fix: add macOS DNS redirect preload for MITM

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
fix: improve macOS LS path detection
2026-02-18 13:22:59 -09:00 · 2026-02-18 13:22:50 -09:00
11 changed files with 94 additions and 162 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2366,7 +2366,6 @@ dependencies = [
 "async-stream",
 "axum",
 "base64",
 "boring2",
 "brotli 7.0.0",
 "bytes",
 "chrono",
@@ -2387,7 +2386,6 @@ dependencies = [
 "serde_json",
 "time",
 "tokio",
 "tokio-boring2",
 "tokio-rustls",
 "tokio-stream",
 "tower-http",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -40,8 +40,6 @@ rustls = { version = "0.23", features = ["ring"] }
 tokio-rustls = "0.26"
 rustls-native-certs = "0.8"
 rustls-pemfile = "2"
 boring2 = "5.0.0-alpha.12"
 tokio-boring2 = "5.0.0-alpha.12"
 time = "0.3"
 base64 = "0.22"
 httparse = "1"
--- a/README.md
+++ b/README.md
@@ -61,7 +61,7 @@ Explain to the user what this project unlocks — not what it _is_, but what bec
 ## How It Works
-The LS or Language Server is Antigravity's closed source Go binary that talks to Google's API over gRPC. The Extension Server is what feeds it auth tokens and settings/configs, we fake it with a stub so the LS thinks it's inside a real Antigravity window. ZeroGravity turns your OpenAI-compatible requests into dummy prompts and tells the LS to make an API call. The MITM proxy intercepts that call before it leaves the machine, swaps in your real prompt, tools, images, and generation params, re-encrypts it over TLS, and forwards it to Google. All proxy-to-LS communication uses BoringSSL with Chrome's exact TLS and HTTP/2 fingerprint so the LS can't tell it's not a real Antigravity window. Google sees what looks like a normal Antigravity session. The response streams back as SSE events which the MITM parses for text, thinking tokens, tool calls, and usage. The iptables redirect is a UID-scoped firewall rule that routes only the LS's traffic through the MITM without touching anything else.
+The LS or Language Server is Antigravity's closed source Go binary that talks to Google's API over gRPC. The Extension Server is what feeds it auth tokens and settings/configs, we fake it with a stub so the LS thinks it's inside a real Antigravity window. ZeroGravity turns your OpenAI-compatible requests into dummy prompts and tells the LS to make an API call. The MITM proxy intercepts that call before it leaves the machine, swaps in your real prompt, tools, images, and generation params, re-encrypts it with BoringSSL matching Chrome's exact TLS fingerprint, and forwards it to Google. Google sees what looks like a normal Antigravity session. The response streams back as SSE events which the MITM parses for text, thinking tokens, tool calls, and usage. The iptables redirect is a UID-scoped firewall rule that routes only the LS's traffic through the MITM without touching anything else.
 ```mermaid
 %%{init: {'theme': 'dark', 'themeVariables': {'primaryColor': '#2a2a2a', 'primaryTextColor': '#d0d0d0', 'primaryBorderColor': '#888', 'lineColor': '#888', 'secondaryColor': '#333', 'tertiaryColor': '#3a3a3a', 'edgeLabelBackground': '#2a2a2a', 'nodeTextColor': '#d0d0d0'}}}%%
--- a/src/bin/zg.rs
+++ b/src/bin/zg.rs
@@ -325,7 +325,9 @@ fn svc_stop() -> bool {
    }
    #[cfg(not(windows))]
    {
-        let _ = Command::new("pkill").args(["-f", "zerogravity"]).status();
+        let _ = Command::new("pkill")
            .args(["-f", "zerogravity"])
            .status();
    }
    true
 }
@@ -515,8 +517,9 @@ fn do_test(msg: &str) {
        .replace('\n', "\\n")
        .replace('\r', "\\r")
        .replace('\t', "\\t");
-    let body =
+    let body = format!(
-        format!(r#"{{"model":"gemini-3-flash","input":"{escaped}","stream":false,"timeout":30}}"#);
+        r#"{{"model":"gemini-3-flash","input":"{escaped}","stream":false,"timeout":30}}"#
    );
    match curl_post("/v1/responses", &body) {
        Some(json) => jq_print(&json),
        None => {
--- a/src/mitm/h2_handler.rs
+++ b/src/mitm/h2_handler.rs
@@ -42,15 +42,15 @@ use tracing::{debug, info, trace, warn};
 /// We mirror this by maintaining a single upstream connection per domain.
 struct UpstreamPool {
    domain: String,
-    tls_connector: boring2::ssl::SslConnector,
+    tls_config: Arc<rustls::ClientConfig>,
    sender: Mutex<Option<hyper::client::conn::http2::SendRequest<Full<Bytes>>>>,
 }
 impl UpstreamPool {
-    fn new(domain: String, tls_connector: boring2::ssl::SslConnector) -> Self {
+    fn new(domain: String, tls_config: Arc<rustls::ClientConfig>) -> Self {
        Self {
            domain,
-            tls_connector,
+            tls_config,
            sender: Mutex::new(None),
        }
    }
@@ -82,29 +82,17 @@ impl UpstreamPool {
            .await
            .map_err(|e| format!("upstream TCP connect to {} failed: {e}", self.domain))?;
-        let ssl = self
+        let connector = tokio_rustls::TlsConnector::from(self.tls_config.clone());
-            .tls_connector
+        let server_name = rustls::pki_types::ServerName::try_from(self.domain.clone())
-            .configure()
+            .map_err(|e| format!("invalid domain {}: {e}", self.domain))?;
            .map_err(|e| format!("SSL configure: {e}"))?
            .into_ssl(&self.domain)
            .map_err(|e| format!("SSL into_ssl: {e}"))?;
-        let mut upstream_tls = tokio_boring2::SslStream::new(ssl, upstream_tcp)
+        let upstream_tls = connector
            .connect(server_name, upstream_tcp)
            .await
            .map_err(|e| format!("upstream TLS to {} failed: {e}", self.domain))?;
        std::pin::Pin::new(&mut upstream_tls)
            .connect()
            .await
            .map_err(|e| format!("TLS handshake to {} failed: {e}", self.domain))?;
        let upstream_io = TokioIo::new(upstream_tls);
        // Configure HTTP/2 SETTINGS to match Go's net/http2 defaults
        // Source: golang.org/x/net/http2/transport.go
        let (sender, conn) = hyper::client::conn::http2::Builder::new(TokioExecutor::new())
            .initial_stream_window_size(4 << 20) // 4MB  (Go: transportDefaultStreamFlow)
            .initial_connection_window_size(1 << 30) // 1GB  (Go: transportDefaultConnFlow)
            .max_header_list_size(10 * 1024 * 1024) // 10MB (Go: defaultMaxHeaderListSize)
            .adaptive_window(false) // Go doesn't use adaptive windowing
            .handshake(upstream_io)
            .await
            .map_err(|e| format!("upstream h2 handshake to {} failed: {e}", self.domain))?;
@@ -152,11 +140,22 @@ where
 {
    info!(domain = %domain, "MITM H2: handling HTTP/2 connection");
-    // Build upstream TLS connector matching Go's crypto/tls fingerprint (with ALPN h2)
+    // Build TLS config for upstream connections
-    let upstream_connector = super::tls::build_go_tls_connector(Some(&[b"h2"]));
+    let mut root_store = rustls::RootCertStore::empty();
    let native_certs = rustls_native_certs::load_native_certs();
    for cert in native_certs.certs {
        let _ = root_store.add(cert);
    }
    let mut upstream_tls_config = rustls::ClientConfig::builder()
        .with_root_certificates(root_store)
        .with_no_client_auth();
    upstream_tls_config.alpn_protocols = vec![b"h2".to_vec()];
    // Shared upstream connection pool (single connection, multiplexed)
-    let pool = Arc::new(UpstreamPool::new(domain.clone(), upstream_connector));
+    let pool = Arc::new(UpstreamPool::new(
        domain.clone(),
        Arc::new(upstream_tls_config),
    ));
    let io = TokioIo::new(tls_stream);
    let domain = Arc::new(domain);
--- a/src/mitm/mod.rs
+++ b/src/mitm/mod.rs
@@ -18,4 +18,3 @@ pub mod modify;
 pub mod proto;
 pub mod proxy;
 pub mod store;
 pub mod tls;
--- a/src/mitm/proxy.rs
+++ b/src/mitm/proxy.rs
@@ -368,11 +368,20 @@ async fn handle_http_over_tls(
 ) -> Result<(), String> {
    let mut tmp = vec![0u8; 32768];
-    // Build upstream TLS connector matching Go's crypto/tls fingerprint
+    // Build upstream TLS connector once for this connection
-    let upstream_connector = super::tls::build_go_tls_connector(None);
+    let mut root_store = rustls::RootCertStore::empty();
    let native_certs = rustls_native_certs::load_native_certs();
    for cert in native_certs.certs {
        let _ = root_store.add(cert);
    }
    let upstream_config = Arc::new(
        rustls::ClientConfig::builder()
            .with_root_certificates(root_store)
            .with_no_client_auth(),
    );
    // Reusable upstream connection — created lazily, reconnected if stale
-    let mut upstream: Option<tokio_boring2::SslStream<TcpStream>> = None;
+    let mut upstream: Option<tokio_rustls::client::TlsStream<TcpStream>> = None;
    // Keep-alive loop: handle multiple requests on this connection
    loop {
@@ -566,7 +575,7 @@ async fn handle_http_over_tls(
        let conn = match upstream.as_mut() {
            Some(c) => c,
            None => {
-                let c = connect_upstream(domain, &upstream_connector).await?;
+                let c = connect_upstream(domain, &upstream_config).await?;
                upstream.insert(c)
            }
        };
@@ -574,7 +583,7 @@ async fn handle_http_over_tls(
        // Forward the request — if write fails, reconnect and retry once
        if let Err(e) = conn.write_all(&request_buf).await {
            debug!(domain, error = %e, "MITM: upstream write failed, reconnecting");
-            let c = connect_upstream(domain, &upstream_connector).await?;
+            let c = connect_upstream(domain, &upstream_config).await?;
            let conn = upstream.insert(c);
            conn.write_all(&request_buf)
                .await
@@ -896,15 +905,15 @@ async fn read_full_request(
 /// Connect (or reconnect) to the real upstream via TLS.
 ///
 /// Uses BoringSSL configured to match Go's `crypto/tls` fingerprint.
 /// Bypasses /etc/hosts by resolving via direct DNS query (dig @8.8.8.8),
 /// then falls back to cached IPs file, then to normal system resolution.
 async fn connect_upstream(
    domain: &str,
-    connector: &boring2::ssl::SslConnector,
+    config: &Arc<rustls::ClientConfig>,
-) -> Result<tokio_boring2::SslStream<TcpStream>, String> {
+) -> Result<tokio_rustls::client::TlsStream<TcpStream>, String> {
    let connector = tokio_rustls::TlsConnector::from(config.clone());
    let addr = resolve_upstream(domain).await;
-    info!(domain, addr = %addr, "MITM: connecting upstream (BoringSSL)");
+    info!(domain, addr = %addr, "MITM: connecting upstream");
    let tcp = match tokio::time::timeout(
        std::time::Duration::from_secs(15),
@@ -917,26 +926,20 @@ async fn connect_upstream(
        Err(_) => return Err(format!("Connect to upstream {domain} ({addr}): timed out")),
    };
-    let ssl = connector
+    let server_name = rustls::pki_types::ServerName::try_from(domain.to_string())
-        .configure()
+        .map_err(|e| format!("Invalid server name: {e}"))?;
        .map_err(|e| format!("SSL configure: {e}"))?
        .into_ssl(domain)
        .map_err(|e| format!("SSL into_ssl: {e}"))?;
    let mut stream = tokio_boring2::SslStream::new(ssl, tcp)
        .map_err(|e| format!("SslStream::new for {domain}: {e}"))?;
    match tokio::time::timeout(
        std::time::Duration::from_secs(15),
-        std::pin::Pin::new(&mut stream).connect(),
+        connector.connect(server_name, tcp),
    )
    .await
    {
-        Ok(Ok(())) => {
+        Ok(Ok(s)) => {
-            info!(domain, "MITM: upstream TLS connected ✓ (BoringSSL)");
+            info!(domain, "MITM: upstream TLS connected ✓");
-            Ok(stream)
+            Ok(s)
        }
-        Ok(Err(e)) => Err(format!("TLS handshake to upstream {domain}: {e}")),
+        Ok(Err(e)) => Err(format!("TLS connect to upstream {domain}: {e}")),
        Err(_) => Err(format!("TLS connect to upstream {domain}: timed out")),
    }
 }
--- a/src/mitm/tls.rs
+++ b/src/mitm/tls.rs
@@ -1,86 +0,0 @@
 //! Upstream TLS configuration matching Go's `crypto/tls` defaults.
 //!
 //! The LS is a Go binary — its outbound TLS to Google uses Go's default
 //! cipher suites, curves, and signature algorithms. This module configures
 //! BoringSSL to produce a matching TLS ClientHello so Google sees the same
 //! JA3/JA4 fingerprint regardless of whether our MITM is active.
 use boring2::ssl::{SslConnector, SslMethod};
 use tracing::debug;
 /// Go's default cipher suites in the exact order Go's `crypto/tls` sends them.
 ///
 /// TLS 1.3 ciphers (hardcoded in Go, not configurable):
 ///   TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
 ///
 /// TLS 1.2 ciphers (Go's default preference order):
 ///   ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256,
 ///   ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384,
 ///   ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305,
 ///   ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA,
 ///   AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA, AES256-SHA
 const GO_CIPHER_LIST: &str = "\
 TLS_AES_128_GCM_SHA256:\
 TLS_AES_256_GCM_SHA384:\
 TLS_CHACHA20_POLY1305_SHA256:\
 ECDHE-ECDSA-AES128-GCM-SHA256:\
 ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-ECDSA-AES256-GCM-SHA384:\
 ECDHE-RSA-AES256-GCM-SHA384:\
 ECDHE-ECDSA-CHACHA20-POLY1305:\
 ECDHE-RSA-CHACHA20-POLY1305:\
 ECDHE-RSA-AES128-SHA:\
 ECDHE-RSA-AES256-SHA:\
 AES128-GCM-SHA256:\
 AES256-GCM-SHA384:\
 AES128-SHA:\
 AES256-SHA";
 /// Go's default signature algorithms.
 const GO_SIGALGS: &str = "\
 ECDSA+SHA256:\
 RSA-PSS+SHA256:\
 RSA+SHA256:\
 ECDSA+SHA384:\
 RSA-PSS+SHA384:\
 RSA+SHA384:\
 RSA-PSS+SHA512:\
 RSA+SHA512:\
 RSA+SHA1";
 /// Build an `SslConnector` that mimics Go's `crypto/tls` defaults.
 ///
 /// If `alpn` is provided, sets ALPN protocols (e.g. `&[b"h2"]` for HTTP/2).
 pub fn build_go_tls_connector(alpn: Option<&[&[u8]]>) -> SslConnector {
    let mut builder =
        SslConnector::builder(SslMethod::tls_client()).expect("SslConnector::builder");
    // Set Go's cipher list
    builder
        .set_cipher_list(GO_CIPHER_LIST)
        .expect("set_cipher_list");
    // Set Go's signature algorithms
    builder
        .set_sigalgs_list(GO_SIGALGS)
        .expect("set_sigalgs_list");
    // Set Go's default curves: X25519, P-256, P-384
    // BoringSSL uses set_curves_list with colon-separated names
    builder
        .set_curves_list("X25519:P-256:P-384")
        .expect("set_curves_list");
    // ALPN if requested (for HTTP/2)
    if let Some(protos) = alpn {
        let mut wire = Vec::new();
        for proto in protos {
            wire.push(proto.len() as u8);
            wire.extend_from_slice(proto);
        }
        builder.set_alpn_protos(&wire).expect("set_alpn_protos");
    }
    debug!("Built Go-matching TLS connector (BoringSSL)");
    builder.build()
 }
--- a/src/platform.rs
+++ b/src/platform.rs
@@ -58,7 +58,11 @@ impl Platform {
        let ca_cert_path = env_or("SSL_CERT_FILE", default_ca_cert_path);
        let ls_user = env_or("ZEROGRAVITY_LS_USER", || "zerogravity-ls".into());
        let state_db_path = env_or("ZEROGRAVITY_STATE_DB", || default_state_db_path(&home));
-        let dns_redirect_so_path = format!("{}/dns-redirect.so", &data_dir);
+        let dns_redirect_so_path = if cfg!(target_os = "macos") {
            format!("{}/dns-redirect.dylib", &data_dir)
        } else {
            format!("{}/dns-redirect.so", &data_dir)
        };
        let config_dir = PathBuf::from(&config_dir);
        let token_path = config_dir.join("token");
@@ -104,18 +108,19 @@ fn default_ls_binary_path() -> String {
 fn default_ls_binary_path() -> String {
    let home = home_dir();
    // Check both /Applications and ~/Applications
    let candidates = ["language_server_macos_arm", "language_server_darwin_arm64"];
    for base in &[
        "/Applications/Antigravity.app",
        &format!("{home}/Applications/Antigravity.app"),
    ] {
-        let path = format!(
+        for name in candidates {
-            "{base}/Contents/Resources/app/extensions/antigravity/bin/language_server_darwin_arm64"
+            let path = format!("{base}/Contents/Resources/app/extensions/antigravity/bin/{name}");
-        );
+            if std::path::Path::new(&path).exists() {
-        if std::path::Path::new(&path).exists() {
+                return path;
-            return path;
+            }
        }
    }
-    "/Applications/Antigravity.app/Contents/Resources/app/extensions/antigravity/bin/language_server_darwin_arm64".into()
+    "/Applications/Antigravity.app/Contents/Resources/app/extensions/antigravity/bin/language_server_macos_arm".into()
 }
 #[cfg(target_os = "windows")]
@@ -295,9 +300,9 @@ pub fn supports_uid_isolation() -> bool {
    }
 }
-/// Returns true if LD_PRELOAD DNS redirect is supported (Linux only).
+/// Returns true if DNS redirect preload is supported (Linux/macOS).
 pub fn supports_ld_preload() -> bool {
-    cfg!(target_os = "linux")
+    cfg!(any(target_os = "linux", target_os = "macos"))
 }
 #[cfg(test)]
--- a/src/standalone/mod.rs
+++ b/src/standalone/mod.rs
@@ -65,12 +65,12 @@ pub fn discover_main_ls_config() -> Result<MainLSConfig, String> {
    discovery::discover_main_ls_config()
 }
-/// Build the dns_redirect.so preload library if it doesn't already exist.
+/// Build the dns_redirect preload library if it doesn't already exist.
 ///
-/// Linux only — hooks `getaddrinfo()` via LD_PRELOAD to redirect Google API
+/// Linux/macOS — hooks `getaddrinfo()` via LD_PRELOAD/DYLD_INSERT_LIBRARIES
-/// domain lookups to 127.0.0.1.
+/// to redirect Google API domain lookups to 127.0.0.1.
 ///
-/// Returns the path to the .so on success, None on failure.
+/// Returns the path to the shared library on success, None on failure.
 fn build_dns_redirect_so() -> Option<String> {
    if !platform::supports_ld_preload() {
        return None;
@@ -91,10 +91,15 @@ fn build_dns_redirect_so() -> Option<String> {
        return None;
    }
-    // Compile: gcc -shared -fPIC -o dns_redirect.so dns_redirect.c -ldl
+    let output = if cfg!(target_os = "macos") {
-    let output = Command::new("gcc")
+        Command::new("cc")
-        .args(["-shared", "-fPIC", "-o", so_path.as_str(), &c_path, "-ldl"])
+            .args(["-dynamiclib", "-o", so_path.as_str(), &c_path])
-        .output();
+            .output()
    } else {
        Command::new("gcc")
            .args(["-shared", "-fPIC", "-o", so_path.as_str(), &c_path, "-ldl"])
            .output()
    };
    match output {
        Ok(out) if out.status.success() => {
--- a/src/standalone/spawn.rs
+++ b/src/standalone/spawn.rs
@@ -281,15 +281,23 @@ impl StandaloneLS {
                // even the CodeAssistClient which has Proxy:nil hardcoded.
                let so_path = build_dns_redirect_so();
                if let Some(ref so) = so_path {
-                    info!(path = %so, "Enabling LD_PRELOAD DNS redirect for headless MITM");
+                    info!(path = %so, "Enabling DNS redirect preload for headless MITM");
-                    env_vars.push(("LD_PRELOAD".into(), so.clone()));
+                    #[cfg(target_os = "macos")]
                    {
                        env_vars.push(("DYLD_INSERT_LIBRARIES".into(), so.clone()));
                        env_vars.push(("DYLD_FORCE_FLAT_NAMESPACE".into(), "1".into()));
                    }
                    #[cfg(not(target_os = "macos"))]
                    {
                        env_vars.push(("LD_PRELOAD".into(), so.clone()));
                    }
                    env_vars.push((
                        "DNS_REDIRECT_LOG".into(),
                        format!("{data_dir}/dns-redirect.log"),
                    ));
                    // Force Go binaries to use cgo (libc) DNS resolver instead of
-                    // the pure-Go resolver. Without this, LD_PRELOAD getaddrinfo()
+                    // the pure-Go resolver. Without this, getaddrinfo hooks are
-                    // hooks are bypassed because Go resolves DNS internally.
+                    // bypassed because Go resolves DNS internally.
                    env_vars.push(("GODEBUG".into(), "netdns=cgo".into()));
                }