if ([
+			"true",
+			"1",
+			"yes",
+			"on"
+		].includes(normalized)) return true;
+		if ([
+			"false",
+			"0",
+			"no",
+			"off"
+		].includes(normalized)) return false;
+	}
+	return defaultValue;
+}
+function parseNumberArg(value, options) {
+	let parsed;
+	if (typeof value === "number" && Number.isFinite(value)) parsed = value;
+	else if (typeof value === "string") {
+		const trimmed = value.trim();
+		if (trimmed.length > 0) {
+			const n = Number(trimmed);
+			if (Number.isFinite(n)) parsed = n;
+		}
+	}
+	if (parsed === void 0) parsed = options.defaultValue;
+	if (options.integer) parsed = Math.trunc(parsed);
+	if (typeof options.min === "number") parsed = Math.max(options.min, parsed);
+	if (typeof options.max === "number") parsed = Math.min(options.max, parsed);
+	return parsed;
+}
+//#endregion
+//#region src/server/domains/network/handlers/core-handlers.ts
+/**
+* Core network handlers — enable/disable/status/requests/response/stats.
+*
+* Extracted from NetworkHandlersCore (handlers.base.core.ts).
+*/
+var CoreHandlers = class {
+	detailedDataManager = getDetailedDataManager();
+	constructor(deps) {
+		this.deps = deps;
+	}
+	async handleNetworkMonitor(args) {
+		const action = String(args["action"] ?? "");
+		switch (action) {
+			case "enable": return this.handleNetworkEnable(args);
+			case "disable": return this.handleNetworkDisable(args);
+			case "status": return this.handleNetworkGetStatus(args);
+			default: return R.fail(`Invalid generic action parameter: ${action}. Expected enable, disable, status.`).json();
+		}
+	}
+	async handleNetworkEnable(args) {
+		try {
+			const enableExceptions = parseBooleanArg(args.enableExceptions, true);
+			await this.deps.consoleMonitor.enable({
+				enableNetwork: true,
+				enableExceptions
+			});
+			const status = this.deps.consoleMonitor.getNetworkStatus();
+			return R.ok().merge({
+				message: " Network monitoring enabled successfully",
+				enabled: status.enabled,
+				cdpSessionActive: status.cdpSessionActive,
+				listenerCount: status.listenerCount,
+				usage: {
+					step1: "Network monitoring is now active",
+					step2: "Navigate to a page using page_navigate tool",
+					step3: "Use network_get_requests to retrieve captured requests",
+					step4: "Use network_get_response_body to get response content"
+				},
+				important: "Network monitoring must be enabled BEFORE navigating to capture requests"
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleNetworkDisable(_args) {
+		try {
+			await this.deps.consoleMonitor.disable();
+			return R.ok().set("message", "Network monitoring disabled").json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleNetworkGetStatus(_args) {
+		try {
+			const status = this.deps.consoleMonitor.getNetworkStatus();
+			if (!status.enabled) return R.fail(" Network monitoring is NOT enabled").merge({
+				enabled: false,
+				nextSteps: {
+					step1: "Call network_enable tool to start monitoring",
+					step2: "Then navigate to a page using page_navigate",
+					step3: "Finally use network_get_requests to see captured requests"
+				},
+				example: "network_enable -> page_navigate -> network_get_requests"
+			}).json();
+			return R.ok().merge({
+				enabled: true,
+				message: ` Network monitoring is active. Captured ${status.requestCount} requests and ${status.responseCount} responses.`,
+				requestCount: status.requestCount,
+				responseCount: status.responseCount,
+				listenerCount: status.listenerCount,
+				cdpSessionActive: status.cdpSessionActive,
+				nextSteps: status.requestCount === 0 ? {
+					hint: "No requests captured yet",
+					action: "Navigate to a page using page_navigate to capture network traffic"
+				} : {
+					hint: `${status.requestCount} requests captured`,
+					action: "Use network_get_requests to retrieve them"
+				}
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleNetworkGetRequests(args) {
+		try {
+			const autoEnable = parseBooleanArg(args.autoEnable, true);
+			const enableExceptions = parseBooleanArg(args.enableExceptions, true);
+			const networkState = await this.ensureNetworkEnabled({
+				autoEnable,
+				enableExceptions
+			});
+			if (!networkState.enabled) return this.buildNotEnabledResponse(autoEnable, networkState.error);
+			const url = asOptionalString(args.url);
+			const urlRegex = asOptionalString(args.urlRegex);
+			const method = asOptionalString(args.method);
+			const sinceTimestamp = isFiniteNumber(args.sinceTimestamp) ? args.sinceTimestamp : void 0;
+			const sinceRequestId = asOptionalString(args.sinceRequestId);
+			const tail = isFiniteNumber(args.tail) && args.tail > 0 ? Math.floor(args.tail) : void 0;
+			const limit = parseNumberArg(args.limit, {
+				defaultValue: 100,
+				min: 1,
+				max: 1e3,
+				integer: true
+			});
+			const offset = parseNumberArg(args.offset, {
+				defaultValue: 0,
+				min: 0,
+				integer: true
+			});
+			const requests = this.deps.consoleMonitor.getNetworkRequests().filter((req) => isNetworkRequestPayload(req)).map((r) => r);
+			if (requests.length === 0) return this.buildEmptyRequestsResponse(networkState.autoEnabled);
+			const result = this.applyRequestFilters(requests, {
+				url,
+				urlRegex,
+				method,
+				sinceTimestamp,
+				sinceRequestId,
+				tail,
+				limit,
+				offset
+			});
+			const processedResult = this.detailedDataManager.smartHandle(result.finalPayload, 25600);
+			return R.ok().merge(processedResult).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleNetworkGetResponseBody(args) {
+		try {
+			const requestId = asOptionalString(args.requestId) || "";
+			const maxSize = parseNumberArg(args.maxSize, {
+				defaultValue: 1e5,
+				min: 1024,
+				max: 20 * 1024 * 1024,
+				integer: true
+			});
+			const returnSummary = parseBooleanArg(args.returnSummary, false);
+			const retries = parseNumberArg(args.retries, {
+				defaultValue: 3,
+				min: 0,
+				max: 10,
+				integer: true
+			});
+			const retryIntervalMs = parseNumberArg(args.retryIntervalMs, {
+				defaultValue: 500,
+				min: 50,
+				max: 5e3,
+				integer: true
+			});
+			const autoEnable = parseBooleanArg(args.autoEnable, false);
+			const enableExceptions = parseBooleanArg(args.enableExceptions, true);
+			if (!requestId) return R.fail("requestId parameter is required").set("hint", "Get requestId from network_get_requests tool").json();
+			const networkState = await this.ensureNetworkEnabled({
+				autoEnable,
+				enableExceptions
+			});
+			if (!networkState.enabled) return R.fail("Network monitoring is not enabled").merge({
+				hint: autoEnable ? "Auto-enable failed. Check active page and call network_enable manually." : "Use network_enable tool first, or set autoEnable=true",
+				detail: networkState.error
+			}).json();
+			let body = null;
+			let attemptsMade = 0;
+			for (let attempt = 0; attempt <= retries; attempt += 1) {
+				attemptsMade = attempt + 1;
+				body = await this.deps.consoleMonitor.getResponseBody(requestId);
+				if (body) break;
+				if (attempt < retries) await new Promise((resolve) => setTimeout(resolve, retryIntervalMs));
+			}
+			if (!body) return R.fail(`No response body found for requestId: ${requestId}`).merge({
+				hint: "The request may not have completed yet, or the requestId is invalid",
+				attempts: attemptsMade,
+				waitedMs: retries * retryIntervalMs,
+				retryConfig: {
+					retries,
+					retryIntervalMs
+				}
+			}).json();
+			return this.buildResponseBodyResult(requestId, body, attemptsMade, maxSize, returnSummary);
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleNetworkGetStats(_args) {
+		try {
+			if (!this.deps.consoleMonitor.isNetworkEnabled()) return R.fail("Network monitoring is not enabled").set("hint", "Use network_enable tool first").json();
+			const requests = this.deps.consoleMonitor.getNetworkRequests().filter((req) => isNetworkRequestPayload(req));
+			const responses = this.deps.consoleMonitor.getNetworkResponses().filter(isNetworkResponsePayload);
+			const byMethod = {};
+			requests.forEach((req) => {
+				byMethod[req.method] = (byMethod[req.method] || 0) + 1;
+			});
+			const byStatus = {};
+			responses.forEach((res) => {
+				byStatus[res.status] = (byStatus[res.status] || 0) + 1;
+			});
+			const byType = {};
+			requests.forEach((req) => {
+				const type = req.type || "unknown";
+				byType[type] = (byType[type] || 0) + 1;
+			});
+			const timestamps = requests.map((r) => r.timestamp).filter((t) => isFiniteNumber(t));
+			const timeStats = timestamps.length > 0 ? {
+				earliest: Math.min(...timestamps),
+				latest: Math.max(...timestamps),
+				duration: Math.max(...timestamps) - Math.min(...timestamps)
+			} : null;
+			return R.ok().set("stats", {
+				totalRequests: requests.length,
+				totalResponses: responses.length,
+				byMethod,
+				byStatus,
+				byType,
+				timeStats,
+				monitoringEnabled: true
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async ensureNetworkEnabled(options) {
+		if (this.deps.consoleMonitor.isNetworkEnabled()) return {
+			enabled: true,
+			autoEnabled: false
+		};
+		if (!options.autoEnable) return {
+			enabled: false,
+			autoEnabled: false
+		};
+		try {
+			await this.deps.consoleMonitor.enable({
+				enableNetwork: true,
+				enableExceptions: options.enableExceptions
+			});
+			return {
+				enabled: this.deps.consoleMonitor.isNetworkEnabled(),
+				autoEnabled: true
+			};
+		} catch (error) {
+			return {
+				enabled: false,
+				autoEnabled: false,
+				error: error instanceof Error ? error.message : String(error)
+			};
+		}
+	}
+	buildNotEnabledResponse(autoEnable, error) {
+		if (autoEnable && error) return R.fail("Failed to auto-enable network monitoring").merge({
+			detail: error,
+			solution: {
+				step1: "Ensure browser page is active and reachable",
+				step2: "Call network_enable manually",
+				step3: "Navigate to target page: page_navigate(url)",
+				step4: "Get requests: network_get_requests"
+			}
+		}).json();
+		return R.fail(" Network monitoring is not enabled").merge({
+			requests: [],
+			total: 0,
+			solution: {
+				step1: "Enable network monitoring: network_enable",
+				step2: "Navigate to target page: page_navigate(url)",
+				step3: "Get requests: network_get_requests"
+			},
+			tip: "Set autoEnable=true to auto-enable monitoring in this call"
+		}).json();
+	}
+	buildEmptyRequestsResponse(autoEnabled) {
+		return R.ok().merge({
+			message: "No network requests captured yet",
+			requests: [],
+			total: 0,
+			hint: "Network monitoring is enabled, but no requests have been captured",
+			possibleReasons: [
+				"1. You haven't navigated to any page yet (use page_navigate)",
+				"2. The page has already loaded before network monitoring was enabled",
+				"3. The page doesn't make any network requests",
+				"4. The page uses frontend-wrapped fetch/XHR not captured by CDP"
+			],
+			recommended_actions: [
+				"console_inject_fetch_interceptor() — capture frontend-wrapped fetch calls (SPAs, React, Vue)",
+				"console_inject_xhr_interceptor() — capture XMLHttpRequest calls",
+				"page_navigate(url, enableNetworkMonitoring=true) — re-navigate with monitoring enabled"
+			],
+			nextAction: "Call console_inject_fetch_interceptor(), then re-navigate or trigger the target action",
+			monitoring: { autoEnabled }
+		}).json();
+	}
+	applyRequestFilters(requests, filters) {
+		const { url, urlRegex, method, sinceTimestamp, sinceRequestId, tail, limit, offset } = filters;
+		const originalCount = requests.length;
+		const allUrls = requests.map((r) => r.url);
+		const hasAnyFilter = !!(url || urlRegex || method && method.toUpperCase() !== "ALL" || sinceTimestamp || sinceRequestId || tail);
+		let excludedStaticCount = 0;
+		if (!hasAnyFilter) {
+			const beforeTypeFilter = requests.length;
+			requests = requests.filter((r) => !r.type || !EXCLUDED_RESOURCE_TYPES.has(r.type));
+			excludedStaticCount = beforeTypeFilter - requests.length;
+		}
+		if (sinceRequestId) {
+			const idx = requests.findIndex((r) => r.requestId === sinceRequestId);
+			if (idx >= 0) requests = requests.slice(idx + 1);
+		}
+		if (sinceTimestamp !== void 0) requests = requests.filter((r) => (r.timestamp ?? 0) > sinceTimestamp);
+		if (urlRegex) {
+			if (urlRegex.length > 500) throw new Error("urlRegex too long (max 500 characters)");
+			const re = new RegExp(urlRegex, "i");
+			if (requests.length > 0) {
+				const start = performance.now();
+				re.test(requests[0].url);
+				const elapsed = performance.now() - start;
+				if (elapsed > 100) throw new Error(`urlRegex pattern is too expensive (${elapsed.toFixed(0)}ms on first URL). Use a simpler pattern.`);
+			}
+			requests = requests.filter((req) => re.test(req.url));
+		} else if (url) {
+			const urlLower = url.toLowerCase();
+			requests = requests.filter((req) => req.url.toLowerCase().includes(urlLower));
+		}
+		if (method && method.toUpperCase() !== "ALL") requests = requests.filter((req) => req.method.toUpperCase() === method.toUpperCase());
+		if (tail !== void 0 && requests.length > tail) requests = requests.slice(-tail);
+		requests.sort((a, b) => (TYPE_SORT_PRIORITY[a.type ?? ""] ?? 6) - (TYPE_SORT_PRIORITY[b.type ?? ""] ?? 6));
+		const beforeLimit = requests.length;
+		requests = requests.slice(offset, offset + limit);
+		const hasMore = offset + requests.length < beforeLimit;
+		const filterMiss = beforeLimit === 0 && originalCount > 0 && !!(url || method && method.toUpperCase() !== "ALL");
+		const urlSamples = filterMiss ? allUrls.slice(0, 10).map((u) => u.substring(0, 120)) : void 0;
+		return { finalPayload: {
+			message: ` Retrieved ${requests.length} network request(s)`,
+			requests,
+			total: requests.length,
+			page: {
+				offset,
+				limit,
+				returned: requests.length,
+				totalAfterFilter: beforeLimit,
+				hasMore,
+				nextOffset: hasMore ? offset + requests.length : null
+			},
+			stats: {
+				totalCaptured: originalCount,
+				afterFilter: beforeLimit,
+				returned: requests.length,
+				truncated: beforeLimit > offset + limit
+			},
+			filtered: hasAnyFilter,
+			filters: {
+				url,
+				urlRegex,
+				method,
+				sinceTimestamp,
+				sinceRequestId,
+				tail,
+				limit,
+				offset
+			},
+			monitoring: {},
+			...filterMiss && {
+				filterMiss: true,
+				hint: `URL filter "${url}" matched 0 of ${originalCount} captured requests. Check urlSamples to verify the correct filter substring.`,
+				urlSamples
+			},
+			tip: requests.length > 0 ? "Use network_get_response_body(requestId) to get response content" : void 0,
+			...excludedStaticCount > 0 && {
+				staticResourcesExcluded: excludedStaticCount,
+				staticFilterNote: `${excludedStaticCount} static resources (Image/Font/Stylesheet/Media) excluded by default. Set any filter to include all types.`
+			},
+			...originalCount > 100 && !hasAnyFilter && { optimizationHint: `${originalCount} requests captured. Use url/method filters to reduce payload size.` }
+		} };
+	}
+	buildResponseBodyResult(requestId, body, attemptsMade, maxSize, returnSummary) {
+		const originalSize = body.body.length;
+		const isTooLarge = originalSize > maxSize;
+		if (returnSummary || isTooLarge) {
+			const preview = body.body.substring(0, 500);
+			return R.ok().merge({
+				requestId,
+				attempts: attemptsMade,
+				summary: {
+					size: originalSize,
+					sizeKB: (originalSize / 1024).toFixed(2),
+					base64Encoded: body.base64Encoded,
+					preview: preview + (originalSize > 500 ? "..." : ""),
+					truncated: isTooLarge,
+					reason: isTooLarge ? `Response too large (${(originalSize / 1024).toFixed(2)} KB > ${(maxSize / 1024).toFixed(2)} KB)` : "Summary mode enabled"
+				},
+				tip: isTooLarge ? "Use collect_code tool to collect and compress this script, or increase maxSize parameter" : "Set returnSummary=false to get full body"
+			}).json();
+		}
+		return R.ok().merge({
+			requestId,
+			attempts: attemptsMade,
+			body: body.body,
+			base64Encoded: body.base64Encoded,
+			size: originalSize,
+			sizeKB: (originalSize / 1024).toFixed(2)
+		}).json();
+	}
+};
+//#endregion
+//#region src/server/domains/network/handlers/performance-handlers.ts
+var PerformanceHandlers = class {
+	constructor(deps) {
+		this.deps = deps;
+	}
+	async handlePerformanceGetMetrics(args) {
+		try {
+			const includeTimeline = args.includeTimeline === true;
+			const monitor = this.deps.getPerformanceMonitor();
+			const metrics = await monitor.getPerformanceMetrics();
+			const builder = R.ok().set("metrics", metrics);
+			if (includeTimeline) builder.set("timeline", await monitor.getPerformanceTimeline());
+			return builder.json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handlePerformanceCoverage(args) {
+		return argEnum(args, "action", new Set(["start", "stop"])) === "stop" ? this.handlePerformanceStopCoverage(args) : this.handlePerformanceStartCoverage(args);
+	}
+	async handlePerformanceStartCoverage(_args) {
+		try {
+			await this.deps.getPerformanceMonitor().startCoverage();
+			return R.ok().set("message", "Code coverage collection started").json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handlePerformanceStopCoverage(_args) {
+		try {
+			const coverage = await this.deps.getPerformanceMonitor().stopCoverage();
+			const avgCoverage = coverage.length > 0 ? coverage.reduce((sum, info) => sum + info.coveragePercentage, 0) / coverage.length : 0;
+			return R.ok().merge({
+				coverage,
+				totalScripts: coverage.length,
+				avgCoverage
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handlePerformanceTakeHeapSnapshot(_args) {
+		try {
+			const snapshotSize = await this.deps.getPerformanceMonitor().takeHeapSnapshot();
+			return R.ok().merge({
+				snapshotSize,
+				message: "Heap snapshot taken (data too large to return, saved internally)"
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handlePerformanceTraceStart(args) {
+		try {
+			const monitor = this.deps.getPerformanceMonitor();
+			const categories = asOptionalStringArray(args.categories);
+			const screenshots = asOptionalBoolean(args.screenshots);
+			await monitor.startTracing({
+				categories,
+				screenshots
+			});
+			return R.ok().set("message", "Performance tracing started. Call performance_trace_stop to save the trace.").json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handlePerformanceTraceStop(args) {
+		try {
+			const monitor = this.deps.getPerformanceMonitor();
+			const artifactPath = asOptionalString(args.artifactPath);
+			const result = await monitor.stopTracing({ artifactPath });
+			return R.ok().merge({
+				artifactPath: result.artifactPath,
+				eventCount: result.eventCount,
+				sizeBytes: result.sizeBytes,
+				sizeKB: (result.sizeBytes / 1024).toFixed(1),
+				hint: "Open the trace file in Chrome DevTools -> Performance tab -> Load profile"
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleProfilerCpuStart(_args) {
+		try {
+			await this.deps.getPerformanceMonitor().startCPUProfiling();
+			return R.ok().set("message", "CPU profiling started. Call profiler_cpu_stop to save the profile.").json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleProfilerCpuStop(args) {
+		try {
+			const profileRaw = await this.deps.getPerformanceMonitor().stopCPUProfiling();
+			const profile = toCpuProfilePayload(profileRaw) || profileRaw;
+			const { writeFile } = await import("node:fs/promises");
+			const { resolveArtifactPath } = await import("./artifacts-Bk2-_uPq.mjs").then((n) => n.t);
+			const artifactPath = asOptionalString(args.artifactPath);
+			const profileJson = JSON.stringify(profile, null, 2);
+			let savedPath;
+			if (artifactPath) {
+				await writeFile(artifactPath, profileJson, "utf-8");
+				savedPath = artifactPath;
+			} else {
+				const { absolutePath, displayPath } = await resolveArtifactPath({
+					category: "profiles",
+					toolName: "cpu-profile",
+					ext: "cpuprofile"
+				});
+				await writeFile(absolutePath, profileJson, "utf-8");
+				savedPath = displayPath;
+			}
+			const hotFunctions = profile.nodes.filter((n) => (n.hitCount || 0) > 0).toSorted((a, b) => (b.hitCount || 0) - (a.hitCount || 0)).slice(0, 20).map((n) => ({
+				functionName: n.callFrame?.functionName || "(anonymous)",
+				url: n.callFrame?.url,
+				line: n.callFrame?.lineNumber,
+				hitCount: n.hitCount
+			}));
+			return R.ok().merge({
+				artifactPath: savedPath,
+				totalNodes: profile.nodes.length,
+				totalSamples: profile.samples?.length || 0,
+				durationMs: profile.endTime - profile.startTime,
+				hotFunctions,
+				hint: "Open the .cpuprofile file in Chrome DevTools -> Performance tab"
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleProfilerHeapSamplingStart(args) {
+		try {
+			const monitor = this.deps.getPerformanceMonitor();
+			const samplingInterval = asOptionalNumber(args.samplingInterval);
+			await monitor.startHeapSampling({ samplingInterval });
+			return R.ok().set("message", "Heap sampling started. Call profiler_heap_sampling_stop to save the report.").json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleProfilerHeapSamplingStop(args) {
+		try {
+			const monitor = this.deps.getPerformanceMonitor();
+			const artifactPath = asOptionalString(args.artifactPath);
+			const topN = asOptionalNumber(args.topN);
+			const result = await monitor.stopHeapSampling({
+				artifactPath,
+				topN
+			});
+			return R.ok().merge({
+				artifactPath: result.artifactPath,
+				sampleCount: result.sampleCount,
+				topAllocations: result.topAllocations
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+};
+//#endregion
+//#region src/server/domains/network/handlers/console-handlers.ts
+/**
+* Console exception, interceptor, tracer, and monitoring handlers.
+*
+* Extracted from AdvancedHandlersBase (handlers.base.ts).
+*/
+var ConsoleHandlers = class {
+	constructor(deps) {
+		this.deps = deps;
+	}
+	async handleConsoleGetExceptions(args) {
+		try {
+			const url = asOptionalString(args.url);
+			const limit = parseNumberArg(args.limit, {
+				defaultValue: 50,
+				min: 1,
+				max: 1e3,
+				integer: true
+			});
+			let exceptions = this.deps.consoleMonitor.getExceptions();
+			if (url) exceptions = exceptions.filter((ex) => ex.url?.includes(url));
+			exceptions = exceptions.slice(0, limit);
+			return R.ok().merge({
+				exceptions,
+				total: exceptions.length
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleConsoleInjectScriptMonitor(args) {
+		try {
+			const persistent = argBool(args, "persistent", false);
+			await this.deps.consoleMonitor.enableDynamicScriptMonitoring({ persistent });
+			return R.ok().set("message", persistent ? "Dynamic script monitoring enabled (persistent — survives navigations)" : "Dynamic script monitoring enabled").json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleConsoleInjectXhrInterceptor(args) {
+		try {
+			const persistent = argBool(args, "persistent", false);
+			await this.deps.consoleMonitor.injectXHRInterceptor({ persistent });
+			return R.ok().set("message", persistent ? "XHR interceptor injected (persistent)" : "XHR interceptor injected").json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleConsoleInjectFetchInterceptor(args) {
+		try {
+			const persistent = argBool(args, "persistent", false);
+			await this.deps.consoleMonitor.injectFetchInterceptor({ persistent });
+			return R.ok().set("message", persistent ? "Fetch interceptor injected (persistent)" : "Fetch interceptor injected").json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleConsoleClearInjectedBuffers(_args) {
+		try {
+			const result = await this.deps.consoleMonitor.clearInjectedBuffers();
+			return R.ok().merge({
+				message: "Injected buffers cleared",
+				...result
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleConsoleResetInjectedInterceptors(_args) {
+		try {
+			const result = await this.deps.consoleMonitor.resetInjectedInterceptors();
+			return R.ok().merge({
+				message: "Injected interceptors/monitors reset",
+				...result
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleConsoleInjectFunctionTracer(args) {
+		try {
+			const functionName = asOptionalString(args.functionName) || "";
+			if (!functionName) return R.fail("functionName is required").json();
+			const persistent = argBool(args, "persistent", false);
+			await this.deps.consoleMonitor.injectFunctionTracer(functionName, { persistent });
+			return R.ok().set("message", persistent ? `Function tracer injected for: ${functionName} (persistent — survives navigations)` : `Function tracer injected for: ${functionName}`).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+};
+//#endregion
+//#region src/server/domains/network/auth-extractor.ts
+const AUTH_HEADER_KEYS = [
+	"authorization",
+	"cookie",
+	"x-token",
+	"x-auth-token",
+	"x-access-token",
+	"x-api-key",
+	"x-signature",
+	"x-sign",
+	"x-csrf-token"
+];
+const TOKEN_BODY_KEYS = /^(token|access_token|refresh_token|sign|signature|auth|jwt|api_key|apikey|key|secret)$/i;
+const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
+const BEARER_RE = /^Bearer\s+\S+/i;
+function maskSecret(raw) {
+	const trimmed = raw.trim();
+	if (trimmed.length <= 12) return "***";
+	return `${trimmed.slice(0, 6)}***${trimmed.slice(-4)}`;
+}
+function scoreValue(value) {
+	const v = value.trim();
+	if (BEARER_RE.test(v)) return .95;
+	if (JWT_RE.test(v)) return .9;
+	if (v.length > 20 && /^[A-Za-z0-9+/=_-]+$/.test(v)) return .7;
+	if (v.length > 10) return .5;
+	return .3;
+}
+function extractAuthFromRequests(requests) {
+	const findings = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const req of requests) {
+		const headers = req.headers ?? {};
+		for (const [k, v] of Object.entries(headers)) {
+			const lk = k.toLowerCase();
+			if (!AUTH_HEADER_KEYS.includes(lk)) continue;
+			if (!v || v.length < 4) continue;
+			if (lk === "cookie") {
+				for (const part of v.split(";")) {
+					const eqIdx = part.indexOf("=");
+					if (eqIdx === -1) continue;
+					const name = part.slice(0, eqIdx).trim();
+					const val = part.slice(eqIdx + 1).trim();
+					if (!val || val.length < 8) continue;
+					const dedupeKey = `cookie:${name}:${val.slice(0, 8)}`;
+					if (seen.has(dedupeKey)) continue;
+					seen.add(dedupeKey);
+					findings.push({
+						header: `cookie[${name}]`,
+						value_masked: maskSecret(val),
+						request_url: req.url,
+						confidence: scoreValue(val),
+						source: "cookie"
+					});
+				}
+				continue;
+			}
+			const dedupeKey = `header:${lk}:${v.slice(0, 8)}`;
+			if (seen.has(dedupeKey)) continue;
+			seen.add(dedupeKey);
+			findings.push({
+				header: k,
+				value_masked: maskSecret(v),
+				request_url: req.url,
+				confidence: scoreValue(v),
+				source: "header"
+			});
+		}
+		try {
+			const u = new URL(req.url);
+			for (const [k, v] of u.searchParams.entries()) {
+				if (!TOKEN_BODY_KEYS.test(k)) continue;
+				if (!v || v.length < 8) continue;
+				const dedupeKey = `query:${k}:${v.slice(0, 8)}`;
+				if (seen.has(dedupeKey)) continue;
+				seen.add(dedupeKey);
+				findings.push({
+					header: k,
+					value_masked: maskSecret(v),
+					request_url: req.url,
+					confidence: scoreValue(v) * .9,
+					source: "query"
+				});
+			}
+		} catch {}
+		if (req.postData) try {
+			const body = JSON.parse(req.postData);
+			if (body && typeof body === "object") for (const [k, v] of Object.entries(body)) {
+				if (!TOKEN_BODY_KEYS.test(k)) continue;
+				if (typeof v !== "string" || v.length < 8) continue;
+				const dedupeKey = `body:${k}:${v.slice(0, 8)}`;
+				if (seen.has(dedupeKey)) continue;
+				seen.add(dedupeKey);
+				findings.push({
+					header: k,
+					value_masked: maskSecret(v),
+					request_url: req.url,
+					confidence: scoreValue(v) * .85,
+					source: "body"
+				});
+			}
+		} catch {}
+	}
+	return findings.toSorted((a, b) => b.confidence - a.confidence);
+}
+//#endregion
+//#region src/server/domains/network/har.ts
+/**
+* HAR 1.2 builder — converts NetworkMonitor captured data to standard HAR format.
+* Ref: http://www.softwareishard.com/blog/har-12-spec/
+*/
+function headersToHar(headers = {}) {
+	return Object.entries(headers).map(([name, value]) => ({
+		name,
+		value
+	}));
+}
+function parseCookies(cookieHeader) {
+	return cookieHeader.split(";").map((part) => {
+		const eq = part.indexOf("=");
+		if (eq === -1) return {
+			name: part.trim(),
+			value: ""
+		};
+		return {
+			name: part.slice(0, eq).trim(),
+			value: part.slice(eq + 1).trim()
+		};
+	});
+}
+function queryStringFromUrl(url) {
+	try {
+		const u = new URL(url);
+		return Array.from(u.searchParams.entries()).map(([name, value]) => ({
+			name,
+			value
+		}));
+	} catch {
+		return [];
+	}
+}
+async function buildHar(params) {
+	const { requests, getResponse, getResponseBody, includeBodies, creatorVersion = "unknown" } = params;
+	const entries = [];
+	const bodyResults = /* @__PURE__ */ new Map();
+	if (includeBodies) {
+		const BODY_CONCURRENCY = NETWORK_HAR_BODY_CONCURRENCY;
+		for (let i = 0; i < requests.length; i += BODY_CONCURRENCY) {
+			const batch = requests.slice(i, i + BODY_CONCURRENCY);
+			const settled = await Promise.allSettled(batch.map(async (req) => {
+				try {
+					const bodyResult = await getResponseBody(req.requestId);
+					if (bodyResult) return {
+						requestId: req.requestId,
+						text: bodyResult.body
+					};
+					return {
+						requestId: req.requestId,
+						_bodyUnavailable: true
+					};
+				} catch {
+					return {
+						requestId: req.requestId,
+						_bodyUnavailable: true
+					};
+				}
+			}));
+			for (const result of settled) if (result.status === "fulfilled") {
+				const val = result.value;
+				bodyResults.set(val.requestId, "_bodyUnavailable" in val ? { _bodyUnavailable: true } : { text: val.text });
+			}
+		}
+	}
+	for (const req of requests) {
+		const res = getResponse(req.requestId);
+		const startedDateTime = req.timestamp ? (/* @__PURE__ */ new Date(req.timestamp * 1e3)).toISOString() : (/* @__PURE__ */ new Date()).toISOString();
+		const bodyContent = includeBodies ? bodyResults.get(req.requestId) ?? { _bodyUnavailable: true } : {};
+		const postData = req.postData ? {
+			mimeType: req.headers?.["content-type"] ?? "application/octet-stream",
+			text: req.postData
+		} : void 0;
+		const reqCookieHeader = req.headers?.["cookie"] ?? "";
+		const resCookieHeader = res?.headers?.["set-cookie"] ?? "";
+		const entry = {
+			startedDateTime,
+			time: res?.timing?.receiveHeadersEnd ?? 0,
+			request: {
+				method: req.method,
+				url: req.url,
+				httpVersion: "HTTP/1.1",
+				headers: headersToHar(req.headers),
+				queryString: queryStringFromUrl(req.url),
+				cookies: reqCookieHeader ? parseCookies(reqCookieHeader) : [],
+				headersSize: -1,
+				bodySize: req.postData ? req.postData.length : 0,
+				...postData ? { postData } : {}
+			},
+			response: {
+				status: res?.status ?? 0,
+				statusText: res?.statusText ?? "",
+				httpVersion: "HTTP/1.1",
+				headers: headersToHar(res?.headers),
+				cookies: resCookieHeader ? parseCookies(resCookieHeader) : [],
+				content: {
+					size: bodyContent.text ? bodyContent.text.length : -1,
+					mimeType: res?.mimeType ?? "application/octet-stream",
+					...bodyContent
+				},
+				redirectURL: res?.headers?.["location"] ?? "",
+				headersSize: -1,
+				bodySize: bodyContent.text ? bodyContent.text.length : -1
+			},
+			cache: {},
+			timings: {
+				send: 0,
+				wait: res?.timing?.receiveHeadersEnd ?? 0,
+				receive: 0
+			},
+			_requestId: req.requestId
+		};
+		entries.push(entry);
+	}
+	return { log: {
+		version: "1.2",
+		creator: {
+			name: "jshookmcp",
+			version: creatorVersion
+		},
+		entries
+	} };
+}
+//#endregion
+//#region src/server/domains/network/replay.ts
+/**
+* Request Replay — rebuilds and re-sends a captured network request
+* with optional header/body/method/URL overrides.
+*
+* Security: dryRun defaults to true to prevent accidental side-effects.
+* Always sanitize headers that would conflict (host, content-length, transfer-encoding).
+* SSRF guard resolves DNS before checking to defeat rebinding attacks.
+*/
+const STRIPPED_HEADERS = new Set([
+	"host",
+	"content-length",
+	"transfer-encoding",
+	"connection",
+	"keep-alive",
+	"proxy-authenticate",
+	"proxy-authorization",
+	"te",
+	"trailers",
+	"upgrade"
+]);
+const DANGEROUS_KEYS = new Set([
+	"__proto__",
+	"constructor",
+	"prototype"
+]);
+function sanitizeHeaders(headers) {
+	const out = Object.create(null);
+	for (const [k, v] of Object.entries(headers)) if (!STRIPPED_HEADERS.has(k.toLowerCase()) && !DANGEROUS_KEYS.has(k)) out[k] = v;
+	return out;
+}
+async function replayRequest(base, args, maxBodyBytes = 512e3) {
+	const url = args.urlOverride ?? base.url;
+	const method = (args.methodOverride ?? base.method).toUpperCase();
+	const mergedHeaders = sanitizeHeaders({
+		...base.headers,
+		...args.headerPatch
+	});
+	const body = args.bodyPatch !== void 0 ? args.bodyPatch : base.postData;
+	const authorizationPolicy = createNetworkAuthorizationPolicy(args.authorization);
+	const allowLegacyLocalSsrf = !authorizationPolicy && isLocalSsrfBypassEnabled();
+	if (authorizationPolicy && (authorizationPolicy.allowPrivateNetwork || authorizationPolicy.allowInsecureHttp) && !hasAuthorizedTargets(authorizationPolicy)) throw new Error("Replay authorization must include at least one allowed host or CIDR when enabling private network or insecure HTTP access.");
+	if (isNetworkAuthorizationExpired(authorizationPolicy)) throw new Error("Replay authorization expired before the request was executed.");
+	const isPrivateTargetAllowed = (target) => {
+		if (allowLegacyLocalSsrf) return true;
+		return authorizationPolicy?.allowPrivateNetwork === true && isAuthorizedNetworkTarget(authorizationPolicy, target);
+	};
+	const isInsecureHttpAllowed = (target) => {
+		if (target.parsedUrl.protocol !== "http:") return true;
+		if (allowLegacyLocalSsrf) return true;
+		if (isLoopbackHost(target.hostname)) return true;
+		return authorizationPolicy?.allowInsecureHttp === true && isAuthorizedNetworkTarget(authorizationPolicy, target);
+	};
+	const resolvePinned = async (targetUrl) => {
+		let target;
+		try {
+			target = await resolveNetworkTarget(targetUrl);
+		} catch {
+			throw new Error(`Replay blocked: DNS resolution failed for "${targetUrl}"`);
+		}
+		if (!isInsecureHttpAllowed(target)) throw new Error(`Replay blocked: insecure HTTP is only allowed for loopback or explicitly authorized targets, got "${targetUrl}"`);
+		const hostnameIsPrivate = isPrivateHost(target.hostname);
+		const resolvedAddressIsPrivate = isPrivateHost(target.resolvedAddress ?? "");
+		if ((hostnameIsPrivate || resolvedAddressIsPrivate) && !isPrivateTargetAllowed(target)) {
+			if (!hostnameIsPrivate && resolvedAddressIsPrivate && target.resolvedAddress) throw new Error(`Replay blocked: "${targetUrl}" resolved to private IP ${target.resolvedAddress}`);
+			throw new Error(`Replay blocked: target URL "${targetUrl}" resolves to a private/reserved address.`);
+		}
+		if (target.parsedUrl.protocol === "https:" || target.isIpLiteral) return {
+			pinnedUrl: targetUrl,
+			originalHost: target.parsedUrl.host,
+			target
+		};
+		const originalHost = target.parsedUrl.host;
+		target.parsedUrl.hostname = target.resolvedAddress && target.resolvedAddress.includes(":") ? `[${target.resolvedAddress}]` : target.resolvedAddress ?? target.hostname;
+		return {
+			pinnedUrl: target.parsedUrl.toString(),
+			originalHost,
+			target
+		};
+	};
+	if (args.dryRun !== false) {
+		if (await isSsrfTarget(url, args.authorization)) throw new Error(`Replay blocked: target URL "${url}" resolves to a private/reserved address.`);
+		const dryRunTarget = await resolveNetworkTarget(url).catch(() => null);
+		if (dryRunTarget && !isInsecureHttpAllowed(dryRunTarget)) throw new Error(`Replay blocked: insecure HTTP is only allowed for loopback or explicitly authorized targets, got "${url}"`);
+		return {
+			dryRun: true,
+			preview: {
+				url,
+				method,
+				headers: mergedHeaders,
+				body
+			}
+		};
+	}
+	const controller = new AbortController();
+	const timeoutId = setTimeout(() => controller.abort(), args.timeoutMs ?? 3e4);
+	const MAX_REDIRECTS = NETWORK_REPLAY_MAX_REDIRECTS;
+	try {
+		let currentUrl = url;
+		let currentMethod = method;
+		let currentBody = body;
+		let resp;
+		for (let hop = 0; hop < MAX_REDIRECTS; hop++) {
+			const { pinnedUrl, originalHost, target } = await resolvePinned(currentUrl);
+			const hopHeaders = { ...mergedHeaders };
+			if (target.parsedUrl.protocol === "http:" && target.resolvedAddress && !target.isIpLiteral) hopHeaders.Host = originalHost;
+			resp = await fetch(pinnedUrl, {
+				method: currentMethod,
+				headers: hopHeaders,
+				body: currentMethod !== "GET" && currentMethod !== "HEAD" ? currentBody : void 0,
+				signal: controller.signal,
+				redirect: "manual"
+			});
+			if (resp.status >= 300 && resp.status < 400) {
+				const location = resp.headers.get("location");
+				if (!location) break;
+				currentUrl = new URL(location, currentUrl).toString();
+				if (resp.status === 301 || resp.status === 302 || resp.status === 303) {
+					currentMethod = "GET";
+					currentBody = void 0;
+				}
+				delete mergedHeaders["Host"];
+				delete mergedHeaders["host"];
+				continue;
+			}
+			break;
+		}
+		if (resp.status >= 300 && resp.status < 400) throw new Error(`Replay blocked: too many redirects (>${MAX_REDIRECTS})`);
+		const responseHeaders = {};
+		resp.headers.forEach((v, k) => {
+			responseHeaders[k] = v;
+		});
+		const rawText = await resp.text();
+		const bodyTruncated = rawText.length > maxBodyBytes;
+		const bodyOut = bodyTruncated ? rawText.slice(0, maxBodyBytes) : rawText;
+		return {
+			dryRun: false,
+			status: resp.status,
+			statusText: resp.statusText,
+			headers: responseHeaders,
+			body: bodyOut,
+			bodyTruncated,
+			requestId: args.requestId
+		};
+	} finally {
+		clearTimeout(timeoutId);
+	}
+}
+//#endregion
+//#region src/server/domains/network/handlers/replay-handlers.ts
+/**
+* Replay and analysis handlers — auth extraction, HAR export, request replay.
+*
+* Extracted from AdvancedToolHandlersRuntime (handlers.impl.core.runtime.replay.ts).
+*/
+const isReplayableRequest = (value) => {
+	if (typeof value !== "object" || value === null) return false;
+	const record = value;
+	return typeof record.requestId === "string" && typeof record.url === "string" && typeof record.method === "string";
+};
+const parseStringArray$1 = (value, field) => {
+	if (value === void 0) return [];
+	if (!Array.isArray(value) || value.some((entry) => typeof entry !== "string")) throw new Error(`${field} must be an array of strings`);
+	return value.map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+};
+const parseOptionalString$1 = (value, field) => {
+	if (value === void 0) return;
+	if (typeof value !== "string") throw new Error(`${field} must be a string`);
+	const trimmed = value.trim();
+	return trimmed.length > 0 ? trimmed : void 0;
+};
+const parseOptionalBoolean$1 = (value, field) => {
+	if (value === void 0) return;
+	if (typeof value !== "boolean") throw new Error(`${field} must be a boolean`);
+	return value;
+};
+const decodeAuthorizationCapability = (capability, requestId) => {
+	if (typeof capability !== "string" || capability.trim().length === 0) throw new Error("authorizationCapability must be a non-empty base64url string");
+	let parsed;
+	try {
+		parsed = JSON.parse(Buffer.from(capability, "base64url").toString("utf8"));
+	} catch {
+		throw new Error("authorizationCapability must be valid base64url-encoded JSON");
+	}
+	if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) throw new Error("authorizationCapability payload must be an object");
+	const payload = parsed;
+	if (payload.version !== void 0 && payload.version !== 1) throw new Error(`authorizationCapability version ${String(payload.version)} is not supported`);
+	if (payload.requestId !== requestId) throw new Error("authorizationCapability requestId does not match the replay requestId");
+	return payload;
+};
+const parseReplayAuthorization = (args, requestId) => {
+	const authorizationArg = args.authorization;
+	const capabilityArg = args.authorizationCapability;
+	if (authorizationArg !== void 0 && capabilityArg !== void 0) throw new Error("Provide either authorization or authorizationCapability, not both");
+	let source;
+	if (authorizationArg !== void 0) {
+		if (typeof authorizationArg !== "object" || authorizationArg === null || Array.isArray(authorizationArg)) throw new Error("authorization must be an object");
+		source = authorizationArg;
+	} else if (capabilityArg !== void 0) source = decodeAuthorizationCapability(capabilityArg, requestId);
+	else return;
+	const allowedHosts = parseStringArray$1(source.allowedHosts, "authorization.allowedHosts");
+	const allowedCidrs = parseStringArray$1(source.allowedCidrs, "authorization.allowedCidrs");
+	const allowPrivateNetwork = parseOptionalBoolean$1(source.allowPrivateNetwork, "authorization.allowPrivateNetwork");
+	const allowInsecureHttp = parseOptionalBoolean$1(source.allowInsecureHttp, "authorization.allowInsecureHttp");
+	const expiresAt = parseOptionalString$1(source.expiresAt, "authorization.expiresAt");
+	const reason = parseOptionalString$1(source.reason, "authorization.reason");
+	const authorization = {};
+	if (allowedHosts.length > 0) authorization.allowedHosts = allowedHosts;
+	if (allowedCidrs.length > 0) authorization.allowedCidrs = allowedCidrs;
+	if (allowPrivateNetwork !== void 0) authorization.allowPrivateNetwork = allowPrivateNetwork;
+	if (allowInsecureHttp !== void 0) authorization.allowInsecureHttp = allowInsecureHttp;
+	if (expiresAt !== void 0) authorization.expiresAt = expiresAt;
+	if (reason !== void 0) authorization.reason = reason;
+	return authorization;
+};
+var ReplayHandlers = class {
+	detailedDataManager = getDetailedDataManager();
+	constructor(deps) {
+		this.deps = deps;
+	}
+	async handleNetworkExtractAuth(args) {
+		try {
+			const minConfidence = parseNumberArg(args.minConfidence, { defaultValue: .4 });
+			const requests = this.deps.consoleMonitor.getNetworkRequests();
+			if (requests.length === 0) return R.fail("No captured requests found. Call network_enable then page_navigate first.").json();
+			const findings = extractAuthFromRequests(requests).filter((f) => f.confidence >= minConfidence);
+			return R.ok().merge({
+				scannedRequests: requests.length,
+				found: findings.length,
+				findings,
+				note: "Values are masked (first 6 + last 4 chars). Use network_replay_request to test with actual values."
+			}).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleNetworkExportHar(args) {
+		try {
+			const outputPath = args.outputPath;
+			const includeBodies = parseBooleanArg(args.includeBodies, false);
+			let resolvedOutputPath;
+			if (outputPath) {
+				const path = await import("node:path");
+				const fsDynamic = await import("node:fs/promises");
+				const resolved = path.resolve(outputPath);
+				const cwd = await fsDynamic.realpath(process.cwd());
+				const tmpDir = await fsDynamic.realpath((await import("node:os")).tmpdir());
+				const parentDir = path.dirname(resolved);
+				let realParent;
+				try {
+					realParent = await fsDynamic.realpath(parentDir);
+				} catch {
+					realParent = parentDir;
+				}
+				const realPath = path.join(realParent, path.basename(resolved));
+				const inCwd = realPath === cwd || realPath.startsWith(cwd + path.sep);
+				const inTmp = realPath === tmpDir || realPath.startsWith(tmpDir + path.sep);
+				if (!inCwd && !inTmp) return R.fail("outputPath must be within the current working directory or system temp dir.").json();
+				resolvedOutputPath = realPath;
+			}
+			const requests = this.deps.consoleMonitor.getNetworkRequests();
+			if (requests.length === 0) return R.fail("No captured requests to export. Call network_enable then page_navigate first.").json();
+			const getResponse = (id) => this.deps.consoleMonitor.getNetworkActivity(id)?.response;
+			const har = await buildHar({
+				requests,
+				getResponse,
+				getResponseBody: async (id) => {
+					try {
+						return await this.deps.consoleMonitor.getResponseBody(id);
+					} catch {
+						return null;
+					}
+				},
+				includeBodies,
+				creatorVersion: "1.0.0"
+			});
+			if (resolvedOutputPath) {
+				try {
+					if ((await promises.lstat(resolvedOutputPath)).isSymbolicLink()) return R.fail("outputPath must not be a symbolic link.").json();
+				} catch {}
+				await promises.writeFile(resolvedOutputPath, JSON.stringify(har, null, 2), "utf-8");
+				return R.ok().merge({
+					message: `HAR exported to ${resolvedOutputPath}`,
+					entryCount: har.log.entries.length,
+					outputPath: resolvedOutputPath
+				}).json();
+			}
+			const result = this.detailedDataManager.smartHandle({
+				entryCount: har.log.entries.length,
+				har
+			}, 51200);
+			return R.ok().merge(result).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+	async handleNetworkReplayRequest(args) {
+		try {
+			const requestId = args.requestId;
+			if (!requestId) return R.fail("requestId is required").json();
+			const base = this.deps.consoleMonitor.getNetworkRequests().find((request) => isReplayableRequest(request) && request.requestId === requestId);
+			if (!base) return R.fail(`Request ${requestId} not found in captured requests`).merge({ hint: "Use network_get_requests to list available requestIds" }).json();
+			const authorization = parseReplayAuthorization(args, requestId);
+			const result = await replayRequest(base, {
+				requestId,
+				headerPatch: args.headerPatch,
+				bodyPatch: args.bodyPatch,
+				methodOverride: args.methodOverride,
+				urlOverride: args.urlOverride,
+				timeoutMs: args.timeoutMs,
+				dryRun: args.dryRun !== false,
+				authorization
+			});
+			return R.ok().merge(result).json();
+		} catch (error) {
+			return R.fail(error).json();
+		}
+	}
+};
+//#endregion
+//#region src/server/domains/network/handlers/intercept-handlers.ts
+const isObjectRecord = (value) => typeof value === "object" && value !== null;
+var InterceptHandlers = class {
+	constructor(deps) {
+		this.deps = deps;
+	}
+	async handleNetworkInterceptResponse(args) {
+		try {
+			const rules = this.parseInterceptRules(args);
+			if (rules.length === 0) return R.fail("No valid rules provided. Provide either \"urlPattern\" (single) or \"rules\" array (batch).").merge({ usage: {
+				single: {
+					urlPattern: "*api/status*",
+					responseCode: 200,
+					responseBody: "{\"status\":\"active\"}"
+				},
+				batch: { rules: [{
+					urlPattern: "*api/status*",
+					responseBody: "{\"status\":\"active\"}"
+				}] }
+			} }).json();
+			const createdRules = await this.deps.consoleMonitor.enableFetchIntercept(rules);
+			const status = this.deps.consoleMonitor.getFetchInterceptStatus();
+			emitEvent(this.deps.eventBus, "network:intercept_started", {
+				interceptType: "fetch",
+				timestamp: (/* @__PURE__ */ new Date()).toISOString()
+			});
+			return R.ok().merge({
+				message: `Added ${createdRules.length} interception rule(s)`,
+				createdRules: createdRules.map((r) => ({
+					id: r.id,
+					urlPattern: r.urlPattern,
+					stage: r.stage,
+					responseCode: r.responseCode
+				})),
+				totalActiveRules: status.rules.length,
+				hint: "Use network_intercept(action: \"list\") to see all rules and hit counts. Use network_intercept(action: \"disable\") to remove rules."
+			}).json();
+		} catch (error) {
+			return R.fail(error instanceof Error ? error.message : String(error)).merge({ hint: "Ensure browser is launched and a page is active before enabling interception." }).json();
+		}
+	}
+	async handleNetworkInterceptList(_args) {
+		const status = this.deps.consoleMonitor.getFetchInterceptStatus();
+		return R.ok().merge(status).merge({ hint: status.rules.length > 0 ? "Use network_intercept(action: \"disable\", ruleId) to remove a specific rule, or network_intercept(action: \"disable\", all: true) to remove all." : "No active interception rules. Use network_intercept(action: \"add\") to add rules." }).json();
+	}
+	async handleNetworkInterceptDisable(args) {
+		const ruleId = typeof args.ruleId === "string" ? args.ruleId : void 0;
+		const all = args.all === true;
+		if (!ruleId && !all) return R.fail("Provide either \"ruleId\" to remove a specific rule, or \"all\": true to disable all.").json();
+		try {
+			if (all) {
+				const result = await this.deps.consoleMonitor.disableFetchIntercept();
+				return R.ok().merge({
+					message: `Disabled all interception. Removed ${result.removedRules} rule(s).`,
+					removedRules: result.removedRules
+				}).json();
+			}
+			const removed = await this.deps.consoleMonitor.removeFetchInterceptRule(ruleId);
+			const status = this.deps.consoleMonitor.getFetchInterceptStatus();
+			return R.ok().merge({
+				success: removed,
+				message: removed ? `Rule ${ruleId} removed.` : `Rule ${ruleId} not found.`,
+				remainingRules: status.rules.length
+			}).json();
+		} catch (error) {
+			return R.fail(error instanceof Error ? error.message : String(error)).json();
+		}
+	}
+	parseInterceptRules(args) {
+		const rules = [];
+		if (Array.isArray(args.rules)) {
+			for (const rawRule of args.rules) if (isObjectRecord(rawRule) && typeof rawRule.urlPattern === "string") rules.push(this.toInterceptRule(rawRule));
+		} else if (typeof args.urlPattern === "string") rules.push(this.toInterceptRule(args));
+		return rules;
+	}
+	toInterceptRule(source) {
+		return {
+			urlPattern: source.urlPattern,
+			urlPatternType: source.urlPatternType === "regex" ? "regex" : "glob",
+			stage: source.stage === "Request" ? "Request" : "Response",
+			responseCode: typeof source.responseCode === "number" ? source.responseCode : 200,
+			responseHeaders: isObjectRecord(source.responseHeaders) ? source.responseHeaders : void 0,
+			responseBody: typeof source.responseBody === "string" ? source.responseBody : typeof source.responseBody === "object" ? JSON.stringify(source.responseBody) : void 0
+		};
+	}
+};
+//#endregion
+//#region src/utils/BufferChain.ts
+/**
+* Zero-copy buffer chain — avoids repeated Buffer.concat allocations.
+*
+* Appends chunks without copying. Materializes into a single Buffer only
+* when `toBuffer()` is called. Tracks total byte length for size limits.
+*/
+var BufferChain = class {
+	chunks = [];
+	totalLength = 0;
+	/** Number of bytes accumulated so far. */
+	get length() {
+		return this.totalLength;
+	}
+	/** Append a chunk without copying. */
+	append(chunk) {
+		if (chunk.length === 0) return;
+		this.chunks.push(chunk);
+		this.totalLength += chunk.length;
+	}
+	/** Materialize all chunks into a single Buffer. */
+	toBuffer() {
+		if (this.chunks.length === 0) return Buffer.alloc(0);
+		if (this.chunks.length === 1) return this.chunks[0];
+		const result = Buffer.concat(this.chunks, this.totalLength);
+		this.chunks = [result];
+		return result;
+	}
+	/** Reset the chain, releasing all chunk references. */
+	reset() {
+		this.chunks = [];
+		this.totalLength = 0;
+	}
+	/** Whether any data has been accumulated. */
+	get isEmpty() {
+		return this.totalLength === 0;
+	}
+};
+//#endregion
+//#region src/server/domains/network/http-raw.ts
+const HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
+const TEXTUAL_CONTENT_TYPE_RE = /^(?:text\/|application\/(?:json|ld\+json|xml|xhtml\+xml|javascript|x-javascript|problem\+json|problem\+xml|graphql-response\+json|x-www-form-urlencoded)|image\/svg\+xml)/i;
+function assertNoLineBreak(value, field) {
+	if (value.includes("\r") || value.includes("\n")) throw new Error(`${field} must not contain CR or LF characters`);
+}
+function hasHeader(headers, headerName) {
+	return Object.keys(headers).some((key) => key.toLowerCase() === headerName.toLowerCase());
+}
+function findHeaderValue(headers, headerName) {
+	return headers.find((header) => header.name.toLowerCase() === headerName.toLowerCase())?.value ?? null;
+}
+function isBodylessResponse(statusCode, requestMethod) {
+	return requestMethod?.toUpperCase() === "HEAD" || statusCode >= 100 && statusCode < 200 || statusCode === 204 || statusCode === 304;
+}
+function findHeaderTerminator(buffer) {
+	const crlf = buffer.indexOf("\r\n\r\n");
+	if (crlf >= 0) return crlf + 4;
+	const lf = buffer.indexOf("\n\n");
+	if (lf >= 0) return lf + 2;
+	return null;
+}
+function findLineBreak(buffer, start) {
+	const lfIndex = buffer.indexOf(10, start);
+	if (lfIndex < 0) return null;
+	return {
+		lineEnd: lfIndex > start && buffer[lfIndex - 1] === 13 ? lfIndex - 1 : lfIndex,
+		nextOffset: lfIndex + 1
+	};
+}
+function decodeChunkedBody(buffer) {
+	const chunks = [];
+	let offset = 0;
+	while (offset < buffer.length) {
+		const line = findLineBreak(buffer, offset);
+		if (!line) return {
+			complete: false,
+			consumedBytes: offset,
+			body: Buffer.concat(chunks)
+		};
+		const sizeToken = buffer.subarray(offset, line.lineEnd).toString("latin1").trim().split(";", 1)[0]?.trim() ?? "";
+		const chunkSize = Number.parseInt(sizeToken, 16);
+		if (!Number.isFinite(chunkSize) || chunkSize < 0) return {
+			complete: false,
+			consumedBytes: offset,
+			body: Buffer.concat(chunks)
+		};
+		if (chunkSize === 0) {
+			const trailerSection = buffer.subarray(line.nextOffset);
+			const trailerEnd = findHeaderTerminator(trailerSection);
+			if (trailerEnd !== null) return {
+				complete: true,
+				consumedBytes: line.nextOffset + trailerEnd,
+				body: Buffer.concat(chunks)
+			};
+			if (trailerSection.length >= 2 && trailerSection[0] === 13 && trailerSection[1] === 10) return {
+				complete: true,
+				consumedBytes: line.nextOffset + 2,
+				body: Buffer.concat(chunks)
+			};
+			if (trailerSection.length >= 1 && trailerSection[0] === 10) return {
+				complete: true,
+				consumedBytes: line.nextOffset + 1,
+				body: Buffer.concat(chunks)
+			};
+			return {
+				complete: false,
+				consumedBytes: offset,
+				body: Buffer.concat(chunks)
+			};
+		}
+		const dataStart = line.nextOffset;
+		const dataEnd = dataStart + chunkSize;
+		if (dataEnd > buffer.length) return {
+			complete: false,
+			consumedBytes: offset,
+			body: Buffer.concat(chunks)
+		};
+		chunks.push(buffer.subarray(dataStart, dataEnd));
+		const afterChunkLine = findLineBreak(buffer, dataEnd);
+		if (!afterChunkLine || afterChunkLine.lineEnd !== dataEnd) return {
+			complete: false,
+			consumedBytes: offset,
+			body: Buffer.concat(chunks)
+		};
+		offset = afterChunkLine.nextOffset;
+	}
+	return {
+		complete: false,
+		consumedBytes: offset,
+		body: Buffer.concat(chunks)
+	};
+}
+function buildHeaderSection(headers) {
+	const entries = Object.entries(headers);
+	if (entries.length === 0) return "";
+	return `${entries.map(([name, value]) => `${name}: ${value}`).join("\r\n")}\r\n`;
+}
+function buildHttpRequest(input) {
+	const method = input.method.trim().toUpperCase();
+	const target = input.target.trim();
+	const httpVersion = input.httpVersion ?? "1.1";
+	if (!HEADER_NAME_RE.test(method)) throw new Error("method must be a valid HTTP token");
+	if (target.length === 0) throw new Error("target is required");
+	assertNoLineBreak(target, "target");
+	if (httpVersion !== "1.0" && httpVersion !== "1.1") throw new Error("httpVersion must be either \"1.0\" or \"1.1\"");
+	const headers = {};
+	for (const [name, value] of Object.entries(input.headers ?? {})) {
+		if (!HEADER_NAME_RE.test(name)) throw new Error(`Invalid HTTP header name: ${name}`);
+		if (typeof value !== "string") throw new Error(`HTTP header "${name}" must be a string`);
+		assertNoLineBreak(value, `headers.${name}`);
+		headers[name] = value;
+	}
+	if (input.addHostHeader !== false && input.host && !hasHeader(headers, "Host")) {
+		assertNoLineBreak(input.host, "host");
+		headers.Host = input.host;
+	}
+	const body = input.body ?? "";
+	if (input.body !== void 0 && input.addContentLength !== false && !hasHeader(headers, "Content-Length")) {
+		if (!hasHeader(headers, "Transfer-Encoding")) headers["Content-Length"] = String(Buffer.byteLength(body, "utf8"));
+	}
+	if (input.addConnectionClose !== false && !hasHeader(headers, "Connection")) headers.Connection = "close";
+	const startLine = `${method} ${target} HTTP/${httpVersion}`;
+	const requestText = `${startLine}\r\n${buildHeaderSection(headers)}\r\n${body}`;
+	const requestBuffer = Buffer.from(requestText, "utf8");
+	return {
+		requestText,
+		requestHex: requestBuffer.toString("hex"),
+		requestBytes: requestBuffer.length,
+		startLine,
+		headers,
+		bodyBytes: Buffer.byteLength(body, "utf8"),
+		httpVersion
+	};
+}
+function analyzeHttpResponse(rawResponse, requestMethod) {
+	const headerBytes = findHeaderTerminator(rawResponse);
+	if (headerBytes === null) return null;
+	const headerLines = rawResponse.subarray(0, headerBytes).toString("latin1").replace(/\r?\n\r?\n$/, "").split(/\r?\n/).filter((line) => line.length > 0);
+	if (headerLines.length === 0) throw new Error("HTTP response did not contain a status line");
+	const statusLine = headerLines[0];
+	const statusMatch = /^HTTP\/(\d+\.\d+)\s+(\d{3})(?:\s+(.*))?$/.exec(statusLine);
+	if (!statusMatch) throw new Error(`Invalid HTTP status line: ${statusLine}`);
+	const rawHeaders = [];
+	const headers = {};
+	for (const line of headerLines.slice(1)) {
+		const separator = line.indexOf(":");
+		if (separator <= 0) continue;
+		const name = line.slice(0, separator).trim();
+		const value = line.slice(separator + 1).trim();
+		rawHeaders.push({
+			name,
+			value
+		});
+		if (!(name in headers)) headers[name] = value;
+		else if (name.toLowerCase() === "set-cookie") headers[name] = `${headers[name]}, ${value}`;
+		else headers[name] = `${headers[name]}, ${value}`;
+	}
+	const statusCode = Number.parseInt(statusMatch[2], 10);
+	const responseBody = rawResponse.subarray(headerBytes);
+	if (isBodylessResponse(statusCode, requestMethod)) return {
+		statusLine,
+		httpVersion: statusMatch[1],
+		statusCode,
+		statusText: statusMatch[3] ?? "",
+		headers,
+		rawHeaders,
+		headerBytes,
+		bodyBytes: 0,
+		bodyBuffer: Buffer.alloc(0),
+		bodyMode: "none",
+		complete: true,
+		expectedRawBytes: headerBytes,
+		chunkedDecoded: false
+	};
+	if (findHeaderValue(rawHeaders, "transfer-encoding")?.toLowerCase().includes("chunked")) {
+		const decoded = decodeChunkedBody(responseBody);
+		return {
+			statusLine,
+			httpVersion: statusMatch[1],
+			statusCode,
+			statusText: statusMatch[3] ?? "",
+			headers,
+			rawHeaders,
+			headerBytes,
+			bodyBytes: decoded.body.length,
+			bodyBuffer: decoded.complete ? decoded.body : responseBody,
+			bodyMode: "chunked",
+			complete: decoded.complete,
+			expectedRawBytes: decoded.complete ? headerBytes + decoded.consumedBytes : null,
+			chunkedDecoded: decoded.complete
+		};
+	}
+	const contentLengthValue = findHeaderValue(rawHeaders, "content-length");
+	if (contentLengthValue !== null) {
+		const contentLength = Number.parseInt(contentLengthValue, 10);
+		if (Number.isFinite(contentLength) && contentLength >= 0) {
+			const bodyBuffer = responseBody.subarray(0, Math.min(responseBody.length, contentLength));
+			return {
+				statusLine,
+				httpVersion: statusMatch[1],
+				statusCode,
+				statusText: statusMatch[3] ?? "",
+				headers,
+				rawHeaders,
+				headerBytes,
+				bodyBytes: bodyBuffer.length,
+				bodyBuffer,
+				bodyMode: "content-length",
+				complete: responseBody.length >= contentLength,
+				expectedRawBytes: headerBytes + contentLength,
+				chunkedDecoded: false
+			};
+		}
+	}
+	return {
+		statusLine,
+		httpVersion: statusMatch[1],
+		statusCode,
+		statusText: statusMatch[3] ?? "",
+		headers,
+		rawHeaders,
+		headerBytes,
+		bodyBytes: responseBody.length,
+		bodyBuffer: responseBody,
+		bodyMode: "until-close",
+		complete: false,
+		expectedRawBytes: null,
+		chunkedDecoded: false
+	};
+}
+function isLikelyTextHttpBody(contentType, body) {
+	if (body.length === 0) return true;
+	if (contentType && TEXTUAL_CONTENT_TYPE_RE.test(contentType)) return true;
+	const sample = body.subarray(0, Math.min(body.length, 64));
+	for (const byte of sample) if (byte === 0) return false;
+	return true;
+}
+//#endregion
+//#region src/server/domains/network/http2-raw.ts
+const HTTP2_MAX_FRAME_SIZE = 16777215;
+const HTTP2_MAX_STREAM_ID = 2147483647;
+const HTTP2_MAX_SETTINGS_ID = 65535;
+const HTTP2_MAX_UNSIGNED_INT32 = 4294967295;
+const FRAME_TYPE_CODES = {
+	DATA: 0,
+	RST_STREAM: 3,
+	SETTINGS: 4,
+	PING: 6,
+	GOAWAY: 7,
+	WINDOW_UPDATE: 8
+};
+function assertIntegerInRange(value, field, min, max) {
+	if (!Number.isInteger(value) || value < min || value > max) throw new Error(`${field} must be an integer between ${String(min)} and ${String(max)}`);
+}
+function parseHexBytes(value, field) {
+	const normalized = value.replace(/\s+/g, "").trim();
+	if (normalized.length === 0) return Buffer.alloc(0);
+	if (normalized.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(normalized)) throw new Error(`${field} must be an even-length hexadecimal string`);
+	return Buffer.from(normalized, "hex");
+}
+function encodeTextBytes(value, encoding) {
+	return Buffer.from(value, encoding);
+}
+function resolvePayloadBytes(payloadHex, payloadText, payloadEncoding) {
+	if (payloadHex !== void 0 && payloadText !== void 0) throw new Error("payloadHex and payloadText are mutually exclusive");
+	if (payloadHex !== void 0) return parseHexBytes(payloadHex, "payloadHex");
+	if (payloadText !== void 0) return encodeTextBytes(payloadText, payloadEncoding);
+	return Buffer.alloc(0);
+}
+function buildSettingsPayload(entries) {
+	const payload = Buffer.alloc(entries.length * 6);
+	entries.forEach((entry, index) => {
+		assertIntegerInRange(entry.id, `settings[${String(index)}].id`, 0, HTTP2_MAX_SETTINGS_ID);
+		assertIntegerInRange(entry.value, `settings[${String(index)}].value`, 0, HTTP2_MAX_UNSIGNED_INT32);
+		payload.writeUInt16BE(entry.id, index * 6);
+		payload.writeUInt32BE(entry.value >>> 0, index * 6 + 2);
+	});
+	return payload;
+}
+function encodeUInt31(value, field) {
+	assertIntegerInRange(value, field, 0, HTTP2_MAX_STREAM_ID);
+	const buffer = Buffer.alloc(4);
+	buffer.writeUInt32BE(value >>> 0, 0);
+	buffer[0] = buffer[0] & 127;
+	return buffer;
+}
+function buildFramePayload(input) {
+	const frameType = input.frameType;
+	const flags = input.flags ?? 0;
+	assertIntegerInRange(flags, "flags", 0, 255);
+	switch (frameType) {
+		case "DATA": return {
+			payload: resolvePayloadBytes(input.payloadHex, input.payloadText, input.payloadEncoding ?? "utf8"),
+			typeCode: FRAME_TYPE_CODES.DATA,
+			flags
+		};
+		case "SETTINGS":
+			if (input.ack === true && (input.settings?.length ?? 0) > 0) throw new Error("SETTINGS ack frames must not include settings payload");
+			return {
+				payload: buildSettingsPayload(input.settings ?? []),
+				typeCode: FRAME_TYPE_CODES.SETTINGS,
+				flags: input.ack ? flags | 1 : flags
+			};
+		case "PING": {
+			const payload = input.pingOpaqueDataHex ? parseHexBytes(input.pingOpaqueDataHex, "pingOpaqueDataHex") : Buffer.alloc(8);
+			if (payload.length !== 8) throw new Error("PING frames require exactly 8 bytes of opaque data");
+			return {
+				payload,
+				typeCode: FRAME_TYPE_CODES.PING,
+				flags: input.ack ? flags | 1 : flags
+			};
+		}
+		case "WINDOW_UPDATE": {
+			const increment = input.windowSizeIncrement;
+			if (increment === void 0) throw new Error("windowSizeIncrement is required for WINDOW_UPDATE frames");
+			assertIntegerInRange(increment, "windowSizeIncrement", 1, HTTP2_MAX_STREAM_ID);
+			return {
+				payload: encodeUInt31(increment, "windowSizeIncrement"),
+				typeCode: FRAME_TYPE_CODES.WINDOW_UPDATE,
+				flags
+			};
+		}
+		case "RST_STREAM": {
+			const errorCode = input.errorCode ?? 0;
+			assertIntegerInRange(errorCode, "errorCode", 0, HTTP2_MAX_UNSIGNED_INT32);
+			const payload = Buffer.alloc(4);
+			payload.writeUInt32BE(errorCode >>> 0, 0);
+			return {
+				payload,
+				typeCode: FRAME_TYPE_CODES.RST_STREAM,
+				flags
+			};
+		}
+		case "GOAWAY": {
+			const lastStreamId = input.lastStreamId ?? 0;
+			const errorCode = input.errorCode ?? 0;
+			assertIntegerInRange(lastStreamId, "lastStreamId", 0, HTTP2_MAX_STREAM_ID);
+			assertIntegerInRange(errorCode, "errorCode", 0, HTTP2_MAX_UNSIGNED_INT32);
+			const debugData = input.debugDataText !== void 0 ? encodeTextBytes(input.debugDataText, input.debugDataEncoding ?? "utf8") : Buffer.alloc(0);
+			return {
+				payload: Buffer.concat([
+					encodeUInt31(lastStreamId, "lastStreamId"),
+					Buffer.from([
+						errorCode >>> 24 & 255,
+						errorCode >>> 16 & 255,
+						errorCode >>> 8 & 255,
+						errorCode & 255
+					]),
+					debugData
+				]),
+				typeCode: FRAME_TYPE_CODES.GOAWAY,
+				flags
+			};
+		}
+		case "RAW": {
+			const typeCode = input.frameTypeCode;
+			if (typeCode === void 0) throw new Error("frameTypeCode is required when frameType is RAW");
+			assertIntegerInRange(typeCode, "frameTypeCode", 0, 255);
+			return {
+				payload: resolvePayloadBytes(input.payloadHex, input.payloadText, input.payloadEncoding ?? "utf8"),
+				typeCode,
+				flags
+			};
+		}
+	}
+}
+function validateFrameTypeStream(frameType, streamId) {
+	if ((frameType === "SETTINGS" || frameType === "PING" || frameType === "GOAWAY") && streamId !== 0) throw new Error(`${frameType} frames must use streamId 0`);
+	if ((frameType === "DATA" || frameType === "RST_STREAM") && streamId === 0) throw new Error(`${frameType} frames must use a non-zero streamId`);
+}
+function buildHttp2Frame(input) {
+	const streamId = input.streamId ?? 0;
+	assertIntegerInRange(streamId, "streamId", 0, HTTP2_MAX_STREAM_ID);
+	validateFrameTypeStream(input.frameType, streamId);
+	const { payload, typeCode, flags } = buildFramePayload(input);
+	if (payload.length > HTTP2_MAX_FRAME_SIZE) throw new Error(`payload exceeds the HTTP/2 maximum frame size of ${String(HTTP2_MAX_FRAME_SIZE)} bytes`);
+	const header = Buffer.alloc(9);
+	header[0] = payload.length >>> 16 & 255;
+	header[1] = payload.length >>> 8 & 255;
+	header[2] = payload.length & 255;
+	header[3] = typeCode & 255;
+	header[4] = flags & 255;
+	header.writeUInt32BE(streamId >>> 0, 5);
+	header[5] = header[5] & 127;
+	const frame = Buffer.concat([header, payload]);
+	return {
+		frameType: input.frameType,
+		typeCode,
+		streamId,
+		flags,
+		payloadBytes: payload.length,
+		payloadHex: payload.toString("hex"),
+		frameHeaderHex: header.toString("hex"),
+		frameHex: frame.toString("hex")
+	};
+}
+//#endregion
+//#region src/server/domains/network/handlers/raw-helpers.ts
+const HTTP_TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
+function parseOptionalString(value, field) {
+	if (value === void 0) return void 0;
+	if (typeof value !== "string") throw new Error(`${field} must be a string`);
+	const trimmed = value.trim();
+	return trimmed.length > 0 ? trimmed : void 0;
+}
+function parseRawString(value, field, options = {}) {
+	if (value === void 0) return void 0;
+	if (typeof value !== "string") throw new Error(`${field} must be a string`);
+	if (value.length === 0 && !options.allowEmpty) return void 0;
+	return value;
+}
+function parseOptionalBoolean(value, field) {
+	if (value === void 0) return void 0;
+	if (typeof value !== "boolean") throw new Error(`${field} must be a boolean`);
+	return value;
+}
+function parseStringArray(value, field) {
+	if (value === void 0) return [];
+	if (!Array.isArray(value) || value.some((entry) => typeof entry !== "string")) throw new Error(`${field} must be an array of strings`);
+	return value.map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+}
+function parseHeaderRecord(value, field) {
+	if (value === void 0) return void 0;
+	if (typeof value !== "object" || value === null || Array.isArray(value)) throw new Error(`${field} must be an object`);
+	const headers = {};
+	for (const [name, headerValue] of Object.entries(value)) {
+		if (!HTTP_TOKEN_RE.test(name)) throw new Error(`${field} contains an invalid HTTP header name: ${name}`);
+		if (typeof headerValue !== "string") throw new Error(`${field}.${name} must be a string`);
+		headers[name] = headerValue;
+	}
+	return headers;
+}
+function parseNetworkAuthorization(value, field = "authorization") {
+	if (value === void 0) return void 0;
+	if (typeof value !== "object" || value === null || Array.isArray(value)) throw new Error(`${field} must be an object`);
+	const record = value;
+	const allowedHosts = parseStringArray(record.allowedHosts, `${field}.allowedHosts`);
+	const allowedCidrs = parseStringArray(record.allowedCidrs, `${field}.allowedCidrs`);
+	const allowPrivateNetwork = parseOptionalBoolean(record.allowPrivateNetwork, `${field}.allowPrivateNetwork`);
+	const allowInsecureHttp = parseOptionalBoolean(record.allowInsecureHttp, `${field}.allowInsecureHttp`);
+	const expiresAt = parseOptionalString(record.expiresAt, `${field}.expiresAt`);
+	const reason = parseOptionalString(record.reason, `${field}.reason`);
+	const authorization = {};
+	if (allowedHosts.length > 0) authorization.allowedHosts = allowedHosts;
+	if (allowedCidrs.length > 0) authorization.allowedCidrs = allowedCidrs;
+	if (allowPrivateNetwork !== void 0) authorization.allowPrivateNetwork = allowPrivateNetwork;
+	if (allowInsecureHttp !== void 0) authorization.allowInsecureHttp = allowInsecureHttp;
+	if (expiresAt !== void 0) authorization.expiresAt = expiresAt;
+	if (reason !== void 0) authorization.reason = reason;
+	return authorization;
+}
+function clamp(value, min, max) {
+	return Math.min(Math.max(value, min), max);
+}
+function roundMs(ms) {
+	return Math.round(ms * 100) / 100;
+}
+function computeRttStats(samples) {
+	const sorted = [...samples].toSorted((a, b) => a - b);
+	if (sorted.length === 0) return null;
+	return {
+		count: sorted.length,
+		minMs: sorted[0],
+		maxMs: sorted[sorted.length - 1],
+		avgMs: roundMs(sorted.reduce((s, v) => s + v, 0) / sorted.length),
+		p50Ms: sorted[Math.floor(sorted.length * .5)],
+		p95Ms: sorted[Math.floor(sorted.length * .95)]
+	};
+}
+async function resolveAuthorizedTransportTarget(rawUrl, authorization, operationLabel) {
+	let url;
+	try {
+		url = new URL(rawUrl);
+	} catch {
+		throw new Error("url must be an absolute http:// or https:// URL");
+	}
+	if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("url must use the http:// or https:// scheme");
+	const authorizationPolicy = createNetworkAuthorizationPolicy(authorization);
+	const allowLegacyLocalSsrf = !authorizationPolicy && isLocalSsrfBypassEnabled();
+	if (authorizationPolicy && (authorizationPolicy.allowPrivateNetwork || authorizationPolicy.allowInsecureHttp) && !hasAuthorizedTargets(authorizationPolicy)) throw new Error("authorization must include at least one allowed host or CIDR when enabling private network or insecure HTTP access.");
+	if (isNetworkAuthorizationExpired(authorizationPolicy)) throw new Error("authorization expired before the request was executed.");
+	let target;
+	try {
+		target = await resolveNetworkTarget(url.toString());
+	} catch {
+		throw new Error(`${operationLabel} blocked: DNS resolution failed for "${url.toString()}"`);
+	}
+	const isPrivateTargetAllowed = (resolvedTarget) => {
+		if (allowLegacyLocalSsrf) return true;
+		return authorizationPolicy?.allowPrivateNetwork === true && isAuthorizedNetworkTarget(authorizationPolicy, resolvedTarget);
+	};
+	const isInsecureHttpAllowed = (resolvedTarget) => {
+		if (allowLegacyLocalSsrf) return true;
+		if (isLoopbackHost(resolvedTarget.hostname)) return true;
+		return authorizationPolicy?.allowInsecureHttp === true && isAuthorizedNetworkTarget(authorizationPolicy, resolvedTarget);
+	};
+	const effectivePort = Number.parseInt(url.port || (url.protocol === "https:" ? "443" : "80"), 10);
+	if (url.protocol === "http:" && !isInsecureHttpAllowed(target)) throw new Error(`${operationLabel} blocked: insecure HTTP is only allowed for loopback or explicitly authorized targets, got "${target.hostname}:${String(effectivePort)}"`);
+	const hostnameIsPrivate = isPrivateHost(target.hostname);
+	const resolvedAddressIsPrivate = isPrivateHost(target.resolvedAddress ?? "");
+	const loopbackTarget = isLoopbackHost(target.hostname) || isLoopbackHost(target.resolvedAddress ?? "");
+	if ((hostnameIsPrivate || resolvedAddressIsPrivate) && !loopbackTarget && !isPrivateTargetAllowed(target)) {
+		if (!hostnameIsPrivate && resolvedAddressIsPrivate && target.resolvedAddress) throw new Error(`${operationLabel} blocked: "${target.hostname}:${String(effectivePort)}" resolved to private IP ${target.resolvedAddress}`);
+		throw new Error(`${operationLabel} blocked: target "${target.hostname}:${String(effectivePort)}" resolves to a private or reserved address.`);
+	}
+	return {
+		url,
+		target,
+		authorizationPolicy,
+		allowLegacyLocalSsrf
+	};
+}
+function normalizeTargetHost(host) {
+	const trimmed = host.trim();
+	if (trimmed.startsWith("[") && trimmed.endsWith("]")) return trimmed.slice(1, -1);
+	return trimmed;
+}
+function formatHostForUrl(host) {
+	return host.includes(":") && !host.startsWith("[") ? `[${host}]` : host;
+}
+function getRequestMethod(requestText) {
+	const method = (requestText.split(/\r?\n/, 1)[0]?.trim() ?? "").split(/\s+/, 1)[0]?.trim().toUpperCase() ?? "";
+	if (!HTTP_TOKEN_RE.test(method)) throw new Error("requestText must start with a valid HTTP request line");
+	return method;
+}
+async function exchangePlainHttp(host, port, requestBuffer, requestMethod, timeoutMs, maxResponseBytes) {
+	return await new Promise((resolve, reject) => {
+		const socket = net.createConnection({
+			host,
+			port
+		});
+		let settled = false;
+		let sawData = false;
+		const responseChain = new BufferChain();
+		const cleanup = () => {
+			socket.removeAllListeners();
+			socket.destroy();
+		};
+		const finalize = (endedBy) => {
+			if (settled) return;
+			settled = true;
+			cleanup();
+			resolve({
+				rawResponse: responseChain.toBuffer(),
+				endedBy
+			});
+		};
+		const fail = (error) => {
+			if (settled) return;
+			settled = true;
+			cleanup();
+			reject(error);
+		};
+		socket.setTimeout(timeoutMs);
+		socket.once("connect", () => {
+			socket.end(requestBuffer);
+		});
+		socket.on("data", (chunk) => {
+			sawData = true;
+			responseChain.append(chunk);
+			if (responseChain.length > maxResponseBytes) {
+				finalize("max-bytes");
+				return;
+			}
+			const analysis = analyzeHttpResponse(responseChain.toBuffer(), requestMethod);
+			if (!analysis || !analysis.complete) return;
+			if (analysis.bodyMode === "none") {
+				finalize("no-body");
+				return;
+			}
+			if (analysis.bodyMode === "content-length") {
+				finalize("content-length");
+				return;
+			}
+			if (analysis.bodyMode === "chunked") finalize("chunked");
+		});
+		socket.once("timeout", () => {
+			if (!sawData) {
+				fail(/* @__PURE__ */ new Error(`Timed out waiting for HTTP response from ${host}:${String(port)}`));
+				return;
+			}
+			finalize("timeout");
+		});
+		socket.once("end", () => {
+			finalize("socket-close");
+		});
+		socket.once("error", (error) => {
+			fail(error);
+		});
+	});
+}
+function normalizeHttp2HeaderValue(value) {
+	if (value === void 0) return null;
+	if (Array.isArray(value)) return value.map((entry) => String(entry));
+	return String(value);
+}
+function normalizeHttp2Headers(headers) {
+	const normalized = {};
+	for (const [name, value] of Object.entries(headers)) {
+		const normalizedValue = normalizeHttp2HeaderValue(value);
+		if (normalizedValue !== null) normalized[name] = normalizedValue;
+	}
+	return normalized;
+}
+function normalizeAlpnProtocol(protocol) {
+	if (!protocol) return null;
+	const trimmed = protocol.trim();
+	return trimmed.length > 0 ? trimmed : null;
+}
+function toHttp2RequestHeaders(headers) {
+	const output = {};
+	for (const [name, value] of Object.entries(headers ?? {})) output[name.toLowerCase()] = value;
+	return output;
+}
+function performHttp2ProbeInternal(options) {
+	const { url, target, method, requestHeaders, bodyBuffer, timeoutMs, maxBodyBytes, effectivePort, requestedAlpnProtocols } = options;
+	let observedAlpnProtocol = null;
+	return new Promise((resolve, reject) => {
+		let settled = false;
+		let responseHeaders;
+		const bodyChain = new BufferChain();
+		let truncated = false;
+		let request = null;
+		let connectedSocket = null;
+		const session = http2.connect(url.origin, { createConnection: () => {
+			if (url.protocol === "https:") {
+				const socket = tls.connect({
+					host: target.resolvedAddress ?? target.hostname,
+					port: effectivePort,
+					servername: target.hostname,
+					ALPNProtocols: requestedAlpnProtocols,
+					rejectUnauthorized: true
+				});
+				socket.setTimeout(timeoutMs, () => {
+					socket.destroy(/* @__PURE__ */ new Error(`Timed out probing HTTP/2 endpoint ${url.toString()}`));
+				});
+				socket.once("secureConnect", () => {
+					observedAlpnProtocol = normalizeAlpnProtocol(socket.alpnProtocol);
+				});
+				connectedSocket = socket;
+				return socket;
+			}
+			const socket = net.connect({
+				host: target.resolvedAddress ?? target.hostname,
+				port: effectivePort
+			});
+			socket.setTimeout(timeoutMs, () => {
+				socket.destroy(/* @__PURE__ */ new Error(`Timed out probing HTTP/2 endpoint ${url.toString()}`));
+			});
+			connectedSocket = socket;
+			return socket;
+		} });
+		const cleanup = () => {
+			request?.removeAllListeners();
+			session.removeAllListeners();
+		};
+		const finish = () => {
+			if (settled) return;
+			settled = true;
+			cleanup();
+			session.close();
+			resolve({
+				responseHeaders: responseHeaders ?? {},
+				bodyBuffer: bodyChain.toBuffer(),
+				truncated,
+				alpnProtocol: observedAlpnProtocol
+			});
+		};
+		const fail = (error) => {
+			if (settled) return;
+			settled = true;
+			cleanup();
+			session.destroy(error);
+			reject(error);
+		};
+		session.once("error", (error) => {
+			if (connectedSocket instanceof tls.TLSSocket) observedAlpnProtocol = normalizeAlpnProtocol(connectedSocket.alpnProtocol);
+			fail(error instanceof Error ? error : new Error(String(error)));
+		});
+		session.once("connect", () => {
+			if (connectedSocket instanceof tls.TLSSocket) observedAlpnProtocol = normalizeAlpnProtocol(connectedSocket.alpnProtocol);
+			request = session.request({
+				":method": method,
+				":path": `${url.pathname}${url.search}`,
+				":scheme": url.protocol.slice(0, -1),
+				":authority": url.host,
+				...requestHeaders
+			});
+			request.once("response", (headers) => {
+				responseHeaders = headers;
+			});
+			request.on("data", (chunk) => {
+				const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, "utf8");
+				const remaining = maxBodyBytes - bodyChain.length;
+				if (remaining > 0) bodyChain.append(buffer.subarray(0, remaining));
+				if (buffer.length > remaining && !truncated) {
+					truncated = true;
+					request?.close(http2.constants.NGHTTP2_CANCEL);
+				}
+			});
+			request.once("end", finish);
+			request.once("close", () => {
+				if (truncated) finish();
+			});
+			request.once("error", (error) => {
+				fail(error instanceof Error ? error : new Error(String(error)));
+			});
+			if (bodyBuffer.length > 0) request.end(bodyBuffer);
+			else request.end();
+		});
+	});
+}
+//#endregion
+//#region src/native/IcmpProbe.ts
+/**
+* Cross-platform ICMP probe and traceroute via koffi FFI.
+*
+* Windows: IcmpSendEcho from iphlpapi.dll (no admin required).
+* Linux/macOS: Raw ICMP sockets via libc (requires root/CAP_NET_RAW).
+*
+* Uses Buffer-based struct parsing (same pattern as Win32API.ts)
+* to avoid koffi struct registration issues in test environments.
+*/
+function ipToString(addr) {
+	return `${addr & 255}.${addr >>> 8 & 255}.${addr >>> 16 & 255}.${addr >>> 24 & 255}`;
+}
+function isValidIpv4(ip) {
+	const parts = ip.split(".");
+	if (parts.length !== 4) return false;
+	return parts.every((p) => {
+		const n = parseInt(p, 10);
+		return !isNaN(n) && n >= 0 && n <= 255 && p === String(n);
+	});
+}
+let _available = null;
+const IP_STATUS = {
+	0: "SUCCESS",
+	11001: "BUF_TOO_SMALL",
+	11002: "DEST_NET_UNREACHABLE",
+	11003: "DEST_HOST_UNREACHABLE",
+	11004: "DEST_PROT_UNREACHABLE",
+	11005: "DEST_PORT_UNREACHABLE",
+	11009: "PACKET_TOO_BIG",
+	11010: "REQ_TIMED_OUT",
+	11013: "TTL_EXPIRED_TRANSIT",
+	11014: "TTL_EXPIRED_REASSEM",
+	11015: "PARAM_PROBLEM",
+	11016: "SOURCE_QUENCH",
+	11050: "GENERAL_FAILURE"
+};
+function winStatusLabel(s) {
+	return IP_STATUS[s] ?? `UNKNOWN_${s}`;
+}
+function winStatusClass(s) {
+	if (s === 0) return "success";
+	if (s === 11010) return "timeout";
+	if (s === 11013 || s === 11014) return "time_exceeded";
+	if (s >= 11002 && s <= 11005) return "destination_unreachable";
+	if (s === 11016) return "source_quench";
+	if (s === 11009) return "packet_too_big";
+	if (s === 11015) return "parameter_problem";
+	return "error";
+}
+let iphlpapi = null;
+let ws2_32 = null;
+function getIphlpapi() {
+	if (!iphlpapi) {
+		iphlpapi = koffi.load("iphlpapi.dll");
+		logger.debug("Loaded iphlpapi.dll via koffi");
+	}
+	return iphlpapi;
+}
+function getWs2_32() {
+	if (!ws2_32) {
+		ws2_32 = koffi.load("ws2_32.dll");
+		logger.debug("Loaded ws2_32.dll via koffi");
+	}
+	return ws2_32;
+}
+const IP_OPT_SIZE = 16;
+const MIN_REPLY_BUF_SIZE = 256;
+const ICMP_REPLY_OVERHEAD = 64;
+function getReplyBufferSize(packetSize) {
+	return Math.max(MIN_REPLY_BUF_SIZE, packetSize + ICMP_REPLY_OVERHEAD);
+}
+function buildOptionBuf(ttl) {
+	const buf = Buffer.alloc(IP_OPT_SIZE, 0);
+	buf.writeUInt8(ttl, 0);
+	return buf;
+}
+function parseReply(buf) {
+	return {
+		address: buf.readUInt32LE(0),
+		status: buf.readUInt32LE(4),
+		rtt: buf.readUInt32LE(8)
+	};
+}
+function win_inet_addr(ip) {
+	return getWs2_32().func("uint32 inet_addr(char *)")(ip);
+}
+function win_IcmpCreateFile() {
+	return getIphlpapi().func("void * IcmpCreateFile()")();
+}
+function win_IcmpCloseHandle(h) {
+	return getIphlpapi().func("int IcmpCloseHandle(void *)")(h) !== 0;
+}
+function win_IcmpSendEcho(handle, destAddr, sendData, optionBuf, timeoutMs) {
+	const fn = getIphlpapi().func("uint32 IcmpSendEcho(void *, uint32, void *, uint16, void *, void *, uint32, uint32)");
+	const replyBuf = Buffer.alloc(getReplyBufferSize(sendData.length));
+	const n = fn(handle, destAddr, sendData, sendData.length, optionBuf, replyBuf, replyBuf.length, timeoutMs);
+	return {
+		numReplies: Number(n),
+		replyBuf
+	};
+}
+function winIcmpProbe(params) {
+	const { target, ttl = 128, packetSize = ICMP_DEFAULT_PACKET_SIZE, timeout = ICMP_PROBE_TIMEOUT_MS } = params;
+	const destAddr = win_inet_addr(target);
+	if (destAddr === 4294967295) return {
+		target,
+		ip: "",
+		alive: false,
+		rtt: null,
+		ttl,
+		icmpStatus: "INVALID_ADDRESS",
+		errorClass: "error",
+		packetSize
+	};
+	const handle = win_IcmpCreateFile();
+	try {
+		const { numReplies, replyBuf } = win_IcmpSendEcho(handle, destAddr, Buffer.alloc(packetSize, 170), buildOptionBuf(ttl), timeout);
+		if (numReplies === 0) return {
+			target,
+			ip: ipToString(destAddr),
+			alive: false,
+			rtt: null,
+			ttl,
+			icmpStatus: "REQ_TIMED_OUT",
+			errorClass: "timeout",
+			packetSize
+		};
+		const reply = parseReply(replyBuf);
+		return {
+			target,
+			ip: ipToString(reply.address),
+			alive: reply.status === 0,
+			rtt: reply.status === 0 ? reply.rtt : null,
+			ttl,
+			icmpStatus: winStatusLabel(reply.status),
+			errorClass: winStatusClass(reply.status),
+			packetSize
+		};
+	} finally {
+		win_IcmpCloseHandle(handle);
+	}
+}
+function winTraceroute(params) {
+	const { target, maxHops = ICMP_TRACEROUTE_MAX_HOPS, timeout = ICMP_PROBE_TIMEOUT_MS, packetSize = ICMP_DEFAULT_PACKET_SIZE } = params;
+	const destAddr = win_inet_addr(target);
+	if (destAddr === 4294967295) return {
+		target,
+		ip: "",
+		hops: [],
+		reached: false,
+		totalHops: 0,
+		totalTime: 0
+	};
+	const handle = win_IcmpCreateFile();
+	const hops = [];
+	const t0 = performance.now();
+	try {
+		for (let ttl = 1; ttl <= maxHops; ttl++) {
+			const { numReplies, replyBuf } = win_IcmpSendEcho(handle, destAddr, Buffer.alloc(packetSize, 170), buildOptionBuf(ttl), timeout);
+			if (numReplies === 0) {
+				hops.push({
+					hop: ttl,
+					ip: null,
+					rtt: null,
+					status: "REQ_TIMED_OUT",
+					errorClass: "timeout"
+				});
+				continue;
+			}
+			const reply = parseReply(replyBuf);
+			const hopIp = ipToString(reply.address);
+			hops.push({
+				hop: ttl,
+				ip: hopIp,
+				rtt: reply.rtt,
+				status: winStatusLabel(reply.status),
+				errorClass: winStatusClass(reply.status)
+			});
+			if (reply.status === 0) break;
+		}
+	} finally {
+		win_IcmpCloseHandle(handle);
+	}
+	const last = hops[hops.length - 1];
+	return {
+		target,
+		ip: ipToString(destAddr),
+		hops,
+		reached: last?.status === "SUCCESS",
+		totalHops: hops.length,
+		totalTime: Math.round((performance.now() - t0) * 100) / 100
+	};
+}
+const AF_INET = 2;
+const SOCK_RAW = 3;
+const IPPROTO_ICMP = 1;
+const IPPROTO_IP = 0;
+const IP_TTL = 2;
+const SOL_SOCKET = 1;
+const SO_RCVTIMEO = process.platform === "darwin" ? 4102 : 20;
+const POSIX_LIB = process.platform === "darwin" ? "/usr/lib/libSystem.B.dylib" : "libc.so.6";
+let posixLib = null;
+function getPosixLib() {
+	if (!posixLib) {
+		posixLib = koffi.load(POSIX_LIB);
+		logger.debug(`Loaded ${POSIX_LIB} via koffi for ICMP`);
+	}
+	return posixLib;
+}
+function posixSocket(domain, type, protocol) {
+	return getPosixLib().func("int socket(int, int, int)")(domain, type, protocol);
+}
+function posixSetsockopt(fd, level, optname, optval, optlen) {
+	return getPosixLib().func("int setsockopt(int, int, int, void *, int)")(fd, level, optname, optval, optlen);
+}
+function posixSendto(fd, buf, addr) {
+	return getPosixLib().func("int sendto(int, void *, int, int, void *, int)")(fd, buf, buf.length, 0, addr, 16);
+}
+function posixRecv(fd, buf) {
+	return getPosixLib().func("int recv(int, void *, int, int)")(fd, buf, buf.length, 0);
+}
+function posixClose(fd) {
+	return getPosixLib().func("int close(int)")(fd);
+}
+function computeChecksum(buf) {
+	let sum = 0;
+	for (let i = 0; i < buf.length - 1; i += 2) sum += buf.readUInt16BE(i);
+	if (buf.length & 1) sum += (buf[buf.length - 1] ?? 0) << 8;
+	while (sum > 65535) sum = (sum & 65535) + (sum >>> 16);
+	return ~sum & 65535;
+}
+function buildIcmpEcho(id, seq, payloadSize) {
+	const buf = Buffer.alloc(8 + payloadSize);
+	buf[0] = 8;
+	buf[1] = 0;
+	buf.writeUInt16BE(id & 65535, 4);
+	buf.writeUInt16BE(seq & 65535, 6);
+	for (let i = 8; i < buf.length; i++) buf[i] = 170;
+	buf.writeUInt16BE(computeChecksum(buf), 2);
+	return buf;
+}
+function buildSockaddrIn(ip) {
+	const buf = Buffer.alloc(16, 0);
+	buf.writeUInt16LE(AF_INET, 0);
+	const parts = ip.split(".").map(Number);
+	buf[4] = parts[0] ?? 0;
+	buf[5] = parts[1] ?? 0;
+	buf[6] = parts[2] ?? 0;
+	buf[7] = parts[3] ?? 0;
+	return buf;
+}
+function parseIcmpPacket(buf, n, expectedId) {
+	if (n < 20) return null;
+	const ihl = ((buf[0] ?? 0) & 15) * 4;
+	if (n < ihl + 8) return null;
+	const icmpType = buf[ihl] ?? 0;
+	const icmpCode = buf[ihl + 1] ?? 0;
+	const fromIp = buf.readUInt32LE(12);
+	if (icmpType === 0) {
+		if (buf.readUInt16BE(ihl + 4) !== expectedId) return null;
+		return {
+			type: icmpType,
+			code: icmpCode,
+			fromIp
+		};
+	}
+	if (icmpType === 11 || icmpType === 3) {
+		const origStart = ihl + 8;
+		if (n < origStart + 28) return null;
+		const origIhl = ((buf[origStart] ?? 0) & 15) * 4;
+		if (n < origStart + origIhl + 8) return null;
+		if (buf.readUInt16BE(origStart + origIhl + 4) !== expectedId) return null;
+		return {
+			type: icmpType,
+			code: icmpCode,
+			fromIp
+		};
+	}
+	return null;
+}
+function posixStatusLabel(type, code, timedOut) {
+	if (type === 0) return "SUCCESS";
+	if (timedOut) return "REQ_TIMED_OUT";
+	if (type === 11 && code === 0) return "TTL_EXPIRED_TRANSIT";
+	if (type === 11 && code === 1) return "TTL_EXPIRED_REASSEM";
+	if (type === 3 && code === 0) return "DEST_NET_UNREACHABLE";
+	if (type === 3 && code === 1) return "DEST_HOST_UNREACHABLE";
+	if (type === 3 && code === 2) return "DEST_PROT_UNREACHABLE";
+	if (type === 3 && code === 3) return "DEST_PORT_UNREACHABLE";
+	return `UNKNOWN_${type}_${code}`;
+}
+function posixErrorClass(type, _code, timedOut) {
+	if (type === 0) return "success";
+	if (timedOut) return "timeout";
+	if (type === 11) return "time_exceeded";
+	if (type === 3) return "destination_unreachable";
+	return "error";
+}
+function posixSetTtl(fd, ttl) {
+	const buf = Buffer.alloc(4);
+	buf.writeInt32LE(ttl);
+	posixSetsockopt(fd, IPPROTO_IP, IP_TTL, buf, 4);
+}
+function posixSetRecvTimeout(fd, timeoutMs) {
+	const tv = Buffer.alloc(16, 0);
+	tv.writeInt32LE(Math.floor(timeoutMs / 1e3), 0);
+	tv.writeInt32LE(timeoutMs % 1e3 * 1e3, 8);
+	posixSetsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, tv, 16);
+}
+function posixIcmpProbe(params) {
+	const { target, ttl = 128, packetSize = ICMP_DEFAULT_PACKET_SIZE, timeout = ICMP_PROBE_TIMEOUT_MS } = params;
+	if (!isValidIpv4(target)) return {
+		target,
+		ip: "",
+		alive: false,
+		rtt: null,
+		ttl,
+		icmpStatus: "INVALID_ADDRESS",
+		errorClass: "error",
+		packetSize
+	};
+	const fd = posixSocket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+	if (fd < 0) return {
+		target,
+		ip: "",
+		alive: false,
+		rtt: null,
+		ttl,
+		icmpStatus: "SOCKET_ERROR",
+		errorClass: "error",
+		packetSize
+	};
+	try {
+		posixSetTtl(fd, ttl);
+		posixSetRecvTimeout(fd, timeout);
+		const id = process.pid & 65535;
+		const packet = buildIcmpEcho(id, 1, packetSize);
+		const destAddr = buildSockaddrIn(target);
+		const t0 = performance.now();
+		if (posixSendto(fd, packet, destAddr) < 0) return {
+			target,
+			ip: target,
+			alive: false,
+			rtt: null,
+			ttl,
+			icmpStatus: "SEND_ERROR",
+			errorClass: "error",
+			packetSize
+		};
+		const recvBuf = Buffer.alloc(512);
+		const n = posixRecv(fd, recvBuf);
+		const rtt = Math.round(performance.now() - t0);
+		if (n <= 0) return {
+			target,
+			ip: target,
+			alive: false,
+			rtt: null,
+			ttl,
+			icmpStatus: "REQ_TIMED_OUT",
+			errorClass: "timeout",
+			packetSize
+		};
+		const reply = parseIcmpPacket(recvBuf, n, id);
+		if (!reply) return {
+			target,
+			ip: target,
+			alive: false,
+			rtt: null,
+			ttl,
+			icmpStatus: "UNEXPECTED_REPLY",
+			errorClass: "error",
+			packetSize
+		};
+		const alive = reply.type === 0;
+		return {
+			target,
+			ip: ipToString(reply.fromIp),
+			alive,
+			rtt: alive ? rtt : null,
+			ttl,
+			icmpStatus: posixStatusLabel(reply.type, reply.code, false),
+			errorClass: posixErrorClass(reply.type, reply.code, false),
+			packetSize
+		};
+	} finally {
+		posixClose(fd);
+	}
+}
+function posixTraceroute(params) {
+	const { target, maxHops = ICMP_TRACEROUTE_MAX_HOPS, timeout = ICMP_PROBE_TIMEOUT_MS, packetSize = ICMP_DEFAULT_PACKET_SIZE } = params;
+	if (!isValidIpv4(target)) return {
+		target,
+		ip: "",
+		hops: [],
+		reached: false,
+		totalHops: 0,
+		totalTime: 0
+	};
+	const fd = posixSocket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+	if (fd < 0) return {
+		target,
+		ip: "",
+		hops: [],
+		reached: false,
+		totalHops: 0,
+		totalTime: 0
+	};
+	const hops = [];
+	const id = process.pid & 65535;
+	const destAddr = buildSockaddrIn(target);
+	const t0 = performance.now();
+	const MAX_CONSECUTIVE_SEND_ERRORS = 5;
+	let consecutiveSendErrors = 0;
+	try {
+		posixSetRecvTimeout(fd, timeout);
+		for (let ttl = 1; ttl <= maxHops; ttl++) {
+			posixSetTtl(fd, ttl);
+			const packet = buildIcmpEcho(id, ttl, packetSize);
+			const sendT0 = performance.now();
+			if (posixSendto(fd, packet, destAddr) < 0) {
+				consecutiveSendErrors++;
+				hops.push({
+					hop: ttl,
+					ip: null,
+					rtt: null,
+					status: "SEND_ERROR",
+					errorClass: "error"
+				});
+				if (consecutiveSendErrors >= MAX_CONSECUTIVE_SEND_ERRORS) break;
+				continue;
+			}
+			consecutiveSendErrors = 0;
+			const recvBuf = Buffer.alloc(512);
+			const n = posixRecv(fd, recvBuf);
+			const rtt = Math.round(performance.now() - sendT0);
+			if (n <= 0) {
+				hops.push({
+					hop: ttl,
+					ip: null,
+					rtt: null,
+					status: "REQ_TIMED_OUT",
+					errorClass: "timeout"
+				});
+				continue;
+			}
+			const reply = parseIcmpPacket(recvBuf, n, id);
+			if (!reply) {
+				hops.push({
+					hop: ttl,
+					ip: null,
+					rtt: null,
+					status: "UNEXPECTED_REPLY",
+					errorClass: "error"
+				});
+				continue;
+			}
+			const status = posixStatusLabel(reply.type, reply.code, false);
+			const errorCls = posixErrorClass(reply.type, reply.code, false);
+			hops.push({
+				hop: ttl,
+				ip: ipToString(reply.fromIp),
+				rtt,
+				status,
+				errorClass: errorCls
+			});
+			if (reply.type === 0) break;
+		}
+	} finally {
+		posixClose(fd);
+	}
+	return {
+		target,
+		ip: target,
+		hops,
+		reached: hops[hops.length - 1]?.status === "SUCCESS",
+		totalHops: hops.length,
+		totalTime: Math.round((performance.now() - t0) * 100) / 100
+	};
+}
+const isPosix = process.platform === "linux" || process.platform === "darwin";
+function isIcmpAvailable() {
+	if (_available !== null) return _available;
+	if (process.platform === "win32") try {
+		koffi.load("iphlpapi.dll").unload();
+		_available = true;
+		return true;
+	} catch {
+		_available = false;
+		return false;
+	}
+	if (isPosix) {
+		try {
+			const fd = posixSocket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+			if (fd >= 0) {
+				posixClose(fd);
+				_available = true;
+			} else _available = false;
+		} catch {
+			_available = false;
+		}
+		return _available;
+	}
+	_available = false;
+	return false;
+}
+function icmpProbe(params) {
+	const { target, ttl = 128, packetSize = ICMP_DEFAULT_PACKET_SIZE, timeout = ICMP_PROBE_TIMEOUT_MS } = params;
+	if (!isIcmpAvailable()) return {
+		target,
+		ip: "",
+		alive: false,
+		rtt: null,
+		ttl,
+		icmpStatus: "PLATFORM_NOT_SUPPORTED",
+		errorClass: "error",
+		packetSize
+	};
+	if (process.platform === "win32") return winIcmpProbe({
+		target,
+		ttl,
+		packetSize,
+		timeout
+	});
+	return posixIcmpProbe({
+		target,
+		ttl,
+		packetSize,
+		timeout
+	});
+}
+function traceroute(params) {
+	const { target, maxHops = ICMP_TRACEROUTE_MAX_HOPS, timeout = ICMP_PROBE_TIMEOUT_MS, packetSize = ICMP_DEFAULT_PACKET_SIZE } = params;
+	if (!isIcmpAvailable()) return {
+		target,
+		ip: "",
+		hops: [],
+		reached: false,
+		totalHops: 0,
+		totalTime: 0
+	};
+	if (process.platform === "win32") return winTraceroute({
+		target,
+		maxHops,
+		timeout,
+		packetSize
+	});
+	return posixTraceroute({
+		target,
+		maxHops,
+		timeout,
+		packetSize
+	});
+}
+//#endregion
+//#region src/server/domains/network/handlers/raw-handlers.ts
+/**
+* Raw HTTP/HTTP2/DNS/RTT handlers — standalone class using composition.
+*
+* Extracted from AdvancedToolHandlersRaw (handlers.impl.core.runtime.raw.ts).
+* Uses helpers from ./raw-helpers.ts and ./shared.ts instead of inheritance.
+*/
+var RawHandlers = class {
+	constructor(eventBus) {
+		this.eventBus = eventBus;
+	}
+	async handleDnsResolve(args) {
+		try {
+			const hostname = parseOptionalString(args.hostname, "hostname");
+			if (!hostname) return R.text("hostname is required", true);
+			const rrType = parseOptionalString(args.rrType, "rrType") ?? "A";
+			const validTypes = [
+				"A",
+				"AAAA",
+				"MX",
+				"TXT",
+				"NS",
+				"CNAME",
+				"SOA",
+				"PTR",
+				"SRV",
+				"ANY"
+			];
+			if (!validTypes.includes(rrType)) return R.text(`Invalid rrType: "${rrType}". Expected one of: ${validTypes.join(", ")}`, true);
+			const start = performance.now();
+			const records = await dns.resolve(hostname, rrType);
+			const timing = roundMs(performance.now() - start);
+			return R.ok().json({
+				hostname,
+				rrType,
+				records,
+				timing
+			});
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			return R.fail(`DNS resolve failed: ${message}`).json();
+		}
+	}
+	async handleDnsReverse(args) {
+		try {
+			const ip = parseOptionalString(args.ip, "ip");
+			if (!ip) return R.text("ip is required", true);
+			const start = performance.now();
+			const hostnames = await dns.reverse(ip);
+			const timing = roundMs(performance.now() - start);
+			return R.ok().json({
+				ip,
+				hostnames,
+				timing
+			});
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			return R.fail(`DNS reverse lookup failed: ${message}`).json();
+		}
+	}
+	async handleHttpRequestBuild(args) {
+		try {
+			const method = parseOptionalString(args.method, "method");
+			const target = parseOptionalString(args.target, "target");
+			if (!method) throw new Error("method is required");
+			if (!target) throw new Error("target is required");
+			const built = buildHttpRequest({
+				method,
+				target,
+				host: parseOptionalString(args.host, "host"),
+				headers: parseHeaderRecord(args.headers, "headers"),
+				body: parseRawString(args.body, "body", { allowEmpty: true }),
+				httpVersion: parseOptionalString(args.httpVersion, "httpVersion") ?? "1.1",
+				addHostHeader: parseBooleanArg(args.addHostHeader, true),
+				addContentLength: parseBooleanArg(args.addContentLength, true),
+				addConnectionClose: parseBooleanArg(args.addConnectionClose, true)
+			});
+			emitEvent(this.eventBus, "network:http_request_built", {
+				method: built.startLine.split(" ", 1)[0] ?? "UNKNOWN",
+				target,
+				byteLength: built.requestBytes,
+				timestamp: (/* @__PURE__ */ new Date()).toISOString()
+			});
+			return R.ok().merge(built).json();
+		} catch (error) {
+			return R.fail(error instanceof Error ? error.message : String(error)).json();
+		}
+	}
+	async handleHttpPlainRequest(args) {
+		try {
+			const hostArg = parseOptionalString(args.host, "host");
+			const requestText = parseRawString(args.requestText, "requestText");
+			if (!hostArg) throw new Error("host is required");
+			if (!requestText) throw new Error("requestText is required");
+			const host = normalizeTargetHost(hostArg);
+			const port = parseNumberArg(args.port, {
+				defaultValue: 80,
+				min: 1,
+				max: 65535,
+				integer: true
+			});
+			const timeoutMs = parseNumberArg(args.timeoutMs, {
+				defaultValue: 3e4,
+				min: 1,
+				max: 12e4,
+				integer: true
+			});
+			const maxResponseBytes = parseNumberArg(args.maxResponseBytes, {
+				defaultValue: 512e3,
+				min: 256,
+				max: 5242880,
+				integer: true
+			});
+			const requestMethod = getRequestMethod(requestText);
+			const authorization = parseNetworkAuthorization(args.authorization);
+			const { target } = await resolveAuthorizedTransportTarget(`http://${formatHostForUrl(host)}:${String(port)}/`, authorization, "HTTP request");
+			if (authorization) {
+				const requestTarget = (requestText.split(/\r?\n/, 1)[0] ?? "").split(/\s+/)[1] ?? "";
+				if (requestTarget.includes("://")) try {
+					const targetHost = normalizeTargetHost(new URL(requestTarget).hostname);
+					if (targetHost !== host && targetHost !== (target.resolvedAddress ?? "")) throw new Error(`HTTP request blocked: request-line target host "${targetHost}" does not match authorized host "${host}"`);
+				} catch (e) {
+					if (e instanceof Error && e.message.startsWith("HTTP request blocked:")) throw e;
+				}
+				const hostHeaderValue = requestText.match(/^Host:\s*(\S+)/im)?.[1];
+				if (hostHeaderValue) {
+					const declaredHost = normalizeTargetHost(hostHeaderValue.replace(/:\d+$/, ""));
+					if (declaredHost !== host && declaredHost !== (target.resolvedAddress ?? "")) throw new Error(`HTTP request blocked: Host header "${hostHeaderValue}" does not match authorized host "${host}"`);
+				}
+			}
+			const exchange = await exchangePlainHttp(target.resolvedAddress ?? target.hostname, port, Buffer.from(requestText, "utf8"), requestMethod, timeoutMs, maxResponseBytes);
+			const analysis = analyzeHttpResponse(exchange.rawResponse, requestMethod);
+			if (!analysis) throw new Error("Received data but could not parse complete HTTP response headers.");
+			const bodyIsText = isLikelyTextHttpBody(analysis.rawHeaders.find((h) => h.name.toLowerCase() === "content-type")?.value ?? null, analysis.bodyBuffer);
+			const complete = analysis.complete || analysis.bodyMode === "until-close" && exchange.endedBy === "socket-close";
+			emitEvent(this.eventBus, "network:http_plain_request_completed", {
+				host,
+				port,
+				statusCode: analysis.statusCode,
+				byteLength: exchange.rawResponse.length,
+				timestamp: (/* @__PURE__ */ new Date()).toISOString()
+			});
+			return R.ok().merge({
+				host,
+				port,
+				resolvedAddress: target.resolvedAddress ?? target.hostname,
+				requestBytes: Buffer.byteLength(requestText, "utf8"),
+				response: {
+					statusLine: analysis.statusLine,
+					httpVersion: analysis.httpVersion,
+					statusCode: analysis.statusCode,
+					statusText: analysis.statusText,
+					headers: analysis.headers,
+					rawHeaders: analysis.rawHeaders,
+					headerBytes: analysis.headerBytes,
+					bodyBytes: analysis.bodyBytes,
+					bodyMode: analysis.bodyMode,
+					chunkedDecoded: analysis.chunkedDecoded,
+					complete,
+					truncated: exchange.endedBy === "max-bytes",
+					endedBy: exchange.endedBy,
+					bodyText: bodyIsText ? analysis.bodyBuffer.toString("utf8") : void 0,
+					bodyBase64: bodyIsText ? void 0 : analysis.bodyBuffer.toString("base64")
+				}
+			}).json();
+		} catch (error) {
+			return R.fail(error instanceof Error ? error.message : String(error)).json();
+		}
+	}
+	async handleHttp2Probe(args) {
+		const rawUrl = parseOptionalString(args.url, "url");
+		let eventUrl = rawUrl ?? "";
+		let eventStatusCode = null;
+		let eventAlpnProtocol = null;
+		let eventSuccess = false;
+		try {
+			if (!rawUrl) throw new Error("url is required");
+			const method = (parseOptionalString(args.method, "method") ?? "GET").toUpperCase();
+			if (!HTTP_TOKEN_RE.test(method)) throw new Error("method must be a valid HTTP token");
+			const timeoutMs = parseNumberArg(args.timeoutMs, {
+				defaultValue: 3e4,
+				min: 1,
+				max: 12e4,
+				integer: true
+			});
+			const maxBodyBytes = parseNumberArg(args.maxBodyBytes, {
+				defaultValue: 32768,
+				min: 128,
+				max: 1048576,
+				integer: true
+			});
+			const bodyBuffer = Buffer.from(parseRawString(args.body, "body", { allowEmpty: true }) ?? "", "utf8");
+			const alpnProtocols = parseStringArray(args.alpnProtocols, "alpnProtocols");
+			const requestHeaders = toHttp2RequestHeaders(parseHeaderRecord(args.headers, "headers"));
+			const { url, target } = await resolveAuthorizedTransportTarget(rawUrl, parseNetworkAuthorization(args.authorization), "HTTP/2 probe");
+			eventUrl = url.toString();
+			if (!("content-length" in requestHeaders) && bodyBuffer.length > 0) requestHeaders["content-length"] = String(bodyBuffer.length);
+			const { responseHeaders, bodyBuffer: capturedBody, truncated, alpnProtocol } = await performHttp2ProbeInternal({
+				url,
+				target,
+				method,
+				requestHeaders,
+				bodyBuffer,
+				timeoutMs,
+				maxBodyBytes,
+				effectivePort: Number.parseInt(url.port || (url.protocol === "https:" ? "443" : "80"), 10),
+				requestedAlpnProtocols: alpnProtocols.length > 0 ? alpnProtocols : ["h2", "http/1.1"]
+			});
+			const normalizedHeaders = normalizeHttp2Headers(responseHeaders);
+			const rawStatus = responseHeaders[":status"];
+			const statusCode = typeof rawStatus === "number" ? rawStatus : typeof rawStatus === "string" ? Number.parseInt(rawStatus, 10) : null;
+			const bodyIsText = isLikelyTextHttpBody(typeof normalizedHeaders["content-type"] === "string" ? normalizedHeaders["content-type"] : Array.isArray(normalizedHeaders["content-type"]) ? normalizedHeaders["content-type"][0] ?? null : null, capturedBody);
+			eventStatusCode = Number.isFinite(statusCode ?? NaN) ? statusCode : null;
+			eventAlpnProtocol = alpnProtocol;
+			eventSuccess = true;
+			return R.ok().merge({
+				url: eventUrl,
+				statusCode: eventStatusCode,
+				alpnProtocol: eventAlpnProtocol,
+				headers: normalizedHeaders,
+				bodyBytes: capturedBody.length,
+				truncated,
+				bodyText: bodyIsText ? capturedBody.toString("utf8") : void 0,
+				bodyBase64: bodyIsText ? void 0 : capturedBody.toString("base64")
+			}).json();
+		} catch (error) {
+			return R.fail(error instanceof Error ? error.message : String(error)).json();
+		} finally {
+			emitEvent(this.eventBus, "network:http2_probed", {
+				url: eventUrl,
+				success: eventSuccess,
+				statusCode: eventStatusCode,
+				alpnProtocol: eventAlpnProtocol,
+				timestamp: (/* @__PURE__ */ new Date()).toISOString()
+			});
+		}
+	}
+	async handleHttp2FrameBuild(args) {
+		const frameTypeRaw = parseOptionalString(args.frameType, "frameType");
+		if (!frameTypeRaw) throw new Error("frameType is required");
+		const validFrameTypes = [
+			"DATA",
+			"SETTINGS",
+			"PING",
+			"WINDOW_UPDATE",
+			"RST_STREAM",
+			"GOAWAY",
+			"RAW"
+		];
+		const frameType = frameTypeRaw.toUpperCase();
+		if (!validFrameTypes.includes(frameType)) throw new Error(`frameType must be one of: ${validFrameTypes.join(", ")}`);
+		const streamId = args.streamId !== void 0 ? parseNumberArg(args.streamId, {
+			defaultValue: 0,
+			min: 0,
+			integer: true
+		}) : void 0;
+		const flags = args.flags !== void 0 ? parseNumberArg(args.flags, {
+			defaultValue: 0,
+			min: 0,
+			max: 255,
+			integer: true
+		}) : void 0;
+		const frameTypeCode = args.frameTypeCode !== void 0 ? parseNumberArg(args.frameTypeCode, {
+			defaultValue: 0,
+			min: 0,
+			max: 255,
+			integer: true
+		}) : void 0;
+		const windowSizeIncrement = args.windowSizeIncrement !== void 0 ? parseNumberArg(args.windowSizeIncrement, {
+			defaultValue: 1,
+			min: 1,
+			integer: true
+		}) : void 0;
+		const errorCode = args.errorCode !== void 0 ? parseNumberArg(args.errorCode, {
+			defaultValue: 0,
+			min: 0,
+			integer: true
+		}) : void 0;
+		const lastStreamId = args.lastStreamId !== void 0 ? parseNumberArg(args.lastStreamId, {
+			defaultValue: 0,
+			min: 0,
+			integer: true
+		}) : void 0;
+		const payloadHex = parseOptionalString(args.payloadHex, "payloadHex");
+		const payloadText = parseRawString(args.payloadText, "payloadText", { allowEmpty: true });
+		const payloadEncoding = parseOptionalString(args.payloadEncoding, "payloadEncoding");
+		const ack = parseOptionalBoolean(args.ack, "ack");
+		const pingOpaqueDataHex = parseOptionalString(args.pingOpaqueDataHex, "pingOpaqueDataHex");
+		const debugDataText = parseRawString(args.debugDataText, "debugDataText", { allowEmpty: true });
+		const debugDataEncoding = parseOptionalString(args.debugDataEncoding, "debugDataEncoding");
+		let settings;
+		if (args.settings !== void 0) {
+			if (!Array.isArray(args.settings)) throw new Error("settings must be an array");
+			settings = args.settings.map((entry, index) => {
+				if (typeof entry !== "object" || entry === null || Array.isArray(entry)) throw new Error(`settings[${String(index)}] must be an object with id and value`);
+				return {
+					id: typeof entry.id === "number" ? entry.id : (() => {
+						throw new Error(`settings[${String(index)}].id must be a number`);
+					})(),
+					value: typeof entry.value === "number" ? entry.value : (() => {
+						throw new Error(`settings[${String(index)}].value must be a number`);
+					})()
+				};
+			});
+		}
+		const result = buildHttp2Frame({
+			frameType,
+			...streamId !== void 0 && { streamId },
+			...flags !== void 0 && { flags },
+			...frameTypeCode !== void 0 && { frameTypeCode },
+			...payloadHex !== void 0 && { payloadHex },
+			...payloadText !== void 0 && { payloadText },
+			...payloadEncoding !== void 0 && { payloadEncoding },
+			...settings !== void 0 && { settings },
+			...ack !== void 0 && { ack },
+			...pingOpaqueDataHex !== void 0 && { pingOpaqueDataHex },
+			...windowSizeIncrement !== void 0 && { windowSizeIncrement },
+			...errorCode !== void 0 && { errorCode },
+			...lastStreamId !== void 0 && { lastStreamId },
+			...debugDataText !== void 0 && { debugDataText },
+			...debugDataEncoding !== void 0 && { debugDataEncoding }
+		});
+		emitEvent(this.eventBus, "network:http2_frame_build_completed", {
+			frameType: result.frameType,
+			typeCode: result.typeCode,
+			streamId: result.streamId,
+			flags: result.flags,
+			payloadBytes: result.payloadBytes,
+			timestamp: (/* @__PURE__ */ new Date()).toISOString()
+		});
+		return R.ok().merge(result).json();
+	}
+	async handleNetworkRttMeasure(args) {
+		const urlRaw = parseOptionalString(args.url, "url");
+		if (!urlRaw) throw new Error("url is required");
+		const probeType = parseOptionalString(args.probeType, "probeType") ?? "tcp";
+		if (![
+			"tcp",
+			"tls",
+			"http"
+		].includes(probeType)) throw new Error("probeType must be one of: tcp, tls, http");
+		const iterations = clamp(args.iterations !== void 0 ? parseNumberArg(args.iterations, {
+			defaultValue: 5,
+			min: 1,
+			integer: true
+		}) : 5, 1, 50);
+		const timeoutMs = clamp(args.timeoutMs !== void 0 ? parseNumberArg(args.timeoutMs, {
+			defaultValue: 5e3,
+			min: 100,
+			integer: true
+		}) : 5e3, 100, 3e4);
+		const { url, target } = await resolveAuthorizedTransportTarget(urlRaw, parseNetworkAuthorization(args.authorization), "RTT measurement");
+		const hostname = target.hostname;
+		const port = Number(url.port) || (url.protocol === "https:" ? 443 : 80);
+		const resolvedIp = target.resolvedAddress ?? hostname;
+		const useHttps = url.protocol === "https:";
+		const samples = [];
+		const errors = [];
+		for (let i = 0; i < iterations; i++) try {
+			const rtt = await this.measureSingleRtt(hostname, resolvedIp, port, probeType, timeoutMs, useHttps);
+			samples.push(rtt);
+		} catch (err) {
+			errors.push(err instanceof Error ? err.message : String(err));
+		}
+		const stats = computeRttStats(samples);
+		emitEvent(this.eventBus, "network:rtt_measured", {
+			url: urlRaw,
+			probeType,
+			iterations,
+			successCount: samples.length,
+			errorCount: errors.length,
+			stats,
+			timestamp: (/* @__PURE__ */ new Date()).toISOString()
+		});
+		return R.ok().merge({
+			target: {
+				hostname,
+				port,
+				resolvedIp,
+				probeType
+			},
+			stats,
+			samples,
+			errors: errors.length > 0 ? errors : void 0,
+			timestamp: (/* @__PURE__ */ new Date()).toISOString()
+		}).json();
+	}
+	measureSingleRtt(hostname, address, port, probeType, timeoutMs, useHttps) {
+		switch (probeType) {
+			case "tcp": return this.probeTcp(address, port, timeoutMs);
+			case "tls": return this.probeTls(hostname, address, port, timeoutMs);
+			case "http": return this.probeHttp(hostname, address, port, timeoutMs, useHttps);
+		}
+	}
+	createPinnedLookup(address) {
+		const family = net.isIP(address) === 6 ? 6 : 4;
+		return (_hostname, optionsOrCallback, maybeCallback) => {
+			(typeof optionsOrCallback === "function" ? optionsOrCallback : maybeCallback)?.(null, address, family);
+		};
+	}
+	probeTcp(host, port, timeoutMs) {
+		return new Promise((resolve, reject) => {
+			const start = performance.now();
+			const timer = setTimeout(() => reject(/* @__PURE__ */ new Error(`TCP probe timed out after ${timeoutMs}ms`)), timeoutMs);
+			const socket = net.createConnection({
+				host,
+				port
+			}, () => {
+				clearTimeout(timer);
+				socket.destroy();
+				resolve(roundMs(performance.now() - start));
+			});
+			socket.on("error", (err) => {
+				clearTimeout(timer);
+				socket.destroy();
+				reject(err);
+			});
+		});
+	}
+	probeTls(hostname, address, port, timeoutMs) {
+		return new Promise((resolve, reject) => {
+			const start = performance.now();
+			let settled = false;
+			let socket = null;
+			const finish = (callback) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				socket?.destroy();
+				callback();
+			};
+			const timer = setTimeout(() => {
+				finish(() => reject(/* @__PURE__ */ new Error(`TLS probe timed out after ${timeoutMs}ms`)));
+			}, timeoutMs);
+			socket = tls.connect({
+				host: hostname,
+				port,
+				lookup: this.createPinnedLookup(address),
+				...net.isIP(hostname) === 0 ? { servername: hostname } : {}
+			}, () => {
+				finish(() => resolve(roundMs(performance.now() - start)));
+			});
+			socket.on("error", (err) => {
+				finish(() => reject(err));
+			});
+		});
+	}
+	probeHttp(hostname, address, port, timeoutMs, useHttps) {
+		return new Promise((resolve, reject) => {
+			const start = performance.now();
+			let settled = false;
+			let request = null;
+			const finish = (callback) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				request?.destroy();
+				callback();
+			};
+			const timer = setTimeout(() => {
+				finish(() => reject(/* @__PURE__ */ new Error(`HTTP probe timed out after ${timeoutMs}ms`)));
+			}, timeoutMs);
+			request = (useHttps ? https.request : http$1.request)({
+				host: hostname,
+				port,
+				path: "/",
+				method: "HEAD",
+				lookup: this.createPinnedLookup(address),
+				...useHttps && net.isIP(hostname) === 0 ? { servername: hostname } : {}
+			}, (response) => {
+				response.resume();
+				finish(() => resolve(roundMs(performance.now() - start)));
+			});
+			request.on("error", (error) => {
+				finish(() => reject(error));
+			});
+			request.end();
+		});
+	}
+	async handleNetworkTraceroute(args) {
+		try {
+			if (!isIcmpAvailable()) return R.text("ICMP traceroute not available on this platform (Windows: native API, Linux/macOS: requires root/CAP_NET_RAW)", true);
+			const target = parseOptionalString(args.target, "target");
+			if (!target) return R.text("target is required", true);
+			const result = traceroute({
+				target,
+				maxHops: clamp(args.maxHops !== void 0 ? Number(args.maxHops) : 30, 1, 64),
+				timeout: clamp(args.timeout !== void 0 ? Number(args.timeout) : 5e3, 100, 3e4),
+				packetSize: clamp(args.packetSize !== void 0 ? Number(args.packetSize) : 32, 8, 65500)
+			});
+			return R.ok().json(result);
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			return R.fail(`Traceroute failed: ${message}`).json();
+		}
+	}
+	async handleNetworkIcmpProbe(args) {
+		try {
+			if (!isIcmpAvailable()) return R.text("ICMP probe not available on this platform (Windows: native API, Linux/macOS: requires root/CAP_NET_RAW)", true);
+			const target = parseOptionalString(args.target, "target");
+			if (!target) return R.text("target is required", true);
+			const ttl = clamp(args.ttl !== void 0 ? Number(args.ttl) : 128, 1, 255);
+			const timeout = clamp(args.timeout !== void 0 ? Number(args.timeout) : 5e3, 100, 3e4);
+			const result = icmpProbe({
+				target,
+				ttl,
+				packetSize: clamp(args.packetSize !== void 0 ? Number(args.packetSize) : 32, 8, 65500),
+				timeout
+			});
+			return R.ok().json(result);
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			return R.fail(`ICMP probe failed: ${message}`).json();
+		}
+	}
+};
+//#endregion
+//#region src/server/domains/network/handlers.impl.ts
+var AdvancedToolHandlers = class {
+	collector;
+	consoleMonitor;
+	eventBus;
+	performanceMonitor = null;
+	detailedDataManager = DetailedDataManager.getInstance();
+	core;
+	perf;
+	console_;
+	replay;
+	intercept;
+	raw;
+	constructor(collector, consoleMonitor, eventBus) {
+		this.collector = collector;
+		this.consoleMonitor = consoleMonitor;
+		this.eventBus = eventBus;
+		this.core = new CoreHandlers({
+			collector,
+			consoleMonitor,
+			eventBus
+		});
+		this.perf = new PerformanceHandlers({
+			collector,
+			getPerformanceMonitor: () => this.getPerformanceMonitor()
+		});
+		this.console_ = new ConsoleHandlers({ consoleMonitor });
+		this.replay = new ReplayHandlers({ consoleMonitor });
+		this.intercept = new InterceptHandlers({
+			consoleMonitor,
+			eventBus
+		});
+		this.raw = new RawHandlers(eventBus);
+	}
+	getPerformanceMonitor() {
+		if (!this.performanceMonitor) this.performanceMonitor = new PerformanceMonitor(this.collector);
+		return this.performanceMonitor;
+	}
+	handleNetworkEnable = (args) => this.core.handleNetworkEnable(args);
+	handleNetworkDisable = (args) => this.core.handleNetworkDisable(args);
+	handleNetworkGetStatus = (args) => this.core.handleNetworkGetStatus(args);
+	handleNetworkMonitor = (args) => this.core.handleNetworkMonitor(args);
+	handleNetworkGetRequests = (args) => this.core.handleNetworkGetRequests(args);
+	handleNetworkGetResponseBody = (args) => this.core.handleNetworkGetResponseBody(args);
+	handleNetworkGetStats = (args) => this.core.handleNetworkGetStats(args);
+	handlePerformanceGetMetrics = (args) => this.perf.handlePerformanceGetMetrics(args);
+	handlePerformanceCoverage = (args) => this.perf.handlePerformanceCoverage(args);
+	handlePerformanceStartCoverage = (args) => this.perf.handlePerformanceStartCoverage(args);
+	handlePerformanceStopCoverage = (args) => this.perf.handlePerformanceStopCoverage(args);
+	handlePerformanceTakeHeapSnapshot = (args) => this.perf.handlePerformanceTakeHeapSnapshot(args);
+	handlePerformanceTraceStart = (args) => this.perf.handlePerformanceTraceStart(args);
+	handlePerformanceTraceStop = (args) => this.perf.handlePerformanceTraceStop(args);
+	handlePerformanceTraceDispatch = (args) => String(args["action"] ?? "") === "stop" ? this.perf.handlePerformanceTraceStop(args) : this.perf.handlePerformanceTraceStart(args);
+	handleProfilerCpuStart = (args) => this.perf.handleProfilerCpuStart(args);
+	handleProfilerCpuStop = (args) => this.perf.handleProfilerCpuStop(args);
+	handleProfilerCpuDispatch = (args) => String(args["action"] ?? "") === "stop" ? this.perf.handleProfilerCpuStop(args) : this.perf.handleProfilerCpuStart(args);
+	handleProfilerHeapSamplingStart = (args) => this.perf.handleProfilerHeapSamplingStart(args);
+	handleProfilerHeapSamplingStop = (args) => this.perf.handleProfilerHeapSamplingStop(args);
+	handleProfilerHeapSamplingDispatch = (args) => String(args["action"] ?? "") === "stop" ? this.perf.handleProfilerHeapSamplingStop(args) : this.perf.handleProfilerHeapSamplingStart(args);
+	handleConsoleGetExceptions = (args) => this.console_.handleConsoleGetExceptions(args);
+	handleConsoleInjectDispatch = (args) => {
+		switch (String(args["type"] ?? "")) {
+			case "xhr": return this.console_.handleConsoleInjectXhrInterceptor(args);
+			case "fetch": return this.console_.handleConsoleInjectFetchInterceptor(args);
+			case "function": return this.console_.handleConsoleInjectFunctionTracer(args);
+			default: return this.console_.handleConsoleInjectScriptMonitor(args);
+		}
+	};
+	handleConsoleBuffersDispatch = (args) => {
+		return String(args["action"] ?? "") === "reset" ? this.console_.handleConsoleResetInjectedInterceptors(args) : this.console_.handleConsoleClearInjectedBuffers(args);
+	};
+	handleConsoleInjectScriptMonitor = (args) => this.console_.handleConsoleInjectScriptMonitor(args);
+	handleConsoleInjectXhrInterceptor = (args) => this.console_.handleConsoleInjectXhrInterceptor(args);
+	handleConsoleInjectFetchInterceptor = (args) => this.console_.handleConsoleInjectFetchInterceptor(args);
+	handleConsoleClearInjectedBuffers = (args) => this.console_.handleConsoleClearInjectedBuffers(args);
+	handleConsoleResetInjectedInterceptors = (args) => this.console_.handleConsoleResetInjectedInterceptors(args);
+	handleConsoleInjectFunctionTracer = (args) => this.console_.handleConsoleInjectFunctionTracer(args);
+	handleNetworkExtractAuth = (args) => this.replay.handleNetworkExtractAuth(args);
+	handleNetworkExportHar = (args) => this.replay.handleNetworkExportHar(args);
+	handleNetworkReplayRequest = (args) => this.replay.handleNetworkReplayRequest(args);
+	handleNetworkInterceptResponse = (args) => this.intercept.handleNetworkInterceptResponse(args);
+	handleNetworkInterceptList = (args) => this.intercept.handleNetworkInterceptList(args);
+	handleNetworkInterceptDisable = (args) => this.intercept.handleNetworkInterceptDisable(args);
+	handleNetworkInterceptDispatch = (args) => {
+		const action = String(args["action"] ?? "");
+		switch (action) {
+			case "add": return this.intercept.handleNetworkInterceptResponse(args);
+			case "list": return this.intercept.handleNetworkInterceptList(args);
+			case "disable": return this.intercept.handleNetworkInterceptDisable(args);
+			default: return Promise.resolve({
+				content: [{
+					type: "text",
+					text: `Invalid action: "${action}". Expected one of: add, list, disable`
+				}],
+				isError: true
+			});
+		}
+	};
+	handleNetworkTraceroute = (args) => this.raw.handleNetworkTraceroute(args);
+	handleNetworkIcmpProbe = (args) => this.raw.handleNetworkIcmpProbe(args);
+	handleHttpRequestBuild = (args) => this.raw.handleHttpRequestBuild(args);
+	handleHttpPlainRequest = (args) => this.raw.handleHttpPlainRequest(args);
+	handleHttp2Probe = (args) => this.raw.handleHttp2Probe(args);
+	handleHttp2FrameBuild = (args) => this.raw.handleHttp2FrameBuild(args);
+	handleNetworkRttMeasure = (args) => this.raw.handleNetworkRttMeasure(args);
+};
+//#endregion
+export { AdvancedToolHandlers };