npm - @jshookmcp/jshook - Versions diffs - 0.2.9 → 0.3.0 - Mend

@jshookmcp/jshook 0.2.9 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (187) hide show

package/dist/manifest-NvH_a-av.mjs ADDED Viewed

@@ -0,0 +1,786 @@
+import { i as asToolResponse } from "./response-CWhh2aLo.mjs";
+import { n as toolLookup } from "./registry-Bl8ZQW61.mjs";
+import { n as defineMethodRegistrations } from "./bind-helpers-ClV34xdn.mjs";
+//#region src/server/domains/boringssl-inspector/definitions/support.ts
+const TLS_VERSION_VALUES = [
+	"TLSv1",
+	"TLSv1.1",
+	"TLSv1.2",
+	"TLSv1.3"
+];
+function objectTool(name, description, properties = {}, required = []) {
+	return {
+		name,
+		description,
+		inputSchema: {
+			type: "object",
+			properties,
+			required
+		}
+	};
+}
+//#endregion
+//#region src/server/domains/boringssl-inspector/definitions/frida-tools.ts
+const fridaTools = [objectTool("tls_cert_pin_bypass_frida", "Bypass certificate pinning via Frida injection (supports BoringSSL, Chrome, OkHttp).")];
+//#endregion
+//#region src/server/domains/boringssl-inspector/definitions/raw-socket-tools.ts
+const rawSocketTools = [
+	objectTool("net_raw_tcp_send", "Send raw TCP data to a remote host; accepts hex or text input.", {
+		host: {
+			type: "string",
+			default: "127.0.0.1",
+			description: "Target host address"
+		},
+		port: {
+			type: "number",
+			description: "Target port number (1-65535)"
+		},
+		dataHex: {
+			type: "string",
+			description: "Hex-encoded data to send"
+		},
+		dataText: {
+			type: "string",
+			description: "Text data to send (alternative to dataHex)"
+		},
+		timeout: {
+			type: "number",
+			default: 5e3,
+			description: "Connection timeout in ms"
+		}
+	}, ["port"]),
+	objectTool("net_raw_tcp_listen", "Listen on a local TCP port for one incoming connection.", {
+		port: {
+			type: "number",
+			description: "Local port to listen on (1-65535)"
+		},
+		timeout: {
+			type: "number",
+			default: 1e4,
+			description: "Listen timeout in ms"
+		}
+	}, ["port"]),
+	objectTool("net_raw_udp_send", "Send a raw UDP datagram and wait for a response.", {
+		host: {
+			type: "string",
+			default: "127.0.0.1",
+			description: "Target host address"
+		},
+		port: {
+			type: "number",
+			description: "Target port number (1-65535)"
+		},
+		dataHex: {
+			type: "string",
+			description: "Hex-encoded data to send"
+		},
+		dataText: {
+			type: "string",
+			description: "Text data to send (alternative to dataHex)"
+		},
+		timeout: {
+			type: "number",
+			default: 5e3,
+			description: "Response timeout in ms"
+		}
+	}, ["port"]),
+	objectTool("net_raw_udp_listen", "Listen on a local UDP port for an incoming datagram.", {
+		port: {
+			type: "number",
+			description: "Local port to listen on (1-65535)"
+		},
+		timeout: {
+			type: "number",
+			default: 1e4,
+			description: "Listen timeout in ms"
+		}
+	}, ["port"])
+];
+//#endregion
+//#region src/server/domains/boringssl-inspector/definitions/session-tools.ts
+const sessionTools = [
+	objectTool("tcp_open", "Open a TCP session.", {
+		host: {
+			type: "string",
+			default: "127.0.0.1",
+			description: "Target host name or IP address"
+		},
+		port: {
+			type: "number",
+			description: "Target TCP port"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Connection timeout in milliseconds"
+		},
+		noDelay: {
+			type: "boolean",
+			default: true,
+			description: "Enable TCP_NODELAY on the socket after connect"
+		}
+	}, ["port"]),
+	objectTool("tcp_write", "Write data to an open TCP session.", {
+		sessionId: {
+			type: "string",
+			description: "TCP session ID"
+		},
+		dataHex: {
+			type: "string",
+			description: "Hex-encoded payload to write"
+		},
+		dataText: {
+			type: "string",
+			description: "UTF-8 text payload to write"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Write timeout in milliseconds"
+		}
+	}, ["sessionId"]),
+	objectTool("tcp_read_until", "Read from an open TCP session until a delimiter or byte limit is reached.", {
+		sessionId: {
+			type: "string",
+			description: "TCP session ID"
+		},
+		delimiterHex: {
+			type: "string",
+			description: "Hex-encoded delimiter to stop at"
+		},
+		delimiterText: {
+			type: "string",
+			description: "UTF-8 delimiter to stop at"
+		},
+		includeDelimiter: {
+			type: "boolean",
+			default: true,
+			description: "Include the delimiter bytes in the returned payload"
+		},
+		maxBytes: {
+			type: "number",
+			description: "Optional maximum number of bytes to return even if no delimiter matches"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Read timeout in milliseconds"
+		}
+	}, ["sessionId"]),
+	objectTool("tcp_close", "Close an open TCP session.", {
+		sessionId: {
+			type: "string",
+			description: "TCP session ID"
+		},
+		force: {
+			type: "boolean",
+			default: false,
+			description: "Destroy the socket immediately instead of sending FIN first"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 1e3,
+			description: "Close wait timeout in milliseconds before forcing socket destruction"
+		}
+	}, ["sessionId"]),
+	objectTool("tls_open", "Open a TLS session.", {
+		host: {
+			type: "string",
+			description: "Target host name or IP address"
+		},
+		port: {
+			type: "number",
+			default: 443,
+			description: "Target TLS port"
+		},
+		servername: {
+			type: "string",
+			description: "Optional SNI and hostname validation override"
+		},
+		alpnProtocols: {
+			type: "array",
+			items: { type: "string" },
+			description: "Optional ALPN protocols to offer"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Connection timeout in milliseconds"
+		},
+		minVersion: {
+			type: "string",
+			enum: [...TLS_VERSION_VALUES],
+			description: "Optional minimum TLS version"
+		},
+		maxVersion: {
+			type: "string",
+			enum: [...TLS_VERSION_VALUES],
+			description: "Optional maximum TLS version"
+		},
+		caPem: {
+			type: "string",
+			description: "Optional PEM-encoded CA bundle"
+		},
+		caPath: {
+			type: "string",
+			description: "Optional path to a PEM-encoded CA bundle"
+		},
+		allowInvalidCertificates: {
+			type: "boolean",
+			default: false,
+			description: "Allow untrusted certificate chains while still reporting the failure"
+		},
+		skipHostnameCheck: {
+			type: "boolean",
+			default: false,
+			description: "Skip hostname verification while still reporting the requested target"
+		}
+	}, ["host"]),
+	objectTool("tls_write", "Write data to an open TLS session.", {
+		sessionId: {
+			type: "string",
+			description: "TLS session ID"
+		},
+		dataHex: {
+			type: "string",
+			description: "Hex-encoded payload to write"
+		},
+		dataText: {
+			type: "string",
+			description: "UTF-8 text payload to write"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Write timeout in milliseconds"
+		}
+	}, ["sessionId"]),
+	objectTool("tls_read_until", "Read from an open TLS session until a delimiter or byte limit is reached.", {
+		sessionId: {
+			type: "string",
+			description: "TLS session ID"
+		},
+		delimiterHex: {
+			type: "string",
+			description: "Hex-encoded delimiter to stop at"
+		},
+		delimiterText: {
+			type: "string",
+			description: "UTF-8 delimiter to stop at"
+		},
+		includeDelimiter: {
+			type: "boolean",
+			default: true,
+			description: "Include the delimiter bytes in the returned payload"
+		},
+		maxBytes: {
+			type: "number",
+			description: "Optional maximum number of bytes to return even if no delimiter matches"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Read timeout in milliseconds"
+		}
+	}, ["sessionId"]),
+	objectTool("tls_close", "Close an open TLS session.", {
+		sessionId: {
+			type: "string",
+			description: "TLS session ID"
+		},
+		force: {
+			type: "boolean",
+			default: false,
+			description: "Destroy the TLS socket immediately instead of sending close_notify/FIN first"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 1e3,
+			description: "Close wait timeout in milliseconds before forcing socket destruction"
+		}
+	}, ["sessionId"])
+];
+//#endregion
+//#region src/server/domains/boringssl-inspector/definitions/tls-analysis-tools.ts
+const tlsAnalysisTools = [
+	objectTool("tls_keylog_enable", "Enable SSLKEYLOGFILE output for BoringSSL-compatible clients."),
+	objectTool("tls_keylog_parse", "Parse an SSLKEYLOGFILE and summarize available key material.", { path: {
+		type: "string",
+		description: "Path to SSLKEYLOGFILE"
+	} }),
+	objectTool("tls_keylog_disable", "Disable SSLKEYLOGFILE capture and unset the environment variable.", { path: {
+		type: "string",
+		description: "Path to disable"
+	} }),
+	objectTool("tls_decrypt_payload", "Decrypt a TLS payload using a provided key, nonce, and algorithm.", {
+		encryptedHex: {
+			type: "string",
+			description: "Hex-encoded encrypted payload"
+		},
+		keyHex: {
+			type: "string",
+			description: "Hex-encoded decryption key"
+		},
+		nonceHex: {
+			type: "string",
+			description: "Hex-encoded nonce/IV"
+		},
+		algorithm: {
+			type: "string",
+			description: "Cipher algorithm",
+			default: "aes-256-gcm"
+		},
+		authTagHex: {
+			type: "string",
+			description: "Hex-encoded authentication tag"
+		}
+	}, [
+		"encryptedHex",
+		"keyHex",
+		"nonceHex"
+	]),
+	objectTool("tls_keylog_summarize", "Summarize the contents of an SSLKEYLOGFILE by label distribution.", { content: {
+		type: "string",
+		description: "Inline keylog content to summarize"
+	} }),
+	objectTool("tls_keylog_lookup_secret", "Look up a TLS secret by client random hex from the parsed keylog.", {
+		clientRandom: {
+			type: "string",
+			description: "Hex-encoded client random"
+		},
+		label: {
+			type: "string",
+			description: "Optional label filter"
+		}
+	}, ["clientRandom"]),
+	objectTool("tls_cert_pin_bypass", "Return a certificate pinning bypass strategy for the selected platform.", { target: {
+		type: "string",
+		enum: [
+			"android",
+			"ios",
+			"desktop"
+		],
+		description: "Target platform for bypass strategy"
+	} }, ["target"]),
+	objectTool("tls_parse_handshake", "Parse TLS handshake metadata from raw hex.", {
+		rawHex: {
+			type: "string",
+			description: "Hex-encoded TLS handshake record"
+		},
+		decrypt: {
+			type: "boolean",
+			description: "Attempt payload decryption using the loaded keylog"
+		}
+	}, ["rawHex"]),
+	objectTool("tls_cipher_suites", "List TLS cipher suites.", { filter: {
+		type: "string",
+		description: "Keyword filter for cipher suite names"
+	} }),
+	objectTool("tls_parse_certificate", "Parse a TLS Certificate message from raw hex and extract fingerprints.", { rawHex: {
+		type: "string",
+		description: "Hex-encoded certificate data"
+	} }, ["rawHex"]),
+	objectTool("tls_probe_endpoint", "Probe a TLS endpoint and report handshake and certificate details.", {
+		host: {
+			type: "string",
+			description: "Target host name or IP address"
+		},
+		port: {
+			type: "number",
+			default: 443,
+			description: "Target TLS port"
+		},
+		servername: {
+			type: "string",
+			description: "Optional SNI and hostname validation override"
+		},
+		alpnProtocols: {
+			type: "array",
+			items: { type: "string" },
+			description: "Optional ALPN protocols to offer"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Probe timeout in milliseconds"
+		},
+		minVersion: {
+			type: "string",
+			enum: [...TLS_VERSION_VALUES],
+			description: "Optional minimum TLS version"
+		},
+		maxVersion: {
+			type: "string",
+			enum: [...TLS_VERSION_VALUES],
+			description: "Optional maximum TLS version"
+		},
+		caPem: {
+			type: "string",
+			description: "Optional PEM-encoded CA bundle"
+		},
+		caPath: {
+			type: "string",
+			description: "Optional path to a PEM-encoded CA bundle"
+		},
+		allowInvalidCertificates: {
+			type: "boolean",
+			default: false,
+			description: "Allow untrusted certificate chains while still reporting the failure"
+		},
+		skipHostnameCheck: {
+			type: "boolean",
+			default: false,
+			description: "Skip hostname verification while still reporting the requested target"
+		}
+	}, ["host"])
+];
+//#endregion
+//#region src/server/domains/boringssl-inspector/definitions/websocket-tools.ts
+const websocketTools = [
+	objectTool("websocket_open", "Open a WebSocket session.", {
+		url: {
+			type: "string",
+			description: "WebSocket URL"
+		},
+		scheme: {
+			type: "string",
+			enum: ["ws", "wss"],
+			default: "ws",
+			description: "WebSocket transport scheme"
+		},
+		host: {
+			type: "string",
+			description: "Target host name or IP address"
+		},
+		port: {
+			type: "number",
+			description: "Target port"
+		},
+		path: {
+			type: "string",
+			default: "/",
+			description: "Request path"
+		},
+		subprotocols: {
+			type: "array",
+			items: { type: "string" },
+			description: "Optional subprotocols to offer"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Handshake timeout in milliseconds"
+		},
+		servername: {
+			type: "string",
+			description: "Optional SNI and hostname validation override"
+		},
+		alpnProtocols: {
+			type: "array",
+			items: { type: "string" },
+			description: "Optional ALPN protocols to offer"
+		},
+		minVersion: {
+			type: "string",
+			enum: [...TLS_VERSION_VALUES],
+			description: "Optional minimum TLS version"
+		},
+		maxVersion: {
+			type: "string",
+			enum: [...TLS_VERSION_VALUES],
+			description: "Optional maximum TLS version"
+		},
+		caPem: {
+			type: "string",
+			description: "Optional PEM-encoded CA bundle"
+		},
+		caPath: {
+			type: "string",
+			description: "Optional path to a PEM-encoded CA bundle"
+		},
+		allowInvalidCertificates: {
+			type: "boolean",
+			default: false,
+			description: "Allow untrusted certificate chains"
+		},
+		skipHostnameCheck: {
+			type: "boolean",
+			default: false,
+			description: "Skip hostname verification"
+		}
+	}),
+	objectTool("websocket_send_frame", "Send a WebSocket frame.", {
+		sessionId: {
+			type: "string",
+			description: "WebSocket session ID"
+		},
+		frameType: {
+			type: "string",
+			enum: [
+				"text",
+				"binary",
+				"ping",
+				"pong",
+				"close"
+			],
+			description: "Outgoing frame opcode"
+		},
+		dataText: {
+			type: "string",
+			description: "UTF-8 payload for text/ping/pong/close frames"
+		},
+		dataHex: {
+			type: "string",
+			description: "Hex-encoded payload for binary/ping/pong/close frames"
+		},
+		closeCode: {
+			type: "number",
+			description: "Optional close status code"
+		},
+		closeReason: {
+			type: "string",
+			description: "Optional close reason"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Write timeout in milliseconds"
+		}
+	}, ["sessionId", "frameType"]),
+	objectTool("websocket_read_frame", "Read the next queued WebSocket frame from an open session.", {
+		sessionId: {
+			type: "string",
+			description: "WebSocket session ID"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 5e3,
+			description: "Read timeout in milliseconds"
+		}
+	}, ["sessionId"]),
+	objectTool("websocket_close", "Close an open WebSocket session.", {
+		sessionId: {
+			type: "string",
+			description: "WebSocket session ID"
+		},
+		force: {
+			type: "boolean",
+			default: false,
+			description: "Destroy the underlying socket immediately without sending a close frame first"
+		},
+		closeCode: {
+			type: "number",
+			description: "Optional close status code"
+		},
+		closeReason: {
+			type: "string",
+			description: "Optional close reason"
+		},
+		timeoutMs: {
+			type: "number",
+			default: 1e3,
+			description: "Close wait timeout in milliseconds before forcing socket destruction"
+		}
+	}, ["sessionId"])
+];
+//#endregion
+//#region src/server/domains/boringssl-inspector/definitions.ts
+const boringsslInspectorTools = [
+	...tlsAnalysisTools,
+	...sessionTools,
+	...websocketTools,
+	...fridaTools,
+	...rawSocketTools
+];
+//#endregion
+//#region src/server/domains/boringssl-inspector/manifest.ts
+const DOMAIN = "boringssl-inspector";
+const DEP_KEY = "boringsslInspectorHandlers";
+const PROFILES = ["workflow", "full"];
+const registrations = defineMethodRegistrations({
+	domain: DOMAIN,
+	depKey: DEP_KEY,
+	lookup: toolLookup(boringsslInspectorTools),
+	wrapResult: asToolResponse,
+	entries: [
+		{
+			tool: "tls_keylog_enable",
+			method: "handleTlsKeylogEnable"
+		},
+		{
+			tool: "tls_keylog_parse",
+			method: "handleTlsKeylogParse"
+		},
+		{
+			tool: "tls_keylog_disable",
+			method: "handleTlsKeylogDisable"
+		},
+		{
+			tool: "tls_decrypt_payload",
+			method: "handleTlsDecryptPayload"
+		},
+		{
+			tool: "tls_keylog_summarize",
+			method: "handleTlsKeylogSummarize"
+		},
+		{
+			tool: "tls_keylog_lookup_secret",
+			method: "handleTlsKeylogLookupSecret"
+		},
+		{
+			tool: "tls_cert_pin_bypass",
+			method: "handleTlsCertPinBypass"
+		},
+		{
+			tool: "tls_parse_handshake",
+			method: "handleParseHandshake"
+		},
+		{
+			tool: "tls_cipher_suites",
+			method: "handleCipherSuites"
+		},
+		{
+			tool: "tls_parse_certificate",
+			method: "handleParseCertificate"
+		},
+		{
+			tool: "tls_probe_endpoint",
+			method: "handleTlsProbeEndpoint"
+		},
+		{
+			tool: "tcp_open",
+			method: "handleTcpOpen"
+		},
+		{
+			tool: "tcp_write",
+			method: "handleTcpWrite"
+		},
+		{
+			tool: "tcp_read_until",
+			method: "handleTcpReadUntil"
+		},
+		{
+			tool: "tcp_close",
+			method: "handleTcpClose"
+		},
+		{
+			tool: "tls_open",
+			method: "handleTlsOpen"
+		},
+		{
+			tool: "tls_write",
+			method: "handleTlsWrite"
+		},
+		{
+			tool: "tls_read_until",
+			method: "handleTlsReadUntil"
+		},
+		{
+			tool: "tls_close",
+			method: "handleTlsClose"
+		},
+		{
+			tool: "websocket_open",
+			method: "handleWebSocketOpen"
+		},
+		{
+			tool: "websocket_send_frame",
+			method: "handleWebSocketSendFrame"
+		},
+		{
+			tool: "websocket_read_frame",
+			method: "handleWebSocketReadFrame"
+		},
+		{
+			tool: "websocket_close",
+			method: "handleWebSocketClose"
+		},
+		{
+			tool: "tls_cert_pin_bypass_frida",
+			method: "handleBypassCertPinning"
+		},
+		{
+			tool: "net_raw_tcp_send",
+			method: "handleRawTcpSend"
+		},
+		{
+			tool: "net_raw_tcp_listen",
+			method: "handleRawTcpListen"
+		},
+		{
+			tool: "net_raw_udp_send",
+			method: "handleRawUdpSend"
+		},
+		{
+			tool: "net_raw_udp_listen",
+			method: "handleRawUdpListen"
+		}
+	]
+});
+async function ensure(ctx) {
+	const { BoringsslInspectorHandlers } = await import("./handlers-BOs9b907.mjs");
+	const { TLSKeyLogExtractor } = await import("./boringssl-inspector-Bo_LOLaS.mjs").then((n) => n.t);
+	const existing = ctx.getDomainInstance(DEP_KEY);
+	if (existing) return existing;
+	const handlers = new BoringsslInspectorHandlers(new TLSKeyLogExtractor());
+	handlers.setExtensionInvoke(async (args) => {
+		try {
+			const binaryInstrument = ctx.getDomainInstance("binaryInstrumentHandlers");
+			if (binaryInstrument && typeof binaryInstrument.handleFridaRunScript === "function") return binaryInstrument.handleFridaRunScript(args);
+		} catch {}
+		return null;
+	});
+	handlers.setEventBus(ctx.eventBus);
+	ctx.setDomainInstance(DEP_KEY, handlers);
+	return handlers;
+}
+const manifest = {
+	kind: "domain-manifest",
+	version: 1,
+	domain: DOMAIN,
+	depKey: DEP_KEY,
+	profiles: PROFILES,
+	registrations,
+	ensure,
+	workflowRule: {
+		patterns: [/\b(tls|ssl|boringssl|cert(ificate)?|pinning|handshake|keylog|websocket)\b/i, /(tls|ssl|cert|pinning|websocket).*(hook|bypass|intercept|dump|log|frame|session)/i],
+		priority: 80,
+		tools: [
+			"tls_probe_endpoint",
+			"websocket_open",
+			"websocket_send_frame",
+			"websocket_read_frame",
+			"tls_keylog_enable",
+			"tls_keylog_parse",
+			"tls_decrypt_payload",
+			"tls_cert_pin_bypass"
+		],
+		hint: "TLS/WebSocket analysis: probe endpoint → open ws/wss session → exchange frames → inspect trust/cipher/ALPN → enable keylog or bypass pinning when needed."
+	},
+	prerequisites: {
+		tls_probe_endpoint: [{
+			condition: "Target scope must be explicitly authorized and routable from the MCP host",
+			fix: "Verify target authorization, port reachability, and provide servername/custom CA options when needed"
+		}],
+		tls_keylog_enable: [{
+			condition: "Target process must allow SSLKEYLOGFILE or be attachable by Frida",
+			fix: "Launch the target with SSLKEYLOGFILE env set, or enable Frida-based hooking"
+		}],
+		tls_decrypt_payload: [{
+			condition: "A keylog session must be active with captured secrets",
+			fix: "Run tls_keylog_enable and reproduce TLS traffic before decrypting"
+		}],
+		tls_cert_pin_bypass_frida: [{
+			condition: "Frida must be available on PATH and attached to the target",
+			fix: "Install Frida and attach via binary-instrument:frida_attach before running the bypass"
+		}]
+	},
+	toolDependencies: [{
+		from: "network",
+		to: "boringssl-inspector",
+		relation: "uses",
+		weight: .8
+	}]
+};
+//#endregion
+export { manifest as default };