Start the HTTPS MITM proxy. Auto-generates a CA certificate. Returns port, URL, cert fingerprint, and setup instructions for the target device.

Stop the MITM proxy. Traffic history and CA certificate are retained.

Get proxy running state, port, upstream config, rule count, and traffic count.

Get the CA certificate PEM and SPKI fingerprint for installing on the target device.

Set a global upstream proxy for all outgoing traffic. Supports socks4://, socks5://, http://, https://, and pac+http:// URLs.

Remove the global upstream proxy. Traffic will go directly to target servers.

Set a per-host upstream proxy override. Traffic to this hostname will use the specified proxy instead of the global one.

Remove a per-host upstream proxy override.

Add an interception rule with a matcher and handler. Rules are evaluated by priority (ascending), first match wins.

Modify an existing interception rule.

Delete an interception rule.

List all interception rules sorted by priority.

Test which interception rules would match a request, with detailed per-field pass/fail diagnostics and effective winner by priority.

Enable a disabled interception rule.

Disable an interception rule without removing it.

List captured HTTP exchanges with optional filters. Returns paginated results.

Get full details of a captured HTTP exchange including headers and body previews.

Full-text search across URLs, headers, and body previews of captured traffic.

Clear all captured traffic from the buffer.

Add or overwrite headers on matching traffic. Creates a passthrough rule with header transforms.

Rewrite request URLs matching a pattern. Creates a passthrough rule with body match-replace on the URL.

Return a mock response for matched requests. Creates a mock rule.

Get JA3/JA4 client fingerprints and JA3S server fingerprint for a specific captured exchange.

List unique client JA3/JA4 fingerprints across captured traffic with occurrence counts.

Legacy: enable fingerprint spoofing (deprecated, use proxy_set_fingerprint_spoof with a preset). The ja3 parameter is accepted but ignored — the default Chrome preset is used.

Enable outgoing TLS + HTTP/2 fingerprint spoofing via impit (native TLS impersonation, no Docker required). Supports browser presets that select an impit target (rustls, matching real Chrome/Firefox).

List available browser fingerprint presets for use with proxy_set_fingerprint_spoof.

Check fingerprint spoofing backend readiness without sending traffic.

Disable fingerprint spoofing.

Get current TLS capture and spoofing configuration.

Toggle server-side JA3S capture. When enabled, outgoing TLS connections are intercepted to extract the server's negotiated TLS parameters.

List all interceptors with their availability and active targets. Shows Browser, Terminal, Android ADB, Android Frida, and Docker interceptors.

Get detailed status of a specific interceptor, including all active targets and their details.

Kill ALL active interceptors across all types. Emergency cleanup — stops all browser instances, kills spawned processes, removes ADB tunnels, detaches Frida, cleans Docker.

Launch cloakbrowser (stealth Chromium) with proxy flags and SPKI certificate trust. Built-in source-level fingerprint patches + humanize mode. Driven via Playwright — locator-based tools replace CDP.

Navigate the browser target's page via Playwright and optionally wait for matching host traffic to be captured by the proxy.

Close a browser instance launched by interceptor_browser_launch (or interceptor_camoufox_launch).

Spawn a command with proxy env vars pre-configured (HTTP_PROXY, HTTPS_PROXY, SSL_CERT_FILE, NODE_EXTRA_CA_CERTS, CURL_CA_BUNDLE, and 15+ more). Traffic automatically routes through the MITM proxy.

Kill a spawned process by target ID. Also retrieves final stdout/stderr output.

List connected Android devices via ADB with model, version, root status, and whether they're actively intercepted.

Full Android interception: inject CA cert into system store (root required), set up ADB reverse tunnel, and optionally set Wi-Fi proxy. Proxy must be running.

Remove ADB reverse tunnel and clear Wi-Fi proxy on an Android device.

Quick setup: push CA cert + ADB reverse tunnel only (no Wi-Fi proxy). Equivalent to interceptor_android_activate with set_wifi_proxy=false.

List running apps on an Android device via Frida. Requires frida-server running on the device.

Attach to an Android app via Frida and inject SSL unpinning + proxy redirect scripts. Bypasses certificate pinning, OkHttp CertificatePinner, TrustManager, and native TLS verification.

Detach Frida session from an Android app, removing injected scripts.

Inject proxy env vars and CA certificate into a Docker container. Two modes: 'exec' (inject into running container) or 'restart' (stop + restart with proxy config).

Remove proxy configuration from a Docker container and clean up injected files.

Take an ARIA accessibility snapshot of the bound page (YAML-formatted role tree). Great for LLM-driven page understanding without parsing HTML.

Take a screenshot of the bound page. Saves to file_path if provided; otherwise reports byte count without embedding the image.

List console messages buffered since the browser was launched. Types: log, info, warning, error, debug, etc.

List cookies from the browser context with pagination and truncated value previews.

Get one cookie by cookie_id with full value (subject to a hard cap to keep output bounded).

List localStorage/sessionStorage keys for the current origin with pagination and truncated value previews.

Get one localStorage/sessionStorage value by item_id.

List request/response header fields from proxy-captured traffic since the browser was launched, with pagination and truncation.

Get one full header field value from proxy-captured traffic by field_id.

Execute a JS file in the page and return its result. Source is loaded from script_path (absolute path). The file body is wrapped in an arrow function receiving __args (so the file may return value; directly and access the optional args object). Worlds: isolated (default) or main (camoufox-only, requires main_world_eval: true at launch). Cloakbrowser (Chromium): isolated runs in Playwright's utility world (different window, same DOM). main is rejected — use interceptor_browser_inject_init_script for main-world patching there. Camoufox (cloverlabs/FF150): there is no separate isolated world — both permitted modes run in the page's main world. Reads are invisible to the page; mutations (window.x = …, Object.defineProperty, prototype patches) are observable by page scripts. Earlier daijro/FF135 had a Juggler scope that made isolated invisible to the page; that scope was removed in cloverlabs. Verify on your installed build with scripts/camoufox-world-probe.ts. Rate-limit on cloakbrowser before reCAPTCHA: each call emits CDP traffic that behavioural scorers count.

Inject a JS file as an init script (Playwright page.addInitScript). Runs before any page script on every subsequent navigation/frame. Cloakbrowser (Chromium): runs in the isolated utility world — no DOM artifact; patches to shared prototypes/globals reach the page main world via utility-world sharing. Camoufox (cloverlabs/FF150): runs directly in the page's main world. Patches (e.g. Object.defineProperty(navigator, 'webdriver', ...)) DO apply to the page, but are observable by anti-bot code on the page (Function.prototype.toString leak applies). For Camoufox stealth, prefer source-level fingerprint config at launch (os, webgl_config, fonts, humanize, …) over JS injection. Earlier daijro/FF135 ran init scripts in a Juggler scope that did NOT reach the page (camoufox#48); cloverlabs/FF150 removed that scope. Does NOT affect the currently loaded document — navigate again to apply.

Append a element to the current page (Playwright page.addScriptTag). WARNING: injects a real DOM node visible to MutationObserver, document.scripts, and CSP. Avoid for anti-bot stealth — prefer interceptor_browser_inject_init_script (no DOM node) when you need page-scope execution.

Start persistent on-disk capture for the current proxy run.

Stop persistent on-disk capture and finalize the active session.

Get current persistent capture runtime status.

List recorded sessions in storage.

Get manifest/details for a specific recorded session.

Import a HAR file from disk into a new persisted session for querying, findings, and replay.

Query indexed session exchanges by metadata (URL, hostname, method, status) with filters and pagination. Does NOT search body content — use proxy_search_session_bodies for that.

Search inside HTTP request/response bodies stored in a persistent session. Decompresses and searches actual body content — useful for finding specific text, prices, API responses, error messages, etc. in recorded traffic. Returns context snippets around each match (like grep -C).

Summarize TLS handshake/fingerprint availability (JA3/JA4/JA3S) for session exchanges.

Get one exchange from a recorded session by seq or exchange ID.

Replay selected requests from a recorded/imported session. Default mode is dry_run for safety.

Export a recorded session (or filtered subset) to HAR format.

Delete a recorded session from disk.

Rebuild session indexes from records after crash/corruption.

Move mouse to target coordinates via the backend Playwright page.

Click an element. Pass one of: selector (CSS/XPath), role + optional name, text, label, or raw x+y coords as fallback. Locator-based calls auto-wait for visible.

Type text into the focused element via page.keyboard.type.

Dispatch a wheel event. Raw page.mouse.wheel — single event, not multi-step.

Simulate idle behavior with mouse micro-jitter and occasional micro-scrolls. Keeps the page 'alive' to avoid idle detection by bot-detection scripts.

Start the transparent proxy listener. Receives iptables-redirected traffic (no CONNECT tunnels). Shares the same CA cert, rules, and traffic buffer as the explicit proxy. The explicit proxy must be started first.

Stop the transparent proxy listener.

Get status of the transparent proxy listener including port and traffic count.

One-command mobile capture: start explicit + transparent listeners, optionally inject the CA on an Android device, and emit a sudo-runnable script that wires iptables/sysctl/nmcli on the AP iface. Designed to pair with the proxy-ap-card firmware (ESP32-S3 rogue AP over USB-NCM).

Reverse proxy_mobile_setup: deactivate the Android target if any, stop the transparent + explicit listeners, and emit a sudo-runnable script that removes the iptables rules and restores NetworkManager management.

Auto-detect the USB-NCM interface the proxy-ap-card presents as (via the cdc_ncm driver). Returns null + iface list if none found.

Launch camoufox (anti-detect Firefox) as a Playwright WebSocket server, proxied through proxy-mcp with NSS CA trust. Returns a camoufox target_id, wsUrl, and safe fingerprint introspection; drive the target with interceptor_browser_* and humanizer_* tools, or use wsUrl for custom Playwright code. Requires pip install cloverlabs-camoufox[geoip] + python3 -m camoufox fetch official/150.0.2-alpha.26 on the host (and libnss3-tools for cert trust).

Get the wsUrl and ready-to-paste Playwright connect snippets (TS + Python) for a camoufox target.

List all active camoufox instances with their wsUrl and fingerprint details.

Close a camoufox instance launched by interceptor_camoufox_launch. Kills the Python launcher, removes the temp launcher dir, and removes the NSS profile dir if one was created.