@singbox-iac/cli 0.1.17 → 0.1.19

package/dist/modules/verification/index.js

@@ -1,10 +1,11 @@
 import { spawn } from "node:child_process";
 import { constants } from "node:fs";
 import { access } from "node:fs/promises";
-import { mkdir, mkdtemp, readFile, writeFile } from "node:fs/promises";
+import { chmod, mkdir, mkdtemp, readFile, writeFile } from "node:fs/promises";
 import net from "node:net";
 import { tmpdir } from "node:os";
 import path from "node:path";
+import { isProcessRoot } from "../desktop-runtime/index.js";
 import { checkConfig, resolveSingBoxBinary } from "../manager/index.js";
 import { resolveChromeDependency } from "../runtime-dependencies/index.js";
 export function assertVerificationReportPassed(report) {
@@ -16,6 +17,7 @@ export function assertVerificationReportPassed(report) {
         .map((scenario) => `- ${scenario.name}\n  url: ${scenario.url}\n  details: ${scenario.details}`)
         .join("\n")}`);
 }
+const nativeProcessProbeUrl = "https://example.com/";
 export async function verifyConfigRoutes(input) {
     const singBoxBinary = await resolveSingBoxBinary(input.singBoxBinary);
     const requestBinary = await resolveCurlBinary();
@@ -90,20 +92,175 @@ export function verifyDnsPlan(plan, dnsPlan) {
 export function verifyAppPlan(plan, config) {
     const route = asObject(config.route, "Config is missing route.");
     const rules = ensureArray(route.rules, "Route is missing rules.");
-    const proxifierProtected = rules.some((rule) => Array.isArray(rule.inbound) &&
-        rule.inbound.includes("in-proxifier") &&
-        rule.action === "route" &&
-        rule.outbound === "Process-Proxy");
     return plan.appChecks.map((check) => ({
         app: check.app,
-        passed: check.expectedInbound === "in-proxifier" ? proxifierProtected : true,
-        expectedInbound: check.expectedInbound,
+        passed: hasExpectedProcessAwareRoute(rules, check),
+        expectedCaptureBackend: check.expectedCaptureBackend,
         expectedOutboundGroup: check.expectedOutboundGroup,
-        details: check.expectedInbound === "in-proxifier"
-            ? "Protected in-proxifier route is present."
-            : "No special app inbound is required.",
+        details: describeProcessAwareRouteResult(rules, check),
     }));
 }
+export async function verifyNativeProcessE2E(input) {
+    const nativeChecks = input.plan.appChecks.filter((check) => check.expectedCaptureBackend === "native-process");
+    if (nativeChecks.length === 0) {
+        return [];
+    }
+    if (!isProcessRoot()) {
+        return nativeChecks.map((check) => ({
+            app: check.app,
+            status: "SKIP",
+            expectedOutboundGroup: check.expectedOutboundGroup,
+            details: "Native-process e2e requires root. Re-run `sudo singbox-iac verify app -c <builder.config.yaml>`.",
+        }));
+    }
+    const singBoxBinary = await resolveSingBoxBinary(input.singBoxBinary);
+    const cCompilerBinary = await resolveCCompilerBinary();
+    const rawConfig = JSON.parse(await readFile(input.configPath, "utf8"));
+    const results = [];
+    for (const check of nativeChecks) {
+        const prepared = await prepareVerificationConfig(rawConfig);
+        const conflictingOutbound = chooseConflictingOutbound(prepared.config, check.expectedOutboundGroup);
+        if (!conflictingOutbound) {
+            results.push({
+                app: check.app,
+                status: "SKIP",
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                details: "No conflicting fallback outbound is available in the compiled config for native-process e2e.",
+            });
+            continue;
+        }
+        injectNativeProcessProbeRule(prepared.config, conflictingOutbound);
+        const processName = selectNativeProcessProbeName(prepared.config, check.expectedOutboundGroup);
+        if (!processName) {
+            results.push({
+                app: check.app,
+                status: "SKIP",
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                details: "No concrete process_name matcher was available for native-process e2e. Add a plain processName matcher to the bundle or explicit process policy.",
+            });
+            continue;
+        }
+        const runDir = await mkdtemp(path.join(tmpdir(), "singbox-iac-native-process-"));
+        const verifyConfigPath = path.join(runDir, "native-process.config.json");
+        const logPath = path.join(runDir, "native-process.log");
+        const probeBinaryPath = path.join(runDir, processName);
+        await compileNativeProcessProbe({
+            runDir,
+            compilerBinary: cCompilerBinary,
+            probeBinaryPath,
+        });
+        injectNativeProcessPathProbeRule(prepared.config, probeBinaryPath, check.expectedOutboundGroup);
+        await writeFile(verifyConfigPath, `${JSON.stringify(prepared.config, null, 2)}\n`, "utf8");
+        await checkConfig({ configPath: verifyConfigPath, singBoxBinary });
+        const logBuffer = { text: "" };
+        const appender = async (chunk) => {
+            const text = chunk.toString();
+            logBuffer.text += text;
+            await writeFile(logPath, text, { encoding: "utf8", flag: "a" });
+        };
+        const child = spawn(singBoxBinary, ["run", "-c", verifyConfigPath], {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        child.stdout.on("data", (chunk) => void appender(chunk));
+        child.stderr.on("data", (chunk) => void appender(chunk));
+        const exitPromise = new Promise((resolve, reject) => {
+            child.on("error", reject);
+            child.on("close", (code) => resolve(code ?? 0));
+        });
+        try {
+            await waitForLog(logBuffer, /sing-box started/, 15_000, "Timed out waiting for sing-box startup during native-process verification.");
+            const scenario = await verifyNativeProcessRuntimeScenario({
+                id: `native-process-${slugifyProcessName(processName)}`,
+                name: `native-process e2e for ${check.app}`,
+                url: nativeProcessProbeUrl,
+                inboundTag: "in-tun",
+                proxyPort: prepared.mixedPort,
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                processName,
+                probeBinaryPath,
+            }, logBuffer);
+            results.push({
+                app: check.app,
+                status: scenario.passed ? "PASS" : "FAIL",
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                processName,
+                details: scenario.passed
+                    ? `Probe binary=${probeBinaryPath}; compiled process_name=${processName}; conflicting fallback=${conflictingOutbound}. ${scenario.details}`
+                    : `Probe binary=${probeBinaryPath}; compiled process_name=${processName}; conflicting fallback=${conflictingOutbound}. ${scenario.details}`,
+            });
+        }
+        catch (error) {
+            results.push({
+                app: check.app,
+                status: "FAIL",
+                expectedOutboundGroup: check.expectedOutboundGroup,
+                processName,
+                details: error instanceof Error ? error.message : String(error),
+            });
+        }
+        finally {
+            child.kill("SIGINT");
+            await Promise.race([exitPromise, new Promise((resolve) => setTimeout(resolve, 2_000))]);
+        }
+    }
+    return results;
+}
+export function assertNativeProcessE2EPassed(results) {
+    const failures = results.filter((result) => result.status === "FAIL");
+    if (failures.length === 0) {
+        return;
+    }
+    throw new Error(`Native-process e2e failed:\n${failures
+        .map((result) => `- ${result.app}${result.processName ? ` (${result.processName})` : ""}: ${result.details}`)
+        .join("\n")}`);
+}
+function hasExpectedProcessAwareRoute(rules, check) {
+    switch (check.expectedCaptureBackend) {
+        case "fallback":
+            return true;
+        case "proxifier":
+            return rules.some((rule) => Array.isArray(rule.inbound) &&
+                rule.inbound.includes("in-proxifier") &&
+                rule.outbound === check.expectedOutboundGroup);
+        case "native-process":
+            return rules.some((rule) => rule.outbound === check.expectedOutboundGroup &&
+                (Array.isArray(rule.process_name) ||
+                    Array.isArray(rule.process_path) ||
+                    Array.isArray(rule.process_path_regex)));
+    }
+}
+function describeProcessAwareRouteResult(rules, check) {
+    if (check.expectedCaptureBackend === "fallback") {
+        return "No capture backend was required for this app check.";
+    }
+    const matchedRule = rules.find((rule) => {
+        if (check.expectedCaptureBackend === "proxifier") {
+            return (Array.isArray(rule.inbound) &&
+                rule.inbound.includes("in-proxifier") &&
+                rule.outbound === check.expectedOutboundGroup);
+        }
+        return (rule.outbound === check.expectedOutboundGroup &&
+            (Array.isArray(rule.process_name) ||
+                Array.isArray(rule.process_path) ||
+                Array.isArray(rule.process_path_regex)));
+    });
+    if (!matchedRule) {
+        return `Expected ${check.expectedCaptureBackend} rule for ${check.expectedOutboundGroup}, but none was found.`;
+    }
+    const matchers = [
+        Array.isArray(matchedRule.inbound) ? `inbound=${matchedRule.inbound.join(",")}` : undefined,
+        Array.isArray(matchedRule.process_name)
+            ? `process_name=${matchedRule.process_name.join(",")}`
+            : undefined,
+        Array.isArray(matchedRule.process_path)
+            ? `process_path=${matchedRule.process_path.join(",")}`
+            : undefined,
+        Array.isArray(matchedRule.process_path_regex)
+            ? `process_path_regex=${matchedRule.process_path_regex.join(",")}`
+            : undefined,
+    ].filter((value) => typeof value === "string" && value.length > 0);
+    return `Matched ${check.expectedCaptureBackend} route to ${check.expectedOutboundGroup}${matchers.length > 0 ? ` (${matchers.join("; ")})` : ""}.`;
+}
 export function verifyProtocolPlan(plan, config) {
     const route = asObject(config.route, "Config is missing route.");
     const rules = ensureArray(route.rules, "Route is missing rules.");
@@ -277,6 +434,52 @@ async function verifyRuntimeScenario(scenario, logBuffer, requestBinary) {
         expectedOutboundTag: scenario.expectedOutboundTag,
     };
 }
+async function verifyNativeProcessRuntimeScenario(scenario, logBuffer) {
+    const hostname = new URL(scenario.url).hostname;
+    const inboundLog = new RegExp(`inbound/mixed\\[${escapeRegExp(scenario.inboundTag)}\\]: inbound connection to ${escapeRegExp(hostname)}:443`);
+    const routeLogAlternatives = [
+        new RegExp(`router: match\\[\\d+\\].*process_path[^\\n]*${escapeRegExp(scenario.probeBinaryPath)}[^\\n]*=> route\\(${escapeRegExp(scenario.expectedOutboundGroup)}\\)`),
+        new RegExp(`router: match\\[\\d+\\].*process_path[^\\n]*${escapeRegExp(path.basename(scenario.probeBinaryPath))}[^\\n]*=> route\\(${escapeRegExp(scenario.expectedOutboundGroup)}\\)`),
+        new RegExp(`router: match\\[\\d+\\].*process_name[^\\n]*${escapeRegExp(scenario.processName)}[^\\n]*=> route\\(${escapeRegExp(scenario.expectedOutboundGroup)}\\)`),
+    ];
+    let lastFailure = `Expected native-process logs were not observed for ${hostname} within the timeout.`;
+    for (let attempt = 1; attempt <= 2; attempt += 1) {
+        const offset = logBuffer.text.length;
+        const requestResult = await runNativeProcessProbeScenario({
+            probeBinaryPath: scenario.probeBinaryPath,
+            proxyPort: scenario.proxyPort,
+            targetHost: hostname,
+            targetPort: 443,
+        });
+        const excerpt = await waitForScenarioLogsWithAlternatives(logBuffer, offset, [inboundLog], routeLogAlternatives, 20_000);
+        const requestFailure = detectRequestFailure(requestResult);
+        if (excerpt !== undefined) {
+            return {
+                name: scenario.name,
+                passed: true,
+                details: requestFailure === undefined
+                    ? excerpt.trim()
+                    : `${excerpt.trim()}\nRequest note: ${requestFailure}`,
+                url: scenario.url,
+                inboundTag: scenario.inboundTag,
+                expectedOutboundTag: scenario.expectedOutboundGroup,
+            };
+        }
+        lastFailure =
+            requestFailure ?? `Expected native-process logs were not observed for ${hostname} within the timeout.`;
+        if (attempt < 2) {
+            await sleep(500);
+        }
+    }
+    return {
+        name: scenario.name,
+        passed: false,
+        details: lastFailure,
+        url: scenario.url,
+        inboundTag: scenario.inboundTag,
+        expectedOutboundTag: scenario.expectedOutboundGroup,
+    };
+}
 export function isRouteLevelProxySuccess(scenario, requestResult) {
     if (scenario.inboundTag !== "in-proxifier") {
         return false;
@@ -344,18 +547,59 @@ export async function resolveCurlBinary(explicitPath) {
     }
     throw new Error("Unable to find a usable curl binary for route verification.");
 }
+export async function resolveCCompilerBinary(explicitPath) {
+    const candidates = [
+        explicitPath,
+        process.env.CC,
+        "/usr/bin/cc",
+        "/usr/bin/clang",
+        ...resolvePathCandidates("cc"),
+        ...resolvePathCandidates("clang"),
+    ].filter((candidate) => typeof candidate === "string" && candidate.length > 0);
+    for (const candidate of candidates) {
+        if (await isExecutable(candidate)) {
+            return candidate;
+        }
+    }
+    throw new Error("Unable to find a usable C compiler for native-process verification.");
+}
 export async function prepareVerificationConfig(config) {
     const cloned = structuredClone(config);
     const mixedPort = await findAvailablePort();
     const proxifierPort = await findAvailablePort();
     const inbounds = ensureArray(cloned.inbounds, "Config is missing inbounds.");
+    let hasMixedInbound = false;
+    let hasProxifierInbound = false;
     for (const inbound of inbounds) {
         if (inbound.tag === "in-mixed") {
+            hasMixedInbound = true;
             inbound.listen_port = mixedPort;
         }
         if (inbound.tag === "in-proxifier") {
+            hasProxifierInbound = true;
             inbound.listen_port = proxifierPort;
         }
+        if (inbound.tag === "in-tun") {
+            for (const key of Object.keys(inbound)) {
+                delete inbound[key];
+            }
+            Object.assign(inbound, {
+                type: "mixed",
+                tag: "in-tun",
+                listen: "127.0.0.1",
+                listen_port: mixedPort,
+            });
+        }
+    }
+    if (!hasMixedInbound &&
+        !hasProxifierInbound &&
+        !inbounds.some((inbound) => inbound.tag === "in-tun")) {
+        inbounds.push({
+            type: "mixed",
+            tag: "in-mixed",
+            listen: "127.0.0.1",
+            listen_port: mixedPort,
+        });
     }
     cloned.log = { level: "debug" };
     const dns = asObject(cloned.dns, "Config is missing dns.");
@@ -365,9 +609,16 @@ export async function prepareVerificationConfig(config) {
             tag: "dns-local-verify",
         },
     ];
+    dns.rules = [];
     dns.final = "dns-local-verify";
+    dns.reverse_mapping = false;
     const route = asObject(cloned.route, "Config is missing route.");
     route.default_domain_resolver = "dns-local-verify";
+    if (typeof cloned.experimental === "object" && cloned.experimental !== null) {
+        const experimental = asObject(cloned.experimental, "Config has an invalid experimental block.");
+        const { cache_file: _cacheFile, ...remaining } = experimental;
+        cloned.experimental = Object.keys(remaining).length === 0 ? undefined : remaining;
+    }
     const outbounds = ensureArray(cloned.outbounds, "Config is missing outbounds.");
     const globalIndex = outbounds.findIndex((outbound) => outbound.tag === "Global");
     if (globalIndex >= 0) {
@@ -389,6 +640,59 @@ export async function prepareVerificationConfig(config) {
         proxifierPort,
     };
 }
+export function chooseConflictingOutbound(config, expectedOutboundGroup) {
+    const outbounds = ensureArray(config.outbounds, "Config is missing outbounds.");
+    const preferred = ["direct", "Global", "AI-Out", "Dev-Common-Out", "Stitch-Out", "Process-Proxy"];
+    for (const tag of preferred) {
+        if (tag === expectedOutboundGroup) {
+            continue;
+        }
+        if (outbounds.some((outbound) => outbound.tag === tag)) {
+            return tag;
+        }
+    }
+    return outbounds
+        .map((outbound) => (typeof outbound.tag === "string" ? outbound.tag : undefined))
+        .find((tag) => typeof tag === "string" && tag !== expectedOutboundGroup);
+}
+export function injectNativeProcessProbeRule(config, conflictingOutbound) {
+    const route = asObject(config.route, "Config is missing route.");
+    const rules = ensureArray(route.rules, "Route is missing rules.");
+    const probeHost = new URL(nativeProcessProbeUrl).hostname;
+    const insertionIndex = findLastProcessAwareRuleIndex(rules) + 1;
+    rules.splice(insertionIndex, 0, {
+        domain: [probeHost],
+        action: "route",
+        outbound: conflictingOutbound,
+    });
+}
+export function injectNativeProcessPathProbeRule(config, probeBinaryPath, expectedOutboundGroup) {
+    const route = asObject(config.route, "Config is missing route.");
+    const rules = ensureArray(route.rules, "Route is missing rules.");
+    const insertionIndex = findLastProcessAwareRuleIndex(rules) + 1;
+    rules.splice(insertionIndex, 0, {
+        process_path: [probeBinaryPath],
+        action: "route",
+        outbound: expectedOutboundGroup,
+    });
+}
+export function selectNativeProcessProbeName(config, expectedOutboundGroup) {
+    const route = asObject(config.route, "Config is missing route.");
+    const rules = ensureArray(route.rules, "Route is missing rules.");
+    for (const rule of rules) {
+        if (rule.outbound !== expectedOutboundGroup || !Array.isArray(rule.process_name)) {
+            continue;
+        }
+        const candidate = rule.process_name.find((value) => typeof value === "string" &&
+            value.length > 0 &&
+            !value.includes("/") &&
+            !value.includes("*"));
+        if (candidate) {
+            return candidate;
+        }
+    }
+    return undefined;
+}
 export function validateConfigInvariants(config) {
     const route = asObject(config.route, "Config is missing route.");
     const rules = ensureArray(route.rules, "Route is missing rules.");
@@ -400,6 +704,10 @@ export function validateConfigInvariants(config) {
     const proxifierIndex = rules.findIndex((rule) => Array.isArray(rule.inbound) &&
         rule.inbound.includes("in-proxifier") &&
         rule.outbound === "Process-Proxy");
+    const nativeProcessIndex = rules.findIndex((rule) => rule.outbound === "Process-Proxy" &&
+        (Array.isArray(rule.process_name) ||
+            Array.isArray(rule.process_path) ||
+            Array.isArray(rule.process_path_regex)));
     const stitchIndex = rules.findIndex((rule) => Array.isArray(rule.domain_suffix) &&
         rule.domain_suffix.includes("stitch.withgoogle.com") &&
         rule.outbound === "Stitch-Out");
@@ -418,7 +726,13 @@ export function validateConfigInvariants(config) {
     const priorityOrder = [
         { name: "quic", index: quicIndex, required: true },
         { name: "dns", index: dnsIndex, required: true },
-        { name: "proxifier", index: proxifierIndex, required: true },
+        {
+            name: "processAware",
+            index: nativeProcessIndex >= 0 && proxifierIndex >= 0
+                ? Math.min(nativeProcessIndex, proxifierIndex)
+                : Math.max(nativeProcessIndex, proxifierIndex),
+            required: false,
+        },
         { name: "stitch", index: stitchIndex, required: true },
         { name: "explicitAi", index: explicitAiIndex, required: true },
         { name: "aiRuleSet", index: aiRuleSetIndex, required: false },
@@ -435,16 +749,31 @@ export function validateConfigInvariants(config) {
             const previous = entries[index - 1];
             return previous !== undefined && previous.index < entry.index;
         });
-    checks.push(makeCheck("route-priority", routePriorityPassed, `Rule order indices: quic=${quicIndex}, dns=${dnsIndex}, proxifier=${proxifierIndex}, stitch=${stitchIndex}, explicitAi=${explicitAiIndex}, aiRuleSet=${aiRuleSetIndex}, devRuleSet=${devRuleSetIndex}, china=${chinaIndex}`));
+    checks.push(makeCheck("route-priority", routePriorityPassed, `Rule order indices: quic=${quicIndex}, dns=${dnsIndex}, proxifier=${proxifierIndex}, nativeProcess=${nativeProcessIndex}, stitch=${stitchIndex}, explicitAi=${explicitAiIndex}, aiRuleSet=${aiRuleSetIndex}, devRuleSet=${devRuleSetIndex}, china=${chinaIndex}`));
     checks.push(makeCheck("default-domain-resolver", typeof route.default_domain_resolver === "string" &&
         dnsServers.some((server) => server.tag === route.default_domain_resolver), `default_domain_resolver=${String(route.default_domain_resolver)}`));
     checks.push(makeCheck("dns-shape", dnsServers.some((server) => server.type === "local" && server.tag === "dns-local-default") &&
         dnsServers.some((server) => (server.type === "tcp" || server.type === "udp") && server.server === "1.1.1.1") &&
-        dnsServers.some((server) => (server.type === "tcp" || server.type === "udp") && server.server === "223.5.5.5"), `dns servers=${dnsServers
+        dnsServers.some((server) => (server.type === "tcp" || server.type === "udp") && server.server === "223.5.5.5") &&
+        (!dnsServers.some((server) => server.type === "fakeip") ||
+            (dnsServers.some((server) => server.type === "fakeip" && server.tag === "dns-fakeip") &&
+                ensureArray(dns.rules ?? [], "DNS rules are missing.").some((rule) => Array.isArray(rule.query_type) &&
+                    rule.query_type.includes("A") &&
+                    rule.server === "dns-fakeip"))), `dns servers=${dnsServers
         .map((server) => `${String(server.tag)}:${String(server.server)}`)
         .join(", ")}`));
     return checks;
 }
+function findLastProcessAwareRuleIndex(rules) {
+    return rules.reduce((lastIndex, rule, index) => Array.isArray(rule.process_name) ||
+        Array.isArray(rule.process_path) ||
+        Array.isArray(rule.process_path_regex)
+        ? index
+        : lastIndex, -1);
+}
+function slugifyProcessName(processName) {
+    return processName.replaceAll(/[^A-Za-z0-9._-]+/g, "-");
+}
 export function resolveDefaultLeafOutboundTag(config, tag) {
     const outbounds = ensureArray(config.outbounds, "Config is missing outbounds.");
     const byTag = new Map();
@@ -481,20 +810,44 @@ export function resolveDefaultLeafOutboundTag(config, tag) {
     }
 }
 function buildRuntimeScenarios(config, mixedPort, proxifierPort, configuredScenarios) {
-    const sourceScenarios = configuredScenarios && configuredScenarios.length > 0
+    const sourceScenarios = normalizeConfiguredVerificationScenarios(config, configuredScenarios && configuredScenarios.length > 0
         ? configuredScenarios
-        : defaultConfiguredScenarios;
-    return sourceScenarios.map((scenario) => ({
+        : defaultConfiguredScenarios);
+    const fallbackScenarios = sourceScenarios.length > 0
+        ? sourceScenarios
+        : normalizeConfiguredVerificationScenarios(config, defaultConfiguredScenarios);
+    return fallbackScenarios.map((scenario) => ({
         id: scenario.id,
         name: scenario.name,
         url: scenario.url,
         inboundTag: scenario.inbound,
         proxyPort: scenario.inbound === "in-proxifier" ? proxifierPort : mixedPort,
-        expectedOutboundTag: scenario.expectedOutbound === "direct" || scenario.expectedOutbound === "block"
-            ? scenario.expectedOutbound
-            : resolveDefaultLeafOutboundTag(config, scenario.expectedOutbound),
+        expectedOutboundTag: resolveExpectedVerificationOutboundTag(config, scenario.expectedOutbound),
     }));
 }
+export function resolveExpectedVerificationOutboundTag(config, expectedOutboundTag) {
+    return expectedOutboundTag === "direct" || expectedOutboundTag === "block"
+        ? expectedOutboundTag
+        : resolveDefaultLeafOutboundTag(config, expectedOutboundTag);
+}
+export function normalizeConfiguredVerificationScenarios(config, scenarios) {
+    const availableInbounds = new Set(ensureArray(config.inbounds, "Config is missing inbounds.")
+        .map((inbound) => inbound.tag)
+        .filter((tag) => typeof tag === "string" && tag.length > 0));
+    const hasTun = availableInbounds.has("in-tun");
+    const hasMixed = availableInbounds.has("in-mixed");
+    const hasProxifier = availableInbounds.has("in-proxifier");
+    const prefersTunFallback = hasTun && !hasMixed && !hasProxifier;
+    return scenarios.flatMap((scenario) => {
+        if (availableInbounds.has(scenario.inbound)) {
+            return [scenario];
+        }
+        if (scenario.inbound === "in-mixed" && (hasTun || prefersTunFallback)) {
+            return [{ ...scenario, inbound: "in-tun" }];
+        }
+        return [];
+    });
+}
 const defaultConfiguredScenarios = [
     {
         id: "stitch",
@@ -551,11 +904,49 @@ async function runProxyRequestScenario(input) {
         "5",
         "--proxy",
         `http://127.0.0.1:${input.proxyPort}`,
+        "--noproxy",
+        "",
         input.url,
     ];
     return new Promise((resolve, reject) => {
         const child = spawn(input.requestBinary, args, {
             stdio: ["ignore", "pipe", "pipe"],
+            env: buildVerificationRequestEnv(),
+        });
+        let stdout = "";
+        let stderr = "";
+        let timedOut = false;
+        const timeout = setTimeout(() => {
+            timedOut = true;
+            child.kill("SIGKILL");
+        }, 12_000);
+        child.stdout.on("data", (chunk) => {
+            stdout += chunk.toString();
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += chunk.toString();
+        });
+        child.on("error", (error) => {
+            clearTimeout(timeout);
+            reject(error);
+        });
+        child.on("close", (code) => {
+            clearTimeout(timeout);
+            resolve({
+                exitCode: code ?? 0,
+                stdout,
+                stderr,
+                timedOut,
+            });
+        });
+    });
+}
+async function runNativeProcessProbeScenario(input) {
+    const args = ["127.0.0.1", String(input.proxyPort), input.targetHost, String(input.targetPort)];
+    return new Promise((resolve, reject) => {
+        const child = spawn(input.probeBinaryPath, args, {
+            stdio: ["ignore", "pipe", "pipe"],
+            env: buildVerificationRequestEnv(),
         });
         let stdout = "";
         let stderr = "";
@@ -600,11 +991,12 @@ async function runJsonRequestScenario(input) {
         input.url,
     ];
     if (typeof input.proxyPort === "number") {
-        args.splice(args.length - 1, 0, "--proxy", `http://127.0.0.1:${input.proxyPort}`);
+        args.splice(args.length - 1, 0, "--proxy", `http://127.0.0.1:${input.proxyPort}`, "--noproxy", "");
     }
     return new Promise((resolve, reject) => {
         const child = spawn(input.requestBinary, args, {
             stdio: ["ignore", "pipe", "pipe"],
+            env: buildVerificationRequestEnv(),
         });
         let stdout = "";
         let stderr = "";
@@ -724,6 +1116,18 @@ async function waitForScenarioLogs(buffer, offset, patterns, timeoutMs) {
     }
     return undefined;
 }
+async function waitForScenarioLogsWithAlternatives(buffer, offset, requiredPatterns, alternativePatterns, timeoutMs) {
+    const startedAt = Date.now();
+    while (Date.now() - startedAt < timeoutMs) {
+        const excerpt = buffer.text.slice(offset);
+        if (requiredPatterns.every((pattern) => pattern.test(excerpt)) &&
+            alternativePatterns.some((pattern) => pattern.test(excerpt))) {
+            return excerpt;
+        }
+        await sleep(250);
+    }
+    return undefined;
+}
 async function waitForLog(buffer, pattern, timeoutMs, errorMessage) {
     const startedAt = Date.now();
     while (Date.now() - startedAt < timeoutMs) {
@@ -774,6 +1178,124 @@ function makeCheck(name, passed, details) {
 function escapeRegExp(input) {
     return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
+export function buildVerificationRequestEnv(baseEnv = process.env) {
+    const stripped = {};
+    for (const [key, value] of Object.entries(baseEnv)) {
+        if (/^(http_proxy|https_proxy|all_proxy|no_proxy)$/i.test(key)) {
+            continue;
+        }
+        stripped[key] = value;
+    }
+    return stripped;
+}
+async function compileNativeProcessProbe(input) {
+    const sourcePath = path.join(input.runDir, "native-process-probe.c");
+    await writeFile(sourcePath, buildNativeProcessProbeSource(), "utf8");
+    await new Promise((resolve, reject) => {
+        const child = spawn(input.compilerBinary, ["-O2", "-Wall", "-Wextra", "-o", input.probeBinaryPath, sourcePath], {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stderr = "";
+        child.stdout.on("data", () => {
+            // ignore compiler stdout
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += chunk.toString();
+        });
+        child.on("error", reject);
+        child.on("close", (code) => {
+            if ((code ?? 0) === 0) {
+                resolve();
+                return;
+            }
+            reject(new Error(`Failed to compile native-process probe with ${input.compilerBinary}.\n${stderr.trim()}`));
+        });
+    });
+    await chmod(input.probeBinaryPath, 0o755);
+}
+function buildNativeProcessProbeSource() {
+    return `#include <arpa/inet.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+int main(int argc, char **argv) {
+  if (argc != 5) {
+    fprintf(stderr, "usage: %s <proxy-host> <proxy-port> <target-host> <target-port>\\n", argv[0]);
+    return 2;
+  }
+
+  const char *proxyHost = argv[1];
+  const char *proxyPort = argv[2];
+  const char *targetHost = argv[3];
+  const char *targetPort = argv[4];
+
+  int socketFd = socket(AF_INET, SOCK_STREAM, 0);
+  if (socketFd < 0) {
+    perror("socket");
+    return 3;
+  }
+
+  struct timeval timeout;
+  timeout.tv_sec = 3;
+  timeout.tv_usec = 0;
+  setsockopt(socketFd, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
+  setsockopt(socketFd, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout));
+
+  struct sockaddr_in proxyAddress;
+  memset(&proxyAddress, 0, sizeof(proxyAddress));
+  proxyAddress.sin_family = AF_INET;
+  proxyAddress.sin_port = htons((uint16_t) atoi(proxyPort));
+
+  if (inet_pton(AF_INET, proxyHost, &proxyAddress.sin_addr) != 1) {
+    fprintf(stderr, "invalid proxy host: %s\\n", proxyHost);
+    close(socketFd);
+    return 4;
+  }
+
+  if (connect(socketFd, (struct sockaddr *) &proxyAddress, sizeof(proxyAddress)) != 0) {
+    perror("connect");
+    close(socketFd);
+    return 5;
+  }
+
+  char request[1024];
+  int written = snprintf(
+    request,
+    sizeof(request),
+    "CONNECT %s:%s HTTP/1.1\\r\\nHost: %s:%s\\r\\nProxy-Connection: Keep-Alive\\r\\n\\r\\n",
+    targetHost,
+    targetPort,
+    targetHost,
+    targetPort
+  );
+  if (written < 0 || written >= (int) sizeof(request)) {
+    fprintf(stderr, "failed to encode request\\n");
+    close(socketFd);
+    return 6;
+  }
+
+  ssize_t sent = send(socketFd, request, (size_t) written, 0);
+  if (sent < 0) {
+    perror("send");
+    close(socketFd);
+    return 7;
+  }
+
+  char response[512];
+  recv(socketFd, response, sizeof(response) - 1, 0);
+  usleep(250000);
+  close(socketFd);
+  return 0;
+}
+`;
+}
 async function isExecutable(filePath) {
     try {
         await access(filePath, constants.X_OK);