docs: update standalone LS, MITM, and panel stream investigation

- Add panel-stream-investigation.md documenting dead end
- Update KNOWN_ISSUES: move polling and panel stream to resolved
- Update GEMINI.md with standalone LS section and new MITM setup
- Fix standalone-ls-todo to reflect default mode

GEMINI.md

@@ -8,11 +8,17 @@ OpenAI-compatible proxy that intercepts and relays requests to Google's Antigrav
 # Build
 cargo build --release
 
-# Run (language server must be running)
+# First-time setup (creates user + iptables for MITM)
+sudo ./scripts/mitm-redirect.sh install
+
+# Run (spawns standalone LS automatically)
 RUST_LOG=info ./target/release/antigravity-proxy
 
 # Custom port
 RUST_LOG=info ./target/release/antigravity-proxy --port 9000
+
+# Attach to existing LS instead of spawning standalone
+RUST_LOG=info ./target/release/antigravity-proxy --no-standalone
 ```
 
 Default port: **8741**
@@ -115,62 +121,75 @@ Version strings (Antigravity, Chrome, Electron, Client) are **auto-detected** at
 
 Falls back to hardcoded values if the app isn't installed. No manual updates needed when Antigravity updates.
 
+## Standalone LS
+
+By default, the proxy spawns its own Language Server instance for full isolation:
+
+1. Discovers the main LS config (`extension_server_port`, `csrf_token`) from the running Antigravity app
+2. Spawns a standalone LS binary on a random port
+3. Builds init metadata protobuf (model config, `detect_and_use_proxy=ENABLED`)
+4. If MITM is active, spawns as `antigravity-ls` user for UID-scoped traffic interception
+5. Kills the child on proxy shutdown
+
+Disable with `--no-standalone` to attach to the real LS instead.
+
+**Module:** `src/standalone.rs`
+
 ## Stealth Features
 
 - **TLS fingerprint**: BoringSSL with Chrome JA3/JA4 + H2 fingerprint via `wreq` (version auto-detected)
 - **Protobuf**: Hand-rolled encoder producing byte-exact match to real webview traffic
 - **Warmup**: Mimics real webview startup RPC calls
 - **Heartbeat**: Periodic keep-alive matching real webview lifecycle
-- **Jitter**: Randomized polling intervals to avoid automation fingerprint
-- **Session reuse**: Cascades are reused for multi-turn, matching real webview behavior
-- **MITM proxy**: TLS-intercepting proxy for real token usage capture (opt-in)
+- **Reactive streaming**: `StreamCascadeReactiveUpdates` for real-time state diffs (polling fallback)
+- **Jitter**: Randomized intervals to avoid automation fingerprint
+- **Session reuse**: Cascades reused for multi-turn, matching real webview behavior
+- **MITM proxy**: TLS-intercepting proxy for real token usage capture
 
 ## MITM Proxy
 
-Built-in MITM proxy intercepts LS ↔ Google/Anthropic traffic to capture **real** token usage (input, output, cache read, cache creation). Disabled with `--no-mitm`.
+Built-in MITM proxy intercepts LS ↔ Google API traffic to capture **real** token usage (input, output, thinking tokens). Enabled by default with the standalone LS. Disable with `--no-mitm`.
+
+### How It Works
+
+```
+Client → Proxy (8741) → Standalone LS (as antigravity-ls user)
+                           ↓ (port 443 traffic)
+                        iptables REDIRECT (UID-scoped)
+                           ↓
+                        MITM Proxy (8742)
+                           ↓ (TLS decrypt + parse SSE)
+                        Google API (daily-cloudcode-pa.googleapis.com)
+```
 
 ### Setup
 
 ```bash
-# 1. Start proxy (generates CA cert automatically)
+# One-time setup (creates user + iptables rule)
+sudo ./scripts/mitm-redirect.sh install
+
+# Run proxy (standalone LS + MITM are both on by default)
 RUST_LOG=info ./target/release/antigravity-proxy
 
-# 2. Patch extension to enable proxy detection (required!)
-#    The LS has a protobuf field `detect_and_use_proxy` that defaults to UNSPECIFIED,
-#    which means it ignores HTTPS_PROXY for LLM API calls. This patch sets it to ENABLED (1).
-#    Must be re-applied after every Antigravity update.
-sudo sed -i -E 's/detectAndUseProxy=[^,;)]+/detectAndUseProxy=1/g' \
-  /usr/share/antigravity/resources/app/extensions/antigravity/dist/extension.js
-
-# 3. Install wrapper (patches LS binary to route through MITM)
-./scripts/mitm-wrapper.sh install
-
-# 4. Restart Antigravity — done!
-
-# Check status
-./scripts/mitm-wrapper.sh status
-
-# Uninstall
-./scripts/mitm-wrapper.sh uninstall
-```
-
-### Extension Patch Details
-
-The LS uses `daily-cloudcode-pa.googleapis.com/v1internal:streamGenerateContent?alt=sse` for LLM API calls (regular HTTPS+SSE, NOT gRPC). The LS binary checks a protobuf field (`detect_and_use_proxy`, field 34 on init metadata) to decide whether to honor `HTTPS_PROXY`. The extension defaults this to `UNSPECIFIED` (ignore proxy). The sed patch above changes it to `ENABLED` (value `1`), allowing the MITM wrapper's env vars to take effect.
-
-**Verify patch:** `grep -o 'detectAndUseProxy=[^;]*' /usr/share/antigravity/resources/app/extensions/antigravity/dist/extension.js` should show `detectAndUseProxy=1`.
-
-**Model IDs** (for standalone LS testing): See `docs/ls-binary-analysis.md` for the full proto enum mapping.
-
-### Usage Stats
-
-```bash
+# Check intercepted usage
 curl -s http://localhost:8741/v1/usage | jq .
+
+# Cleanup
+sudo ./scripts/mitm-redirect.sh uninstall
 ```
 
-Returns aggregate token counts from all intercepted API calls.
+### Details
+
+- **UID-scoped iptables**: Only the standalone LS's traffic is intercepted (no side effects)
+- **Combined CA bundle**: System CAs + MITM CA → `/tmp/antigravity-mitm-combined-ca.pem`
+- **Google SSE parsing**: Extracts `promptTokenCount`, `candidatesTokenCount`, `thoughtsTokenCount`
+- **Init metadata**: Protobuf field 34 `detect_and_use_proxy` set to ENABLED (1)
+- See `docs/mitm-interception-status.md` for full technical details
+- See `docs/ls-binary-analysis.md` for proto enum mappings and model IDs
 
 ### CLI Flags
 
 - `--no-mitm`: Disable MITM proxy entirely
+- `--no-standalone`: Attach to existing LS instead of spawning standalone
 - `--mitm-port <PORT>`: Override MITM proxy port (default: auto-assign)
+- `--port <PORT>`: Override proxy listen port (default: 8741)