@thangnm.nip/arouter 0.1.3 → 0.1.4

package/.next/standalone/node_modules/node-machine-id/types/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Module based on OS native UUID/GUID which used for internal needs.
+ */
+declare module 'node-machine-id' {
+
+    /**
+     * This function gets the OS native UUID/GUID synchronously, hashed by default.
+     * @param {boolean} [original=false] - If true return original value of machine id, otherwise return hashed value (sha - 256)
+     */
+    function machineIdSync(original?: boolean): string;
+
+    /**
+     * This function gets the OS native UUID/GUID asynchronously (recommended), hashed by default.
+     * @param {boolean} [original=false] - If true return original value of machine id, otherwise return hashed value (sha - 256)
+     */
+    function machineId(original?: boolean): Promise<string>;
+}

package/.next/standalone/node_modules/node-machine-id/webpack.config.babel.js

@@ -0,0 +1,59 @@
+import fs from 'fs';
+import webpack from 'webpack';
+
+let nodeModules = fs.readdirSync('./node_modules')
+    .filter((module) => {
+        return module !== '.bin';
+    })
+    .reduce((prev, module) => {
+        return Object.assign(prev, {[module]: 'commonjs ' + module});
+    }, {});
+
+export default {
+    entry: ['./index.js'],
+    output: {
+        path: './dist',
+        filename: 'index.js',
+        library: 'electron-machine-id',
+        libraryTarget: 'umd'
+    },
+    target: 'electron',
+    module: {
+        loaders: [
+            {
+                test: /\.js$/,
+                exclude: /node_modules/,
+                loader: 'babel',
+                query: {
+                    cacheDirectory: true
+                }
+            },
+            {
+                test: /\.json$/,
+                loader: 'json'
+            }
+        ]
+    },
+    plugins: [
+        new webpack.IgnorePlugin(/node_modules/),
+        new webpack.optimize.OccurrenceOrderPlugin(),
+        new webpack.optimize.DedupePlugin(),
+        new webpack.optimize.UglifyJsPlugin({
+            compress: { warnings: false },
+            output: { comments: false },
+        })
+    ],
+    node: {
+        //do not include polyfills...
+        //http://webpack.github.io/docs/configuration.html#node
+        console: false,
+        process: false,
+        child_process: false,
+        global: false,
+        buffer: false,
+        crypto: false,
+        __filename: false,
+        __dirname: false
+    },
+    externals: nodeModules
+};

package/.next/standalone/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@thangnm.nip/arouter",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "aRouter",
   "bin": {
     "arouter": "./bin/arouter.mjs"

package/.next/standalone/src/mitm/cert/generate.js

@@ -0,0 +1,32 @@
+const path = require("path");
+const fs = require("fs");
+const { MITM_DIR } = require("../paths");
+const { generateRootCA, loadRootCA, generateLeafCert } = require("./rootCA");
+
+/**
+ * Generate Root CA certificate (one-time setup)
+ * This replaces the old static wildcard cert approach
+ */
+async function generateCert() {
+  return await generateRootCA();
+}
+
+/**
+ * Get certificate for a specific domain (dynamic generation)
+ * Used by SNICallback in server.js
+ */
+function getCertForDomain(domain) {
+  try {
+    const rootCA = loadRootCA();
+    const leafCert = generateLeafCert(domain, rootCA);
+    return {
+      key: leafCert.key,
+      cert: leafCert.cert
+    };
+  } catch (error) {
+    console.error(`Failed to generate cert for ${domain}:`, error.message);
+    return null;
+  }
+}
+
+module.exports = { generateCert, getCertForDomain };

package/.next/standalone/src/mitm/cert/install.js

@@ -0,0 +1,176 @@
+const fs = require("fs");
+const crypto = require("crypto");
+const { exec } = require("child_process");
+const { execWithPassword } = require("../dns/dnsConfig.js");
+const { log, err } = require("../logger");
+
+const IS_WIN = process.platform === "win32";
+const IS_MAC = process.platform === "darwin";
+const LINUX_CERT_DIR = "/usr/local/share/ca-certificates";
+
+// Get SHA1 fingerprint from cert file using Node.js crypto
+function getCertFingerprint(certPath) {
+  const pem = fs.readFileSync(certPath, "utf-8");
+  const der = Buffer.from(pem.replace(/-----[^-]+-----/g, "").replace(/\s/g, ""), "base64");
+  return crypto.createHash("sha1").update(der).digest("hex").toUpperCase().match(/.{2}/g).join(":");
+}
+
+/**
+ * Check if certificate is already installed in system store
+ */
+async function checkCertInstalled(certPath) {
+  if (IS_WIN) return checkCertInstalledWindows(certPath);
+  if (IS_MAC) return checkCertInstalledMac(certPath);
+  return checkCertInstalledLinux();
+}
+
+function checkCertInstalledMac(certPath) {
+  return new Promise((resolve) => {
+    try {
+      const fingerprint = getCertFingerprint(certPath).replace(/:/g, "");
+      // security verify-cert returns 0 only if cert is trusted by system policy
+      exec(`security verify-cert -c "${certPath}" -p ssl -k /Library/Keychains/System.keychain 2>/dev/null`, (error) => {
+        if (!error) return resolve(true);
+        // Fallback: check if fingerprint appears in System keychain with trust
+        exec(`security dump-trust-settings -d 2>/dev/null | grep -i "${fingerprint}"`, (err2, stdout2) => {
+          resolve(!err2 && !!stdout2?.trim());
+        });
+      });
+    } catch {
+      resolve(false);
+    }
+  });
+}
+
+function checkCertInstalledWindows(certPath) {
+  return new Promise((resolve) => {
+    // Check Root store for our Root CA by common name
+    exec("certutil -store Root \"arouter MITM Root CA\"", { windowsHide: true }, (error) => {
+      resolve(!error);
+    });
+  });
+}
+
+/**
+ * Install SSL certificate to system trust store
+ */
+async function installCert(sudoPassword, certPath) {
+  if (!fs.existsSync(certPath)) {
+    throw new Error(`Certificate file not found: ${certPath}`);
+  }
+
+  const isInstalled = await checkCertInstalled(certPath);
+  if (isInstalled) {
+    log("🔐 Cert: already trusted ✅");
+    return;
+  }
+
+  if (IS_WIN) {
+    await installCertWindows(certPath);
+  } else if (IS_MAC) {
+    await installCertMac(sudoPassword, certPath);
+  } else {
+    await installCertLinux(sudoPassword, certPath);
+  }
+}
+
+async function installCertMac(sudoPassword, certPath) {
+  // Remove all old certs with same name first to avoid duplicate/stale cert conflict
+  const deleteOld = `security delete-certificate -c "arouter MITM Root CA" /Library/Keychains/System.keychain 2>/dev/null || true`;
+  const install = `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${certPath}"`;
+  try {
+    await execWithPassword(`${deleteOld} && ${install}`, sudoPassword);
+    log("🔐 Cert: ✅ installed to system keychain");
+  } catch (error) {
+    const msg = error.message?.includes("canceled") ? "User canceled authorization" : "Certificate install failed";
+    throw new Error(msg);
+  }
+}
+
+async function installCertWindows(certPath) {
+  // Process already has admin rights — run certutil directly, no UAC needed
+  return new Promise((resolve, reject) => {
+    exec(
+      `certutil -addstore Root "${certPath}"`,
+      { windowsHide: true },
+      (error) => {
+        if (error) reject(new Error(`Failed to install certificate: ${error.message}`));
+        else { log("🔐 Cert: ✅ installed to Windows Root store"); resolve(); }
+      }
+    );
+  });
+}
+
+/**
+ * Uninstall SSL certificate from system store
+ */
+async function uninstallCert(sudoPassword, certPath) {
+  const isInstalled = await checkCertInstalled(certPath);
+  if (!isInstalled) {
+    log("🔐 Cert: not found in system store");
+    return;
+  }
+
+  if (IS_WIN) {
+    await uninstallCertWindows();
+  } else if (IS_MAC) {
+    await uninstallCertMac(sudoPassword, certPath);
+  } else {
+    await uninstallCertLinux(sudoPassword);
+  }
+}
+
+async function uninstallCertMac(sudoPassword, certPath) {
+  const fingerprint = getCertFingerprint(certPath).replace(/:/g, "");
+  const command = `security delete-certificate -Z "${fingerprint}" /Library/Keychains/System.keychain`;
+  try {
+    await execWithPassword(command, sudoPassword);
+    log("🔐 Cert: ✅ uninstalled from system keychain");
+  } catch (err) {
+    throw new Error("Failed to uninstall certificate");
+  }
+}
+
+async function uninstallCertWindows() {
+  // Process already has admin rights — run certutil directly, no UAC needed
+  return new Promise((resolve, reject) => {
+    exec(
+      `certutil -delstore Root "arouter MITM Root CA"`,
+      { windowsHide: true },
+      (error) => {
+        if (error) reject(new Error(`Failed to uninstall certificate: ${error.message}`));
+        else { log("🔐 Cert: ✅ uninstalled from Windows Root store"); resolve(); }
+      }
+    );
+  });
+}
+
+function checkCertInstalledLinux() {
+  const certFile = `${LINUX_CERT_DIR}/arouter-root-ca.crt`;
+  return Promise.resolve(fs.existsSync(certFile));
+}
+
+async function installCertLinux(sudoPassword, certPath) {
+  const destFile = `${LINUX_CERT_DIR}/arouter-root-ca.crt`;
+  // Try update-ca-certificates (Debian/Ubuntu), fallback to update-ca-trust (Fedora/RHEL)
+  const cmd = `cp "${certPath}" "${destFile}" && (update-ca-certificates 2>/dev/null || update-ca-trust 2>/dev/null || true)`;
+  try {
+    await execWithPassword(cmd, sudoPassword);
+    log("🔐 Cert: ✅ installed to Linux trust store");
+  } catch (error) {
+    throw new Error("Certificate install failed");
+  }
+}
+
+async function uninstallCertLinux(sudoPassword) {
+  const destFile = `${LINUX_CERT_DIR}/arouter-root-ca.crt`;
+  const cmd = `rm -f "${destFile}" && (update-ca-certificates 2>/dev/null || update-ca-trust 2>/dev/null || true)`;
+  try {
+    await execWithPassword(cmd, sudoPassword);
+    log("🔐 Cert: ✅ uninstalled from Linux trust store");
+  } catch (error) {
+    throw new Error("Failed to uninstall certificate");
+  }
+}
+
+module.exports = { installCert, uninstallCert, checkCertInstalled };

package/.next/standalone/src/mitm/cert/rootCA.js

@@ -0,0 +1,173 @@
+const path = require("path");
+const fs = require("fs");
+const forge = require("node-forge");
+const { MITM_DIR } = require("../paths");
+
+const ROOT_CA_KEY_PATH = path.join(MITM_DIR, "rootCA.key");
+const ROOT_CA_CERT_PATH = path.join(MITM_DIR, "rootCA.crt");
+
+/**
+ * Check if cert file is expired or expiring within 30 days
+ */
+function isCertExpired(certPath) {
+  try {
+    const cert = forge.pki.certificateFromPem(fs.readFileSync(certPath, "utf8"));
+    const expiryThreshold = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);
+    return cert.validity.notAfter < expiryThreshold;
+  } catch {
+    return true; // treat unreadable cert as expired
+  }
+}
+
+/**
+ * Generate Root CA certificate (only once, auto-regenerate if expired)
+ * This Root CA will sign all dynamic leaf certificates
+ */
+async function generateRootCA() {
+  const exists = fs.existsSync(ROOT_CA_KEY_PATH) && fs.existsSync(ROOT_CA_CERT_PATH);
+  if (exists && !isCertExpired(ROOT_CA_CERT_PATH)) {
+    console.log("✅ Root CA already exists");
+    return { key: ROOT_CA_KEY_PATH, cert: ROOT_CA_CERT_PATH };
+  }
+  if (exists) {
+    console.log("🔐 Root CA expired or expiring soon — regenerating...");
+    try { fs.unlinkSync(ROOT_CA_KEY_PATH); } catch { /* ignore */ }
+    try { fs.unlinkSync(ROOT_CA_CERT_PATH); } catch { /* ignore */ }
+  }
+
+  if (!fs.existsSync(MITM_DIR)) {
+    fs.mkdirSync(MITM_DIR, { recursive: true });
+  }
+
+  console.log("🔐 Generating Root CA certificate...");
+
+  // Generate RSA key pair
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+
+  // Create Root CA certificate
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = "01";
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 10);
+
+  const attrs = [
+    { name: "commonName", value: "arouter MITM Root CA" },
+    { name: "organizationName", value: "arouter" },
+    { name: "countryName", value: "US" }
+  ];
+
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs); // Self-signed
+
+  cert.setExtensions([
+    {
+      name: "basicConstraints",
+      cA: true,
+      critical: true
+    },
+    {
+      name: "keyUsage",
+      keyCertSign: true,
+      cRLSign: true,
+      critical: true
+    },
+    {
+      name: "subjectKeyIdentifier"
+    }
+  ]);
+
+  // Self-sign the certificate
+  cert.sign(keys.privateKey, forge.md.sha256.create());
+
+  // Save to disk
+  const privateKeyPem = forge.pki.privateKeyToPem(keys.privateKey);
+  const certPem = forge.pki.certificateToPem(cert);
+
+  fs.writeFileSync(ROOT_CA_KEY_PATH, privateKeyPem);
+  fs.writeFileSync(ROOT_CA_CERT_PATH, certPem);
+
+  console.log("✅ Root CA generated successfully");
+  return { key: ROOT_CA_KEY_PATH, cert: ROOT_CA_CERT_PATH };
+}
+
+/**
+ * Load Root CA from disk
+ */
+function loadRootCA() {
+  if (!fs.existsSync(ROOT_CA_KEY_PATH) || !fs.existsSync(ROOT_CA_CERT_PATH)) {
+    throw new Error("Root CA not found. Generate it first.");
+  }
+
+  const keyPem = fs.readFileSync(ROOT_CA_KEY_PATH, "utf8");
+  const certPem = fs.readFileSync(ROOT_CA_CERT_PATH, "utf8");
+
+  return {
+    key: forge.pki.privateKeyFromPem(keyPem),
+    cert: forge.pki.certificateFromPem(certPem)
+  };
+}
+
+/**
+ * Generate leaf certificate for a specific domain, signed by Root CA
+ */
+function generateLeafCert(domain, rootCA) {
+  // Generate key pair for leaf cert
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+
+  // Create leaf certificate
+  const cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = Math.floor(Math.random() * 1000000).toString();
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
+
+  cert.setSubject([
+    { name: "commonName", value: domain }
+  ]);
+
+  cert.setIssuer(rootCA.cert.subject.attributes);
+
+  cert.setExtensions([
+    {
+      name: "basicConstraints",
+      cA: false
+    },
+    {
+      name: "keyUsage",
+      digitalSignature: true,
+      keyEncipherment: true
+    },
+    {
+      name: "extKeyUsage",
+      serverAuth: true,
+      clientAuth: true
+    },
+    {
+      name: "subjectAltName",
+      altNames: [
+        { type: 2, value: domain }, // DNS
+        { type: 2, value: `*.${domain}` } // Wildcard
+      ]
+    }
+  ]);
+
+  // Sign with Root CA
+  cert.sign(rootCA.key, forge.md.sha256.create());
+
+  return {
+    key: forge.pki.privateKeyToPem(keys.privateKey),
+    cert: forge.pki.certificateToPem(cert)
+  };
+}
+
+module.exports = {
+  generateRootCA,
+  loadRootCA,
+  generateLeafCert,
+  isCertExpired,
+  ROOT_CA_CERT_PATH,
+  ROOT_CA_KEY_PATH
+};

package/.next/standalone/src/mitm/dns/dnsConfig.js

@@ -0,0 +1,216 @@
+const { exec, spawn } = require("child_process");
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+const { log, err } = require("../logger");
+
+// Per-tool DNS hosts mapping
+const TOOL_HOSTS = {
+  antigravity: ["daily-cloudcode-pa.googleapis.com", "cloudcode-pa.googleapis.com"],
+  copilot: ["api.individual.githubcopilot.com"],
+};
+
+const IS_WIN = process.platform === "win32";
+const IS_MAC = process.platform === "darwin";
+const HOSTS_FILE = IS_WIN
+  ? path.join(process.env.SystemRoot || "C:\\Windows", "System32", "drivers", "etc", "hosts")
+  : "/etc/hosts";
+
+/**
+ * Execute elevated PowerShell script on Windows via Start-Process -Verb RunAs.
+ * Only UAC consent dialog appears, no CMD/PS window popup.
+ */
+function executeElevatedPowerShell(psScriptPath, timeoutMs = 30000) {
+  const flagFile = path.join(os.tmpdir(), `ps_done_${Date.now()}.flag`);
+  const psSQ = (s) => s.replace(/'/g, "''");
+  
+  let psContent = fs.readFileSync(psScriptPath, "utf8");
+  psContent += `\nSet-Content -Path '${psSQ(flagFile)}' -Value 'done' -Encoding UTF8\n`;
+  fs.writeFileSync(psScriptPath, psContent, "utf8");
+
+  const outerCmd = `Start-Process powershell -ArgumentList '-NoProfile','-ExecutionPolicy','Bypass','-WindowStyle','Hidden','-File','${psSQ(psScriptPath)}' -Verb RunAs -WindowStyle Hidden`;
+
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const settle = (fn, arg) => { if (!settled) { settled = true; fn(arg); } };
+
+    exec(
+      `powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "${outerCmd}"`,
+      { windowsHide: true },
+      () => {}
+    );
+
+    const deadline = Date.now() + timeoutMs;
+    const poll = () => {
+      if (settled) return;
+      if (fs.existsSync(flagFile)) {
+        try { fs.unlinkSync(flagFile); fs.unlinkSync(psScriptPath); } catch { /* ignore */ }
+        return settle(resolve);
+      }
+      if (Date.now() > deadline) {
+        try { fs.unlinkSync(psScriptPath); } catch { /* ignore */ }
+        return settle(reject, new Error("Timed out waiting for UAC confirmation"));
+      }
+      setTimeout(poll, 500);
+    };
+    setTimeout(poll, 300);
+  });
+}
+
+/**
+ * Execute command with sudo password via stdin (macOS/Linux only)
+ */
+function execWithPassword(command, password) {
+  return new Promise((resolve, reject) => {
+    const child = spawn("sudo", ["-S", "sh", "-c", command], {
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (d) => { stdout += d; });
+    child.stderr.on("data", (d) => { stderr += d; });
+
+    child.on("close", (code) => {
+      if (code === 0) resolve(stdout);
+      else reject(new Error(stderr || `Exit code ${code}`));
+    });
+
+    child.stdin.write(`${password}\n`);
+    child.stdin.end();
+  });
+}
+
+/**
+ * Flush DNS cache (macOS/Linux)
+ */
+async function flushDNS(sudoPassword) {
+  if (IS_WIN) return; // Windows flushes inline via ipconfig
+  if (IS_MAC) {
+    await execWithPassword("dscacheutil -flushcache && killall -HUP mDNSResponder", sudoPassword);
+  } else {
+    await execWithPassword("resolvectl flush-caches 2>/dev/null || true", sudoPassword);
+  }
+}
+
+/**
+ * Check if DNS entry exists for a specific host
+ */
+function checkDNSEntry(host = null) {
+  try {
+    const hostsContent = fs.readFileSync(HOSTS_FILE, "utf8");
+    if (host) return hostsContent.includes(host);
+    // Legacy: check all antigravity hosts (backward compat)
+    return TOOL_HOSTS.antigravity.every(h => hostsContent.includes(h));
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check DNS status per tool — returns { [tool]: boolean }
+ */
+function checkAllDNSStatus() {
+  try {
+    const hostsContent = fs.readFileSync(HOSTS_FILE, "utf8");
+    const result = {};
+    for (const [tool, hosts] of Object.entries(TOOL_HOSTS)) {
+      result[tool] = hosts.every(h => hostsContent.includes(h));
+    }
+    return result;
+  } catch {
+    return Object.fromEntries(Object.keys(TOOL_HOSTS).map(t => [t, false]));
+  }
+}
+
+/**
+ * Add DNS entries for a specific tool
+ */
+async function addDNSEntry(tool, sudoPassword) {
+  const hosts = TOOL_HOSTS[tool];
+  if (!hosts) throw new Error(`Unknown tool: ${tool}`);
+
+  const entriesToAdd = hosts.filter(h => !checkDNSEntry(h));
+  if (entriesToAdd.length === 0) {
+    log(`🌐 DNS ${tool}: already active`);
+    return;
+  }
+
+  const entries = entriesToAdd.map(h => `127.0.0.1 ${h}`).join("\n");
+
+  try {
+    if (IS_WIN) {
+      // Process already has admin rights — edit hosts file directly
+      const toAppend = entriesToAdd.map(h => `127.0.0.1 ${h}`).join("\r\n") + "\r\n";
+      fs.appendFileSync(HOSTS_FILE, toAppend, "utf8");
+      require("child_process").execSync("ipconfig /flushdns", { windowsHide: true });
+    } else {
+      await execWithPassword(`echo "${entries}" >> ${HOSTS_FILE}`, sudoPassword);
+      await flushDNS(sudoPassword);
+    }
+    log(`🌐 DNS ${tool}: ✅ added ${entriesToAdd.join(", ")}`);
+  } catch (error) {
+    const msg = error.message?.includes("incorrect password") ? "Wrong sudo password" : "Failed to add DNS entry";
+    throw new Error(msg);
+  }
+}
+
+/**
+ * Remove DNS entries for a specific tool
+ */
+async function removeDNSEntry(tool, sudoPassword) {
+  const hosts = TOOL_HOSTS[tool];
+  if (!hosts) throw new Error(`Unknown tool: ${tool}`);
+
+  const entriesToRemove = hosts.filter(h => checkDNSEntry(h));
+  if (entriesToRemove.length === 0) {
+    log(`🌐 DNS ${tool}: already inactive`);
+    return;
+  }
+
+  try {
+    if (IS_WIN) {
+      // Process already has admin rights — edit hosts file directly
+      const content = fs.readFileSync(HOSTS_FILE, "utf8");
+      const filtered = content.split(/\r?\n/).filter(l => !entriesToRemove.some(h => l.includes(h))).join("\r\n");
+      fs.writeFileSync(HOSTS_FILE, filtered, "utf8");
+      require("child_process").execSync("ipconfig /flushdns", { windowsHide: true });
+    } else {
+      for (const host of entriesToRemove) {
+        const sedCmd = IS_MAC
+          ? `sed -i '' '/${host}/d' ${HOSTS_FILE}`
+          : `sed -i '/${host}/d' ${HOSTS_FILE}`;
+        await execWithPassword(sedCmd, sudoPassword);
+      }
+      await flushDNS(sudoPassword);
+    }
+    log(`🌐 DNS ${tool}: ✅ removed ${entriesToRemove.join(", ")}`);
+  } catch (error) {
+    const msg = error.message?.includes("incorrect password") ? "Wrong sudo password" : "Failed to remove DNS entry";
+    throw new Error(msg);
+  }
+}
+
+/**
+ * Remove ALL tool DNS entries (used when stopping server)
+ */
+async function removeAllDNSEntries(sudoPassword) {
+  for (const tool of Object.keys(TOOL_HOSTS)) {
+    try {
+      await removeDNSEntry(tool, sudoPassword);
+    } catch (e) {
+      err(`DNS ${tool}: failed to remove — ${e.message}`);
+    }
+  }
+}
+
+module.exports = {
+  TOOL_HOSTS,
+  addDNSEntry,
+  removeDNSEntry,
+  removeAllDNSEntries,
+  execWithPassword,
+  executeElevatedPowerShell,
+  checkDNSEntry,
+  checkAllDNSStatus,
+};

package/.next/standalone/src/mitm/logger.js

@@ -0,0 +1,8 @@
+function time() {
+  return new Date().toLocaleTimeString("en-US", { hour12: false });
+}
+
+const log = (msg) => console.log(`[${time()}] [MITM] ${msg}`);
+const err = (msg) => console.error(`[${time()}] ❌ [MITM] ${msg}`);
+
+module.exports = { log, err };