npm - preflite - Versions diffs - 1.1.3 → 1.1.6 - Mend

preflite 1.1.3 → 1.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/mcp/server.js +0 -203
package/dist/mcp/setup.js +144 -12
package/dist/mcp/visual-flow/validate.js +0 -171
package/docs/visual-flow-ir-llm.md +0 -68
package/package.json +1 -1
package/dist/mcp/network-mocks/NetworkMockServer.js +0 -579
package/dist/mcp/network-mocks/NetworkMockService.js +0 -156
package/dist/mcp/network-mocks/device-proxy.js +0 -31
package/dist/mcp/network-mocks/index.js +0 -3
package/dist/mcp/network-mocks/types.js +0 -1

package/docs/visual-flow-ir-llm.md CHANGED Viewed

@@ -11,7 +11,6 @@
 | ------------ | --- | ------------------------------------ |
 | `version`    | 是   | 固定为数字 `2`，其它值保存失败。                   |
 | `scriptVars` | 否   | 执行前由人填的变量声明数组；步骤文案里用 `{{变量名}}` 引用。   |
-| `networkMocks` | 否   | 网络 mock 规则数组，在测试开始前启动代理并配置到设备。每条规则描述一个 API 的 URL 匹配与 mock 响应序列。 |
 | `steps`      | 是   | 顶层步骤数组，按顺序执行；**展开后总条数 ≤ 500**（含子步骤）。 |
@@ -26,70 +25,6 @@
 | `scope`        | 否   | `global`、`local` 或 `temp`；缺省按平台约定。 |
-### 1.2 `networkMocks[]` 每项
-| 字段           | 必填  | 说明                                   |
-| -------------- | --- | -------------------------------------- |
-| `urlPattern`   | 是   | 请求 URL 的子串匹配（`includes` 语义）。首个匹配的规则生效。 |
-| `method`       | 否   | HTTP 方法：`GET`、`POST`、`PUT`、`DELETE` 或 `PATCH`。不填则匹配任意方法。 |
-| `responses`    | 是   | 非空响应序列数组，按顺序匹配第一项满足条件的响应。 |
-| `description`  | 否   | 给人看的说明。 |
-#### `responses[]` 每项
-| 字段               | 必填  | 说明                                   |
-| ------------------ | --- | -------------------------------------- |
-| `body`             | 是   | 响应体字符串（通常为 JSON）。上限 1MB。 |
-| `status`           | 否   | HTTP 状态码，默认 200。范围 100～599。 |
-| `callIndex`        | 否   | 仅第 n 次调用时匹配（1-based）。用于实现状态性 mock：首次返回错误，二次返回成功。 |
-| `requestBodyMatch` | 否   | 键值对映射，必须在请求体的 JSON 中存在且值匹配才会命中。 |
-| `headers`          | 否   | 额外的响应头。Content-Type 默认为 `application/json; charset=utf-8`。 |
-| `delay`            | 否   | 响应延迟毫秒数。范围 0～60000。 |
-#### 匹配规则
-1. 遍历 `networkMocks`，找到第一条 `urlPattern` 是请求 URL 子串的规则。
-2. 递增该规则的调用计数器。
-3. 按顺序遍历 `responses`，找到第一项满足 `callIndex` 和 `requestBodyMatch` 的响应并返回。
-4. 若无匹配响应或请求不匹配任何规则，透明转发到真实服务器。
-#### 示例
-```json
-{
-  "networkMocks": [
-    {
-      "urlPattern": "getMafangRosterNewFlowSwitch",
-      "description": "启用码放新流程",
-      "responses": [
-        {
-          "status": 200,
-          "body": "{\"code\":200,\"data\":{\"newFlowEnabled\":true},\"subcode\":200}"
-        }
-      ]
-    },
-    {
-      "urlPattern": "copyWorkScheduleGroup",
-      "method": "POST",
-      "description": "日复制先弹确认再成功",
-      "responses": [
-        {
-          "callIndex": 1,
-          "status": 200,
-          "body": "{\"code\":\"WORK_SCHEDULE_PARTITION_MAFANG_COPY_SKIP_CONFIRM\",\"data\":{\"blockedCount\":2}}"
-        },
-        {
-          "callIndex": 2,
-          "requestBodyMatch": {"mafangSkipConfirmed": "true"},
-          "status": 200,
-          "body": "{\"code\":200,\"data\":{\"flag\":true}}"
-        }
-      ]
-    }
-  ]
-}
-```
 ---
 ## 2. 步骤类型与设计原则
@@ -166,9 +101,6 @@
 ## 4. 易错校验（生成后自查）
 - `version !== 2` → 失败。
-- `networkMocks` 超过 50 条规则或单条规则的 `responses` 超过 50 项 → 失败。
-- `networkMocks[].urlPattern` 为空或过长（>1000）→ 失败。
-- `networkMocks[].responses` 为空数组 → 失败。
 - `if` / `ifDeviceType` 的 `thenSteps` 为空，或 `whileLoop` / `forLoop` 的 `bodySteps` 为空 → 失败。
 - `sleep.ms`、`whileLoop.maxIterations`、`forLoop.count` 超出上表范围 → 失败。
 - `callScript.targetTestCaseId` 非 24 位 hex，或 `scopeId` 不符合 `sub`+12hex → 失败。

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "preflite",
-  "version": "1.1.3",
+  "version": "1.1.6",
   "description": "Preflight — Local mobile AI testing via MCP. AI-assisted testing on real Android/iOS/Harmony devices.",
   "license": "Apache-2.0",
   "type": "module",

package/dist/mcp/network-mocks/NetworkMockServer.js DELETED Viewed

@@ -1,579 +0,0 @@
-import { createServer, request as httpRequest } from "node:http";
-import { request as httpsRequest } from "node:https";
-import { connect as netConnect } from "node:net";
-import tls from "node:tls";
-import { TLSSocket } from "node:tls";
-import { execSync } from "node:child_process";
-import { randomUUID } from "node:crypto";
-import { writeFileSync, unlinkSync, readFileSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-function findJsonValue(obj, key) {
-    if (!obj || typeof obj !== "object")
-        return undefined;
-    if (key in obj)
-        return obj[key];
-    for (const v of Object.values(obj)) {
-        const result = findJsonValue(v, key);
-        if (result !== undefined)
-            return result;
-    }
-    return undefined;
-}
-function getRuleKey(rule) { return (rule.urlPattern ?? rule.urlRegex ?? "") ?? rule.urlRegex ?? ""; }
-export class NetworkMockServer {
-    server = null;
-    rules = [];
-    callCounts = new Map();
-    port = 0;
-    rootCA = null;
-    certCache = new Map();
-    mitmHttpServer = null;
-    recording = false;
-    recorded = [];
-    start(rules, bindAddress = "0.0.0.0", preferredPort = 0) {
-        this.rules = rules;
-        this.callCounts.clear();
-        this.certCache.clear();
-        this.rootCA = this.loadOrGenerateRootCA();
-        for (const rule of rules) {
-            this.callCounts.set((rule.urlPattern ?? rule.urlRegex ?? ""), 0);
-        }
-        this.mitmHttpServer = createServer((req, res) => {
-            // hostname/port are stored on the socket during handleConnectEvent
-            const sock = req.socket;
-            void this.handleMitmRequest(req, res, sock.__mitmHostname ?? "unknown", sock.__mitmPort ?? 443);
-        });
-        this.mitmHttpServer.on("error", () => { });
-        return new Promise((resolve, reject) => {
-            this.server = createServer((req, res) => this.handleRequest(req, res));
-            this.server.on("connect", (req, socket, head) => this.handleConnectEvent(req, socket, head));
-            this.server.on("error", reject);
-            this.server.listen(preferredPort, bindAddress, () => {
-                const addr = this.server.address();
-                if (!addr || typeof addr === "string") {
-                    reject(new Error("Failed to get server address"));
-                    return;
-                }
-                this.port = addr.port;
-                resolve(this.port);
-            });
-        });
-    }
-    stop() {
-        this.certCache.clear();
-        return new Promise((resolve) => {
-            if (this.mitmHttpServer) {
-                this.mitmHttpServer.close();
-                this.mitmHttpServer = null;
-            }
-            if (!this.server)
-                return resolve();
-            this.server.close(() => { this.server = null; this.port = 0; resolve(); });
-        });
-    }
-    getPort() { return this.port; }
-    getRootCACert() { return this.rootCA?.cert ?? null; }
-    /** Generate an iOS .mobileconfig profile that installs the CA cert + proxy settings. */
-    generateMobileConfig(proxyHost, proxyPort) {
-        if (!this.rootCA)
-            return null;
-        const payloadContent = this.rootCA.cert
-            .replace(/-----BEGIN CERTIFICATE-----/, "")
-            .replace(/-----END CERTIFICATE-----/, "")
-            .replace(/\n/g, "");
-        return `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-  <key>PayloadContent</key>
-  <array>
-    <dict>
-      <key>PayloadCertificateFileName</key>
-      <string>Preflight Mock CA</string>
-      <key>PayloadContent</key>
-      <data>${payloadContent}</data>
-      <key>PayloadDescription</key>
-      <string>信任此证书以启用 Preflight HTTPS 拦截</string>
-      <key>PayloadDisplayName</key>
-      <string>Preflight Mock CA</string>
-      <key>PayloadIdentifier</key>
-      <string>com.preflight.ca</string>
-      <key>PayloadType</key>
-      <string>com.apple.security.root</string>
-      <key>PayloadUUID</key>
-      <string>${randomUUID().toUpperCase()}</string>
-      <key>PayloadVersion</key>
-      <integer>1</integer>
-    </dict>
-    <dict>
-      <key>PayloadContent</key>
-      <dict>
-        <key>HTTPProxy</key>
-        <string>${proxyHost}</string>
-        <key>HTTPPort</key>
-        <integer>${proxyPort}</integer>
-        <key>HTTPSProxy</key>
-        <string>${proxyHost}</string>
-        <key>HTTPSPort</key>
-        <integer>${proxyPort}</integer>
-        <key>ProxyAutoConfigEnable</key>
-        <false/>
-        <key>ProxyAutoDiscoveryEnable</key>
-        <false/>
-      </dict>
-      <key>PayloadDescription</key>
-      <string>配置 WiFi 代理到 Preflight Mock Server</string>
-      <key>PayloadDisplayName</key>
-      <string>WiFi Proxy (Preflight)</string>
-      <key>PayloadIdentifier</key>
-      <string>com.preflight.proxy</string>
-      <key>PayloadType</key>
-      <string>com.apple.SystemConfiguration</string>
-      <key>PayloadUUID</key>
-      <string>${randomUUID().toUpperCase()}</string>
-      <key>PayloadVersion</key>
-      <integer>1</integer>
-    </dict>
-  </array>
-  <key>PayloadDescription</key>
-  <string>安装 Preflight Mock CA 证书和 WiFi 代理配置。安装后前往 Settings > General > About > Certificate Trust Settings 开启信任。</string>
-  <key>PayloadDisplayName</key>
-  <string>Preflight Network Mock</string>
-  <key>PayloadIdentifier</key>
-  <string>com.preflight.mocks</string>
-  <key>PayloadOrganization</key>
-  <string>Preflight</string>
-  <key>PayloadType</key>
-  <string>Configuration</string>
-  <key>PayloadUUID</key>
-  <string>${randomUUID().toUpperCase()}</string>
-  <key>PayloadVersion</key>
-  <integer>1</integer>
-</dict>
-</plist>`;
-    }
-    getStats() {
-        return {
-            running: this.server !== null,
-            port: this.port,
-            mitmEnabled: this.rootCA !== null,
-            rules: this.rules.map((rule) => ({
-                urlPattern: (rule.urlPattern ?? rule.urlRegex ?? ""),
-                description: rule.description,
-                callCount: this.callCounts.get((rule.urlPattern ?? rule.urlRegex ?? "")) ?? 0,
-            })),
-        };
-    }
-    updateRules(rules) {
-        this.rules = rules;
-        this.callCounts.clear();
-        for (const rule of rules) {
-            this.callCounts.set((rule.urlPattern ?? rule.urlRegex ?? ""), 0);
-        }
-    }
-    setRecording(enabled) {
-        this.recording = enabled;
-        if (enabled)
-            this.recorded = [];
-    }
-    clearRecording() { this.recorded = []; }
-    isRecording() { return this.recording; }
-    getRecordedCount() { return this.recorded.length; }
-    exportRecordedRules() {
-        const dedup = new Map();
-        for (const r of this.recorded) {
-            const key = r.url;
-            let entry = dedup.get(key);
-            if (!entry) {
-                entry = { url: r.url, method: r.method !== "GET" ? r.method : undefined, requestBodies: new Map() };
-                dedup.set(key, entry);
-            }
-            const bodyKey = r.requestBody || "(empty)";
-            entry.requestBodies.set(bodyKey, (entry.requestBodies.get(bodyKey) ?? 0) + 1);
-        }
-        const rules = [];
-        for (const entry of dedup.values()) {
-            const responses = this.recorded
-                .filter((r) => r.url === entry.url)
-                .map((r, i) => {
-                const resp = {
-                    status: r.status,
-                    body: r.responseBody.slice(0, 500_000),
-                };
-                if (i > 0)
-                    resp.callIndex = i + 1;
-                if (r.requestBody) {
-                    try {
-                        const parsed = JSON.parse(r.requestBody);
-                        const flat = {};
-                        for (const [k, v] of Object.entries(parsed)) {
-                            if (typeof v === "string")
-                                flat[k] = v;
-                            else if (typeof v === "number" || typeof v === "boolean")
-                                flat[k] = String(v);
-                        }
-                        if (Object.keys(flat).length > 0)
-                            resp.requestBodyMatch = flat;
-                    }
-                    catch { /* ignore */ }
-                }
-                return resp;
-            });
-            rules.push({
-                urlPattern: entry.url,
-                ...(entry.method ? { method: entry.method } : {}),
-                responses: responses.slice(0, 50),
-                description: "recorded",
-            });
-        }
-        return rules;
-    }
-    // ── HTTP proxy handler ──
-    handleRequest(clientReq, clientRes) {
-        if (clientReq.method === "CONNECT")
-            return;
-        const requestUrl = this.resolveUrl(clientReq);
-        if (!requestUrl) {
-            clientRes.writeHead(400);
-            clientRes.end();
-            return;
-        }
-        const match = this.findMatch(clientReq.method ?? "GET", requestUrl);
-        match ? this.serveMock(match, clientRes) : this.forwardRequest(clientReq, clientRes, requestUrl);
-    }
-    resolveUrl(req) {
-        if (req.url && (req.url.startsWith("http://") || req.url.startsWith("https://"))) {
-            try {
-                return new URL(req.url);
-            }
-            catch {
-                return null;
-            }
-        }
-        if (req.headers.host && req.url) {
-            try {
-                return new URL(req.url, `http://${req.headers.host}`);
-            }
-            catch {
-                return null;
-            }
-        }
-        return null;
-    }
-    findMatch(method, url, reqBody) {
-        const urlStr = url.toString();
-        for (const rule of this.rules) {
-            if (rule.urlPattern && !urlStr.includes(rule.urlPattern))
-                continue;
-            if (rule.urlRegex && !new RegExp(rule.urlRegex).test(urlStr))
-                continue;
-            if (!rule.urlPattern && !rule.urlRegex)
-                continue;
-            if (rule.method && rule.method.toUpperCase() !== method.toUpperCase())
-                continue;
-            if (rule.queryParams) {
-                let qm = true;
-                for (const [k, v] of Object.entries(rule.queryParams)) {
-                    if (url.searchParams.get(k) !== v) {
-                        qm = false;
-                        break;
-                    }
-                }
-                if (!qm)
-                    continue;
-            }
-            const currentCount = (this.callCounts.get((rule.urlPattern ?? rule.urlRegex ?? "")) ?? 0) + 1;
-            this.callCounts.set((rule.urlPattern ?? rule.urlRegex ?? ""), currentCount);
-            for (const resp of rule.responses) {
-                if (resp.callIndex != null && resp.callIndex !== currentCount)
-                    continue;
-                if (resp.requestBodyMatch && reqBody) {
-                    for (const [key, expected] of Object.entries(resp.requestBodyMatch)) {
-                        const actual = findJsonValue(reqBody, key);
-                        if (actual === undefined || String(actual) !== expected)
-                            continue;
-                    }
-                }
-                return resp;
-            }
-            return null;
-        }
-        return null;
-    }
-    serveMock(mock, res) {
-        const { status = 200, body, headers = {}, delay = 0 } = mock;
-        const send = () => {
-            res.writeHead(status, {
-                "Content-Type": "application/json; charset=utf-8",
-                "Access-Control-Allow-Origin": "*",
-                "X-Preflight-Mock": "true",
-                ...headers,
-            });
-            res.end(body);
-        };
-        delay > 0 ? setTimeout(send, delay) : send();
-    }
-    forwardRequest(clientReq, clientRes, url) {
-        const opts = {
-            hostname: url.hostname, port: url.port || 80,
-            path: url.pathname + url.search, method: clientReq.method,
-            headers: { ...clientReq.headers },
-        };
-        delete opts.headers["proxy-connection"];
-        const pr = httpRequest(opts, (pres) => { clientRes.writeHead(pres.statusCode ?? 502, pres.headers); pres.pipe(clientRes); });
-        pr.on("error", () => { if (!clientRes.headersSent) {
-            clientRes.writeHead(502);
-            clientRes.end("Bad Gateway");
-        } });
-        clientReq.pipe(pr);
-    }
-    // ── HTTPS MITM handler ──
-    handleConnectEvent(req, socket, _head) {
-        const sock = socket;
-        const [hostname, portStr] = (req.url ?? "").split(":");
-        const port = Number.parseInt(portStr, 10) || 443;
-        if (!hostname) {
-            sock.write("HTTP/1.1 400 Bad Request\r\n\r\n");
-            sock.destroy();
-            return;
-        }
-        // Skip MITM for Apple captive-portal detection & connectivity checks
-        if (this.shouldSkipMitm(hostname)) {
-            this.tunnelConnect(sock, hostname, port);
-            return;
-        }
-        const secCtx = this.getServerSecureContext(hostname);
-        if (!secCtx) {
-            this.tunnelConnect(sock, hostname, port);
-            return;
-        }
-        sock.write("HTTP/1.1 200 Connection Established\r\n\r\n");
-        sock.__mitmHostname = hostname;
-        sock.__mitmPort = port;
-        const tlsSocket = new TLSSocket(sock, {
-            isServer: true,
-            secureContext: secCtx,
-            ALPNProtocols: ["http/1.1"],
-        });
-        tlsSocket.__mitmHostname = hostname;
-        tlsSocket.__mitmPort = port;
-        tlsSocket.on("error", () => { if (!tlsSocket.destroyed)
-            tlsSocket.destroy(); });
-        // Route through shared HTTP server
-        this.mitmHttpServer.emit("connection", tlsSocket);
-    }
-    async handleMitmRequest(innerReq, innerRes, hostname, port) {
-        const fullUrl = `https://${hostname}${innerReq.url ?? "/"}`;
-        let url;
-        try {
-            url = new URL(fullUrl);
-        }
-        catch {
-            innerRes.writeHead(400);
-            innerRes.end();
-            return;
-        }
-        const match = this.findMatch(innerReq.method ?? "GET", url);
-        if (match) {
-            if (this.recording)
-                this.recordMatched(url.toString(), innerReq.method ?? "GET", match);
-            this.serveMock(match, innerRes);
-        }
-        else {
-            if (this.recording)
-                this.recordForwarded(url.toString(), innerReq.method ?? "GET", innerReq, innerRes);
-            this.forwardHttpsRequest(innerReq, innerRes, hostname, port);
-        }
-    }
-    recordMatched(urlStr, method, mock) {
-        if (this.recorded.length >= 1000)
-            return;
-        this.recorded.push({
-            url: urlStr,
-            method,
-            requestBody: "",
-            responseBody: mock.body,
-            status: mock.status ?? 200,
-        });
-    }
-    recordForwarded(urlStr, method, req, res) {
-        if (this.recorded.length >= 1000)
-            return;
-        let reqBody = "";
-        req.on("data", (chunk) => { reqBody += chunk.toString(); });
-        const origWriteHead = res.writeHead.bind(res);
-        let status = 0;
-        res.writeHead = function (code, ...args) {
-            status = code;
-            return origWriteHead(code, ...args);
-        };
-        const self = this;
-        const origEnd = res.end.bind(res);
-        res.end = function (chunk, ...args) {
-            const respBody = chunk ? (typeof chunk === "string" ? chunk : Buffer.from(chunk).toString()) : "";
-            if (status > 0) {
-                self.recorded.push({ url: urlStr, method, requestBody: reqBody.slice(0, 10000), responseBody: respBody.slice(0, 10000), status });
-            }
-            return origEnd(chunk, ...args);
-        };
-    }
-    forwardHttpsRequest(clientReq, clientRes, hostname, port) {
-        const opts = {
-            hostname, port, path: clientReq.url, method: clientReq.method,
-            headers: { ...clientReq.headers }, rejectUnauthorized: false,
-        };
-        delete opts.headers["proxy-connection"];
-        delete opts.headers["proxy-authorization"];
-        const pr = httpsRequest(opts, (pres) => { clientRes.writeHead(pres.statusCode ?? 502, pres.headers); pres.pipe(clientRes); });
-        pr.on("error", () => { if (!clientRes.headersSent) {
-            clientRes.writeHead(502);
-            clientRes.end("Bad Gateway");
-        } });
-        clientReq.pipe(pr);
-    }
-    tunnelConnect(sock, hostname, port) {
-        let connected = false;
-        const upstream = netConnect({ host: hostname, port }, () => {
-            connected = true;
-            sock.write("HTTP/1.1 200 Connection Established\r\n\r\n");
-            upstream.pipe(sock);
-            sock.pipe(upstream);
-        });
-        upstream.on("error", () => {
-            if (!connected)
-                sock.write("HTTP/1.1 502 Bad Gateway\r\n\r\n");
-            upstream.destroy();
-            sock.destroy();
-        });
-        sock.on("error", () => upstream.destroy());
-        setTimeout(() => {
-            if (!connected) {
-                sock.write("HTTP/1.1 504 Gateway Timeout\r\n\r\n");
-                upstream.destroy();
-                sock.destroy();
-            }
-        }, 30_000);
-    }
-    shouldSkipMitm(hostname) {
-        // Apple captive portal detection and connectivity checks — must passthrough
-        const passthroughSuffixes = [
-            ".apple.com",
-            ".icloud.com",
-            "captive.apple.com",
-            "gsp10-ssl.apple.com",
-            "gsp11-ssl.apple.com",
-            "gsp12-ssl.apple.com",
-            "gsp13-ssl.apple.com",
-        ];
-        return passthroughSuffixes.some((s) => hostname === s || hostname.endsWith(s));
-    }
-    // ── Certificate generation (openssl CLI) ──
-    loadOrGenerateRootCA() {
-        const caDir = join(tmpdir(), "preflight-ca");
-        const keyPath = join(caDir, "ca.key");
-        const certPath = join(caDir, "ca.pem");
-        try {
-            const existingKey = readFileSync(keyPath, "utf8");
-            const existingCert = readFileSync(certPath, "utf8");
-            if (existingKey && existingCert) {
-                // Validate the cert works by creating a test context
-                try {
-                    tls.createSecureContext({ key: existingKey, cert: existingCert });
-                    return { key: existingKey, cert: existingCert };
-                }
-                catch { /* regenerate */ }
-            }
-        }
-        catch { /* generate new */ }
-        const ca = this.generateRootCA();
-        try {
-            execSync(`mkdir -p "${caDir}"`, { stdio: "pipe" });
-            writeFileSync(keyPath, ca.key, { mode: 0o600 });
-            writeFileSync(certPath, ca.cert);
-        }
-        catch { /* non-fatal */ }
-        return ca;
-    }
-    generateRootCA() {
-        const id = randomUUID().slice(0, 8);
-        const dir = tmpdir();
-        const keyPath = join(dir, `preflight-ca-${id}.key`);
-        const certPath = join(dir, `preflight-ca-${id}.pem`);
-        try {
-            execSync(`openssl req -x509 -newkey rsa:2048 -nodes -keyout "${keyPath}" -out "${certPath}" -days 3650 ` +
-                `-subj "/CN=Preflight Mock CA/O=Preflight/OU=MITM Proxy" ` +
-                `-addext "basicConstraints=critical,CA:TRUE" ` +
-                `-addext "keyUsage=critical,keyCertSign,cRLSign"`, { stdio: "pipe", timeout: 10_000 });
-            const key = readFileSync(keyPath, "utf8");
-            const cert = readFileSync(certPath, "utf8");
-            return { key, cert };
-        }
-        finally {
-            try {
-                unlinkSync(keyPath);
-            }
-            catch { }
-            try {
-                unlinkSync(certPath);
-            }
-            catch { }
-        }
-    }
-    getServerSecureContext(hostname) {
-        if (!this.rootCA)
-            return null;
-        const cached = this.certCache.get(hostname);
-        if (cached)
-            return cached;
-        const { key, cert } = this.generateServerCert(hostname);
-        const ctx = tls.createSecureContext({ key, cert });
-        this.certCache.set(hostname, ctx);
-        return ctx;
-    }
-    generateServerCert(hostname) {
-        const id = randomUUID().slice(0, 8);
-        const dir = tmpdir();
-        const keyPath = join(dir, `preflight-srv-${id}.key`);
-        const csrPath = join(dir, `preflight-srv-${id}.csr`);
-        const certPath = join(dir, `preflight-srv-${id}.pem`);
-        const caKeyPath = join(dir, `preflight-ca-${id}.key`);
-        const caCertPath = join(dir, `preflight-ca-${id}.pem`);
-        try {
-            writeFileSync(caKeyPath, this.rootCA.key);
-            writeFileSync(caCertPath, this.rootCA.cert);
-            execSync(`openssl req -newkey rsa:2048 -nodes -keyout "${keyPath}" -out "${csrPath}" -subj "/CN=${hostname}"`, { stdio: "pipe", timeout: 10_000 });
-            execSync(`openssl x509 -req -in "${csrPath}" -CA "${caCertPath}" -CAkey "${caKeyPath}" -CAcreateserial ` +
-                `-out "${certPath}" -days 365 -extfile <(printf "subjectAltName=DNS:${hostname}\\nbasicConstraints=CA:FALSE\\nkeyUsage=digitalSignature,keyEncipherment\\nextendedKeyUsage=serverAuth")`, { stdio: "pipe", timeout: 10_000, shell: "/bin/bash" });
-            const key = readFileSync(keyPath, "utf8");
-            const cert = readFileSync(certPath, "utf8");
-            return { key, cert };
-        }
-        catch {
-            // Fall back to tunnel mode if cert generation fails
-            throw new Error(`Failed to generate cert for ${hostname}`);
-        }
-        finally {
-            try {
-                unlinkSync(keyPath);
-            }
-            catch { }
-            try {
-                unlinkSync(csrPath);
-            }
-            catch { }
-            try {
-                unlinkSync(certPath);
-            }
-            catch { }
-            try {
-                unlinkSync(caKeyPath);
-            }
-            catch { }
-            try {
-                unlinkSync(caCertPath);
-            }
-            catch { }
-        }
-    }
-}