stealth-fetch 0.1.2

package/dist/socket/adapter.js

@@ -0,0 +1,145 @@
+import { Duplex } from "node:stream";
+class CloudflareSocketAdapter extends Duplex {
+  reader = null;
+  writer = null;
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  cfSocket = null;
+  reading = false;
+  connected = false;
+  hostname;
+  port;
+  useTls;
+  constructor(options) {
+    super();
+    this.hostname = options.hostname;
+    this.port = options.port;
+    this.useTls = options.tls;
+  }
+  /**
+   * Establish the underlying cloudflare:sockets connection.
+   * Must be called before using the stream.
+   */
+  async connect() {
+    const { connect } = await import("cloudflare:sockets");
+    const address = { hostname: this.hostname, port: this.port };
+    console.debug(`[socket] connect(${this.hostname}:${this.port} tls=${this.useTls})`);
+    this.cfSocket = this.useTls ? connect(address, { secureTransport: "on" }) : connect(address);
+    this.writer = this.cfSocket.writable.getWriter();
+    this.reader = this.cfSocket.readable.getReader();
+    this.connected = true;
+    this.cfSocket.closed.then(() => {
+      console.debug(`[socket] closed(${this.hostname}:${this.port}) destroyed=${this.destroyed}`);
+      this.connected = false;
+      if (!this.destroyed) {
+        this.push(null);
+        this.emit("close");
+      }
+    }).catch((err) => {
+      console.debug(
+        `[socket] closed-error(${this.hostname}:${this.port}) destroyed=${this.destroyed} err=${err.message}`
+      );
+      this.connected = false;
+      if (!this.destroyed) {
+        this.destroy(err);
+      }
+    });
+    this.emit("connect");
+  }
+  /**
+   * Node.js Duplex _read: pull data from the CF socket's ReadableStream.
+   * Starts a read loop that pushes data into the Duplex readable side.
+   */
+  _read() {
+    if (this.reading || !this.reader) return;
+    this.reading = true;
+    this.readLoop();
+  }
+  async readLoop() {
+    const reader = this.reader;
+    if (!reader) {
+      this.reading = false;
+      return;
+    }
+    try {
+      while (this.reading) {
+        const { done, value } = await reader.read();
+        if (done) {
+          this.reading = false;
+          this.push(null);
+          return;
+        }
+        if (!this.push(value)) {
+          this.reading = false;
+          return;
+        }
+      }
+    } catch (err) {
+      this.reading = false;
+      if (!this.destroyed) {
+        this.destroy(err);
+      }
+    }
+  }
+  /**
+   * Node.js Duplex _write: write data to the CF socket's WritableStream.
+   */
+  _write(chunk, _encoding, callback) {
+    if (!this.writer || !this.connected) {
+      callback(new Error("Socket not connected"));
+      return;
+    }
+    const data = chunk instanceof Uint8Array ? chunk : new Uint8Array(chunk);
+    this.writer.write(data).then(
+      () => callback(),
+      (err) => callback(err)
+    );
+  }
+  /**
+   * Node.js Duplex _final: signal end of writes.
+   */
+  _final(callback) {
+    if (this.writer) {
+      this.writer.close().then(
+        () => callback(),
+        (err) => callback(err)
+      );
+    } else {
+      callback();
+    }
+  }
+  /**
+   * Node.js Duplex _destroy: clean up all resources.
+   * Uses synchronous close() calls to avoid leaving pending promises
+   * that can corrupt CF Workers isolate state.
+   */
+  _destroy(error, callback) {
+    console.debug(
+      `[socket] _destroy(${this.hostname}:${this.port}) error=${error?.message ?? "none"}`
+    );
+    this.reading = false;
+    this.connected = false;
+    if (this.reader) {
+      this.reader.cancel().catch(() => {
+      });
+      this.reader = null;
+    }
+    if (this.writer) {
+      this.writer.abort().catch(() => {
+      });
+      this.writer = null;
+    }
+    if (this.cfSocket) {
+      this.cfSocket.close().catch(() => {
+      });
+      this.cfSocket = null;
+    }
+    callback(error);
+  }
+  /** Whether the socket is currently connected */
+  get isConnected() {
+    return this.connected;
+  }
+}
+export {
+  CloudflareSocketAdapter
+};

package/dist/socket/nat64.d.ts

@@ -0,0 +1,69 @@
+/**
+ * NAT64 address resolution for bypassing Cloudflare Workers
+ * outbound socket restrictions.
+ *
+ * Converts IPv4 targets to NAT64 IPv6 addresses using public NAT64 gateways.
+ * Prefixes verified via RFC 7050 (querying DNS64 servers for ipv4only.arpa).
+ */
+/**
+ * NAT64 /96 prefixes, ordered by reliability.
+ * Format: full expanded prefix ending with ":" (no trailing "::").
+ * The last 32 bits (2 hextets) are filled with the embedded IPv4 address.
+ *
+ * To convert: prefix + hex(octet1)hex(octet2):hex(octet3)hex(octet4)
+ * Example: "2602:fc59:b0:64::" + 108.160.165.8 → [2602:fc59:b0:64::6ca0:a508]
+ */
+declare const NAT64_PREFIXES: string[];
+
+interface DnsARecord {
+    ipv4: string;
+    ttl: number;
+}
+/**
+ * Resolve hostname to IPv4 via DNS-over-HTTPS (Cloudflare 1.1.1.1).
+ * Uses fetch() which is always available in CF Workers.
+ */
+declare function resolveIPv4(hostname: string): Promise<DnsARecord | null>;
+/**
+ * Convert IPv4 string to NAT64 IPv6 address (bracketed for connect()).
+ *
+ * Handles two prefix formats:
+ * - Ending with "::" (short prefix, e.g. "2602:fc59:b0:64::")
+ *   → [2602:fc59:b0:64::6ca0:a508]
+ * - Ending with ":" (full prefix, e.g. "2a00:1098:2b:0:0:1:")
+ *   → [2a00:1098:2b:0:0:1:6ca0:a508]
+ */
+declare function ipv4ToNAT64(ipv4: string, prefix: string): string;
+interface BypassResult {
+    strategy: "nat64";
+    /** The hostname to pass to connect() */
+    connectHostname: string;
+    /** NAT64 prefix used */
+    nat64Prefix: string;
+    /** Original IPv4 resolved from DNS */
+    resolvedIPv4: string;
+}
+/**
+ * Generate NAT64 bypass hostname candidates for a given domain.
+ * Returns an array of { connectHostname, nat64Prefix } to try in order.
+ */
+declare function generateBypassCandidates(hostname: string): Promise<BypassResult[]>;
+/** Check if an error is a CF Workers network restriction error */
+declare function isCloudflareNetworkError(err: unknown): boolean;
+declare function isCloudflareIPv4(ipv4: string): boolean;
+declare function isCloudflareIPv6(ipv6: string): boolean;
+interface CfCheckResult {
+    isCf: boolean;
+    ipv4: string | null;
+    ipv6: string | null;
+    dnsMs: number;
+    /** Minimum TTL from A/AAAA records (seconds). 0 if no records found. */
+    ttl: number;
+}
+/**
+ * Resolve hostname via DoH (parallel A + AAAA), check if IP is in CF ranges.
+ * Used to pre-detect CF CDN targets that need NAT64 bypass.
+ */
+declare function resolveAndCheckCloudflare(hostname: string): Promise<CfCheckResult>;
+
+export { type BypassResult, type CfCheckResult, type DnsARecord, NAT64_PREFIXES, generateBypassCandidates, ipv4ToNAT64, isCloudflareIPv4, isCloudflareIPv6, isCloudflareNetworkError, resolveAndCheckCloudflare, resolveIPv4 };

package/dist/socket/nat64.js

@@ -0,0 +1,196 @@
+const NAT64_PREFIXES = [
+  // === Verified working from CF Workers (deploy tested) ===
+  "2602:fc59:b0:64::",
+  // ZTVI/ForwardingPlane, Fremont CA, USA — 12ms
+  "2602:fc59:11:64::",
+  // ZTVI/ForwardingPlane, Chicago, USA — 60ms
+  "2a00:1098:2b:0:0:1:",
+  // Kasper Dupont (nat64.net), Amsterdam — 150ms
+  "2a00:1098:2c:0:0:5:",
+  // Kasper Dupont (nat64.net), London — 140ms
+  "2a02:898:146:64::",
+  // IPng Networks, Netherlands — 155ms
+  "2001:67c:2b0:db32::",
+  // Trex, Tampere, Finland — 195ms
+  // === Additional ZTVI/ForwardingPlane prefixes ===
+  "2602:fc59:20::",
+  // ZTVI/ForwardingPlane, unknown location
+  // === Kasper Dupont (nat64.net) additional locations ===
+  "2a00:1098:2c:1::",
+  // nat64.net, London (official /96 prefix)
+  "2a01:4f8:c2c:123f:64:5:",
+  // nat64.net, Nuremberg, Germany
+  "2a01:4f8:c2c:123f:64::",
+  // nat64.net, Nuremberg (alternate form)
+  "2a01:4f9:c010:3f02:64:0:",
+  // nat64.net, Helsinki, Finland
+  "2a01:4f9:c010:3f02:64::",
+  // nat64.net, Helsinki (alternate form)
+  // === level66.network ===
+  "2001:67c:2960:6464::",
+  // level66.network, Germany (Anycast)
+  "2a09:11c0:f1:be00::",
+  // level66.network, Frankfurt
+  // === go6Labs, Slovenia ===
+  "2001:67c:27e4:642::",
+  // go6Labs, Slovenia
+  "2001:67c:27e4:64::",
+  // go6Labs, Slovenia
+  "2001:67c:27e4:1064::",
+  // go6Labs, Slovenia
+  "2001:67c:27e4:11::",
+  // go6Labs, Slovenia
+  // === Other providers ===
+  "2a03:7900:6446::",
+  // Tuxis, Netherlands
+  "2001:67c:2b0:db32:0:1:"
+  // Trex, second prefix, Finland
+];
+async function resolveIPv4(hostname) {
+  const resp = await fetch(
+    `https://1.1.1.1/dns-query?name=${encodeURIComponent(hostname)}&type=A`,
+    { headers: { Accept: "application/dns-json" }, signal: AbortSignal.timeout(3e3) }
+  );
+  if (!resp.ok) return null;
+  const data = await resp.json();
+  if (!data.Answer) return null;
+  const aRecord = data.Answer.find((r) => r.type === 1);
+  if (!aRecord) return null;
+  return { ipv4: aRecord.data, ttl: aRecord.TTL };
+}
+function ipv4ToNAT64(ipv4, prefix) {
+  const parts = ipv4.split(".");
+  if (parts.length !== 4) throw new Error(`Invalid IPv4: ${ipv4}`);
+  const hex = parts.map((p) => {
+    const n = parseInt(p, 10);
+    if (n < 0 || n > 255) throw new Error(`Invalid IPv4 octet: ${p}`);
+    return n.toString(16).padStart(2, "0");
+  });
+  const suffix = `${hex[0]}${hex[1]}:${hex[2]}${hex[3]}`;
+  return `[${prefix}${suffix}]`;
+}
+async function generateBypassCandidates(hostname) {
+  const dns = await resolveIPv4(hostname);
+  if (!dns) return [];
+  return NAT64_PREFIXES.map((prefix) => ({
+    strategy: "nat64",
+    connectHostname: ipv4ToNAT64(dns.ipv4, prefix),
+    nat64Prefix: prefix,
+    resolvedIPv4: dns.ipv4
+  }));
+}
+function isCloudflareNetworkError(err) {
+  const msg = err instanceof Error ? err.message : String(err);
+  return msg.includes("cannot connect to the specified address") || msg.includes("A network issue was detected") || msg.includes("TCP Loop detected");
+}
+const CF_IPV4_RANGES = (() => {
+  const toU32 = (ip) => {
+    const p = ip.split(".").map(Number);
+    return (p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]) >>> 0;
+  };
+  return [
+    [toU32("173.245.48.0"), toU32("173.245.63.255")],
+    // /20
+    [toU32("103.21.244.0"), toU32("103.21.247.255")],
+    // /22
+    [toU32("103.22.200.0"), toU32("103.22.203.255")],
+    // /22
+    [toU32("103.31.4.0"), toU32("103.31.7.255")],
+    // /22
+    [toU32("141.101.64.0"), toU32("141.101.127.255")],
+    // /18
+    [toU32("108.162.192.0"), toU32("108.162.255.255")],
+    // /18
+    [toU32("190.93.240.0"), toU32("190.93.255.255")],
+    // /20
+    [toU32("188.114.96.0"), toU32("188.114.111.255")],
+    // /20
+    [toU32("197.234.240.0"), toU32("197.234.243.255")],
+    // /22
+    [toU32("198.41.128.0"), toU32("198.41.255.255")],
+    // /17
+    [toU32("162.158.0.0"), toU32("162.159.255.255")],
+    // /15
+    [toU32("104.16.0.0"), toU32("104.27.255.255")],
+    // /12
+    [toU32("172.64.0.0"), toU32("172.71.255.255")],
+    // /13
+    [toU32("131.0.72.0"), toU32("131.0.75.255")]
+    // /22
+  ];
+})();
+const CF_IPV6_PREFIXES = [
+  "2400:cb00",
+  // 2400:cb00::/32
+  "2606:4700",
+  // 2606:4700::/32
+  "2803:f800",
+  // 2803:f800::/32
+  "2405:8100",
+  // 2405:8100::/32
+  "2a06:98c0",
+  // 2a06:98c0::/29
+  "2c0f:f248"
+  // 2c0f:f248::/32
+];
+function ipv4ToUint32(ip) {
+  const p = ip.split(".").map(Number);
+  return (p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]) >>> 0;
+}
+function isCloudflareIPv4(ipv4) {
+  const num = ipv4ToUint32(ipv4);
+  return CF_IPV4_RANGES.some(([start, end]) => num >= start && num <= end);
+}
+function isCloudflareIPv6(ipv6) {
+  const lower = ipv6.toLowerCase();
+  return CF_IPV6_PREFIXES.some((prefix) => lower.startsWith(prefix));
+}
+async function resolveAndCheckCloudflare(hostname) {
+  const t0 = Date.now();
+  const dnsSignal = AbortSignal.timeout(3e3);
+  const [aResp, aaaaResp] = await Promise.all([
+    fetch(`https://1.1.1.1/dns-query?name=${encodeURIComponent(hostname)}&type=A`, {
+      headers: { Accept: "application/dns-json" },
+      signal: dnsSignal
+    }),
+    fetch(`https://1.1.1.1/dns-query?name=${encodeURIComponent(hostname)}&type=AAAA`, {
+      headers: { Accept: "application/dns-json" },
+      signal: dnsSignal
+    })
+  ]);
+  const dnsMs = Date.now() - t0;
+  let ipv4 = null;
+  let ipv6 = null;
+  let isCf = false;
+  const ttls = [];
+  if (aResp.ok) {
+    const data = await aResp.json();
+    const aRecord = data.Answer?.find((r) => r.type === 1);
+    if (aRecord) {
+      ipv4 = aRecord.data;
+      ttls.push(aRecord.TTL);
+      if (isCloudflareIPv4(ipv4)) isCf = true;
+    }
+  }
+  if (aaaaResp.ok) {
+    const data = await aaaaResp.json();
+    const aaaaRecord = data.Answer?.find((r) => r.type === 28);
+    if (aaaaRecord) {
+      ipv6 = aaaaRecord.data;
+      ttls.push(aaaaRecord.TTL);
+      if (isCloudflareIPv6(ipv6)) isCf = true;
+    }
+  }
+  const ttl = ttls.length > 0 ? Math.min(...ttls) : 0;
+  return { isCf, ipv4, ipv6, dnsMs, ttl };
+}
+export {
+  NAT64_PREFIXES,
+  generateBypassCandidates,
+  ipv4ToNAT64,
+  isCloudflareIPv4,
+  isCloudflareIPv6,
+  isCloudflareNetworkError,
+  resolveAndCheckCloudflare,
+  resolveIPv4
+};

package/dist/socket/tls.d.ts

@@ -0,0 +1,28 @@
+import { CloudflareSocketAdapter } from './adapter.js';
+import { WasmTlsSocketAdapter } from './wasm-tls-adapter.js';
+import 'node:stream';
+
+/**
+ * TLS/TCP connection factory functions.
+ * Creates CloudflareSocketAdapter instances with appropriate TLS settings.
+ */
+
+/** Create a TLS-encrypted socket connection (using CF built-in TLS, no ALPN control) */
+declare function createTLSSocket(hostname: string, port?: number): Promise<CloudflareSocketAdapter>;
+/** Create a plain TCP socket connection (no TLS) */
+declare function createPlainSocket(hostname: string, port?: number): Promise<CloudflareSocketAdapter>;
+/** Create a socket with auto TLS based on port/protocol */
+declare function createSocket(hostname: string, port: number, tls: boolean): Promise<CloudflareSocketAdapter>;
+/**
+ * Create a WASM TLS socket with full ALPN control.
+ * Uses raw TCP (secureTransport: "off") + rustls in WASM for TLS.
+ * This allows ALPN negotiation (required for HTTP/2 over TLS).
+ * @param hostname - Target hostname (used for TLS SNI)
+ * @param port - Target port
+ * @param alpnProtocols - ALPN protocol list
+ * @param connectHostname - Optional override for TCP connection hostname
+ *   (e.g. NAT64 IPv6 address). TLS SNI will still use `hostname`.
+ */
+declare function createWasmTLSSocket(hostname: string, port?: number, alpnProtocols?: string[], connectHostname?: string, signal?: AbortSignal): Promise<WasmTlsSocketAdapter>;
+
+export { createPlainSocket, createSocket, createTLSSocket, createWasmTLSSocket };

package/dist/socket/tls.js

@@ -0,0 +1,33 @@
+import { CloudflareSocketAdapter } from "./adapter.js";
+import { WasmTlsSocketAdapter } from "./wasm-tls-adapter.js";
+async function createTLSSocket(hostname, port = 443) {
+  const socket = new CloudflareSocketAdapter({ hostname, port, tls: true });
+  await socket.connect();
+  return socket;
+}
+async function createPlainSocket(hostname, port = 80) {
+  const socket = new CloudflareSocketAdapter({ hostname, port, tls: false });
+  await socket.connect();
+  return socket;
+}
+async function createSocket(hostname, port, tls) {
+  const socket = new CloudflareSocketAdapter({ hostname, port, tls });
+  await socket.connect();
+  return socket;
+}
+async function createWasmTLSSocket(hostname, port = 443, alpnProtocols = ["h2", "http/1.1"], connectHostname, signal) {
+  const socket = new WasmTlsSocketAdapter({
+    hostname,
+    port,
+    alpnProtocols,
+    connectHostname
+  });
+  await socket.connect(signal);
+  return socket;
+}
+export {
+  createPlainSocket,
+  createSocket,
+  createTLSSocket,
+  createWasmTLSSocket
+};

package/dist/socket/wasm-pkg/wasm_tls.d.ts

@@ -0,0 +1,107 @@
+/* tslint:disable */
+/* eslint-disable */
+
+/**
+ * TLS connection state, exposed to JS via wasm-bindgen.
+ * Uses rustls with buffer-based sync IO — JS layer drives socket IO asynchronously.
+ */
+export class TlsConnection {
+    free(): void;
+    [Symbol.dispose](): void;
+    /**
+     * Feed ciphertext received from the network into the TLS engine.
+     * Returns true if rustls has outgoing data to send (call `flush_outgoing_tls`).
+     */
+    feed_ciphertext(data: Uint8Array): boolean;
+    /**
+     * Flush ciphertext produced by rustls (to be sent over the network).
+     * Returns the ciphertext bytes as a Vec<u8> (becomes Uint8Array in JS).
+     */
+    flush_outgoing_tls(): Uint8Array;
+    /**
+     * Whether the TLS handshake is still in progress.
+     */
+    is_handshaking(): boolean;
+    /**
+     * Get the negotiated ALPN protocol (e.g. "h2" or "http/1.1").
+     * Returns null if no ALPN was negotiated.
+     */
+    negotiated_alpn(): string | undefined;
+    /**
+     * Create a new TLS client connection.
+     * `hostname`: server hostname for SNI
+     * `alpn_protocols`: comma-separated ALPN protocol list, e.g. "h2,http/1.1"
+     */
+    constructor(hostname: string, alpn_protocols: string);
+    /**
+     * Send a TLS close_notify alert.
+     */
+    send_close_notify(): void;
+    /**
+     * Take decrypted plaintext data (for the upper layer to consume).
+     */
+    take_plaintext(): Uint8Array;
+    /**
+     * Whether rustls needs more data from the network.
+     */
+    wants_read(): boolean;
+    /**
+     * Whether rustls has data to write to the network.
+     */
+    wants_write(): boolean;
+    /**
+     * Write plaintext data (from the upper layer) into the TLS engine for encryption.
+     * Returns true if rustls has outgoing data to send.
+     */
+    write_plaintext(data: Uint8Array): boolean;
+}
+
+/**
+ * Get the library version string (for verification).
+ */
+export function wasm_tls_version(): string;
+
+export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module;
+
+export interface InitOutput {
+    readonly memory: WebAssembly.Memory;
+    readonly __wbg_tlsconnection_free: (a: number, b: number) => void;
+    readonly tlsconnection_feed_ciphertext: (a: number, b: number, c: number, d: number) => void;
+    readonly tlsconnection_flush_outgoing_tls: (a: number, b: number) => void;
+    readonly tlsconnection_is_handshaking: (a: number) => number;
+    readonly tlsconnection_negotiated_alpn: (a: number, b: number) => void;
+    readonly tlsconnection_new: (a: number, b: number, c: number, d: number, e: number) => void;
+    readonly tlsconnection_send_close_notify: (a: number) => void;
+    readonly tlsconnection_take_plaintext: (a: number, b: number) => void;
+    readonly tlsconnection_wants_read: (a: number) => number;
+    readonly tlsconnection_wants_write: (a: number) => number;
+    readonly tlsconnection_write_plaintext: (a: number, b: number, c: number, d: number) => void;
+    readonly wasm_tls_version: (a: number) => void;
+    readonly __wbindgen_export: (a: number) => void;
+    readonly __wbindgen_add_to_stack_pointer: (a: number) => number;
+    readonly __wbindgen_export2: (a: number, b: number) => number;
+    readonly __wbindgen_export3: (a: number, b: number, c: number) => void;
+    readonly __wbindgen_export4: (a: number, b: number, c: number, d: number) => number;
+}
+
+export type SyncInitInput = BufferSource | WebAssembly.Module;
+
+/**
+ * Instantiates the given `module`, which can either be bytes or
+ * a precompiled `WebAssembly.Module`.
+ *
+ * @param {{ module: SyncInitInput }} module - Passing `SyncInitInput` directly is deprecated.
+ *
+ * @returns {InitOutput}
+ */
+export function initSync(module: { module: SyncInitInput } | SyncInitInput): InitOutput;
+
+/**
+ * If `module_or_path` is {RequestInfo} or {URL}, makes a request and
+ * for everything else, calls `WebAssembly.instantiate` directly.
+ *
+ * @param {{ module_or_path: InitInput | Promise<InitInput> }} module_or_path - Passing `InitInput` directly is deprecated.
+ *
+ * @returns {Promise<InitOutput>}
+ */
+export default function __wbg_init (module_or_path?: { module_or_path: InitInput | Promise<InitInput> } | InitInput | Promise<InitInput>): Promise<InitOutput>;