stealth-fetch-plus 0.1.1

package/dist/socket/wasm-tls-adapter.js

@@ -0,0 +1,97 @@
+import { Duplex } from "node:stream";
+import { CloudflareSocketAdapter } from "./adapter.js";
+import { performTlsHandshake } from "./wasm-tls-bridge.js";
+class WasmTlsSocketAdapter extends Duplex {
+  rawSocket = null;
+  tlsSession = null;
+  _connected = false;
+  hostname;
+  port;
+  alpnProtocols;
+  /** TCP-level hostname (may differ from TLS SNI hostname for NAT64) */
+  connectHostname;
+  constructor(options) {
+    super();
+    this.hostname = options.hostname;
+    this.port = options.port;
+    this.alpnProtocols = options.alpnProtocols ?? ["h2", "http/1.1"];
+    this.connectHostname = options.connectHostname ?? options.hostname;
+  }
+  /**
+   * Establish connection: raw TCP -> WASM TLS handshake -> ready.
+   */
+  async connect() {
+    this.rawSocket = new CloudflareSocketAdapter({
+      hostname: this.connectHostname,
+      port: this.port,
+      tls: false
+      // Critical: no CF built-in TLS
+    });
+    await this.rawSocket.connect();
+    this.tlsSession = await performTlsHandshake(this.rawSocket, {
+      hostname: this.hostname,
+      alpnProtocols: this.alpnProtocols
+    });
+    this.tlsSession.onPlaintext((data) => {
+      if (!this.destroyed) {
+        this.push(data);
+      }
+    });
+    this.tlsSession.onClose(() => {
+      this._connected = false;
+      if (!this.destroyed) {
+        this.push(null);
+        this.emit("close");
+      }
+    });
+    this.tlsSession.onError((err) => {
+      this._connected = false;
+      if (!this.destroyed) {
+        this.destroy(err);
+      }
+    });
+    this._connected = true;
+    this.emit("connect");
+  }
+  /** Get the negotiated ALPN protocol */
+  get negotiatedAlpn() {
+    return this.tlsSession?.negotiatedAlpn ?? null;
+  }
+  _read() {
+  }
+  _write(chunk, _encoding, callback) {
+    if (!this.tlsSession || !this._connected) {
+      callback(new Error("TLS socket not connected"));
+      return;
+    }
+    const data = chunk instanceof Uint8Array ? chunk : new Uint8Array(chunk);
+    this.tlsSession.write(data).then(
+      () => callback(),
+      (err) => callback(err)
+    );
+  }
+  _final(callback) {
+    if (this.tlsSession) {
+      this.tlsSession.close();
+    }
+    callback();
+  }
+  _destroy(error, callback) {
+    this._connected = false;
+    if (this.tlsSession) {
+      this.tlsSession.close();
+      this.tlsSession = null;
+    }
+    if (this.rawSocket) {
+      this.rawSocket.destroy();
+      this.rawSocket = null;
+    }
+    callback(error);
+  }
+  get isConnected() {
+    return this._connected;
+  }
+}
+export {
+  WasmTlsSocketAdapter
+};

package/dist/socket/wasm-tls-bridge.d.ts

@@ -0,0 +1,30 @@
+import { CloudflareSocketAdapter } from './adapter.js';
+import 'node:stream';
+
+/** Fire-and-forget preload of WASM TLS module to avoid lazy-init delay */
+declare function preloadWasmTls(): void;
+interface WasmTlsOptions {
+    hostname: string;
+    alpnProtocols?: string[];
+}
+interface WasmTlsSession {
+    /** Negotiated ALPN protocol (e.g. "h2", "http/1.1", or null) */
+    negotiatedAlpn: string | null;
+    /** Write plaintext to TLS layer (encrypts and sends to socket) */
+    write(data: Uint8Array): Promise<void>;
+    /** Register plaintext data callback */
+    onPlaintext(callback: (data: Uint8Array) => void): void;
+    /** Register close callback */
+    onClose(callback: () => void): void;
+    /** Register error callback */
+    onError(callback: (err: Error) => void): void;
+    /** Close TLS session */
+    close(): void;
+}
+/**
+ * Perform TLS handshake over an existing raw TCP socket.
+ * The rawSocket must have been created with secureTransport: "off".
+ */
+declare function performTlsHandshake(rawSocket: CloudflareSocketAdapter, options: WasmTlsOptions): Promise<WasmTlsSession>;
+
+export { type WasmTlsOptions, type WasmTlsSession, performTlsHandshake, preloadWasmTls };

package/dist/socket/wasm-tls-bridge.js

@@ -0,0 +1,160 @@
+import initWasm, { TlsConnection } from "./wasm-pkg/wasm_tls.js";
+import wasmModule from "./wasm-pkg/wasm_tls_bg.wasm";
+let wasmInitPromise = null;
+function ensureWasmInit() {
+  if (!wasmInitPromise) {
+    wasmInitPromise = initWasm(wasmModule).then(
+      () => {
+      },
+      (err) => {
+        wasmInitPromise = null;
+        throw err;
+      }
+    );
+  }
+  return wasmInitPromise;
+}
+function preloadWasmTls() {
+  ensureWasmInit().catch(() => {
+  });
+}
+async function performTlsHandshake(rawSocket, options) {
+  await ensureWasmInit();
+  const alpn = (options.alpnProtocols ?? ["h2", "http/1.1"]).join(",");
+  const tls = new TlsConnection(options.hostname, alpn);
+  try {
+    const clientHello = tls.flush_outgoing_tls();
+    if (clientHello.length > 0) {
+      await writeToSocket(rawSocket, clientHello);
+    }
+    await handshakeLoop(rawSocket, tls);
+  } catch (err) {
+    tls.free();
+    throw err;
+  }
+  const negotiatedAlpn = tls.negotiated_alpn() ?? null;
+  return createSession(rawSocket, tls, negotiatedAlpn);
+}
+async function handshakeLoop(socket, tls) {
+  return new Promise((resolve, reject) => {
+    const onData = async (chunk) => {
+      try {
+        const data = chunk instanceof Uint8Array ? chunk : new Uint8Array(chunk);
+        const needsWrite = tls.feed_ciphertext(data);
+        if (needsWrite) {
+          const out = tls.flush_outgoing_tls();
+          if (out.length > 0) {
+            await writeToSocket(socket, out);
+          }
+        }
+        if (!tls.is_handshaking()) {
+          socket.removeListener("data", onData);
+          socket.removeListener("error", onError);
+          resolve();
+        }
+      } catch (err) {
+        socket.removeListener("data", onData);
+        socket.removeListener("error", onError);
+        reject(err instanceof Error ? err : new Error(String(err)));
+      }
+    };
+    const onError = (err) => {
+      socket.removeListener("data", onData);
+      socket.removeListener("error", onError);
+      reject(err);
+    };
+    socket.on("data", onData);
+    socket.on("error", onError);
+  });
+}
+function createSession(socket, tls, negotiatedAlpn) {
+  let plaintextCallback = null;
+  let closeCallback = null;
+  let errorCallback = null;
+  let closed = false;
+  const onData = async (chunk) => {
+    try {
+      const data = chunk instanceof Uint8Array ? chunk : new Uint8Array(chunk);
+      const needsWrite = tls.feed_ciphertext(data);
+      const plaintext = tls.take_plaintext();
+      if (plaintext.length > 0 && plaintextCallback) {
+        plaintextCallback(plaintext);
+      }
+      if (needsWrite) {
+        const out = tls.flush_outgoing_tls();
+        if (out.length > 0) {
+          await writeToSocket(socket, out);
+        }
+      }
+    } catch (err) {
+      if (errorCallback) {
+        errorCallback(err instanceof Error ? err : new Error(String(err)));
+      }
+    }
+  };
+  const onEnd = () => {
+    if (!closed) {
+      closed = true;
+      closeCallback?.();
+    }
+  };
+  const onError = (err) => {
+    errorCallback?.(err);
+  };
+  socket.on("data", onData);
+  socket.on("end", onEnd);
+  socket.on("error", onError);
+  return {
+    negotiatedAlpn,
+    async write(data) {
+      if (closed) throw new Error("TLS session closed");
+      const needsWrite = tls.write_plaintext(data);
+      if (needsWrite) {
+        const out = tls.flush_outgoing_tls();
+        if (out.length > 0) {
+          await writeToSocket(socket, out);
+        }
+      }
+    },
+    onPlaintext(callback) {
+      plaintextCallback = callback;
+    },
+    onClose(callback) {
+      closeCallback = callback;
+    },
+    onError(callback) {
+      errorCallback = callback;
+    },
+    close() {
+      if (!closed) {
+        closed = true;
+        try {
+          tls.send_close_notify();
+          const out = tls.flush_outgoing_tls();
+          if (out.length > 0) {
+            writeToSocket(socket, out).catch(() => {
+            });
+          }
+        } catch {
+        }
+        socket.removeListener("data", onData);
+        socket.removeListener("end", onEnd);
+        socket.removeListener("error", onError);
+        socket.end();
+        tls.free();
+      }
+    }
+  };
+}
+function writeToSocket(socket, data) {
+  return new Promise((resolve, reject) => {
+    socket.write(data, (err) => {
+      if (err) reject(err);
+      else resolve();
+    });
+  });
+}
+export {
+  performTlsHandshake,
+  preloadWasmTls
+};

package/dist/utils/headers.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Header utilities for HTTP/1.1 and HTTP/2.
+ * HTTP/2 requires lowercase header names (RFC 7540 Section 8.1.2).
+ */
+/**
+ * Build HTTP/2 pseudo-headers from request parameters.
+ * Pseudo-headers must come before regular headers (RFC 7540 Section 8.1.2.1).
+ */
+declare function buildPseudoHeaders(method: string, hostname: string, path: string, scheme: "https" | "http"): Array<[string, string]>;
+/**
+ * Merge pseudo-headers and user headers into an ordered array.
+ * Pseudo-headers first, then regular headers (all lowercase).
+ */
+declare function mergeHeaders(pseudo: Array<[string, string]>, headers: Record<string, string>): Array<[string, string]>;
+/**
+ * Serialize headers into HTTP/1.1 format: "Key: Value\r\n"
+ * Validates against header injection (CR/LF/NUL).
+ */
+declare function serializeHttp1Headers(headers: Record<string, string>): string;
+
+export { buildPseudoHeaders, mergeHeaders, serializeHttp1Headers };

package/dist/utils/headers.js

@@ -0,0 +1,36 @@
+function buildPseudoHeaders(method, hostname, path, scheme) {
+  return [
+    [":method", method.toUpperCase()],
+    [":path", path],
+    [":scheme", scheme],
+    [":authority", hostname]
+  ];
+}
+function mergeHeaders(pseudo, headers) {
+  const result = [...pseudo];
+  for (const [key, value] of Object.entries(headers)) {
+    const lower = key.toLowerCase();
+    if (lower.startsWith(":") || lower === "connection" || lower === "transfer-encoding" || lower === "keep-alive" || lower === "upgrade") {
+      continue;
+    }
+    result.push([lower, value]);
+  }
+  return result;
+}
+const INVALID_HEADER_CHAR_RE = /[\r\n\0]/;
+function serializeHttp1Headers(headers) {
+  let result = "";
+  for (const [key, value] of Object.entries(headers)) {
+    if (INVALID_HEADER_CHAR_RE.test(key) || INVALID_HEADER_CHAR_RE.test(value)) {
+      throw new Error(`Invalid header: contains CR/LF/NUL in "${key}"`);
+    }
+    result += `${key}: ${value}\r
+`;
+  }
+  return result;
+}
+export {
+  buildPseudoHeaders,
+  mergeHeaders,
+  serializeHttp1Headers
+};

package/dist/utils/url.d.ts

@@ -0,0 +1,16 @@
+/**
+ * URL parsing utility.
+ */
+interface ParsedUrl {
+    protocol: "https" | "http";
+    hostname: string;
+    port: number;
+    path: string;
+}
+/**
+ * Parse a URL string into its components.
+ * Avoids using the full URL constructor to minimize CPU overhead.
+ */
+declare function parseUrl(url: string): ParsedUrl;
+
+export { type ParsedUrl, parseUrl };

package/dist/utils/url.js

@@ -0,0 +1,12 @@
+function parseUrl(url) {
+  const parsed = new URL(url);
+  const protocol = parsed.protocol === "https:" ? "https" : "http";
+  const hostname = parsed.hostname;
+  const defaultPort = protocol === "https" ? 443 : 80;
+  const port = parsed.port ? parseInt(parsed.port, 10) : defaultPort;
+  const path = parsed.pathname + parsed.search;
+  return { protocol, hostname, port, path: path || "/" };
+}
+export {
+  parseUrl
+};

package/package.json

@@ -0,0 +1,87 @@
+{
+  "name": "stealth-fetch-plus",
+  "version": "0.1.1",
+  "description": "HTTP/1.1 + HTTP/2 client for Cloudflare Workers via cloudflare:sockets, bypassing cf-* header injection",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "workerd": "./dist/index.js",
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      }
+    }
+  },
+  "scripts": {
+    "build:wasm": "bash scripts/build-wasm.sh",
+    "dev": "wrangler dev",
+    "build": "tsup && bash scripts/copy-wasm.sh",
+    "test": "vitest",
+    "test:run": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "lint": "eslint src/ test/ examples/",
+    "lint:fix": "eslint src/ test/ examples/ --fix",
+    "lint:commit": "commitlint --from=HEAD~1",
+    "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\" \"examples/**/*.ts\" \"*.json\" \"*.ts\" \"*.js\" \"*.md\"",
+    "format:check": "prettier --check \"src/**/*.ts\" \"test/**/*.ts\" \"examples/**/*.ts\" \"*.json\" \"*.ts\" \"*.js\" \"*.md\"",
+    "type-check": "tsc --noEmit",
+    "prepublishOnly": "npm run type-check && npm run test:run && npm run build",
+    "prepare": "husky"
+  },
+  "dependencies": {
+    "hpack.js": "^2.1.6"
+  },
+  "devDependencies": {
+    "@cloudflare/vitest-pool-workers": "^0.12.0",
+    "@cloudflare/workers-types": "^4.20241230.0",
+    "@commitlint/cli": "^19.6.0",
+    "@commitlint/config-conventional": "^19.6.0",
+    "@types/node": "^25.2.1",
+    "eslint": "^9.0.0",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-jsdoc": "^62.5.3",
+    "husky": "^9.1.7",
+    "lint-staged": "^16.2.7",
+    "prettier": "^3.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.7.0",
+    "typescript-eslint": "^8.54.0",
+    "vitest": "^3.0.0",
+    "wrangler": "^4.0.0"
+  },
+  "sideEffects": false,
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "cloudflare-workers",
+    "http2",
+    "h2",
+    "http-client",
+    "wasm",
+    "tls",
+    "alpn",
+    "cloudflare-sockets",
+    "stealth-fetch",
+    "no-cf-headers"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/0XwX/stealth-fetch.git"
+  },
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "lint-staged": {
+    "*.ts": [
+      "eslint --fix",
+      "prettier --write"
+    ],
+    "*.{json,md,yml,yaml,js}": [
+      "prettier --write"
+    ]
+  }
+}