b3nw/zerogravity
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: b3nw:main
Branches Tags
b3nw:main b3nw:macos-mitm-fixes
b3nw:v1.0.1 b3nw:v1.0.0
..
compare: b3nw:macos-mitm-fixes
Branches Tags
b3nw:macos-mitm-fixes b3nw:main
b3nw:v1.0.1 b3nw:v1.0.0

2 Commits
main ... macos-mitm

Author SHA1 Message Date
trifatale
511c486a5e fix: add macOS DNS redirect preload for MITM 
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
 2026-02-18 13:22:59 -09:00
trifatale
7982aebcd7 fix: improve macOS LS path detection 
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
 2026-02-18 13:22:50 -09:00
11 changed files with 94 additions and 162 deletions
Expand all files Collapse all files

2
Cargo.lock generated
View File

@@ -2366,7 +2366,6 @@ dependencies = [
"async-stream",
"axum",
"base64",
"boring2",
"brotli 7.0.0",
"bytes",
"chrono",
@@ -2387,7 +2386,6 @@ dependencies = [
"serde_json",
"time",
"tokio",
"tokio-boring2",
"tokio-rustls",
"tokio-stream",
"tower-http",

2
Cargo.toml
View File

@@ -40,8 +40,6 @@ rustls = { version = "0.23", features = ["ring"] }
tokio-rustls = "0.26"
rustls-native-certs = "0.8"
rustls-pemfile = "2"
boring2 = "5.0.0-alpha.12"
tokio-boring2 = "5.0.0-alpha.12"
time = "0.3"
base64 = "0.22"
httparse = "1"

2
README.md
View File

@@ -61,7 +61,7 @@ Explain to the user what this project unlocks — not what it _is_, but what bec
## How It Works
The LS or Language Server is Antigravity's closed source Go binary that talks to Google's API over gRPC. The Extension Server is what feeds it auth tokens and settings/configs, we fake it with a stub so the LS thinks it's inside a real Antigravity window. ZeroGravity turns your OpenAI-compatible requests into dummy prompts and tells the LS to make an API call. The MITM proxy intercepts that call before it leaves the machine, swaps in your real prompt, tools, images, and generation params, re-encrypts it over TLS, and forwards it to Google. All proxy-to-LS communication uses BoringSSL with Chrome's exact TLS and HTTP/2 fingerprint so the LS can't tell it's not a real Antigravity window. Google sees what looks like a normal Antigravity session. The response streams back as SSE events which the MITM parses for text, thinking tokens, tool calls, and usage. The iptables redirect is a UID-scoped firewall rule that routes only the LS's traffic through the MITM without touching anything else.
The LS or Language Server is Antigravity's closed source Go binary that talks to Google's API over gRPC. The Extension Server is what feeds it auth tokens and settings/configs, we fake it with a stub so the LS thinks it's inside a real Antigravity window. ZeroGravity turns your OpenAI-compatible requests into dummy prompts and tells the LS to make an API call. The MITM proxy intercepts that call before it leaves the machine, swaps in your real prompt, tools, images, and generation params, re-encrypts it with BoringSSL matching Chrome's exact TLS fingerprint, and forwards it to Google. Google sees what looks like a normal Antigravity session. The response streams back as SSE events which the MITM parses for text, thinking tokens, tool calls, and usage. The iptables redirect is a UID-scoped firewall rule that routes only the LS's traffic through the MITM without touching anything else.
```mermaid
%%{init: {'theme': 'dark', 'themeVariables': {'primaryColor': '#2a2a2a', 'primaryTextColor': '#d0d0d0', 'primaryBorderColor': '#888', 'lineColor': '#888', 'secondaryColor': '#333', 'tertiaryColor': '#3a3a3a', 'edgeLabelBackground': '#2a2a2a', 'nodeTextColor': '#d0d0d0'}}}%%

9
src/bin/zg.rs
View File

@@ -325,7 +325,9 @@ fn svc_stop() -> bool {
}
#[cfg(not(windows))]
{
let _ = Command::new("pkill").args(["-f", "zerogravity"]).status();
let _ = Command::new("pkill")
.args(["-f", "zerogravity"])
.status();
}
true
}
@@ -515,8 +517,9 @@ fn do_test(msg: &str) {
.replace('\n', "\\n")
.replace('\r', "\\r")
.replace('\t', "\\t");
let body =
format!(r#"{{"model":"gemini-3-flash","input":"{escaped}","stream":false,"timeout":30}}"#);
let body = format!(
r#"{{"model":"gemini-3-flash","input":"{escaped}","stream":false,"timeout":30}}"#
);
match curl_post("/v1/responses", &body) {
Some(json) => jq_print(&json),
None => {

47
src/mitm/h2_handler.rs
View File

@@ -42,15 +42,15 @@ use tracing::{debug, info, trace, warn};
/// We mirror this by maintaining a single upstream connection per domain.
struct UpstreamPool {
domain: String,
tls_connector: boring2::ssl::SslConnector,
tls_config: Arc<rustls::ClientConfig>,
sender: Mutex<Option<hyper::client::conn::http2::SendRequest<Full<Bytes>>>>,
}
impl UpstreamPool {
fn new(domain: String, tls_connector: boring2::ssl::SslConnector) -> Self {
fn new(domain: String, tls_config: Arc<rustls::ClientConfig>) -> Self {
Self {
domain,
tls_connector,
tls_config,
sender: Mutex::new(None),
}
}
@@ -82,29 +82,17 @@ impl UpstreamPool {
.await
.map_err(|e| format!("upstream TCP connect to {} failed: {e}", self.domain))?;
let ssl = self
.tls_connector
.configure()
.map_err(|e| format!("SSL configure: {e}"))?
.into_ssl(&self.domain)
.map_err(|e| format!("SSL into_ssl: {e}"))?;
let connector = tokio_rustls::TlsConnector::from(self.tls_config.clone());
let server_name = rustls::pki_types::ServerName::try_from(self.domain.clone())
.map_err(|e| format!("invalid domain {}: {e}", self.domain))?;
let mut upstream_tls = tokio_boring2::SslStream::new(ssl, upstream_tcp)
let upstream_tls = connector
.connect(server_name, upstream_tcp)
.await
.map_err(|e| format!("upstream TLS to {} failed: {e}", self.domain))?;
std::pin::Pin::new(&mut upstream_tls)
.connect()
.await
.map_err(|e| format!("TLS handshake to {} failed: {e}", self.domain))?;
let upstream_io = TokioIo::new(upstream_tls);
// Configure HTTP/2 SETTINGS to match Go's net/http2 defaults
// Source: golang.org/x/net/http2/transport.go
let (sender, conn) = hyper::client::conn::http2::Builder::new(TokioExecutor::new())
.initial_stream_window_size(4 << 20) // 4MB (Go: transportDefaultStreamFlow)
.initial_connection_window_size(1 << 30) // 1GB (Go: transportDefaultConnFlow)
.max_header_list_size(10 * 1024 * 1024) // 10MB (Go: defaultMaxHeaderListSize)
.adaptive_window(false) // Go doesn't use adaptive windowing
.handshake(upstream_io)
.await
.map_err(|e| format!("upstream h2 handshake to {} failed: {e}", self.domain))?;
@@ -152,11 +140,22 @@ where
{
info!(domain = %domain, "MITM H2: handling HTTP/2 connection");
// Build upstream TLS connector matching Go's crypto/tls fingerprint (with ALPN h2)
let upstream_connector = super::tls::build_go_tls_connector(Some(&[b"h2"]));
// Build TLS config for upstream connections
let mut root_store = rustls::RootCertStore::empty();
let native_certs = rustls_native_certs::load_native_certs();
for cert in native_certs.certs {
let _ = root_store.add(cert);
}
let mut upstream_tls_config = rustls::ClientConfig::builder()
.with_root_certificates(root_store)
.with_no_client_auth();
upstream_tls_config.alpn_protocols = vec![b"h2".to_vec()];
// Shared upstream connection pool (single connection, multiplexed)
let pool = Arc::new(UpstreamPool::new(domain.clone(), upstream_connector));
let pool = Arc::new(UpstreamPool::new(
domain.clone(),
Arc::new(upstream_tls_config),
));
let io = TokioIo::new(tls_stream);
let domain = Arc::new(domain);

1
src/mitm/mod.rs
View File

@@ -18,4 +18,3 @@ pub mod modify;
pub mod proto;
pub mod proxy;
pub mod store;
pub mod tls;

47
src/mitm/proxy.rs
View File

@@ -368,11 +368,20 @@ async fn handle_http_over_tls(
) -> Result<(), String> {
let mut tmp = vec![0u8; 32768];
// Build upstream TLS connector matching Go's crypto/tls fingerprint
let upstream_connector = super::tls::build_go_tls_connector(None);
// Build upstream TLS connector once for this connection
let mut root_store = rustls::RootCertStore::empty();
let native_certs = rustls_native_certs::load_native_certs();
for cert in native_certs.certs {
let _ = root_store.add(cert);
}
let upstream_config = Arc::new(
rustls::ClientConfig::builder()
.with_root_certificates(root_store)
.with_no_client_auth(),
);
// Reusable upstream connection — created lazily, reconnected if stale
let mut upstream: Option<tokio_boring2::SslStream<TcpStream>> = None;
let mut upstream: Option<tokio_rustls::client::TlsStream<TcpStream>> = None;
// Keep-alive loop: handle multiple requests on this connection
loop {
@@ -566,7 +575,7 @@ async fn handle_http_over_tls(
let conn = match upstream.as_mut() {
Some(c) => c,
None => {
let c = connect_upstream(domain, &upstream_connector).await?;
let c = connect_upstream(domain, &upstream_config).await?;
upstream.insert(c)
}
};
@@ -574,7 +583,7 @@ async fn handle_http_over_tls(
// Forward the request — if write fails, reconnect and retry once
if let Err(e) = conn.write_all(&request_buf).await {
debug!(domain, error = %e, "MITM: upstream write failed, reconnecting");
let c = connect_upstream(domain, &upstream_connector).await?;
let c = connect_upstream(domain, &upstream_config).await?;
let conn = upstream.insert(c);
conn.write_all(&request_buf)
.await
@@ -896,15 +905,15 @@ async fn read_full_request(
/// Connect (or reconnect) to the real upstream via TLS.
///
/// Uses BoringSSL configured to match Go's `crypto/tls` fingerprint.
/// Bypasses /etc/hosts by resolving via direct DNS query (dig @8.8.8.8),
/// then falls back to cached IPs file, then to normal system resolution.
async fn connect_upstream(
domain: &str,
connector: &boring2::ssl::SslConnector,
) -> Result<tokio_boring2::SslStream<TcpStream>, String> {
config: &Arc<rustls::ClientConfig>,
) -> Result<tokio_rustls::client::TlsStream<TcpStream>, String> {
let connector = tokio_rustls::TlsConnector::from(config.clone());
let addr = resolve_upstream(domain).await;
info!(domain, addr = %addr, "MITM: connecting upstream (BoringSSL)");
info!(domain, addr = %addr, "MITM: connecting upstream");
let tcp = match tokio::time::timeout(
std::time::Duration::from_secs(15),
@@ -917,26 +926,20 @@ async fn connect_upstream(
Err(_) => return Err(format!("Connect to upstream {domain} ({addr}): timed out")),
};
let ssl = connector
.configure()
.map_err(|e| format!("SSL configure: {e}"))?
.into_ssl(domain)
.map_err(|e| format!("SSL into_ssl: {e}"))?;
let mut stream = tokio_boring2::SslStream::new(ssl, tcp)
.map_err(|e| format!("SslStream::new for {domain}: {e}"))?;
let server_name = rustls::pki_types::ServerName::try_from(domain.to_string())
.map_err(|e| format!("Invalid server name: {e}"))?;
match tokio::time::timeout(
std::time::Duration::from_secs(15),
std::pin::Pin::new(&mut stream).connect(),
connector.connect(server_name, tcp),
)
.await
{
Ok(Ok(())) => {
info!(domain, "MITM: upstream TLS connected ✓ (BoringSSL)");
Ok(stream)
Ok(Ok(s)) => {
info!(domain, "MITM: upstream TLS connected ✓");
Ok(s)
}
Ok(Err(e)) => Err(format!("TLS handshake to upstream {domain}: {e}")),
Ok(Err(e)) => Err(format!("TLS connect to upstream {domain}: {e}")),
Err(_) => Err(format!("TLS connect to upstream {domain}: timed out")),
}
}

86
src/mitm/tls.rs
View File

@@ -1,86 +0,0 @@
//! Upstream TLS configuration matching Go's `crypto/tls` defaults.
//!
//! The LS is a Go binary — its outbound TLS to Google uses Go's default
//! cipher suites, curves, and signature algorithms. This module configures
//! BoringSSL to produce a matching TLS ClientHello so Google sees the same
//! JA3/JA4 fingerprint regardless of whether our MITM is active.
use boring2::ssl::{SslConnector, SslMethod};
use tracing::debug;
/// Go's default cipher suites in the exact order Go's `crypto/tls` sends them.
///
/// TLS 1.3 ciphers (hardcoded in Go, not configurable):
/// TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
///
/// TLS 1.2 ciphers (Go's default preference order):
/// ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256,
/// ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384,
/// ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305,
/// ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA,
/// AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA, AES256-SHA
const GO_CIPHER_LIST: &str = "\
TLS_AES_128_GCM_SHA256:\
TLS_AES_256_GCM_SHA384:\
TLS_CHACHA20_POLY1305_SHA256:\
ECDHE-ECDSA-AES128-GCM-SHA256:\
ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-RSA-AES128-SHA:\
ECDHE-RSA-AES256-SHA:\
AES128-GCM-SHA256:\
AES256-GCM-SHA384:\
AES128-SHA:\
AES256-SHA";
/// Go's default signature algorithms.
const GO_SIGALGS: &str = "\
ECDSA+SHA256:\
RSA-PSS+SHA256:\
RSA+SHA256:\
ECDSA+SHA384:\
RSA-PSS+SHA384:\
RSA+SHA384:\
RSA-PSS+SHA512:\
RSA+SHA512:\
RSA+SHA1";
/// Build an `SslConnector` that mimics Go's `crypto/tls` defaults.
///
/// If `alpn` is provided, sets ALPN protocols (e.g. `&[b"h2"]` for HTTP/2).
pub fn build_go_tls_connector(alpn: Option<&[&[u8]]>) -> SslConnector {
let mut builder =
SslConnector::builder(SslMethod::tls_client()).expect("SslConnector::builder");
// Set Go's cipher list
builder
.set_cipher_list(GO_CIPHER_LIST)
.expect("set_cipher_list");
// Set Go's signature algorithms
builder
.set_sigalgs_list(GO_SIGALGS)
.expect("set_sigalgs_list");
// Set Go's default curves: X25519, P-256, P-384
// BoringSSL uses set_curves_list with colon-separated names
builder
.set_curves_list("X25519:P-256:P-384")
.expect("set_curves_list");
// ALPN if requested (for HTTP/2)
if let Some(protos) = alpn {
let mut wire = Vec::new();
for proto in protos {
wire.push(proto.len() as u8);
wire.extend_from_slice(proto);
}
builder.set_alpn_protos(&wire).expect("set_alpn_protos");
}
debug!("Built Go-matching TLS connector (BoringSSL)");
builder.build()
}

19
src/platform.rs
View File

@@ -58,7 +58,11 @@ impl Platform {
let ca_cert_path = env_or("SSL_CERT_FILE", default_ca_cert_path);
let ls_user = env_or("ZEROGRAVITY_LS_USER", || "zerogravity-ls".into());
let state_db_path = env_or("ZEROGRAVITY_STATE_DB", || default_state_db_path(&home));
let dns_redirect_so_path = format!("{}/dns-redirect.so", &data_dir);
let dns_redirect_so_path = if cfg!(target_os = "macos") {
format!("{}/dns-redirect.dylib", &data_dir)
} else {
format!("{}/dns-redirect.so", &data_dir)
};
let config_dir = PathBuf::from(&config_dir);
let token_path = config_dir.join("token");
@@ -104,18 +108,19 @@ fn default_ls_binary_path() -> String {
fn default_ls_binary_path() -> String {
let home = home_dir();
// Check both /Applications and ~/Applications
let candidates = ["language_server_macos_arm", "language_server_darwin_arm64"];
for base in &[
"/Applications/Antigravity.app",
&format!("{home}/Applications/Antigravity.app"),
] {
let path = format!(
"{base}/Contents/Resources/app/extensions/antigravity/bin/language_server_darwin_arm64"
);
for name in candidates {
let path = format!("{base}/Contents/Resources/app/extensions/antigravity/bin/{name}");
if std::path::Path::new(&path).exists() {
return path;
}
}
"/Applications/Antigravity.app/Contents/Resources/app/extensions/antigravity/bin/language_server_darwin_arm64".into()
}
"/Applications/Antigravity.app/Contents/Resources/app/extensions/antigravity/bin/language_server_macos_arm".into()
}
#[cfg(target_os = "windows")]
@@ -295,9 +300,9 @@ pub fn supports_uid_isolation() -> bool {
}
}
/// Returns true if LD_PRELOAD DNS redirect is supported (Linux only).
/// Returns true if DNS redirect preload is supported (Linux/macOS).
pub fn supports_ld_preload() -> bool {
cfg!(target_os = "linux")
cfg!(any(target_os = "linux", target_os = "macos"))
}
#[cfg(test)]

19
src/standalone/mod.rs
View File

@@ -65,12 +65,12 @@ pub fn discover_main_ls_config() -> Result<MainLSConfig, String> {
discovery::discover_main_ls_config()
}
/// Build the dns_redirect.so preload library if it doesn't already exist.
/// Build the dns_redirect preload library if it doesn't already exist.
///
/// Linux only — hooks `getaddrinfo()` via LD_PRELOAD to redirect Google API
/// domain lookups to 127.0.0.1.
/// Linux/macOS — hooks `getaddrinfo()` via LD_PRELOAD/DYLD_INSERT_LIBRARIES
/// to redirect Google API domain lookups to 127.0.0.1.
///
/// Returns the path to the .so on success, None on failure.
/// Returns the path to the shared library on success, None on failure.
fn build_dns_redirect_so() -> Option<String> {
if !platform::supports_ld_preload() {
return None;
@@ -91,10 +91,15 @@ fn build_dns_redirect_so() -> Option<String> {
return None;
}
// Compile: gcc -shared -fPIC -o dns_redirect.so dns_redirect.c -ldl
let output = Command::new("gcc")
let output = if cfg!(target_os = "macos") {
Command::new("cc")
.args(["-dynamiclib", "-o", so_path.as_str(), &c_path])
.output()
} else {
Command::new("gcc")
.args(["-shared", "-fPIC", "-o", so_path.as_str(), &c_path, "-ldl"])
.output();
.output()
};
match output {
Ok(out) if out.status.success() => {

14
src/standalone/spawn.rs
View File

@@ -281,15 +281,23 @@ impl StandaloneLS {
// even the CodeAssistClient which has Proxy:nil hardcoded.
let so_path = build_dns_redirect_so();
if let Some(ref so) = so_path {
info!(path = %so, "Enabling LD_PRELOAD DNS redirect for headless MITM");
info!(path = %so, "Enabling DNS redirect preload for headless MITM");
#[cfg(target_os = "macos")]
{
env_vars.push(("DYLD_INSERT_LIBRARIES".into(), so.clone()));
env_vars.push(("DYLD_FORCE_FLAT_NAMESPACE".into(), "1".into()));
}
#[cfg(not(target_os = "macos"))]
{
env_vars.push(("LD_PRELOAD".into(), so.clone()));
}
env_vars.push((
"DNS_REDIRECT_LOG".into(),
format!("{data_dir}/dns-redirect.log"),
));
// Force Go binaries to use cgo (libc) DNS resolver instead of
// the pure-Go resolver. Without this, LD_PRELOAD getaddrinfo()
// hooks are bypassed because Go resolves DNS internally.
// the pure-Go resolver. Without this, getaddrinfo hooks are
// bypassed because Go resolves DNS internally.
env_vars.push(("GODEBUG".into(), "netdns=cgo".into()));
}