docs: add MITM interception research and redirect scripts

scripts/dns-redirect.sh

@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+# ╔═══════════════════════════════════════════════════════════════════════════╗
+# ║  Antigravity MITM — DNS-based redirect for targeted interception         ║
+# ║                                                                          ║
+# ║  Instead of redirecting ALL port 443 traffic (which breaks everything),  ║
+# ║  this uses /etc/hosts to redirect ONLY the LLM API domain to localhost,  ║
+# ║  then iptables redirects only localhost:443 → MITM port.                 ║
+# ║                                                                          ║
+# ║  Also adds the MITM CA to the system trust store so Go trusts it.        ║
+# ╚═══════════════════════════════════════════════════════════════════════════╝
+set -euo pipefail
+
+MITM_PORT="${ANTIGRAVITY_MITM_PORT:-8742}"
+MITM_CA="${HOME}/.config/antigravity-proxy/mitm-ca.pem"
+# If run with sudo, use SUDO_USER's home
+if [[ -n "${SUDO_USER:-}" ]]; then
+    MITM_CA="$(eval echo "~${SUDO_USER}")/.config/antigravity-proxy/mitm-ca.pem"
+fi
+
+HOSTS_MARKER="# antigravity-mitm"
+API_DOMAINS=(
+    "daily-cloudcode-pa.googleapis.com"
+)
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+CYAN='\033[0;36m'
+BOLD='\033[1m'
+NC='\033[0m'
+
+cmd_install() {
+    echo -e "${BOLD}${CYAN}Antigravity MITM DNS Redirect Setup${NC}"
+    echo -e "────────────────────────────────────"
+    echo ""
+
+    # 1. Add MITM CA to system trust store
+    if [[ ! -f "$MITM_CA" ]]; then
+        echo -e "  ${RED}✗${NC} MITM CA not found: ${MITM_CA}"
+        echo -e "    Start the proxy once first to generate it."
+        exit 1
+    fi
+
+    local sys_cert="/usr/local/share/ca-certificates/antigravity-mitm.crt"
+    cp "$MITM_CA" "$sys_cert"
+    update-ca-certificates >/dev/null 2>&1
+    echo -e "  ${GREEN}✓${NC} MITM CA added to system trust store"
+
+    # 2. Add /etc/hosts entries for API domains → 127.0.0.1
+    # First, cache the real IPs for the MITM to use later
+    local real_ips_file="/tmp/antigravity-mitm-real-ips"
+    > "$real_ips_file"
+
+    for domain in "${API_DOMAINS[@]}"; do
+        # Remove old entries
+        sed -i "/${domain}.*${HOSTS_MARKER}/d" /etc/hosts
+
+        # Resolve and cache the real IPs BEFORE redirecting
+        local real_ip
+        real_ip=$(dig +short "$domain" 2>/dev/null | grep -E '^[0-9]+\.' | head -1)
+        if [[ -n "$real_ip" ]]; then
+            echo "${domain}=${real_ip}" >> "$real_ips_file"
+        fi
+
+        # Add the /etc/hosts redirect
+        echo "127.0.0.1 ${domain} ${HOSTS_MARKER}" >> /etc/hosts
+        echo -e "  ${GREEN}✓${NC} /etc/hosts: ${domain} → 127.0.0.1 (real: ${real_ip:-unknown})"
+    done
+
+    # 3. iptables: redirect ONLY 127.0.0.1:443 → MITM port
+    # This catches only the /etc/hosts redirected domains, nothing else!
+    iptables -t nat -D OUTPUT -d 127.0.0.1 -p tcp --dport 443 \
+        -j REDIRECT --to-port "$MITM_PORT" 2>/dev/null || true
+    iptables -t nat -A OUTPUT -d 127.0.0.1 -p tcp --dport 443 \
+        -j REDIRECT --to-port "$MITM_PORT"
+    echo -e "  ${GREEN}✓${NC} iptables: 127.0.0.1:443 → localhost:${MITM_PORT}"
+
+    echo ""
+    echo -e "  ${GREEN}Done!${NC}"
+    echo ""
+    echo -e "  ${BOLD}How it works:${NC}"
+    echo -e "    1. LS resolves ${API_DOMAINS[0]} → 127.0.0.1 (via /etc/hosts)"
+    echo -e "    2. LS connects to 127.0.0.1:443"
+    echo -e "    3. iptables redirects to MITM proxy on :${MITM_PORT}"
+    echo -e "    4. MITM intercepts, decrypts (CA is trusted), proxies to real Google"
+    echo ""
+    echo -e "  Real upstream IPs cached in: ${real_ips_file}"
+    echo -e "  Restart Antigravity for changes to take effect."
+    echo -e "  Undo: sudo $0 uninstall"
+    echo ""
+}
+
+cmd_uninstall() {
+    echo -e "${BOLD}${CYAN}Removing MITM DNS Redirect${NC}"
+    echo ""
+
+    # Remove /etc/hosts entries
+    sed -i "/${HOSTS_MARKER}/d" /etc/hosts
+    echo -e "  ${GREEN}✓${NC} Removed /etc/hosts entries"
+
+    # Remove iptables rule
+    iptables -t nat -D OUTPUT -d 127.0.0.1 -p tcp --dport 443 \
+        -j REDIRECT --to-port "$MITM_PORT" 2>/dev/null || true
+    echo -e "  ${GREEN}✓${NC} Removed iptables rule"
+
+    # Remove system CA (optional)
+    rm -f /usr/local/share/ca-certificates/antigravity-mitm.crt
+    update-ca-certificates >/dev/null 2>&1
+    echo -e "  ${GREEN}✓${NC} Removed MITM CA from system trust store"
+
+    echo ""
+}
+
+cmd_status() {
+    echo -e "${BOLD}${CYAN}MITM DNS Redirect Status${NC}"
+    echo ""
+
+    # Check /etc/hosts
+    local hosts_count
+    hosts_count=$(grep -c "$HOSTS_MARKER" /etc/hosts 2>/dev/null || echo 0)
+    if [[ "$hosts_count" -gt 0 ]]; then
+        echo -e "  ${GREEN}✓${NC} /etc/hosts: ${hosts_count} domain(s) redirected"
+        grep "$HOSTS_MARKER" /etc/hosts | sed 's/^/    /'
+    else
+        echo -e "  ${YELLOW}○${NC} /etc/hosts: no redirects"
+    fi
+
+    echo ""
+    # Check iptables
+    if iptables -t nat -L OUTPUT -n 2>/dev/null | grep -q "127.0.0.1.*REDIRECT.*${MITM_PORT}"; then
+        echo -e "  ${GREEN}✓${NC} iptables: 127.0.0.1:443 → :${MITM_PORT}"
+    else
+        echo -e "  ${YELLOW}○${NC} iptables: no redirect"
+    fi
+
+    echo ""
+    # Check system CA
+    if [[ -f /usr/local/share/ca-certificates/antigravity-mitm.crt ]]; then
+        echo -e "  ${GREEN}✓${NC} System CA: installed"
+    else
+        echo -e "  ${YELLOW}○${NC} System CA: not installed"
+    fi
+    echo ""
+}
+
+case "${1:-}" in
+    install)
+        cmd_install
+        ;;
+    uninstall)
+        cmd_uninstall
+        ;;
+    status)
+        cmd_status
+        ;;
+    *)
+        echo "Usage: sudo $0 {install|uninstall|status}"
+        echo ""
+        echo "Redirects LLM API domain to localhost via /etc/hosts + iptables."
+        echo "Only intercepts API traffic, everything else is untouched."
+        exit 1
+        ;;
+esac

scripts/iptables-redirect.sh

@@ -0,0 +1,168 @@
+#!/usr/bin/env bash
+# ╔═══════════════════════════════════════════════════════════════════════════╗
+# ║  Antigravity MITM — iptables redirect for transparent interception       ║
+# ║                                                                          ║
+# ║  Redirects outbound port 443 traffic to the MITM proxy.                  ║
+# ║  Uses a dedicated GID to exclude the proxy's own upstream traffic,       ║
+# ║  preventing redirect loops.                                              ║
+# ║                                                                          ║
+# ║  Usage: sudo ./iptables-redirect.sh install                              ║
+# ║         sudo ./iptables-redirect.sh uninstall                            ║
+# ║         sudo ./iptables-redirect.sh status                               ║
+# ╚═══════════════════════════════════════════════════════════════════════════╝
+set -euo pipefail
+
+MITM_PORT="${ANTIGRAVITY_MITM_PORT:-8742}"
+CHAIN="ANTIGRAVITY_MITM"
+BYPASS_GROUP="mitm-bypass"
+
+# Resolve target user (the one whose traffic we redirect)
+TARGET_USER="${SUDO_USER:-$(whoami)}"
+TARGET_UID=$(id -u "$TARGET_USER" 2>/dev/null || echo "")
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+CYAN='\033[0;36m'
+BOLD='\033[1m'
+NC='\033[0m'
+
+cmd_install() {
+    echo -e "${BOLD}${CYAN}Antigravity MITM iptables Setup${NC}"
+    echo -e "────────────────────────────────"
+    echo ""
+
+    if [[ -z "$TARGET_UID" ]]; then
+        echo -e "  ${RED}✗${NC} Cannot resolve UID for user '${TARGET_USER}'"
+        exit 1
+    fi
+
+    # Create bypass group (proxy runs with this GID to avoid redirect loop)
+    if ! getent group "$BYPASS_GROUP" >/dev/null 2>&1; then
+        groupadd "$BYPASS_GROUP"
+        echo -e "  ${GREEN}✓${NC} Created group: ${BYPASS_GROUP}"
+    else
+        echo -e "  ${GREEN}✓${NC} Group exists: ${BYPASS_GROUP}"
+    fi
+
+    # Add user to bypass group (so they can use 'sg' to run proxy)
+    if ! id -nG "$TARGET_USER" 2>/dev/null | grep -qw "$BYPASS_GROUP"; then
+        usermod -aG "$BYPASS_GROUP" "$TARGET_USER"
+        echo -e "  ${GREEN}✓${NC} Added ${TARGET_USER} to ${BYPASS_GROUP}"
+    fi
+
+    local bypass_gid
+    bypass_gid=$(getent group "$BYPASS_GROUP" | cut -d: -f3)
+
+    # Check MITM proxy is running
+    if ! ss -tlnp 2>/dev/null | grep -q ":${MITM_PORT}"; then
+        echo -e "  ${YELLOW}!${NC} MITM proxy not running on :${MITM_PORT} (will work once started)"
+    else
+        echo -e "  ${GREEN}✓${NC} MITM proxy listening on :${MITM_PORT}"
+    fi
+
+    # Create our chain
+    iptables -t nat -N "$CHAIN" 2>/dev/null || true
+    iptables -t nat -F "$CHAIN"
+
+    # THE KEY RULE: redirect port 443 traffic UNLESS it's from the bypass group.
+    # This prevents redirect loops — the proxy runs with GID=mitm-bypass,
+    # so its upstream connections to Google are NOT redirected back to itself.
+    iptables -t nat -A "$CHAIN" \
+        -m owner ! --gid-owner "$bypass_gid" \
+        -p tcp --dport 443 \
+        -j REDIRECT --to-port "$MITM_PORT"
+
+    echo -e "  ${GREEN}✓${NC} Redirect rule: tcp/443 → :${MITM_PORT} (skip GID ${bypass_gid})"
+
+    # Hook into OUTPUT for target user only
+    iptables -t nat -D OUTPUT -m owner --uid-owner "$TARGET_UID" \
+        -p tcp --dport 443 -j "$CHAIN" 2>/dev/null || true
+    iptables -t nat -A OUTPUT -m owner --uid-owner "$TARGET_UID" \
+        -p tcp --dport 443 -j "$CHAIN"
+
+    echo -e "  ${GREEN}✓${NC} OUTPUT hook: UID ${TARGET_UID} (${TARGET_USER})"
+
+    echo ""
+    echo -e "  ${GREEN}Done!${NC}"
+    echo ""
+    echo -e "  ${BOLD}IMPORTANT:${NC} Run the proxy with the bypass group to avoid loops:"
+    echo -e "    ${CYAN}sg ${BYPASS_GROUP} -c 'RUST_LOG=info ./target/release/antigravity-proxy'${NC}"
+    echo ""
+    echo -e "  Then restart Antigravity to re-establish connections."
+    echo -e "  Undo: sudo $0 uninstall"
+    echo ""
+}
+
+cmd_uninstall() {
+    echo -e "${BOLD}${CYAN}Removing iptables MITM redirect${NC}"
+    echo ""
+
+    local target_uid
+    target_uid=$(id -u "$TARGET_USER" 2>/dev/null || echo "1000")
+
+    # Remove jump from OUTPUT
+    iptables -t nat -D OUTPUT -m owner --uid-owner "$target_uid" \
+        -p tcp --dport 443 -j "$CHAIN" 2>/dev/null || true
+    echo -e "  ${GREEN}✓${NC} Removed OUTPUT jump"
+
+    # Flush and delete our chain
+    iptables -t nat -F "$CHAIN" 2>/dev/null || true
+    iptables -t nat -X "$CHAIN" 2>/dev/null || true
+    echo -e "  ${GREEN}✓${NC} Removed ${CHAIN} chain"
+
+    echo ""
+    echo -e "  ${YELLOW}Note:${NC} Group '${BYPASS_GROUP}' left intact (harmless)."
+    echo -e "        Remove with: sudo groupdel ${BYPASS_GROUP}"
+    echo ""
+}
+
+cmd_status() {
+    echo -e "${BOLD}${CYAN}iptables MITM Status${NC}"
+    echo ""
+
+    if iptables -t nat -L "$CHAIN" -n 2>/dev/null | grep -q "REDIRECT"; then
+        echo -e "  ${GREEN}✓${NC} Chain ${CHAIN}: active"
+        iptables -t nat -L "$CHAIN" -nv --line-numbers 2>/dev/null | \
+            sed 's/^/    /'
+    else
+        echo -e "  ${YELLOW}○${NC} Chain ${CHAIN}: not installed"
+    fi
+
+    echo ""
+    if iptables -t nat -L OUTPUT -n 2>/dev/null | grep -q "$CHAIN"; then
+        echo -e "  ${GREEN}✓${NC} OUTPUT hook: installed"
+        iptables -t nat -L OUTPUT -n 2>/dev/null | grep "$CHAIN" | sed 's/^/    /'
+    else
+        echo -e "  ${YELLOW}○${NC} OUTPUT hook: not installed"
+    fi
+
+    echo ""
+    if getent group "$BYPASS_GROUP" >/dev/null 2>&1; then
+        local gid
+        gid=$(getent group "$BYPASS_GROUP" | cut -d: -f3)
+        echo -e "  ${GREEN}✓${NC} Bypass group: ${BYPASS_GROUP} (GID ${gid})"
+    else
+        echo -e "  ${YELLOW}○${NC} Bypass group: not created"
+    fi
+    echo ""
+}
+
+case "${1:-}" in
+    install)
+        cmd_install
+        ;;
+    uninstall)
+        cmd_uninstall
+        ;;
+    status)
+        cmd_status
+        ;;
+    *)
+        echo "Usage: sudo $0 {install|uninstall|status}"
+        echo ""
+        echo "Redirects outbound port 443 traffic to the MITM proxy."
+        echo "The proxy must be run with 'sg mitm-bypass' to avoid redirect loops."
+        exit 1
+        ;;
+esac