@jshookmcp/jshook 0.2.9 → 0.3.0

package/dist/{handlers-9sAbfIg-.mjs → handlers-BOs9b907.mjs}

@@ -1,29 +1,39 @@
-import { n as asJsonResponse } from "./response-BQVP-xUn.mjs";
-import { a as enableKeyLog, c as parseKeyLog, i as disableKeyLog, l as summarizeKeyLog, n as TLSKeyLogExtractor, o as getKeyLogFilePath, r as decryptPayload, s as lookupSecret } from "./boringssl-inspector-BH2D3VKc.mjs";
-import { a as argString, n as argEnum, o as argStringArray, r as argNumber, t as argBool } from "./parse-args-BlRjqlkL.mjs";
-import { a as isLoopbackHost, s as isPrivateHost } from "./ssrf-policy-ZaUfvhq7.mjs";
+import { n as asJsonResponse } from "./response-CWhh2aLo.mjs";
+import { a as enableKeyLog, c as parseKeyLog, i as disableKeyLog, l as summarizeKeyLog, n as TLSKeyLogExtractor, o as getKeyLogFilePath, r as decryptPayload, s as lookupSecret } from "./boringssl-inspector-Bo_LOLaS.mjs";
+import { a as argString, n as argEnum, o as argStringArray, r as argNumber, t as argBool } from "./parse-args-B4cY5Vx5.mjs";
+import { a as isLoopbackHost, s as isPrivateHost } from "./ssrf-policy-Dsqd-DTX.mjs";
 import { X509Certificate, createHash, randomBytes, randomUUID } from "node:crypto";
 import { readFile } from "node:fs/promises";
 import { Socket, createServer, isIP } from "node:net";
 import { createSocket } from "node:dgram";
 import { checkServerIdentity, connect } from "node:tls";
-//#region src/server/domains/boringssl-inspector/handlers/shared.ts
-function validateNetworkTarget(host) {
-	if (isPrivateHost(host) && !isLoopbackHost(host)) return {
-		ok: false,
-		error: `Blocked: target host "${host}" resolves to a private/internal address. SSRF protection applies.`
-	};
-	return null;
-}
+//#region src/server/domains/boringssl-inspector/handlers/shared/types.ts
 const TLS_VERSION_SET = new Set([
 	"TLSv1",
 	"TLSv1.1",
 	"TLSv1.2",
 	"TLSv1.3"
 ]);
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/shared/common.ts
 function errorMessage(error) {
 	return error instanceof Error ? error.message : String(error);
 }
+function normalizeHex(value) {
+	return value.replace(/\s+/g, "").toUpperCase();
+}
+function isHex(value) {
+	return value.length > 0 && value.length % 2 === 0 && /^[0-9A-F]+$/i.test(value);
+}
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/shared/tls-probe.ts
+function validateNetworkTarget(host) {
+	if (isPrivateHost(host) && !isLoopbackHost(host)) return {
+		ok: false,
+		error: `Blocked: target host "${host}" resolves to a private/internal address. SSRF protection applies.`
+	};
+	return null;
+}
 function normalizeSocketServername(servername) {
 	return typeof servername === "string" && servername.length > 0 ? servername : null;
 }
@@ -35,6 +45,45 @@ function applyTlsValidationPolicy(options, allowInvalidCertificates) {
 	Reflect.set(next, "rejectUnauthorized", !allowInvalidCertificates);
 	return next;
 }
+async function loadProbeCaBundle(args) {
+	const caPem = argString(args, "caPem") ?? null;
+	const caPath = argString(args, "caPath") ?? null;
+	if (caPem && caPath) return {
+		ok: false,
+		error: "caPem and caPath are mutually exclusive"
+	};
+	if (caPem) return {
+		ok: true,
+		ca: caPem,
+		source: "inline",
+		path: null,
+		bytes: Buffer.byteLength(caPem)
+	};
+	if (caPath) try {
+		const ca = await readFile(caPath, "utf8");
+		return {
+			ok: true,
+			ca,
+			source: "path",
+			path: caPath,
+			bytes: Buffer.byteLength(ca)
+		};
+	} catch (error) {
+		return {
+			ok: false,
+			error: `Failed to read caPath "${caPath}": ${errorMessage(error)}`
+		};
+	}
+	return {
+		ok: true,
+		ca: void 0,
+		source: null,
+		path: null,
+		bytes: null
+	};
+}
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/shared/certificates.ts
 function isNonEmptyObject(value) {
 	return value !== null && typeof value === "object" && Object.keys(value).length > 0;
 }
@@ -81,43 +130,46 @@ function buildPeerCertificateChain(peerCertificate) {
 	}
 	return chain;
 }
-async function loadProbeCaBundle(args) {
-	const caPem = argString(args, "caPem") ?? null;
-	const caPath = argString(args, "caPath") ?? null;
-	if (caPem && caPath) return {
-		ok: false,
-		error: "caPem and caPath are mutually exclusive"
-	};
-	if (caPem) return {
-		ok: true,
-		ca: caPem,
-		source: "inline",
-		path: null,
-		bytes: Buffer.byteLength(caPem)
-	};
-	if (caPath) try {
-		const ca = await readFile(caPath, "utf8");
+function parseDerCertificate(der) {
+	const sha256 = createHash("sha256").update(der).digest("hex").toUpperCase();
+	try {
+		const cert = new X509Certificate(der);
 		return {
-			ok: true,
-			ca,
-			source: "path",
-			path: caPath,
-			bytes: Buffer.byteLength(ca)
+			subject: cert.subject || void 0,
+			issuer: cert.issuer || void 0,
+			serialNumber: cert.serialNumber || void 0,
+			validFrom: cert.validFrom || void 0,
+			validTo: cert.validTo || void 0,
+			sha256,
+			length: der.length
 		};
-	} catch (error) {
+	} catch {
 		return {
-			ok: false,
-			error: `Failed to read caPath "${caPath}": ${errorMessage(error)}`
+			sha256,
+			length: der.length
 		};
 	}
-	return {
-		ok: true,
-		ca: void 0,
-		source: null,
-		path: null,
-		bytes: null
-	};
 }
+function parseCertificateChain(hexPayload) {
+	const buffer = Buffer.from(normalizeHex(hexPayload), "hex");
+	const certs = [];
+	let cursor = 0;
+	while (cursor < buffer.length - 4) if (buffer[cursor] === 48) {
+		const info = parseDerCertificate(buffer.subarray(cursor));
+		certs.push({
+			sha256: info.sha256,
+			length: info.length
+		});
+		cursor += info.length;
+	} else cursor += 1;
+	if (certs.length === 0 && buffer.length > 0) certs.push({
+		sha256: createHash("sha256").update(buffer).digest("hex").toUpperCase(),
+		length: buffer.length
+	});
+	return certs;
+}
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/shared/session-buffer.ts
 function makeSessionId(kind) {
 	return `${kind}_${randomUUID()}`;
 }
@@ -137,6 +189,83 @@ function serializeSessionState(session) {
 		error: session.error
 	};
 }
+function wakeSessionWaiters(session) {
+	for (const waiter of session.waiters) waiter();
+	session.waiters.clear();
+}
+function attachBufferedSession(session) {
+	session.socket.on("data", (chunk) => {
+		session.buffer = Buffer.concat([session.buffer, chunk]);
+		wakeSessionWaiters(session);
+	});
+	session.socket.on("end", () => {
+		session.ended = true;
+		wakeSessionWaiters(session);
+	});
+	session.socket.on("close", () => {
+		session.closed = true;
+		wakeSessionWaiters(session);
+	});
+	session.socket.on("error", (error) => {
+		session.error = error.message;
+		wakeSessionWaiters(session);
+	});
+}
+function waitForSessionActivity(session, timeoutMs) {
+	return new Promise((resolve) => {
+		const onActivity = () => {
+			clearTimeout(timer);
+			session.waiters.delete(onActivity);
+			resolve(true);
+		};
+		const timer = setTimeout(() => {
+			session.waiters.delete(onActivity);
+			resolve(false);
+		}, timeoutMs);
+		session.waiters.add(onActivity);
+	});
+}
+function consumeSessionBuffer(session, delimiter, includeDelimiter, maxBytes) {
+	const delimiterHex = delimiter ? delimiter.toString("hex").toUpperCase() : null;
+	if (delimiter) {
+		const matchIndex = session.buffer.indexOf(delimiter);
+		if (matchIndex >= 0) {
+			const consumedBytes = matchIndex + delimiter.length;
+			const data = includeDelimiter ? session.buffer.subarray(0, consumedBytes) : session.buffer.subarray(0, matchIndex);
+			session.buffer = session.buffer.subarray(consumedBytes);
+			return {
+				data,
+				matchedDelimiter: true,
+				stopReason: "delimiter",
+				delimiterHex
+			};
+		}
+	}
+	if (typeof maxBytes === "number" && session.buffer.length >= maxBytes) {
+		const data = session.buffer.subarray(0, maxBytes);
+		session.buffer = session.buffer.subarray(maxBytes);
+		return {
+			data,
+			matchedDelimiter: false,
+			stopReason: "maxBytes",
+			delimiterHex
+		};
+	}
+	if ((session.error || session.ended || session.closed) && session.buffer.length > 0) {
+		const data = session.buffer;
+		session.buffer = Buffer.alloc(0);
+		return {
+			data,
+			matchedDelimiter: false,
+			stopReason: session.error ? "error" : "closed",
+			delimiterHex
+		};
+	}
+	return null;
+}
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/shared/websocket.ts
+const WEBSOCKET_ACCEPT_SUFFIX = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
 function serializeWebSocketSessionState(session) {
 	return {
 		bufferedBytes: session.parserBuffer.length,
@@ -153,32 +282,34 @@ function normalizeWebSocketPath(path) {
 	return path.startsWith("/") ? path : `/${path}`;
 }
 function websocketOpcodeName(opcode) {
-	switch (opcode) {
-		case 1: return "text";
-		case 2: return "binary";
-		case 8: return "close";
-		case 9: return "ping";
-		case 10: return "pong";
-		default: return null;
-	}
+	return {
+		1: "text",
+		2: "binary",
+		8: "close",
+		9: "ping",
+		10: "pong"
+	}[opcode] ?? null;
 }
 function computeWebSocketAccept(requestKey) {
-	return createHash("sha1").update(`${requestKey}258EAFA5-E914-47DA-95CA-C5AB0DC85B11`, "utf8").digest("base64");
+	return createHash("sha1").update(`${requestKey}${WEBSOCKET_ACCEPT_SUFFIX}`, "utf8").digest("base64");
 }
 function encodeWebSocketFrame(type, payload, closeCode, closeReason) {
-	let opcode = 1;
+	const opcodeByType = {
+		text: 1,
+		binary: 2,
+		close: 8,
+		ping: 9,
+		pong: 10
+	};
 	let framePayload = payload;
-	if (type === "binary") opcode = 2;
-	else if (type === "close") {
-		opcode = 8;
+	if (type === "close") {
 		if (closeCode !== void 0 && closeCode !== null) {
 			const reasonBuffer = closeReason ? Buffer.from(closeReason, "utf8") : Buffer.alloc(0);
 			framePayload = Buffer.alloc(2 + reasonBuffer.length);
 			framePayload.writeUInt16BE(closeCode, 0);
 			reasonBuffer.copy(framePayload, 2);
 		} else if (closeReason) framePayload = Buffer.from(closeReason, "utf8");
-	} else if (type === "ping") opcode = 9;
-	else if (type === "pong") opcode = 10;
+	}
 	const maskKey = randomBytes(4);
 	const payloadLength = framePayload.length;
 	let header;
@@ -194,7 +325,7 @@ function encodeWebSocketFrame(type, payload, closeCode, closeReason) {
 		header[1] = 255;
 		header.writeBigUInt64BE(BigInt(payloadLength), 2);
 	}
-	header[0] = 128 | opcode;
+	header[0] = 128 | opcodeByType[type];
 	const maskedPayload = Buffer.alloc(payloadLength);
 	for (let index = 0; index < payloadLength; index += 1) maskedPayload[index] = framePayload[index] ^ maskKey[index % 4];
 	return Buffer.concat([
@@ -255,42 +386,6 @@ function tryConsumeWebSocketFrame(buffer) {
 		bytesConsumed: cursor + payloadLength
 	};
 }
-function wakeSessionWaiters(session) {
-	for (const waiter of session.waiters) waiter();
-	session.waiters.clear();
-}
-function attachBufferedSession(session) {
-	session.socket.on("data", (chunk) => {
-		session.buffer = Buffer.concat([session.buffer, chunk]);
-		wakeSessionWaiters(session);
-	});
-	session.socket.on("end", () => {
-		session.ended = true;
-		wakeSessionWaiters(session);
-	});
-	session.socket.on("close", () => {
-		session.closed = true;
-		wakeSessionWaiters(session);
-	});
-	session.socket.on("error", (error) => {
-		session.error = error.message;
-		wakeSessionWaiters(session);
-	});
-}
-function waitForSessionActivity(session, timeoutMs) {
-	return new Promise((resolve) => {
-		const onActivity = () => {
-			clearTimeout(timer);
-			session.waiters.delete(onActivity);
-			resolve(true);
-		};
-		const timer = setTimeout(() => {
-			session.waiters.delete(onActivity);
-			resolve(false);
-		}, timeoutMs);
-		session.waiters.add(onActivity);
-	});
-}
 function wakeWebSocketWaiters(session) {
 	for (const waiter of session.waiters) waiter();
 	session.waiters.clear();
@@ -309,70 +404,59 @@ function waitForWebSocketActivity(session, timeoutMs) {
 		session.waiters.add(onActivity);
 	});
 }
-function consumeSessionBuffer(session, delimiter, includeDelimiter, maxBytes) {
-	if (delimiter) {
-		const matchIndex = session.buffer.indexOf(delimiter);
-		if (matchIndex >= 0) {
-			const consumedBytes = matchIndex + delimiter.length;
-			const data = includeDelimiter ? session.buffer.subarray(0, consumedBytes) : session.buffer.subarray(0, matchIndex);
-			session.buffer = session.buffer.subarray(consumedBytes);
-			return {
-				data,
-				matchedDelimiter: true,
-				stopReason: "delimiter",
-				delimiterHex: delimiter.toString("hex").toUpperCase()
-			};
-		}
-	}
-	if (typeof maxBytes === "number" && session.buffer.length >= maxBytes) {
-		const data = session.buffer.subarray(0, maxBytes);
-		session.buffer = session.buffer.subarray(maxBytes);
-		return {
-			data,
-			matchedDelimiter: false,
-			stopReason: "maxBytes",
-			delimiterHex: delimiter ? delimiter.toString("hex").toUpperCase() : null
-		};
-	}
-	if ((session.error || session.ended || session.closed) && session.buffer.length > 0) {
-		const data = session.buffer;
-		session.buffer = Buffer.alloc(0);
-		return {
-			data,
-			matchedDelimiter: false,
-			stopReason: session.error ? "error" : "closed",
-			delimiterHex: delimiter ? delimiter.toString("hex").toUpperCase() : null
-		};
-	}
-	return null;
-}
-function normalizeHex(value) {
-	return value.replace(/\s+/g, "").toUpperCase();
-}
-function isHex(value) {
-	return value.length > 0 && value.length % 2 === 0 && /^[0-9A-F]+$/i.test(value);
-}
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/shared/tls-parse.ts
+const TLS_VERSION_NAMES = {
+	"3:1": "TLS 1.0",
+	"3:2": "TLS 1.1",
+	"3:3": "TLS 1.2",
+	"3:4": "TLS 1.3"
+};
+const CONTENT_TYPE_NAMES = {
+	20: "change_cipher_spec",
+	21: "alert",
+	22: "handshake",
+	23: "application_data",
+	24: "heartbeat"
+};
+const CIPHER_SUITES_BY_ID = {
+	156: "TLS_RSA_WITH_AES_128_GCM_SHA256",
+	157: "TLS_RSA_WITH_AES_256_GCM_SHA384",
+	52392: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	52393: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+	4865: "TLS_AES_128_GCM_SHA256",
+	4866: "TLS_AES_256_GCM_SHA384",
+	4867: "TLS_CHACHA20_POLY1305_SHA256",
+	4868: "TLS_AES_128_CCM_SHA256",
+	4869: "TLS_AES_128_CCM_8_SHA256",
+	49195: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+	49196: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+	49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+	49200: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+};
+const EXTENSION_NAMES = {
+	0: "server_name",
+	1: "max_fragment_length",
+	5: "status_request",
+	10: "supported_groups",
+	13: "signature_algorithms",
+	16: "application_layer_protocol_negotiation",
+	18: "signed_certificate_timestamp",
+	23: "record_size_limit",
+	27: "compress_certificate",
+	35: "session_ticket",
+	43: "supported_versions",
+	44: "cookie",
+	45: "psk_key_exchange_modes",
+	49: "post_handshake_auth",
+	51: "key_share"
+};
 function tlsVersionName(major, minor) {
-	if (major === 3 && minor === 1) return "TLS 1.0";
-	if (major === 3 && minor === 2) return "TLS 1.1";
-	if (major === 3 && minor === 3) return "TLS 1.2";
-	if (major === 3 && minor === 4) return "TLS 1.3";
-	return `0x${major.toString(16).padStart(2, "0")}${minor.toString(16).padStart(2, "0")}`;
+	return TLS_VERSION_NAMES[`${major}:${minor}`] ?? `0x${major.toString(16).padStart(2, "0")}${minor.toString(16).padStart(2, "0")}`;
 }
 function contentTypeName(contentType) {
-	if (contentType === 20) return "change_cipher_spec";
-	if (contentType === 21) return "alert";
-	if (contentType === 22) return "handshake";
-	if (contentType === 23) return "application_data";
-	if (contentType === 24) return "heartbeat";
-	return "unknown";
+	return CONTENT_TYPE_NAMES[contentType] ?? "unknown";
 }
-/**
-* Parse TLS ClientHello to extract SNI, cipher suites, and extensions.
-* Handles two input layouts:
-* - With handshake header: [type(1) + length(3) + version(2) + random(32) + ...]
-* - Without handshake header: [version(2) + random(32) + ...]
-*/
 function parseClientHello(payload) {
 	const result = {
 		cipherSuites: [],
@@ -426,88 +510,12 @@ function parseClientHello(payload) {
 	}
 	return result;
 }
-const CIPHER_SUITES_BY_ID = {
-	156: "TLS_RSA_WITH_AES_128_GCM_SHA256",
-	157: "TLS_RSA_WITH_AES_256_GCM_SHA384",
-	52392: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-	52393: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-	4865: "TLS_AES_128_GCM_SHA256",
-	4866: "TLS_AES_256_GCM_SHA384",
-	4867: "TLS_CHACHA20_POLY1305_SHA256",
-	4868: "TLS_AES_128_CCM_SHA256",
-	4869: "TLS_AES_128_CCM_8_SHA256",
-	49195: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-	49196: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-	49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-	49200: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
-};
-const EXTENSION_NAMES = {
-	0: "server_name",
-	1: "max_fragment_length",
-	5: "status_request",
-	10: "supported_groups",
-	13: "signature_algorithms",
-	16: "application_layer_protocol_negotiation",
-	18: "signed_certificate_timestamp",
-	23: "record_size_limit",
-	27: "compress_certificate",
-	35: "session_ticket",
-	43: "supported_versions",
-	44: "cookie",
-	45: "psk_key_exchange_modes",
-	49: "post_handshake_auth",
-	51: "key_share"
-};
-/**
-* Parse a DER-encoded certificate to extract basic info.
-*/
-function parseDerCertificate(der) {
-	const sha256 = createHash("sha256").update(der).digest("hex").toUpperCase();
-	try {
-		const cert = new X509Certificate(der);
-		return {
-			subject: cert.subject || void 0,
-			issuer: cert.issuer || void 0,
-			serialNumber: cert.serialNumber || void 0,
-			validFrom: cert.validFrom || void 0,
-			validTo: cert.validTo || void 0,
-			sha256,
-			length: der.length
-		};
-	} catch {
-		return {
-			sha256,
-			length: der.length
-		};
-	}
-}
-/**
-* Parse a chain of DER certificates from hex.
-*/
-function parseCertificateChain(hexPayload) {
-	const buffer = Buffer.from(normalizeHex(hexPayload), "hex");
-	const certs = [];
-	let cursor = 0;
-	while (cursor < buffer.length - 4) if (buffer[cursor] === 48) {
-		const info = parseDerCertificate(buffer.subarray(cursor));
-		certs.push({
-			sha256: info.sha256,
-			length: info.length
-		});
-		cursor += info.length;
-	} else cursor += 1;
-	if (certs.length === 0 && buffer.length > 0) certs.push({
-		sha256: createHash("sha256").update(buffer).digest("hex").toUpperCase(),
-		length: buffer.length
-	});
-	return certs;
-}
 //#endregion
-//#region src/server/domains/boringssl-inspector/handlers/handler-class.ts
+//#region src/server/domains/boringssl-inspector/handlers/base.ts
 /**
-* BoringsslInspectorHandlers — handler methods using shared utilities from ./shared.ts.
+* BoringsslInspectorBaseHandlers — shared state and transport helpers.
 */
-var BoringsslInspectorHandlers = class {
+var BoringsslInspectorBaseHandlers = class {
 	extensionInvoke;
 	eventBus;
 	tcpSessions = /* @__PURE__ */ new Map();
@@ -531,9 +539,6 @@ var BoringsslInspectorHandlers = class {
 	getWebSocketSession(sessionId) {
 		return this.websocketSessions.get(sessionId) ?? null;
 	}
-	emitWebSocketEvent(event, payload) {
-		this.eventBus?.emit(event, payload);
-	}
 	parseWritePayload(args) {
 		const dataHex = argString(args, "dataHex");
 		const dataText = argString(args, "dataText");
@@ -743,347 +748,14 @@ var BoringsslInspectorHandlers = class {
 			session.activeRead = false;
 		}
 	}
-	attachWebSocketSession(session) {
-		const parseBufferedFrames = () => {
-			while (session.parserBuffer.length > 0) {
-				let consumed;
-				try {
-					consumed = tryConsumeWebSocketFrame(session.parserBuffer);
-				} catch (error) {
-					session.error = errorMessage(error);
-					session.socket.destroy();
-					break;
-				}
-				if (!consumed) break;
-				session.parserBuffer = session.parserBuffer.subarray(consumed.bytesConsumed);
-				const frame = consumed.frame;
-				session.frames.push(frame);
-				if (frame.type === "ping" && !session.closeSent && !session.socket.destroyed) {
-					const pongFrame = encodeWebSocketFrame("pong", frame.data);
-					session.socket.write(pongFrame);
-					this.emitWebSocketEvent("websocket:session_written", {
-						sessionId: session.id,
-						frameType: "pong",
-						byteLength: frame.data.length,
-						automatic: true,
-						timestamp: (/* @__PURE__ */ new Date()).toISOString()
-					});
-				}
-				if (frame.type === "close") {
-					session.closeReceived = true;
-					if (!session.closeSent && !session.socket.destroyed) {
-						session.closeSent = true;
-						session.socket.write(encodeWebSocketFrame("close", frame.data, frame.closeCode, frame.closeReason));
-						this.emitWebSocketEvent("websocket:session_written", {
-							sessionId: session.id,
-							frameType: "close",
-							byteLength: frame.data.length,
-							automatic: true,
-							timestamp: (/* @__PURE__ */ new Date()).toISOString()
-						});
-					}
-				}
-			}
-			wakeWebSocketWaiters(session);
+	async closeBufferedSession(sessionId, sessions, kind, args) {
+		const session = sessions.get(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown ${kind} sessionId "${sessionId}"`
 		};
-		session.socket.on("data", (chunk) => {
-			session.parserBuffer = Buffer.concat([session.parserBuffer, chunk]);
-			parseBufferedFrames();
-		});
-		session.socket.on("end", () => {
-			session.ended = true;
-			wakeWebSocketWaiters(session);
-		});
-		session.socket.on("close", () => {
-			session.closed = true;
-			wakeWebSocketWaiters(session);
-		});
-		session.socket.on("error", (error) => {
-			session.error = error.message;
-			wakeWebSocketWaiters(session);
-		});
-		parseBufferedFrames();
-	}
-	async readWebSocketFrame(session, args) {
-		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
-		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
-			ok: false,
-			error: "timeoutMs must be a positive number"
-		};
-		if (session.activeRead) return {
-			ok: false,
-			error: `Session "${session.id}" already has a pending read`,
-			sessionId: session.id,
-			kind: session.kind,
-			state: serializeWebSocketSessionState(session)
-		};
-		session.activeRead = true;
-		const startedAt = Date.now();
-		try {
-			while (true) {
-				const frame = session.frames.shift();
-				if (frame) {
-					this.emitWebSocketEvent("websocket:frame_read", {
-						sessionId: session.id,
-						frameType: frame.type,
-						byteLength: frame.data.length,
-						timestamp: (/* @__PURE__ */ new Date()).toISOString()
-					});
-					return {
-						ok: true,
-						sessionId: session.id,
-						kind: session.kind,
-						scheme: session.scheme,
-						frameType: frame.type,
-						fin: frame.fin,
-						opcode: frame.opcode,
-						masked: frame.masked,
-						byteLength: frame.data.length,
-						dataHex: frame.data.toString("hex").toUpperCase(),
-						dataText: frame.type === "binary" ? null : frame.data.toString("utf8"),
-						closeCode: frame.closeCode,
-						closeReason: frame.closeReason,
-						elapsedMs: Date.now() - startedAt,
-						state: serializeWebSocketSessionState(session)
-					};
-				}
-				if (session.error) return {
-					ok: false,
-					error: session.error,
-					sessionId: session.id,
-					kind: session.kind,
-					state: serializeWebSocketSessionState(session)
-				};
-				if (session.closed || session.ended) return {
-					ok: false,
-					error: "socket closed before a WebSocket frame was available",
-					sessionId: session.id,
-					kind: session.kind,
-					state: serializeWebSocketSessionState(session)
-				};
-				const remainingMs = timeoutMs - (Date.now() - startedAt);
-				if (remainingMs <= 0) return {
-					ok: false,
-					error: "read timed out",
-					sessionId: session.id,
-					kind: session.kind,
-					state: serializeWebSocketSessionState(session)
-				};
-				if (!await waitForWebSocketActivity(session, remainingMs)) return {
-					ok: false,
-					error: "read timed out",
-					sessionId: session.id,
-					kind: session.kind,
-					state: serializeWebSocketSessionState(session)
-				};
-			}
-		} finally {
-			session.activeRead = false;
-		}
-	}
-	async sendWebSocketFrame(session, args) {
-		if (session.closed || session.socket.destroyed) return {
-			ok: false,
-			error: `Session "${session.id}" is already closed`,
-			sessionId: session.id,
-			kind: session.kind,
-			state: serializeWebSocketSessionState(session)
-		};
-		const frameType = argEnum(args, "frameType", new Set([
-			"text",
-			"binary",
-			"ping",
-			"pong",
-			"close"
-		]));
-		if (!frameType) return {
-			ok: false,
-			error: "frameType is required"
-		};
-		const dataHex = argString(args, "dataHex");
-		const dataText = argString(args, "dataText");
-		if (dataHex && dataText) return {
-			ok: false,
-			error: "dataHex and dataText are mutually exclusive"
-		};
-		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
-		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
-			ok: false,
-			error: "timeoutMs must be a positive number"
-		};
-		let payload = Buffer.alloc(0);
-		if (dataHex) {
-			const normalized = normalizeHex(dataHex);
-			if (!isHex(normalized)) return {
-				ok: false,
-				error: "dataHex must be valid even-length hexadecimal data"
-			};
-			payload = Buffer.from(normalized, "hex");
-		} else if (dataText !== void 0) payload = Buffer.from(dataText, "utf8");
-		let closeCode = null;
-		let closeReason = null;
-		if (frameType === "close") {
-			const rawCloseCode = argNumber(args, "closeCode");
-			if (rawCloseCode !== void 0) {
-				if (!Number.isInteger(rawCloseCode) || rawCloseCode < 1e3 || rawCloseCode > 4999) return {
-					ok: false,
-					error: "closeCode must be an integer between 1000 and 4999"
-				};
-				closeCode = rawCloseCode;
-			}
-			closeReason = argString(args, "closeReason") ?? null;
-			if (dataHex || dataText) return {
-				ok: false,
-				error: "close frames use closeCode/closeReason instead of dataHex/dataText"
-			};
-			session.closeSent = true;
-		}
-		if (frameType === "text" && dataHex) return {
-			ok: false,
-			error: "text frames require UTF-8 dataText instead of dataHex"
-		};
-		const frameBuffer = encodeWebSocketFrame(frameType, payload, closeCode, closeReason);
-		return new Promise((resolve) => {
-			let settled = false;
-			const finish = (result) => {
-				if (settled) return;
-				settled = true;
-				clearTimeout(timer);
-				session.socket.off("error", onError);
-				resolve(result);
-			};
-			const timer = setTimeout(() => {
-				finish({
-					ok: false,
-					error: "write timed out",
-					sessionId: session.id,
-					kind: session.kind,
-					state: serializeWebSocketSessionState(session)
-				});
-			}, timeoutMs);
-			const onError = (error) => {
-				finish({
-					ok: false,
-					error: error.message,
-					sessionId: session.id,
-					kind: session.kind,
-					state: serializeWebSocketSessionState(session)
-				});
-			};
-			session.socket.once("error", onError);
-			session.socket.write(frameBuffer, () => {
-				this.emitWebSocketEvent("websocket:session_written", {
-					sessionId: session.id,
-					frameType,
-					byteLength: frameType === "close" ? closeReason ? Buffer.byteLength(closeReason) + 2 : closeCode ? 2 : 0 : payload.length,
-					automatic: false,
-					timestamp: (/* @__PURE__ */ new Date()).toISOString()
-				});
-				finish({
-					ok: true,
-					sessionId: session.id,
-					kind: session.kind,
-					scheme: session.scheme,
-					frameType,
-					bytesWritten: frameBuffer.length,
-					payloadBytes: frameType === "close" ? closeReason ? Buffer.byteLength(closeReason) + 2 : closeCode ? 2 : 0 : payload.length,
-					state: serializeWebSocketSessionState(session)
-				});
-			});
-		});
-	}
-	async closeWebSocketSession(sessionId, args) {
-		const session = this.websocketSessions.get(sessionId);
-		if (!session) return {
-			ok: false,
-			error: `Unknown websocket sessionId "${sessionId}"`
-		};
-		const force = argBool(args, "force") ?? false;
-		const timeoutMs = argNumber(args, "timeoutMs") ?? 1e3;
-		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
-			ok: false,
-			error: "timeoutMs must be a positive number"
-		};
-		const queuedFramesDiscarded = session.frames.length;
-		if (session.closed || session.socket.destroyed) {
-			this.websocketSessions.delete(sessionId);
-			return {
-				ok: true,
-				sessionId,
-				kind: session.kind,
-				force,
-				closed: true,
-				queuedFramesDiscarded,
-				state: serializeWebSocketSessionState(session)
-			};
-		}
-		let closeCode = null;
-		const rawCloseCode = argNumber(args, "closeCode");
-		if (rawCloseCode !== void 0) {
-			if (!Number.isInteger(rawCloseCode) || rawCloseCode < 1e3 || rawCloseCode > 4999) return {
-				ok: false,
-				error: "closeCode must be an integer between 1000 and 4999"
-			};
-			closeCode = rawCloseCode;
-		}
-		const closeReason = argString(args, "closeReason") ?? null;
-		return new Promise((resolve) => {
-			let settled = false;
-			const finish = (closed) => {
-				if (settled) return;
-				settled = true;
-				clearTimeout(timer);
-				session.socket.off("close", onClose);
-				session.socket.off("error", onError);
-				this.websocketSessions.delete(sessionId);
-				this.emitWebSocketEvent("websocket:session_closed", {
-					sessionId,
-					reason: session.error,
-					timestamp: (/* @__PURE__ */ new Date()).toISOString()
-				});
-				resolve({
-					ok: true,
-					sessionId,
-					kind: session.kind,
-					force,
-					closed,
-					queuedFramesDiscarded,
-					state: serializeWebSocketSessionState(session)
-				});
-			};
-			const onClose = () => finish(true);
-			const onError = () => finish(session.socket.destroyed || session.closed);
-			const timer = setTimeout(() => {
-				session.socket.destroy();
-				finish(session.socket.destroyed || session.closed);
-			}, timeoutMs);
-			session.socket.once("close", onClose);
-			session.socket.once("error", onError);
-			if (force) {
-				session.socket.destroy();
-				return;
-			}
-			if (!session.closeSent) {
-				session.closeSent = true;
-				session.socket.write(encodeWebSocketFrame("close", Buffer.alloc(0), closeCode, closeReason));
-				this.emitWebSocketEvent("websocket:session_written", {
-					sessionId,
-					frameType: "close",
-					byteLength: closeReason ? Buffer.byteLength(closeReason) + 2 : closeCode ? 2 : 0,
-					automatic: false,
-					timestamp: (/* @__PURE__ */ new Date()).toISOString()
-				});
-			}
-		});
-	}
-	async closeBufferedSession(sessionId, sessions, kind, args) {
-		const session = sessions.get(sessionId);
-		if (!session) return {
-			ok: false,
-			error: `Unknown ${kind} sessionId "${sessionId}"`
-		};
-		const force = argBool(args, "force") ?? false;
-		const timeoutMs = argNumber(args, "timeoutMs") ?? 1e3;
+		const force = argBool(args, "force") ?? false;
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 1e3;
 		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
 			ok: false,
 			error: "timeoutMs must be a positive number"
@@ -1145,6 +817,13 @@ var BoringsslInspectorHandlers = class {
 			session.socket.end();
 		});
 	}
+};
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/tls-handlers.ts
+/**
+* BoringsslInspectorTlsHandlers — keylog and TLS parsing helpers.
+*/
+var BoringsslInspectorTlsHandlers = class extends BoringsslInspectorBaseHandlers {
 	async handleTlsKeylogEnable(_args) {
 		return {
 			enabled: true,
@@ -1240,7 +919,7 @@ var BoringsslInspectorHandlers = class {
 			error: "rawHex is required"
 		});
 		const normalizedHex = normalizeHex(rawHex);
-		if (!isHex(normalizedHex)) return asJsonResponse({
+		if (!/^(?:[0-9a-f]{2})+$/i.test(normalizedHex)) return asJsonResponse({
 			success: false,
 			error: "Invalid hex payload"
 		});
@@ -1249,9 +928,9 @@ var BoringsslInspectorHandlers = class {
 			success: false,
 			error: "TLS record is too short"
 		});
-		const contentType = record[0] ?? 0;
-		const versionMajor = record[1] ?? 0;
-		const versionMinor = record[2] ?? 0;
+		const contentType = record[0];
+		const versionMajor = record[1];
+		const versionMinor = record[2];
 		const declaredLength = record.readUInt16BE(3);
 		const payload = record.subarray(5);
 		const clientHello = contentType === 22 && payload.length > 0 && payload[0] === 1 ? parseClientHello(payload) : void 0;
@@ -1331,12 +1010,25 @@ var BoringsslInspectorHandlers = class {
 		return asJsonResponse({
 			success: true,
 			certificateCount: certs.length,
-			fingerprints: certs.map((c) => ({
-				sha256: c.sha256,
-				length: c.length
+			fingerprints: certs.map((cert) => ({
+				sha256: cert.sha256,
+				length: cert.length
 			}))
 		});
 	}
+};
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/tls-probe-handlers.ts
+/**
+* BoringsslInspectorTlsProbeHandlers — active TLS probe handler.
+*/
+const TLS_VERSION_ORDER$2 = [
+	"TLSv1",
+	"TLSv1.1",
+	"TLSv1.2",
+	"TLSv1.3"
+];
+var BoringsslInspectorTlsProbeHandlers = class extends BoringsslInspectorTlsHandlers {
 	async handleTlsProbeEndpoint(args) {
 		const host = argString(args, "host")?.trim() ?? null;
 		if (!host) return {
@@ -1368,13 +1060,7 @@ var BoringsslInspectorHandlers = class {
 				error: errorMessage(error)
 			};
 		}
-		const versionOrder = [
-			"TLSv1",
-			"TLSv1.1",
-			"TLSv1.2",
-			"TLSv1.3"
-		];
-		if (minVersion && maxVersion && versionOrder.indexOf(minVersion) > versionOrder.indexOf(maxVersion)) return {
+		if (minVersion && maxVersion && TLS_VERSION_ORDER$2.indexOf(minVersion) > TLS_VERSION_ORDER$2.indexOf(maxVersion)) return {
 			ok: false,
 			error: "minVersion must not be greater than maxVersion"
 		};
@@ -1547,6 +1233,19 @@ var BoringsslInspectorHandlers = class {
 			});
 		});
 	}
+};
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/session-handlers.ts
+/**
+* BoringsslInspectorSessionHandlers — stateful TCP and TLS session handlers.
+*/
+const TLS_VERSION_ORDER$1 = [
+	"TLSv1",
+	"TLSv1.1",
+	"TLSv1.2",
+	"TLSv1.3"
+];
+var BoringsslInspectorSessionHandlers = class extends BoringsslInspectorTlsProbeHandlers {
 	async handleTcpOpen(args) {
 		const host = argString(args, "host") ?? "127.0.0.1";
 		const port = argNumber(args, "port");
@@ -1702,13 +1401,7 @@ var BoringsslInspectorHandlers = class {
 				error: errorMessage(error)
 			};
 		}
-		const versionOrder = [
-			"TLSv1",
-			"TLSv1.1",
-			"TLSv1.2",
-			"TLSv1.3"
-		];
-		if (minVersion && maxVersion && versionOrder.indexOf(minVersion) > versionOrder.indexOf(maxVersion)) return {
+		if (minVersion && maxVersion && TLS_VERSION_ORDER$1.indexOf(minVersion) > TLS_VERSION_ORDER$1.indexOf(maxVersion)) return {
 			ok: false,
 			error: "minVersion must not be greater than maxVersion"
 		};
@@ -1741,195 +1434,585 @@ var BoringsslInspectorHandlers = class {
 		const startedAt = Date.now();
 		return new Promise((resolve) => {
 			let settled = false;
-			const socket = connect(applyTlsValidationPolicy({
-				host,
-				port,
-				servername: target.requestedServername ?? void 0,
-				...minVersion ? { minVersion } : {},
-				...maxVersion ? { maxVersion } : {},
-				...alpnProtocols.length > 0 ? { ALPNProtocols: alpnProtocols } : {},
-				...caBundle.ca ? { ca: caBundle.ca } : {}
-			}, allowInvalidCertificates));
-			const finish = (payload) => {
+			const socket = connect(applyTlsValidationPolicy({
+				host,
+				port,
+				servername: target.requestedServername ?? void 0,
+				...minVersion ? { minVersion } : {},
+				...maxVersion ? { maxVersion } : {},
+				...alpnProtocols.length > 0 ? { ALPNProtocols: alpnProtocols } : {},
+				...caBundle.ca ? { ca: caBundle.ca } : {}
+			}, allowInvalidCertificates));
+			const finish = (payload) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				socket.off("error", onError);
+				socket.off("secureConnect", onSecureConnect);
+				resolve(payload);
+			};
+			const timer = setTimeout(() => {
+				socket.destroy();
+				this.eventBus?.emit("tls:probe_completed", {
+					host,
+					port,
+					success: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: false,
+					error: "TLS open timed out",
+					target,
+					policy
+				});
+			}, timeoutMs);
+			const onError = (error) => {
+				this.eventBus?.emit("tls:probe_completed", {
+					host,
+					port,
+					success: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: false,
+					error: error.message,
+					errorCode: error.code ?? null,
+					target,
+					policy
+				});
+			};
+			const onSecureConnect = () => {
+				const handshakeMs = Date.now() - startedAt;
+				const peerCertificate = socket.getPeerCertificate(true);
+				const hasLeafCertificate = hasPeerCertificate(peerCertificate);
+				const certificateChain = hasLeafCertificate ? buildPeerCertificateChain(peerCertificate) : [];
+				const leafCertificate = certificateChain[0] ?? null;
+				const hostnameError = skipHostnameCheck || !hasLeafCertificate ? void 0 : checkServerIdentity(target.validationTarget, peerCertificate);
+				const hostnameValidation = {
+					checked: !skipHostnameCheck,
+					target: skipHostnameCheck ? null : target.validationTarget,
+					matched: skipHostnameCheck ? null : hostnameError === void 0,
+					error: !skipHostnameCheck && !hasLeafCertificate ? "Peer certificate was not presented by the server" : hostnameError?.message ?? null
+				};
+				const authorizationReasons = [
+					socket.authorized ? "Certificate chain validated against the active trust store." : `Certificate chain validation failed: ${socket.authorizationError ?? "unknown_authority"}`,
+					skipHostnameCheck ? "Hostname validation was skipped by request." : hostnameValidation.matched ? "Hostname validation passed." : `Hostname validation failed: ${hostnameValidation.error ?? "unknown_error"}`,
+					!socket.authorized && allowInvalidCertificates ? "Policy allowed the session to continue despite certificate trust failure." : null
+				].filter((reason) => Boolean(reason));
+				const cipher = socket.getCipher();
+				const metadata = {
+					target,
+					policy,
+					transport: {
+						protocol: socket.getProtocol() ?? null,
+						alpnProtocol: normalizeAlpnProtocol(socket.alpnProtocol),
+						cipher: {
+							name: cipher.name,
+							standardName: cipher.standardName,
+							version: cipher.version
+						},
+						localAddress: socket.localAddress ?? null,
+						localPort: socket.localPort ?? null,
+						remoteAddress: socket.remoteAddress ?? null,
+						remotePort: socket.remotePort ?? null,
+						servernameSent: normalizeSocketServername(socket.servername),
+						sessionReused: socket.isSessionReused()
+					},
+					authorization: {
+						socketAuthorized: socket.authorized,
+						authorizationError: typeof socket.authorizationError === "string" ? socket.authorizationError : socket.authorizationError?.message ?? null,
+						hostnameValidation,
+						policyAllowed: (socket.authorized || allowInvalidCertificates) && (skipHostnameCheck || hostnameValidation.matched === true),
+						reasons: authorizationReasons
+					},
+					certificates: {
+						leaf: leafCertificate,
+						chain: certificateChain
+					}
+				};
+				if (!metadata.authorization.policyAllowed) {
+					socket.destroy();
+					this.eventBus?.emit("tls:probe_completed", {
+						host,
+						port,
+						success: false,
+						timestamp: (/* @__PURE__ */ new Date()).toISOString()
+					});
+					finish({
+						ok: false,
+						error: "TLS session authorization failed",
+						...metadata,
+						timing: { handshakeMs }
+					});
+					return;
+				}
+				const sessionId = makeSessionId("tls");
+				const session = {
+					id: sessionId,
+					kind: "tls",
+					socket,
+					host,
+					port,
+					createdAt: Date.now(),
+					buffer: Buffer.alloc(0),
+					ended: false,
+					closed: false,
+					error: null,
+					waiters: /* @__PURE__ */ new Set(),
+					activeRead: false,
+					metadata
+				};
+				attachBufferedSession(session);
+				this.tlsSessions.set(sessionId, session);
+				this.eventBus?.emit("tls:session_opened", {
+					sessionId,
+					host,
+					port,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				this.eventBus?.emit("tls:probe_completed", {
+					host,
+					port,
+					success: true,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: true,
+					sessionId,
+					kind: "tls",
+					...metadata,
+					timing: { handshakeMs },
+					state: serializeSessionState(session)
+				});
+			};
+			socket.once("error", onError);
+			socket.once("secureConnect", onSecureConnect);
+		});
+	}
+	async handleTlsWrite(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		const session = this.getTlsSession(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown tls sessionId "${sessionId}"`
+		};
+		return this.writeBufferedSession(session, args);
+	}
+	async handleTlsReadUntil(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		const session = this.getTlsSession(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown tls sessionId "${sessionId}"`
+		};
+		return this.readBufferedSessionUntil(session, args);
+	}
+	async handleTlsClose(args) {
+		const sessionId = argString(args, "sessionId")?.trim() ?? null;
+		if (!sessionId) return {
+			ok: false,
+			error: "sessionId is required"
+		};
+		return this.closeBufferedSession(sessionId, this.tlsSessions, "tls", args);
+	}
+};
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/websocket-frame-handlers.ts
+/**
+* BoringsslInspectorWebSocketFrameHandlers — WebSocket session/frame operations.
+*/
+var BoringsslInspectorWebSocketFrameHandlers = class extends BoringsslInspectorSessionHandlers {
+	emitWebSocketEvent(event, payload) {
+		this.eventBus?.emit(event, payload);
+	}
+	attachWebSocketSession(session) {
+		const parseBufferedFrames = () => {
+			while (session.parserBuffer.length > 0) {
+				let consumed;
+				try {
+					consumed = tryConsumeWebSocketFrame(session.parserBuffer);
+				} catch (error) {
+					session.error = errorMessage(error);
+					session.socket.destroy();
+					break;
+				}
+				if (!consumed) break;
+				session.parserBuffer = session.parserBuffer.subarray(consumed.bytesConsumed);
+				const frame = consumed.frame;
+				session.frames.push(frame);
+				if (frame.type === "ping" && !session.closeSent && !session.socket.destroyed) {
+					const pongFrame = encodeWebSocketFrame("pong", frame.data);
+					session.socket.write(pongFrame);
+					this.emitWebSocketEvent("websocket:session_written", {
+						sessionId: session.id,
+						frameType: "pong",
+						byteLength: frame.data.length,
+						automatic: true,
+						timestamp: (/* @__PURE__ */ new Date()).toISOString()
+					});
+				}
+				if (frame.type === "close") {
+					session.closeReceived = true;
+					if (!session.closeSent && !session.socket.destroyed) {
+						session.closeSent = true;
+						session.socket.write(encodeWebSocketFrame("close", frame.data, frame.closeCode, frame.closeReason));
+						this.emitWebSocketEvent("websocket:session_written", {
+							sessionId: session.id,
+							frameType: "close",
+							byteLength: frame.data.length,
+							automatic: true,
+							timestamp: (/* @__PURE__ */ new Date()).toISOString()
+						});
+					}
+				}
+			}
+			wakeWebSocketWaiters(session);
+		};
+		session.socket.on("data", (chunk) => {
+			session.parserBuffer = Buffer.concat([session.parserBuffer, chunk]);
+			parseBufferedFrames();
+		});
+		session.socket.on("end", () => {
+			session.ended = true;
+			wakeWebSocketWaiters(session);
+		});
+		session.socket.on("close", () => {
+			session.closed = true;
+			wakeWebSocketWaiters(session);
+		});
+		session.socket.on("error", (error) => {
+			session.error = error.message;
+			wakeWebSocketWaiters(session);
+		});
+		parseBufferedFrames();
+	}
+	async readWebSocketFrame(session, args) {
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		if (session.activeRead) return {
+			ok: false,
+			error: `Session "${session.id}" already has a pending read`,
+			sessionId: session.id,
+			kind: session.kind,
+			state: serializeWebSocketSessionState(session)
+		};
+		session.activeRead = true;
+		const startedAt = Date.now();
+		try {
+			while (true) {
+				const frame = session.frames.shift();
+				if (frame) {
+					this.emitWebSocketEvent("websocket:frame_read", {
+						sessionId: session.id,
+						frameType: frame.type,
+						byteLength: frame.data.length,
+						timestamp: (/* @__PURE__ */ new Date()).toISOString()
+					});
+					return {
+						ok: true,
+						sessionId: session.id,
+						kind: session.kind,
+						scheme: session.scheme,
+						frameType: frame.type,
+						fin: frame.fin,
+						opcode: frame.opcode,
+						masked: frame.masked,
+						byteLength: frame.data.length,
+						dataHex: frame.data.toString("hex").toUpperCase(),
+						dataText: frame.type === "binary" ? null : frame.data.toString("utf8"),
+						closeCode: frame.closeCode,
+						closeReason: frame.closeReason,
+						elapsedMs: Date.now() - startedAt,
+						state: serializeWebSocketSessionState(session)
+					};
+				}
+				if (session.error) return {
+					ok: false,
+					error: session.error,
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				};
+				if (session.closed || session.ended) return {
+					ok: false,
+					error: "socket closed before a WebSocket frame was available",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				};
+				const remainingMs = timeoutMs - (Date.now() - startedAt);
+				if (remainingMs <= 0) return {
+					ok: false,
+					error: "read timed out",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				};
+				if (!await waitForWebSocketActivity(session, remainingMs)) return {
+					ok: false,
+					error: "read timed out",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				};
+			}
+		} finally {
+			session.activeRead = false;
+		}
+	}
+	async sendWebSocketFrame(session, args) {
+		if (session.closed || session.socket.destroyed) return {
+			ok: false,
+			error: `Session "${session.id}" is already closed`,
+			sessionId: session.id,
+			kind: session.kind,
+			state: serializeWebSocketSessionState(session)
+		};
+		const frameType = argEnum(args, "frameType", new Set([
+			"text",
+			"binary",
+			"ping",
+			"pong",
+			"close"
+		]));
+		if (!frameType) return {
+			ok: false,
+			error: "frameType is required"
+		};
+		const dataHex = argString(args, "dataHex");
+		const dataText = argString(args, "dataText");
+		if (dataHex && dataText) return {
+			ok: false,
+			error: "dataHex and dataText are mutually exclusive"
+		};
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 5e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		let payload = Buffer.alloc(0);
+		if (dataHex) {
+			const normalized = normalizeHex(dataHex);
+			if (!isHex(normalized)) return {
+				ok: false,
+				error: "dataHex must be valid even-length hexadecimal data"
+			};
+			payload = Buffer.from(normalized, "hex");
+		} else if (dataText !== void 0) payload = Buffer.from(dataText, "utf8");
+		let closeCode = null;
+		let closeReason = null;
+		if (frameType === "close") {
+			const rawCloseCode = argNumber(args, "closeCode");
+			if (rawCloseCode !== void 0) {
+				if (!Number.isInteger(rawCloseCode) || rawCloseCode < 1e3 || rawCloseCode > 4999) return {
+					ok: false,
+					error: "closeCode must be an integer between 1000 and 4999"
+				};
+				closeCode = rawCloseCode;
+			}
+			closeReason = argString(args, "closeReason") ?? null;
+			if (dataHex || dataText) return {
+				ok: false,
+				error: "close frames use closeCode/closeReason instead of dataHex/dataText"
+			};
+			session.closeSent = true;
+		}
+		if (frameType === "text" && dataHex) return {
+			ok: false,
+			error: "text frames require UTF-8 dataText instead of dataHex"
+		};
+		const frameBuffer = encodeWebSocketFrame(frameType, payload, closeCode, closeReason);
+		return new Promise((resolve) => {
+			let settled = false;
+			const finish = (result) => {
+				if (settled) return;
+				settled = true;
+				clearTimeout(timer);
+				session.socket.off("error", onError);
+				resolve(result);
+			};
+			const timer = setTimeout(() => {
+				finish({
+					ok: false,
+					error: "write timed out",
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				});
+			}, timeoutMs);
+			const onError = (error) => {
+				finish({
+					ok: false,
+					error: error.message,
+					sessionId: session.id,
+					kind: session.kind,
+					state: serializeWebSocketSessionState(session)
+				});
+			};
+			session.socket.once("error", onError);
+			session.socket.write(frameBuffer, () => {
+				this.emitWebSocketEvent("websocket:session_written", {
+					sessionId: session.id,
+					frameType,
+					byteLength: frameType === "close" ? closeReason ? Buffer.byteLength(closeReason) + 2 : closeCode ? 2 : 0 : payload.length,
+					automatic: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				finish({
+					ok: true,
+					sessionId: session.id,
+					kind: session.kind,
+					scheme: session.scheme,
+					frameType,
+					bytesWritten: frameBuffer.length,
+					payloadBytes: frameType === "close" ? closeReason ? Buffer.byteLength(closeReason) + 2 : closeCode ? 2 : 0 : payload.length,
+					state: serializeWebSocketSessionState(session)
+				});
+			});
+		});
+	}
+	async closeWebSocketSession(sessionId, args) {
+		const session = this.websocketSessions.get(sessionId);
+		if (!session) return {
+			ok: false,
+			error: `Unknown websocket sessionId "${sessionId}"`
+		};
+		const force = argBool(args, "force") ?? false;
+		const timeoutMs = argNumber(args, "timeoutMs") ?? 1e3;
+		if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) return {
+			ok: false,
+			error: "timeoutMs must be a positive number"
+		};
+		const queuedFramesDiscarded = session.frames.length;
+		if (session.closed || session.socket.destroyed) {
+			this.websocketSessions.delete(sessionId);
+			return {
+				ok: true,
+				sessionId,
+				kind: session.kind,
+				force,
+				closed: true,
+				queuedFramesDiscarded,
+				state: serializeWebSocketSessionState(session)
+			};
+		}
+		let closeCode = null;
+		const rawCloseCode = argNumber(args, "closeCode");
+		if (rawCloseCode !== void 0) {
+			if (!Number.isInteger(rawCloseCode) || rawCloseCode < 1e3 || rawCloseCode > 4999) return {
+				ok: false,
+				error: "closeCode must be an integer between 1000 and 4999"
+			};
+			closeCode = rawCloseCode;
+		}
+		const closeReason = argString(args, "closeReason") ?? null;
+		return new Promise((resolve) => {
+			let settled = false;
+			const finish = (closed) => {
 				if (settled) return;
 				settled = true;
 				clearTimeout(timer);
-				socket.off("error", onError);
-				socket.off("secureConnect", onSecureConnect);
-				resolve(payload);
-			};
-			const timer = setTimeout(() => {
-				socket.destroy();
-				this.eventBus?.emit("tls:probe_completed", {
-					host,
-					port,
-					success: false,
-					timestamp: (/* @__PURE__ */ new Date()).toISOString()
-				});
-				finish({
-					ok: false,
-					error: "TLS open timed out",
-					target,
-					policy
-				});
-			}, timeoutMs);
-			const onError = (error) => {
-				this.eventBus?.emit("tls:probe_completed", {
-					host,
-					port,
-					success: false,
-					timestamp: (/* @__PURE__ */ new Date()).toISOString()
-				});
-				finish({
-					ok: false,
-					error: error.message,
-					errorCode: error.code ?? null,
-					target,
-					policy
-				});
-			};
-			const onSecureConnect = () => {
-				const handshakeMs = Date.now() - startedAt;
-				const peerCertificate = socket.getPeerCertificate(true);
-				const hasLeafCertificate = hasPeerCertificate(peerCertificate);
-				const certificateChain = hasLeafCertificate ? buildPeerCertificateChain(peerCertificate) : [];
-				const leafCertificate = certificateChain[0] ?? null;
-				const hostnameError = skipHostnameCheck || !hasLeafCertificate ? void 0 : checkServerIdentity(target.validationTarget, peerCertificate);
-				const hostnameValidation = {
-					checked: !skipHostnameCheck,
-					target: skipHostnameCheck ? null : target.validationTarget,
-					matched: skipHostnameCheck ? null : hostnameError === void 0,
-					error: !skipHostnameCheck && !hasLeafCertificate ? "Peer certificate was not presented by the server" : hostnameError?.message ?? null
-				};
-				const authorizationReasons = [
-					socket.authorized ? "Certificate chain validated against the active trust store." : `Certificate chain validation failed: ${socket.authorizationError ?? "unknown_authority"}`,
-					skipHostnameCheck ? "Hostname validation was skipped by request." : hostnameValidation.matched ? "Hostname validation passed." : `Hostname validation failed: ${hostnameValidation.error ?? "unknown_error"}`,
-					!socket.authorized && allowInvalidCertificates ? "Policy allowed the session to continue despite certificate trust failure." : null
-				].filter((reason) => Boolean(reason));
-				const cipher = socket.getCipher();
-				const metadata = {
-					target,
-					policy,
-					transport: {
-						protocol: socket.getProtocol() ?? null,
-						alpnProtocol: normalizeAlpnProtocol(socket.alpnProtocol),
-						cipher: {
-							name: cipher.name,
-							standardName: cipher.standardName,
-							version: cipher.version
-						},
-						localAddress: socket.localAddress ?? null,
-						localPort: socket.localPort ?? null,
-						remoteAddress: socket.remoteAddress ?? null,
-						remotePort: socket.remotePort ?? null,
-						servernameSent: normalizeSocketServername(socket.servername),
-						sessionReused: socket.isSessionReused()
-					},
-					authorization: {
-						socketAuthorized: socket.authorized,
-						authorizationError: typeof socket.authorizationError === "string" ? socket.authorizationError : socket.authorizationError?.message ?? null,
-						hostnameValidation,
-						policyAllowed: (socket.authorized || allowInvalidCertificates) && (skipHostnameCheck || hostnameValidation.matched === true),
-						reasons: authorizationReasons
-					},
-					certificates: {
-						leaf: leafCertificate,
-						chain: certificateChain
-					}
-				};
-				if (!metadata.authorization.policyAllowed) {
-					socket.destroy();
-					this.eventBus?.emit("tls:probe_completed", {
-						host,
-						port,
-						success: false,
-						timestamp: (/* @__PURE__ */ new Date()).toISOString()
-					});
-					finish({
-						ok: false,
-						error: "TLS session authorization failed",
-						...metadata,
-						timing: { handshakeMs }
-					});
-					return;
-				}
-				const sessionId = makeSessionId("tls");
-				const session = {
-					id: sessionId,
-					kind: "tls",
-					socket,
-					host,
-					port,
-					createdAt: Date.now(),
-					buffer: Buffer.alloc(0),
-					ended: false,
-					closed: false,
-					error: null,
-					waiters: /* @__PURE__ */ new Set(),
-					activeRead: false,
-					metadata
-				};
-				attachBufferedSession(session);
-				this.tlsSessions.set(sessionId, session);
-				this.eventBus?.emit("tls:session_opened", {
+				session.socket.off("close", onClose);
+				session.socket.off("error", onError);
+				this.websocketSessions.delete(sessionId);
+				this.emitWebSocketEvent("websocket:session_closed", {
 					sessionId,
-					host,
-					port,
-					timestamp: (/* @__PURE__ */ new Date()).toISOString()
-				});
-				this.eventBus?.emit("tls:probe_completed", {
-					host,
-					port,
-					success: true,
+					reason: session.error,
 					timestamp: (/* @__PURE__ */ new Date()).toISOString()
 				});
-				finish({
+				resolve({
 					ok: true,
 					sessionId,
-					kind: "tls",
-					...metadata,
-					timing: { handshakeMs },
-					state: serializeSessionState(session)
+					kind: session.kind,
+					force,
+					closed,
+					queuedFramesDiscarded,
+					state: serializeWebSocketSessionState(session)
 				});
 			};
-			socket.once("error", onError);
-			socket.once("secureConnect", onSecureConnect);
+			const onClose = () => finish(true);
+			const onError = () => finish(session.socket.destroyed || session.closed);
+			const timer = setTimeout(() => {
+				session.socket.destroy();
+				finish(session.socket.destroyed || session.closed);
+			}, timeoutMs);
+			session.socket.once("close", onClose);
+			session.socket.once("error", onError);
+			if (force) {
+				session.socket.destroy();
+				return;
+			}
+			if (!session.closeSent) {
+				session.closeSent = true;
+				session.socket.write(encodeWebSocketFrame("close", Buffer.alloc(0), closeCode, closeReason));
+				this.emitWebSocketEvent("websocket:session_written", {
+					sessionId,
+					frameType: "close",
+					byteLength: closeReason ? Buffer.byteLength(closeReason) + 2 : closeCode ? 2 : 0,
+					automatic: false,
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+			}
 		});
 	}
-	async handleTlsWrite(args) {
+	async handleWebSocketSendFrame(args) {
 		const sessionId = argString(args, "sessionId")?.trim() ?? null;
 		if (!sessionId) return {
 			ok: false,
 			error: "sessionId is required"
 		};
-		const session = this.getTlsSession(sessionId);
+		const session = this.getWebSocketSession(sessionId);
 		if (!session) return {
 			ok: false,
-			error: `Unknown tls sessionId "${sessionId}"`
+			error: `Unknown websocket sessionId "${sessionId}"`
 		};
-		return this.writeBufferedSession(session, args);
+		return this.sendWebSocketFrame(session, args);
 	}
-	async handleTlsReadUntil(args) {
+	async handleWebSocketReadFrame(args) {
 		const sessionId = argString(args, "sessionId")?.trim() ?? null;
 		if (!sessionId) return {
 			ok: false,
 			error: "sessionId is required"
 		};
-		const session = this.getTlsSession(sessionId);
+		const session = this.getWebSocketSession(sessionId);
 		if (!session) return {
 			ok: false,
-			error: `Unknown tls sessionId "${sessionId}"`
+			error: `Unknown websocket sessionId "${sessionId}"`
 		};
-		return this.readBufferedSessionUntil(session, args);
+		return this.readWebSocketFrame(session, args);
 	}
-	async handleTlsClose(args) {
+	async handleWebSocketClose(args) {
 		const sessionId = argString(args, "sessionId")?.trim() ?? null;
 		if (!sessionId) return {
 			ok: false,
 			error: "sessionId is required"
 		};
-		return this.closeBufferedSession(sessionId, this.tlsSessions, "tls", args);
+		return this.closeWebSocketSession(sessionId, args);
 	}
+};
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/websocket-handlers.ts
+/**
+* BoringsslInspectorWebSocketHandlers — WebSocket upgrade/open handlers and bypass helpers.
+*/
+const TLS_VERSION_ORDER = [
+	"TLSv1",
+	"TLSv1.1",
+	"TLSv1.2",
+	"TLSv1.3"
+];
+var BoringsslInspectorWebSocketHandlers = class extends BoringsslInspectorWebSocketFrameHandlers {
 	async handleWebSocketOpen(args) {
 		const rawUrl = argString(args, "url")?.trim() ?? null;
 		const rawHost = argString(args, "host")?.trim() ?? null;
@@ -2007,13 +2090,7 @@ var BoringsslInspectorHandlers = class {
 				error: errorMessage(error)
 			};
 		}
-		const versionOrder = [
-			"TLSv1",
-			"TLSv1.1",
-			"TLSv1.2",
-			"TLSv1.3"
-		];
-		if (minVersion && maxVersion && versionOrder.indexOf(minVersion) > versionOrder.indexOf(maxVersion)) return {
+		if (minVersion && maxVersion && TLS_VERSION_ORDER.indexOf(minVersion) > TLS_VERSION_ORDER.indexOf(maxVersion)) return {
 			ok: false,
 			error: "minVersion must not be greater than maxVersion"
 		};
@@ -2110,14 +2187,6 @@ var BoringsslInspectorHandlers = class {
 				sendHandshake();
 			};
 			const onSecureConnect = () => {
-				if (!(socket instanceof Object) || !("getPeerCertificate" in socket)) {
-					finish({
-						ok: false,
-						error: "Expected a TLS socket for wss session",
-						target
-					});
-					return;
-				}
 				const tlsSocket = socket;
 				const peerCertificate = tlsSocket.getPeerCertificate(true);
 				const hasLeafCertificate = hasPeerCertificate(peerCertificate);
@@ -2300,40 +2369,6 @@ var BoringsslInspectorHandlers = class {
 			}
 		});
 	}
-	async handleWebSocketSendFrame(args) {
-		const sessionId = argString(args, "sessionId")?.trim() ?? null;
-		if (!sessionId) return {
-			ok: false,
-			error: "sessionId is required"
-		};
-		const session = this.getWebSocketSession(sessionId);
-		if (!session) return {
-			ok: false,
-			error: `Unknown websocket sessionId "${sessionId}"`
-		};
-		return this.sendWebSocketFrame(session, args);
-	}
-	async handleWebSocketReadFrame(args) {
-		const sessionId = argString(args, "sessionId")?.trim() ?? null;
-		if (!sessionId) return {
-			ok: false,
-			error: "sessionId is required"
-		};
-		const session = this.getWebSocketSession(sessionId);
-		if (!session) return {
-			ok: false,
-			error: `Unknown websocket sessionId "${sessionId}"`
-		};
-		return this.readWebSocketFrame(session, args);
-	}
-	async handleWebSocketClose(args) {
-		const sessionId = argString(args, "sessionId")?.trim() ?? null;
-		if (!sessionId) return {
-			ok: false,
-			error: "sessionId is required"
-		};
-		return this.closeWebSocketSession(sessionId, args);
-	}
 	async handleBypassCertPinning(args) {
 		if (this.extensionInvoke) try {
 			const result = await this.extensionInvoke(args);
@@ -2354,6 +2389,13 @@ var BoringsslInspectorHandlers = class {
 			args
 		});
 	}
+};
+//#endregion
+//#region src/server/domains/boringssl-inspector/handlers/raw-socket-handlers.ts
+/**
+* BoringsslInspectorRawSocketHandlers — stateless raw TCP/UDP helpers.
+*/
+var BoringsslInspectorRawSocketHandlers = class extends BoringsslInspectorWebSocketHandlers {
 	async handleRawTcpSend(args) {
 		const host = argString(args, "host") ?? "127.0.0.1";
 		const port = argNumber(args, "port");
@@ -2420,7 +2462,7 @@ var BoringsslInspectorHandlers = class {
 				server.close();
 				resolve({
 					ok: false,
-					error: "Listen timed out — no connection received"
+					error: "Listen timed out - no connection received"
 				});
 			}, timeout);
 			server.on("connection", (socket) => {
@@ -2549,4 +2591,10 @@ var BoringsslInspectorHandlers = class {
 	}
 };
 //#endregion
+//#region src/server/domains/boringssl-inspector/handlers/handler-class.ts
+/**
+* BoringsslInspectorHandlers — thin facade over the split handler chain.
+*/
+var BoringsslInspectorHandlers = class extends BoringsslInspectorRawSocketHandlers {};
+//#endregion
 export { BoringsslInspectorHandlers };