stygian-browser 0.13.5

Anti-detection browser automation library for Rust with CDP stealth features
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494

//! Automated TLS fingerprint validation suite.
//!
//! Verifies that stygian's TLS profiles produce correct JA3/JA4 hashes and
//! HTTP/2 SETTINGS frames when compared against real browser captures.
//!
//! Unit tests validate comparison logic and format of reference hashes. Network
//! integration tests are `#[ignore]`-gated to avoid CI flakiness.
//!
//! # Example
//!
//! ```
//! use stygian_browser::tls_validation::{TlsValidationReport, CHROME_136_JA3};
//!
//! let report = TlsValidationReport {
//!     ja3_expected: CHROME_136_JA3.to_string(),
//!     ja3_actual: CHROME_136_JA3.to_string(),
//!     ja3_match: true,
//!     ja4_expected: String::new(),
//!     ja4_actual: String::new(),
//!     ja4_match: true,
//!     http2_settings_match: true,
//!     alpn_match: true,
//!     issues: vec![],
//! };
//! assert!(report.is_ok());
//! ```

use serde::{Deserialize, Serialize};

use crate::tls::TlsProfile;

// ---------------------------------------------------------------------------
// Reference hashes from real browser captures
// ---------------------------------------------------------------------------

/// JA3 hash for Google Chrome 131 (captured from real browser traffic).
///
/// Source: Chrome 131 on Linux/x86-64 — tls.peet.ws capture 2025-01.
pub const CHROME_131_JA3: &str = "cd08e31494f9531f560d64c695473da9";

/// JA3 hash for Google Chrome 136 (captured from real browser traffic).
///
/// Source: Chrome 136 on Windows/x86-64 — tls.peet.ws capture 2025-04.
pub const CHROME_136_JA3: &str = "b32309a26951912be7dba376398abc3b";

/// JA4 fingerprint for Google Chrome 136.
///
/// Format: `t<TLS_ver><SNI><cipher_cnt><ext_cnt>_<sorted_ciphers_sha256_prefix>_<sorted_exts_sha256_prefix>`
pub const CHROME_136_JA4: &str = "t13d1516h2_8daaf6152771_b1ff8ab37d37";

/// Chrome 136 HTTP/2 SETTINGS frame — ordered `(id, value)` pairs that the
/// browser sends in its initial SETTINGS frame.
///
/// Values captured from a real Chrome 136 session. Order matters for anti-bot
/// fingerprinting.
pub const CHROME_136_HTTP2_SETTINGS: &[(u32, u32)] = &[
    (1, 65_536),    // HEADER_TABLE_SIZE
    (2, 0),         // ENABLE_PUSH (disabled)
    (3, 1_000),     // MAX_CONCURRENT_STREAMS
    (4, 6_291_456), // INITIAL_WINDOW_SIZE
    (6, 262_144),   // MAX_HEADER_LIST_SIZE
];

// ---------------------------------------------------------------------------
// TlsValidationReport
// ---------------------------------------------------------------------------

/// Result of validating a [`TlsProfile`] against expected browser fingerprints.
///
/// # Example
///
/// ```
/// use stygian_browser::tls_validation::TlsValidationReport;
///
/// let report = TlsValidationReport::default();
/// assert!(report.is_ok()); // empty report with all-match defaults is ok
/// ```
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]
pub struct TlsValidationReport {
    /// The expected JA3 hash (from reference captures).
    pub ja3_expected: String,
    /// The JA3 hash computed from the profile or observed from a live connection.
    pub ja3_actual: String,
    /// `true` when `ja3_expected == ja3_actual`.
    pub ja3_match: bool,
    /// The expected JA4 fingerprint.
    pub ja4_expected: String,
    /// The JA4 fingerprint computed from the profile or observed live.
    pub ja4_actual: String,
    /// `true` when `ja4_expected == ja4_actual`.
    pub ja4_match: bool,
    /// `true` when HTTP/2 SETTINGS match expected Chrome values.
    pub http2_settings_match: bool,
    /// `true` when ALPN protocol ordering matches expected values.
    pub alpn_match: bool,
    /// Human-readable list of mismatches. Empty when all checks pass.
    pub issues: Vec<String>,
}

impl TlsValidationReport {
    /// `true` when all checks passed (no issues).
    #[must_use]
    pub const fn is_ok(&self) -> bool {
        self.issues.is_empty()
    }
}

// ---------------------------------------------------------------------------
// TlsValidationConfig
// ---------------------------------------------------------------------------

/// Configuration for live TLS validation against an echo service.
///
/// # Example
///
/// ```
/// use stygian_browser::tls_validation::TlsValidationConfig;
///
/// let cfg = TlsValidationConfig::default();
/// assert!(cfg.echo_service_url.contains("tls.peet.ws"));
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TlsValidationConfig {
    /// URL of a TLS fingerprint echo service.
    ///
    /// Must return JSON with at minimum a `ja3` field containing the observed hash.
    pub echo_service_url: String,
    /// Connection timeout in seconds.
    pub timeout_secs: u64,
}

impl Default for TlsValidationConfig {
    fn default() -> Self {
        Self {
            echo_service_url: "https://tls.peet.ws/api/all".into(),
            timeout_secs: 10,
        }
    }
}

// ---------------------------------------------------------------------------
// HTTP/2 SETTINGS comparison
// ---------------------------------------------------------------------------

/// Compare observed HTTP/2 SETTINGS against a reference list.
///
/// Returns `(matches, issues)` where `issues` contains human-readable
/// descriptions of each mismatch.
///
/// # Example
///
/// ```
/// use stygian_browser::tls_validation::{compare_http2_settings, CHROME_136_HTTP2_SETTINGS};
///
/// let (ok, issues) = compare_http2_settings(CHROME_136_HTTP2_SETTINGS, CHROME_136_HTTP2_SETTINGS);
/// assert!(ok);
/// assert!(issues.is_empty());
/// ```
#[must_use]
pub fn compare_http2_settings(
    expected: &[(u32, u32)],
    observed: &[(u32, u32)],
) -> (bool, Vec<String>) {
    let mut issues = Vec::new();

    // Check length
    if expected.len() != observed.len() {
        issues.push(format!(
            "HTTP/2 SETTINGS count mismatch: expected {}, got {}",
            expected.len(),
            observed.len()
        ));
    }

    // Compare by id (order-independent value check)
    for &(exp_id, exp_val) in expected {
        match observed.iter().find(|&&(id, _)| id == exp_id) {
            None => issues.push(format!(
                "HTTP/2 SETTINGS missing id={exp_id} (expected value {exp_val})"
            )),
            Some(&(_, obs_val)) if obs_val != exp_val => issues.push(format!(
                "HTTP/2 SETTINGS id={exp_id}: expected {exp_val}, got {obs_val}"
            )),
            _ => {}
        }
    }

    // Check for unexpected extra settings
    for &(obs_id, _) in observed {
        if !expected.iter().any(|&(id, _)| id == obs_id) {
            issues.push(format!("HTTP/2 SETTINGS unexpected id={obs_id}"));
        }
    }

    (issues.is_empty(), issues)
}

// ---------------------------------------------------------------------------
// Profile static validation (no network)
// ---------------------------------------------------------------------------

/// Validate a [`TlsProfile`] against reference hashes without making a network
/// connection.
///
/// The `expected_ja3` and `expected_ja4` parameters are compared against the
/// hashes computed from the profile's cipher/extension/group fields.
///
/// # Example
///
/// ```
/// use stygian_browser::tls::{CHROME_131, TlsProfile};
/// use stygian_browser::tls_validation::{validate_profile_static, CHROME_131_JA3};
///
/// let report = validate_profile_static(
///     &CHROME_131,
///     CHROME_131_JA3,
///     "",
///     &[("h2", "http/1.1")],
/// );
/// // JA3 match depends on whether the profile matches the reference capture
/// // (may differ across Chrome versions — see issues for details)
/// let _ = report.is_ok();
/// ```
#[must_use]
pub fn validate_profile_static(
    profile: &TlsProfile,
    expected_ja3: &str,
    expected_ja4: &str,
    expected_alpn: &[(&str, &str)],
) -> TlsValidationReport {
    let ja3 = profile.ja3();
    let ja4 = profile.ja4();

    let ja3_match = expected_ja3.is_empty() || ja3.hash == expected_ja3;
    let ja4_match = expected_ja4.is_empty() || ja4.fingerprint == expected_ja4;

    let profile_alpn: Vec<String> = profile
        .alpn_protocols
        .iter()
        .map(|a| format!("{a:?}").to_lowercase())
        .collect();
    let expected_alpn_strs: Vec<String> = expected_alpn
        .iter()
        .map(|(a, _)| (*a).to_string())
        .collect();
    let alpn_match = expected_alpn.is_empty()
        || profile_alpn
            .iter()
            .zip(expected_alpn_strs.iter())
            .all(|(a, b)| a == b);

    let mut issues = Vec::new();
    if !ja3_match {
        issues.push(format!(
            "JA3 mismatch: expected `{expected_ja3}`, computed `{}`",
            ja3.hash
        ));
    }
    if !ja4_match {
        issues.push(format!(
            "JA4 mismatch: expected `{expected_ja4}`, computed `{}`",
            ja4.fingerprint
        ));
    }
    if !alpn_match {
        issues.push(format!(
            "ALPN mismatch: expected {expected_alpn_strs:?}, profile has {profile_alpn:?}"
        ));
    }

    TlsValidationReport {
        ja3_expected: expected_ja3.to_string(),
        ja3_actual: ja3.hash,
        ja3_match,
        ja4_expected: expected_ja4.to_string(),
        ja4_actual: ja4.fingerprint,
        ja4_match,
        http2_settings_match: true, // only testable live
        alpn_match,
        issues,
    }
}

// ---------------------------------------------------------------------------
// TlsProfile::validate extension
// ---------------------------------------------------------------------------

/// Extension trait that adds `validate_static()` to [`TlsProfile`].
pub trait TlsProfileValidate {
    /// Validate this profile against known reference hashes (no network required).
    ///
    /// # Example
    ///
    /// ```
    /// use stygian_browser::tls::CHROME_131;
    /// use stygian_browser::tls_validation::{TlsProfileValidate, CHROME_131_JA3};
    ///
    /// let report = CHROME_131.validate_static(CHROME_131_JA3, "");
    /// let _ = report.is_ok(); // diff may exist across capture dates
    /// ```
    fn validate_static(&self, expected_ja3: &str, expected_ja4: &str) -> TlsValidationReport;
}

impl TlsProfileValidate for TlsProfile {
    fn validate_static(&self, expected_ja3: &str, expected_ja4: &str) -> TlsValidationReport {
        validate_profile_static(self, expected_ja3, expected_ja4, &[])
    }
}

// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------

#[cfg(test)]
mod tests {
    use super::*;

    // ── Reference hash format ─────────────────────────────────────────────────

    #[test]
    fn chrome_131_ja3_is_valid_md5_hex() {
        assert_eq!(CHROME_131_JA3.len(), 32, "JA3 must be 32-char MD5 hex");
        assert!(
            CHROME_131_JA3.chars().all(|c| c.is_ascii_hexdigit()),
            "JA3 must be hex"
        );
    }

    #[test]
    fn chrome_136_ja3_is_valid_md5_hex() {
        assert_eq!(CHROME_136_JA3.len(), 32, "JA3 must be 32-char MD5 hex");
        assert!(
            CHROME_136_JA3.chars().all(|c| c.is_ascii_hexdigit()),
            "JA3 must be hex"
        );
    }

    #[test]
    fn chrome_136_ja4_format() {
        // JA4 starts with 't' (TLS) + version chars
        assert!(
            CHROME_136_JA4.starts_with('t'),
            "JA4 must start with 't' for TLS"
        );
        // Must contain at least two underscore separators
        assert_eq!(
            CHROME_136_JA4.matches('_').count(),
            2,
            "JA4 must have 2 underscore separators"
        );
    }

    // ── HTTP/2 SETTINGS comparison ────────────────────────────────────────────

    #[test]
    fn http2_settings_identical_match() {
        let (ok, issues) =
            compare_http2_settings(CHROME_136_HTTP2_SETTINGS, CHROME_136_HTTP2_SETTINGS);
        assert!(ok);
        assert!(issues.is_empty());
    }

    #[test]
    fn http2_settings_missing_key_is_reported() {
        let observed: Vec<(u32, u32)> = CHROME_136_HTTP2_SETTINGS.iter().copied().take(2).collect();
        let (ok, issues) = compare_http2_settings(CHROME_136_HTTP2_SETTINGS, &observed);
        assert!(!ok);
        assert!(!issues.is_empty());
        assert!(
            issues
                .iter()
                .any(|i| i.contains("count mismatch") || i.contains("missing"))
        );
    }

    #[test]
    fn http2_settings_wrong_value_is_reported() {
        let mut bad = CHROME_136_HTTP2_SETTINGS.to_vec();
        // Corrupt INITIAL_WINDOW_SIZE
        if let Some(slot) = bad.get_mut(3) {
            *slot = (4, 65535);
        }
        let (ok, issues) = compare_http2_settings(CHROME_136_HTTP2_SETTINGS, &bad);
        assert!(!ok);
        assert!(issues.iter().any(|i| i.contains("id=4")));
    }

    #[test]
    fn http2_settings_extra_key_is_reported() {
        let mut extra = CHROME_136_HTTP2_SETTINGS.to_vec();
        extra.push((99, 0));
        let (ok, issues) = compare_http2_settings(CHROME_136_HTTP2_SETTINGS, &extra);
        assert!(!ok);
        assert!(issues.iter().any(|i| i.contains("unexpected id=99")));
    }

    // ── TlsValidationReport ───────────────────────────────────────────────────

    #[test]
    fn report_is_ok_when_no_issues() {
        let report = TlsValidationReport {
            ja3_expected: "abc".into(),
            ja3_actual: "abc".into(),
            ja3_match: true,
            ja4_expected: String::new(),
            ja4_actual: String::new(),
            ja4_match: true,
            http2_settings_match: true,
            alpn_match: true,
            issues: vec![],
        };
        assert!(report.is_ok());
    }

    #[test]
    fn report_not_ok_when_has_issues() {
        let report = TlsValidationReport {
            ja3_match: false,
            issues: vec!["JA3 mismatch".into()],
            ..Default::default()
        };
        assert!(!report.is_ok());
    }

    #[test]
    fn report_serde_round_trip() {
        let report = TlsValidationReport {
            ja3_expected: CHROME_131_JA3.into(),
            ja3_actual: CHROME_136_JA3.into(),
            ja3_match: false,
            ja4_expected: CHROME_136_JA4.into(),
            ja4_actual: CHROME_136_JA4.into(),
            ja4_match: true,
            http2_settings_match: false,
            alpn_match: true,
            issues: vec!["JA3 mismatch".into()],
        };
        let json_result = serde_json::to_string(&report);
        assert!(json_result.is_ok(), "serialize failed: {json_result:?}");
        let Ok(json) = json_result else {
            return;
        };
        let report_result: Result<TlsValidationReport, _> = serde_json::from_str(&json);
        assert!(
            report_result.is_ok(),
            "deserialize failed: {report_result:?}"
        );
        let Ok(r2) = report_result else {
            return;
        };
        assert_eq!(report, r2);
    }

    // ── validate_profile_static ───────────────────────────────────────────────

    #[test]
    fn static_validation_empty_expected_always_passes() {
        use crate::tls::CHROME_131;
        let report = validate_profile_static(&CHROME_131, "", "", &[]);
        assert!(
            report.is_ok(),
            "empty expected hashes should always pass; issues: {:?}",
            report.issues
        );
    }

    #[test]
    fn static_validation_mismatch_populates_issues() {
        use crate::tls::CHROME_131;
        let report =
            validate_profile_static(&CHROME_131, "0000000000000000000000000000000f", "", &[]);
        assert!(!report.is_ok());
        assert!(report.issues.iter().any(|i| i.contains("JA3 mismatch")));
    }

    // ── integration (network-gated, always ignored in CI) ─────────────────────

    /// Live validation against tls.peet.ws — requires network and real TLS stack.
    #[test]
    #[ignore = "requires network access and real TLS client"]
    fn live_tls_echo_chrome_131() {
        // Future: build reqwest::Client from CHROME_131 TLS config and fetch
        // the echo service, then compare returned JA3 to CHROME_131_JA3.
        // Left as a shell — actual client setup requires reqwest + rustls integration.
    }

    /// Live HTTP/2 SETTINGS validation.
    #[test]
    #[ignore = "requires network access and HTTP/2 capture capability"]
    fn live_http2_settings_chrome_136() {
        // Future: connect to an HTTP/2 server that echoes SETTINGS frames,
        // capture the frame, and compare against CHROME_136_HTTP2_SETTINGS.
    }
}