feat: add libcurl-impersonate FFI transport for Chrome TLS fingerprint

Windows lacks curl-impersonate CLI, so use koffi FFI to call
libcurl-impersonate DLL directly. Introduces TlsTransport abstraction
with auto-selection: FFI on Windows, CLI subprocess on macOS/Linux.
All three API protocols (OpenAI/Anthropic/Gemini) verified working.

- New: src/tls/transport.ts (interface + singleton factory)
- New: src/tls/curl-cli-transport.ts (extracted from codex-api.ts)
- New: src/tls/libcurl-ffi-transport.ts (koffi FFI, curl_multi streaming)
- New: scripts/poc-libcurl-ffi.ts (POC verification script)
- Updated: setup-curl.ts auto-downloads DLL + cacert.pem on Windows
- Updated: codex-api.ts uses transport abstraction (~200 lines removed)
- Updated: curl-fetch.ts delegates to transport singleton

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

config/default.yaml

@@ -38,6 +38,9 @@ session:
   cleanup_interval_minutes: 5
 
 tls:
+  # Transport layer: "auto" | "curl-cli" | "libcurl-ffi"
+  # auto = Windows+DLL → libcurl-ffi, macOS/Linux → curl-cli
+  transport: "auto"
   # curl binary path. "auto" = detect bin/curl-impersonate-chrome, fallback to system curl
   curl_binary: "auto"
   # Chrome profile for --impersonate flag (auto-detected when curl-impersonate supports it)

package-lock.json

@@ -7,18 +7,43 @@
     "": {
       "name": "codex-proxy",
       "version": "1.0.0",
+      "hasInstallScript": true,
       "dependencies": {
         "@hono/node-server": "^1.0.0",
         "hono": "^4.0.0",
         "js-yaml": "^4.1.0",
+        "koffi": "^2.15.1",
         "undici": "^7.0.0",
         "zod": "^3.23.0"
       },
       "devDependencies": {
+        "@electron/asar": "^3.2.0",
         "@types/js-yaml": "^4.0.0",
         "@types/node": "^22.0.0",
+        "js-beautify": "^1.15.0",
         "tsx": "^4.0.0",
         "typescript": "^5.5.0"
+      },
+      "optionalDependencies": {
+        "koffi": "^2.15.1"
+      }
+    },
+    "node_modules/@electron/asar": {
+      "version": "3.4.1",
+      "resolved": "https://registry.npmmirror.com/@electron/asar/-/asar-3.4.1.tgz",
+      "integrity": "sha512-i4/rNPRS84t0vSRa2HorerGRXWyF4vThfHesw0dmcWHp+cspK743UanA0suA5Q5y8kzY2y6YKrvbIUn69BCAiA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "commander": "^5.0.0",
+        "glob": "^7.1.6",
+        "minimatch": "^3.0.4"
+      },
+      "bin": {
+        "asar": "bin/asar.js"
+      },
+      "engines": {
+        "node": ">=10.12.0"
       }
     },
     "node_modules/@esbuild/aix-ppc64": {
@@ -475,6 +500,42 @@
         "hono": "^4"
       }
     },
+    "node_modules/@isaacs/cliui": {
+      "version": "8.0.2",
+      "resolved": "https://registry.npmmirror.com/@isaacs/cliui/-/cliui-8.0.2.tgz",
+      "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "string-width": "^5.1.2",
+        "string-width-cjs": "npm:string-width@^4.2.0",
+        "strip-ansi": "^7.0.1",
+        "strip-ansi-cjs": "npm:strip-ansi@^6.0.1",
+        "wrap-ansi": "^8.1.0",
+        "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@one-ini/wasm": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmmirror.com/@one-ini/wasm/-/wasm-0.1.1.tgz",
+      "integrity": "sha512-XuySG1E38YScSJoMlqovLru4KTUNSjgVTIjyh7qMX6aNN5HY5Ct5LhRJdxO79JtTzKfzV/bnWpz+zquYrISsvw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@pkgjs/parseargs": {
+      "version": "0.11.0",
+      "resolved": "https://registry.npmmirror.com/@pkgjs/parseargs/-/parseargs-0.11.0.tgz",
+      "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=14"
+      }
+    },
     "node_modules/@types/js-yaml": {
       "version": "4.0.9",
       "resolved": "https://registry.npmmirror.com/@types/js-yaml/-/js-yaml-4.0.9.tgz",
@@ -492,12 +553,198 @@
         "undici-types": "~6.21.0"
       }
     },
+    "node_modules/abbrev": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmmirror.com/abbrev/-/abbrev-2.0.0.tgz",
+      "integrity": "sha512-6/mh1E2u2YgEsCHdY0Yx5oW+61gZU+1vXaoiHHrpKeuRNNgFvS+/jrwHiQhB5apAf5oB7UB7E19ol2R2LKH8hQ==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+      }
+    },
+    "node_modules/ansi-regex": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmmirror.com/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/ansi-styles": {
+      "version": "6.2.3",
+      "resolved": "https://registry.npmmirror.com/ansi-styles/-/ansi-styles-6.2.3.tgz",
+      "integrity": "sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
     "node_modules/argparse": {
       "version": "2.0.1",
       "resolved": "https://registry.npmmirror.com/argparse/-/argparse-2.0.1.tgz",
       "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
       "license": "Python-2.0"
     },
+    "node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmmirror.com/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/brace-expansion": {
+      "version": "1.1.12",
+      "resolved": "https://registry.npmmirror.com/brace-expansion/-/brace-expansion-1.1.12.tgz",
+      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmmirror.com/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmmirror.com/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/commander": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmmirror.com/commander/-/commander-5.1.0.tgz",
+      "integrity": "sha512-P0CysNDQ7rtVw4QIQtm+MRxV66vKFSvlsQvGYXZWR3qFU0jlMKHZZZgw8e+8DSah4UDKMqnknRDQz+xuQXQ/Zg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/concat-map": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmmirror.com/concat-map/-/concat-map-0.0.1.tgz",
+      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/config-chain": {
+      "version": "1.1.13",
+      "resolved": "https://registry.npmmirror.com/config-chain/-/config-chain-1.1.13.tgz",
+      "integrity": "sha512-qj+f8APARXHrM0hraqXYb2/bOVSV4PvJQlNZ/DVj0QrmNM2q2euizkeuVckQ57J+W0mRH6Hvi+k50M4Jul2VRQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ini": "^1.3.4",
+        "proto-list": "~1.2.1"
+      }
+    },
+    "node_modules/cross-spawn": {
+      "version": "7.0.6",
+      "resolved": "https://registry.npmmirror.com/cross-spawn/-/cross-spawn-7.0.6.tgz",
+      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "path-key": "^3.1.0",
+        "shebang-command": "^2.0.0",
+        "which": "^2.0.1"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/eastasianwidth": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmmirror.com/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
+      "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/editorconfig": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmmirror.com/editorconfig/-/editorconfig-1.0.4.tgz",
+      "integrity": "sha512-L9Qe08KWTlqYMVvMcTIvMAdl1cDUubzRNYL+WfA4bLDMHe4nemKkpmYzkznE1FwLKu0EEmy6obgQKzMJrg4x9Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@one-ini/wasm": "0.1.1",
+        "commander": "^10.0.0",
+        "minimatch": "9.0.1",
+        "semver": "^7.5.3"
+      },
+      "bin": {
+        "editorconfig": "bin/editorconfig"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/editorconfig/node_modules/brace-expansion": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmmirror.com/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0"
+      }
+    },
+    "node_modules/editorconfig/node_modules/commander": {
+      "version": "10.0.1",
+      "resolved": "https://registry.npmmirror.com/commander/-/commander-10.0.1.tgz",
+      "integrity": "sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/editorconfig/node_modules/minimatch": {
+      "version": "9.0.1",
+      "resolved": "https://registry.npmmirror.com/minimatch/-/minimatch-9.0.1.tgz",
+      "integrity": "sha512-0jWhJpD/MdhPXwPuiRkCbfYfSKp2qnn2eOc279qI7f+osl/l+prKSrvhg157zSYvx/1nmgn2NqdT6k2Z7zSH9w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/emoji-regex": {
+      "version": "9.2.2",
+      "resolved": "https://registry.npmmirror.com/emoji-regex/-/emoji-regex-9.2.2.tgz",
+      "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/esbuild": {
       "version": "0.27.3",
       "resolved": "https://registry.npmmirror.com/esbuild/-/esbuild-0.27.3.tgz",
@@ -540,6 +787,30 @@
         "@esbuild/win32-x64": "0.27.3"
       }
     },
+    "node_modules/foreground-child": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmmirror.com/foreground-child/-/foreground-child-3.3.1.tgz",
+      "integrity": "sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "cross-spawn": "^7.0.6",
+        "signal-exit": "^4.0.1"
+      },
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/fs.realpath": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmmirror.com/fs.realpath/-/fs.realpath-1.0.0.tgz",
+      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/fsevents": {
       "version": "2.3.3",
       "resolved": "https://registry.npmmirror.com/fsevents/-/fsevents-2.3.3.tgz",
@@ -568,6 +839,28 @@
         "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1"
       }
     },
+    "node_modules/glob": {
+      "version": "7.2.3",
+      "resolved": "https://registry.npmmirror.com/glob/-/glob-7.2.3.tgz",
+      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
+      "deprecated": "Glob versions prior to v9 are no longer supported",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.1.1",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      },
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
     "node_modules/hono": {
       "version": "4.11.9",
       "resolved": "https://registry.npmmirror.com/hono/-/hono-4.11.9.tgz",
@@ -577,6 +870,144 @@
         "node": ">=16.9.0"
       }
     },
+    "node_modules/inflight": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmmirror.com/inflight/-/inflight-1.0.6.tgz",
+      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
+      "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "once": "^1.3.0",
+        "wrappy": "1"
+      }
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmmirror.com/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/ini": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmmirror.com/ini/-/ini-1.3.8.tgz",
+      "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmmirror.com/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/isexe": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmmirror.com/isexe/-/isexe-2.0.0.tgz",
+      "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/jackspeak": {
+      "version": "3.4.3",
+      "resolved": "https://registry.npmmirror.com/jackspeak/-/jackspeak-3.4.3.tgz",
+      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "dependencies": {
+        "@isaacs/cliui": "^8.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      },
+      "optionalDependencies": {
+        "@pkgjs/parseargs": "^0.11.0"
+      }
+    },
+    "node_modules/js-beautify": {
+      "version": "1.15.4",
+      "resolved": "https://registry.npmmirror.com/js-beautify/-/js-beautify-1.15.4.tgz",
+      "integrity": "sha512-9/KXeZUKKJwqCXUdBxFJ3vPh467OCckSBmYDwSK/EtV090K+iMJ7zx2S3HLVDIWFQdqMIsZWbnaGiba18aWhaA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "config-chain": "^1.1.13",
+        "editorconfig": "^1.0.4",
+        "glob": "^10.4.2",
+        "js-cookie": "^3.0.5",
+        "nopt": "^7.2.1"
+      },
+      "bin": {
+        "css-beautify": "js/bin/css-beautify.js",
+        "html-beautify": "js/bin/html-beautify.js",
+        "js-beautify": "js/bin/js-beautify.js"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/js-beautify/node_modules/brace-expansion": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmmirror.com/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0"
+      }
+    },
+    "node_modules/js-beautify/node_modules/glob": {
+      "version": "10.4.5",
+      "resolved": "https://registry.npmmirror.com/glob/-/glob-10.4.5.tgz",
+      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "foreground-child": "^3.1.0",
+        "jackspeak": "^3.1.2",
+        "minimatch": "^9.0.4",
+        "minipass": "^7.1.2",
+        "package-json-from-dist": "^1.0.0",
+        "path-scurry": "^1.11.1"
+      },
+      "bin": {
+        "glob": "dist/esm/bin.mjs"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/js-beautify/node_modules/minimatch": {
+      "version": "9.0.5",
+      "resolved": "https://registry.npmmirror.com/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/js-cookie": {
+      "version": "3.0.5",
+      "resolved": "https://registry.npmmirror.com/js-cookie/-/js-cookie-3.0.5.tgz",
+      "integrity": "sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=14"
+      }
+    },
     "node_modules/js-yaml": {
       "version": "4.1.1",
       "resolved": "https://registry.npmmirror.com/js-yaml/-/js-yaml-4.1.1.tgz",
@@ -589,6 +1020,124 @@
         "js-yaml": "bin/js-yaml.js"
       }
     },
+    "node_modules/koffi": {
+      "version": "2.15.1",
+      "resolved": "https://registry.npmmirror.com/koffi/-/koffi-2.15.1.tgz",
+      "integrity": "sha512-mnc0C0crx/xMSljb5s9QbnLrlFHprioFO1hkXyuSuO/QtbpLDa0l/uM21944UfQunMKmp3/r789DTDxVyyH6aA==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "funding": {
+        "url": "https://liberapay.com/Koromix"
+      }
+    },
+    "node_modules/lru-cache": {
+      "version": "10.4.3",
+      "resolved": "https://registry.npmmirror.com/lru-cache/-/lru-cache-10.4.3.tgz",
+      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/minimatch": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmmirror.com/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/minipass": {
+      "version": "7.1.3",
+      "resolved": "https://registry.npmmirror.com/minipass/-/minipass-7.1.3.tgz",
+      "integrity": "sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      }
+    },
+    "node_modules/nopt": {
+      "version": "7.2.1",
+      "resolved": "https://registry.npmmirror.com/nopt/-/nopt-7.2.1.tgz",
+      "integrity": "sha512-taM24ViiimT/XntxbPyJQzCG+p4EKOpgD3mxFwW38mGjVUrfERQOeY4EDHjdnptttfHuHQXFx+lTP08Q+mLa/w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "abbrev": "^2.0.0"
+      },
+      "bin": {
+        "nopt": "bin/nopt.js"
+      },
+      "engines": {
+        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+      }
+    },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmmirror.com/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
+    "node_modules/package-json-from-dist": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmmirror.com/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
+      "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==",
+      "dev": true,
+      "license": "BlueOak-1.0.0"
+    },
+    "node_modules/path-is-absolute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmmirror.com/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
+      "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/path-key": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmmirror.com/path-key/-/path-key-3.1.1.tgz",
+      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/path-scurry": {
+      "version": "1.11.1",
+      "resolved": "https://registry.npmmirror.com/path-scurry/-/path-scurry-1.11.1.tgz",
+      "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "dependencies": {
+        "lru-cache": "^10.2.0",
+        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/proto-list": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmmirror.com/proto-list/-/proto-list-1.2.4.tgz",
+      "integrity": "sha512-vtK/94akxsTMhe0/cbfpR+syPuszcuwhqVjJq26CuNDgFGj682oRBXOP5MJpv2r7JtE8MsiepGIqvvOTBwn2vA==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/resolve-pkg-maps": {
       "version": "1.0.0",
       "resolved": "https://registry.npmmirror.com/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz",
@@ -599,6 +1148,159 @@
         "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1"
       }
     },
+    "node_modules/semver": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmmirror.com/semver/-/semver-7.7.4.tgz",
+      "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/shebang-command": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmmirror.com/shebang-command/-/shebang-command-2.0.0.tgz",
+      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "shebang-regex": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/shebang-regex": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmmirror.com/shebang-regex/-/shebang-regex-3.0.0.tgz",
+      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/signal-exit": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmmirror.com/signal-exit/-/signal-exit-4.1.0.tgz",
+      "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/string-width": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmmirror.com/string-width/-/string-width-5.1.2.tgz",
+      "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "eastasianwidth": "^0.2.0",
+        "emoji-regex": "^9.2.2",
+        "strip-ansi": "^7.0.1"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/string-width-cjs": {
+      "name": "string-width",
+      "version": "4.2.3",
+      "resolved": "https://registry.npmmirror.com/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/string-width-cjs/node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmmirror.com/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/string-width-cjs/node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmmirror.com/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/string-width-cjs/node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmmirror.com/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-ansi": {
+      "version": "7.1.2",
+      "resolved": "https://registry.npmmirror.com/strip-ansi/-/strip-ansi-7.1.2.tgz",
+      "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/strip-ansi?sponsor=1"
+      }
+    },
+    "node_modules/strip-ansi-cjs": {
+      "name": "strip-ansi",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmmirror.com/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-ansi-cjs/node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmmirror.com/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/tsx": {
       "version": "4.21.0",
       "resolved": "https://registry.npmmirror.com/tsx/-/tsx-4.21.0.tgz",
@@ -649,6 +1351,127 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/which": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmmirror.com/which/-/which-2.0.2.tgz",
+      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "isexe": "^2.0.0"
+      },
+      "bin": {
+        "node-which": "bin/node-which"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/wrap-ansi": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmmirror.com/wrap-ansi/-/wrap-ansi-8.1.0.tgz",
+      "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-styles": "^6.1.0",
+        "string-width": "^5.0.1",
+        "strip-ansi": "^7.0.1"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
+      }
+    },
+    "node_modules/wrap-ansi-cjs": {
+      "name": "wrap-ansi",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmmirror.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
+      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
+      }
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmmirror.com/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmmirror.com/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmmirror.com/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmmirror.com/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmmirror.com/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmmirror.com/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/zod": {
       "version": "3.25.76",
       "resolved": "https://registry.npmmirror.com/zod/-/zod-3.25.76.tgz",

package.json

@@ -19,18 +19,21 @@
     "postinstall": "tsx scripts/setup-curl.ts"
   },
   "dependencies": {
-    "hono": "^4.0.0",
     "@hono/node-server": "^1.0.0",
-    "undici": "^7.0.0",
+    "hono": "^4.0.0",
     "js-yaml": "^4.1.0",
+    "undici": "^7.0.0",
     "zod": "^3.23.0"
   },
+  "optionalDependencies": {
+    "koffi": "^2.15.1"
+  },
   "devDependencies": {
-    "typescript": "^5.5.0",
-    "tsx": "^4.0.0",
+    "@electron/asar": "^3.2.0",
     "@types/js-yaml": "^4.0.0",
     "@types/node": "^22.0.0",
     "js-beautify": "^1.15.0",
-    "@electron/asar": "^3.2.0"
+    "tsx": "^4.0.0",
+    "typescript": "^5.5.0"
   }
 }

scripts/poc-libcurl-ffi.ts

@@ -0,0 +1,282 @@
+#!/usr/bin/env tsx
+/**
+ * POC: Verify libcurl-impersonate FFI transport works on Windows.
+ *
+ * Tests:
+ * 1. koffi can load libcurl.dll
+ * 2. curl_easy_impersonate("chrome136") works
+ * 3. WRITEFUNCTION callback receives data
+ * 4. TLS fingerprint matches Chrome (checked via tls.peet.ws)
+ * 5. curl_multi async loop doesn't block event loop
+ */
+
+import { resolve } from "path";
+import { existsSync } from "fs";
+
+const BIN_DIR = resolve(process.cwd(), "bin");
+
+async function main() {
+  console.log("=== libcurl-impersonate FFI POC ===\n");
+
+  // 1. Load koffi
+  console.log("[1/5] Loading koffi...");
+  let koffi: any;
+  try {
+    koffi = (await import("koffi")).default ?? await import("koffi");
+    console.log("  ✓ koffi loaded");
+  } catch (err: any) {
+    console.error("  ✗ koffi not available:", err.message);
+    process.exit(1);
+  }
+
+  // 2. Load libcurl.dll
+  console.log("[2/5] Loading libcurl.dll...");
+  const dllPath = resolve(BIN_DIR, "libcurl.dll");
+  if (!existsSync(dllPath)) {
+    console.error(`  ✗ ${dllPath} not found. Run: npm run setup`);
+    process.exit(1);
+  }
+  let lib: any;
+  try {
+    lib = koffi.load(dllPath);
+    console.log(`  ✓ Loaded ${dllPath}`);
+  } catch (err: any) {
+    console.error("  ✗ Failed to load DLL:", err.message);
+    process.exit(1);
+  }
+
+  // 3. Bind functions
+  console.log("[3/5] Binding curl functions...");
+  const CURL = koffi.pointer("CURL", koffi.opaque());
+  const CURLM = koffi.pointer("CURLM", koffi.opaque());
+  koffi.pointer("curl_slist", koffi.opaque());
+
+  const writeCbType = koffi.proto("size_t write_cb(const uint8_t *ptr, size_t size, size_t nmemb, intptr_t userdata)");
+
+  const fns = {
+    curl_global_init: lib.func("int curl_global_init(int flags)"),
+    curl_easy_init: lib.func("CURL *curl_easy_init()"),
+    curl_easy_cleanup: lib.func("void curl_easy_cleanup(CURL *handle)"),
+    curl_easy_setopt_long: lib.func("int curl_easy_setopt(CURL *handle, int option, long value)"),
+    curl_easy_setopt_str: lib.func("int curl_easy_setopt(CURL *handle, int option, const char *value)"),
+    curl_easy_setopt_cb: lib.func("int curl_easy_setopt(CURL *handle, int option, write_cb *value)"),
+    curl_easy_getinfo_long: lib.func("int curl_easy_getinfo(CURL *handle, int info, _Out_ int *value)"),
+    curl_easy_impersonate: lib.func("int curl_easy_impersonate(CURL *handle, const char *target, int default_headers)"),
+    curl_easy_perform: lib.func("int curl_easy_perform(CURL *handle)"),
+    curl_multi_init: lib.func("CURLM *curl_multi_init()"),
+    curl_multi_add_handle: lib.func("int curl_multi_add_handle(CURLM *multi, CURL *easy)"),
+    curl_multi_remove_handle: lib.func("int curl_multi_remove_handle(CURLM *multi, CURL *easy)"),
+    curl_multi_perform: lib.func("int curl_multi_perform(CURLM *multi, _Out_ int *running_handles)"),
+    curl_multi_poll: lib.func("int curl_multi_poll(CURLM *multi, void *extra_fds, int extra_nfds, int timeout_ms, _Out_ int *numfds)"),
+    curl_multi_cleanup: lib.func("int curl_multi_cleanup(CURLM *multi)"),
+    curl_slist_append: lib.func("curl_slist *curl_slist_append(curl_slist *list, const char *string)"),
+    curl_slist_free_all: lib.func("void curl_slist_free_all(curl_slist *list)"),
+    curl_easy_setopt_ptr: lib.func("int curl_easy_setopt(CURL *handle, int option, curl_slist *value)"),
+  };
+
+  // Constants
+  const CURLOPT_URL = 10002;
+  const CURLOPT_HTTPHEADER = 10023;
+  const CURLOPT_WRITEFUNCTION = 20011;
+  const CURLOPT_NOSIGNAL = 99;
+  const CURLOPT_ACCEPT_ENCODING = 10102;
+  const CURLOPT_HTTP_VERSION = 84;
+  const CURL_HTTP_VERSION_2_0 = 3;
+  const CURLOPT_CAINFO = 10065;
+  const CURLINFO_RESPONSE_CODE = 0x200002;
+
+  fns.curl_global_init(3); // CURL_GLOBAL_DEFAULT
+  console.log("  ✓ Functions bound, curl_global_init OK");
+
+  // 4. Simple GET to tls.peet.ws using curl_easy_perform.async()
+  console.log("[4/5] Testing simple GET with Chrome TLS fingerprint...");
+
+  const easy = fns.curl_easy_init();
+  if (!easy) {
+    console.error("  ✗ curl_easy_init returned null");
+    process.exit(1);
+  }
+
+  // Impersonate Chrome 136
+  const impResult = fns.curl_easy_impersonate(easy, "chrome136", 0);
+  console.log(`  curl_easy_impersonate result: ${impResult} (0 = OK)`);
+
+  fns.curl_easy_setopt_str(easy, CURLOPT_URL, "https://tls.peet.ws/api/all");
+  fns.curl_easy_setopt_long(easy, CURLOPT_NOSIGNAL, 1);
+  fns.curl_easy_setopt_long(easy, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0);
+  fns.curl_easy_setopt_str(easy, CURLOPT_ACCEPT_ENCODING, "");
+
+  // CA bundle for BoringSSL (not Schannel)
+  const caPath = resolve(BIN_DIR, "cacert.pem");
+  if (existsSync(caPath)) {
+    fns.curl_easy_setopt_str(easy, CURLOPT_CAINFO, caPath);
+    console.log(`  Using CA bundle: ${caPath}`);
+  }
+
+  // Set User-Agent to match Chrome
+  let slist: any = null;
+  slist = fns.curl_slist_append(slist, "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36");
+  slist = fns.curl_slist_append(slist, "Expect:");
+  fns.curl_easy_setopt_ptr(easy, CURLOPT_HTTPHEADER, slist);
+
+  const chunks: Buffer[] = [];
+  const writeCallback = koffi.register(
+    (ptr: any, size: number, nmemb: number, _userdata: any): number => {
+      const totalBytes = size * nmemb;
+      if (totalBytes === 0) return 0;
+      const arr = koffi.decode(ptr, "uint8_t", totalBytes);
+      chunks.push(Buffer.from(arr));
+      return totalBytes;
+    },
+    koffi.pointer(writeCbType as Parameters<typeof koffi.pointer>[0]),
+  );
+  fns.curl_easy_setopt_cb(easy, CURLOPT_WRITEFUNCTION, writeCallback);
+
+  console.log("  Sending request to https://tls.peet.ws/api/all ...");
+  const startTime = Date.now();
+
+  // Use .async() to run on worker thread (non-blocking)
+  // koffi .async() requires callback as last arg — wrap in promise
+  const performResult = await new Promise<number>((res, rej) => {
+    fns.curl_easy_perform.async(easy, (err: any, result: number) => {
+      if (err) rej(err); else res(result);
+    });
+  });
+
+  const elapsed = Date.now() - startTime;
+  console.log(`  curl_easy_perform result: ${performResult} (0 = OK), took ${elapsed}ms`);
+
+  const statusBuf = new Int32Array(1);
+  fns.curl_easy_getinfo_long(easy, CURLINFO_RESPONSE_CODE, statusBuf);
+  console.log(`  HTTP status: ${statusBuf[0]}`);
+
+  fns.curl_easy_cleanup(easy);
+  if (slist) fns.curl_slist_free_all(slist);
+  koffi.unregister(writeCallback);
+
+  if (performResult !== 0 || statusBuf[0] !== 200) {
+    console.error("  ✗ Request failed");
+    process.exit(1);
+  }
+
+  const body = Buffer.concat(chunks).toString("utf-8");
+  let tlsData: any;
+  try {
+    tlsData = JSON.parse(body);
+  } catch {
+    console.error("  ✗ Invalid JSON response:", body.slice(0, 200));
+    process.exit(1);
+  }
+
+  console.log("\n  === TLS Fingerprint Results ===");
+  console.log(`  IP:         ${tlsData.ip ?? "?"}`);
+  console.log(`  HTTP/2:     ${tlsData.http_version ?? "?"}`);
+  console.log(`  TLS:        ${tlsData.tls?.version ?? "?"}`);
+  console.log(`  JA3:        ${tlsData.tls?.ja3 ?? "N/A"}`);
+  console.log(`  JA3 Hash:   ${tlsData.tls?.ja3_hash ?? "N/A"}`);
+  console.log(`  JA4:        ${tlsData.tls?.ja4 ?? "N/A"}`);
+  console.log(`  Peetprint:  ${tlsData.tls?.peetprint_hash ?? "N/A"}`);
+  console.log(`  Akamai H2:  ${tlsData.http2?.akamai_fingerprint_hash ?? "N/A"}`);
+
+  // Check if it looks like Chrome
+  const ja4 = tlsData.tls?.ja4 ?? "";
+  const httpVersion = tlsData.http_version ?? "";
+  const isChromeLike = ja4.startsWith("t") && httpVersion === "h2";
+  console.log(`\n  Chrome-like: ${isChromeLike ? "✓ YES" : "✗ NO"}`);
+
+  // 5. Test curl_multi async (non-blocking) — verify event loop stays free
+  console.log("\n[5/5] Testing curl_multi async (non-blocking)...");
+
+  const easy2 = fns.curl_easy_init();
+  fns.curl_easy_impersonate(easy2, "chrome136", 0);
+  fns.curl_easy_setopt_str(easy2, CURLOPT_URL, "https://httpbin.org/get");
+  fns.curl_easy_setopt_long(easy2, CURLOPT_NOSIGNAL, 1);
+  fns.curl_easy_setopt_str(easy2, CURLOPT_ACCEPT_ENCODING, "");
+  if (existsSync(caPath)) {
+    fns.curl_easy_setopt_str(easy2, CURLOPT_CAINFO, caPath);
+  }
+
+  const chunks2: Buffer[] = [];
+  const writeCallback2 = koffi.register(
+    (ptr: any, size: number, nmemb: number, _userdata: any): number => {
+      const totalBytes = size * nmemb;
+      if (totalBytes === 0) return 0;
+      const arr = koffi.decode(ptr, "uint8_t", totalBytes);
+      chunks2.push(Buffer.from(arr));
+      return totalBytes;
+    },
+    koffi.pointer(writeCbType as Parameters<typeof koffi.pointer>[0]),
+  );
+  fns.curl_easy_setopt_cb(easy2, CURLOPT_WRITEFUNCTION, writeCallback2);
+
+  const multi = fns.curl_multi_init();
+  fns.curl_multi_add_handle(multi, easy2);
+
+  const runningHandles = new Int32Array(1);
+  const numfds = new Int32Array(1);
+
+  // Track event loop freedom
+  let timerFired = false;
+  const timer = setTimeout(() => { timerFired = true; }, 50);
+
+  const asyncPoll = (m: any, nfds: Int32Array) =>
+    new Promise<number>((res, rej) => {
+      fns.curl_multi_poll.async(m, null, 0, 200, nfds, (err: any, r: number) => {
+        if (err) rej(err); else res(r);
+      });
+    });
+  const asyncPerform = (m: any, rh: Int32Array) =>
+    new Promise<number>((res, rej) => {
+      fns.curl_multi_perform.async(m, rh, (err: any, r: number) => {
+        if (err) rej(err); else res(r);
+      });
+    });
+
+  const multiStart = Date.now();
+  let iterations = 0;
+  while (true) {
+    const pollResult = await asyncPoll(multi, numfds);
+    if (pollResult !== 0) break;
+
+    const perfResult = await asyncPerform(multi, runningHandles);
+    if (perfResult !== 0) break;
+
+    iterations++;
+    if (runningHandles[0] === 0) break;
+  }
+  const multiElapsed = Date.now() - multiStart;
+  clearTimeout(timer);
+
+  fns.curl_multi_remove_handle(multi, easy2);
+  fns.curl_multi_cleanup(multi);
+  fns.curl_easy_cleanup(easy2);
+  koffi.unregister(writeCallback2);
+
+  const body2 = Buffer.concat(chunks2).toString("utf-8");
+  const multiOk = body2.length > 0;
+
+  console.log(`  curl_multi iterations: ${iterations}`);
+  console.log(`  Response size: ${body2.length} bytes`);
+  console.log(`  Time: ${multiElapsed}ms`);
+  console.log(`  Event loop free during transfer: ${timerFired ? "✓ YES" : "✗ NO (blocked)"}`);
+  console.log(`  curl_multi result: ${multiOk ? "✓ OK" : "✗ FAILED"}`);
+
+  // Summary
+  console.log("\n=== POC Summary ===");
+  console.log(`  koffi load:         ✓`);
+  console.log(`  DLL load:           ✓`);
+  console.log(`  impersonate:        ${impResult === 0 ? "✓" : "✗"}`);
+  console.log(`  simple GET:         ✓ (${elapsed}ms)`);
+  console.log(`  Chrome fingerprint: ${isChromeLike ? "✓" : "✗"}`);
+  console.log(`  curl_multi async:   ${multiOk ? "✓" : "✗"} (${multiElapsed}ms)`);
+  console.log(`  event loop free:    ${timerFired ? "✓" : "✗"}`);
+
+  const allPassed = impResult === 0 && isChromeLike && multiOk && timerFired;
+  console.log(`\n  Overall: ${allPassed ? "ALL PASSED ✓" : "SOME FAILED ✗"}`);
+  process.exit(allPassed ? 0 : 1);
+}
+
+main().catch((err) => {
+  console.error("Fatal:", err);
+  process.exit(1);
+});

scripts/setup-curl.ts

@@ -10,12 +10,13 @@
  */
 
 import { execSync } from "child_process";
-import { existsSync, mkdirSync, chmodSync, readdirSync, copyFileSync, rmSync } from "fs";
+import { existsSync, mkdirSync, chmodSync, readdirSync, copyFileSync, rmSync, writeFileSync } from "fs";
 import { resolve, join } from "path";
 
 const REPO = "lexiforest/curl-impersonate";
 const FALLBACK_VERSION = "v1.4.4";
 const BIN_DIR = resolve(process.cwd(), "bin");
+const CACERT_URL = "https://curl.se/ca/cacert.pem";
 
 interface PlatformInfo {
   /** Pattern to match the asset name in GitHub Releases */
@@ -49,11 +50,12 @@ function getPlatformInfo(version: string): PlatformInfo {
   }
 
   if (platform === "win32") {
-    throw new Error(
-      "curl-impersonate CLI binary is not available for Windows.\n" +
-      "The proxy will fall back to system curl.\n" +
-      "For full TLS fingerprint matching, run the proxy on Linux or macOS.",
-    );
+    // Windows: download libcurl-impersonate package (DLL named libcurl.dll)
+    return {
+      assetPattern: /libcurl-impersonate-.*\.x86_64-win32\.tar\.gz/,
+      binaryName: "libcurl.dll",
+      destName: "libcurl.dll",
+    };
   }
 
   throw new Error(`Unsupported platform: ${platform}-${arch}`);
@@ -88,12 +90,14 @@ async function getDownloadUrl(info: PlatformInfo, version: string): Promise<stri
   const asset = release.assets.find((a) => info.assetPattern.test(a.name));
 
   if (!asset) {
-    const cliAssets = release.assets
-      .filter((a) => a.name.startsWith("curl-impersonate-") && !a.name.startsWith("libcurl"))
+    const relevantAssets = release.assets
+      .filter((a) =>
+        a.name.startsWith("curl-impersonate-") || a.name.startsWith("libcurl-impersonate-"),
+      )
       .map((a) => a.name)
       .join("\n  ");
     throw new Error(
-      `No matching asset for pattern ${info.assetPattern}.\nAvailable CLI assets:\n  ${cliAssets}`,
+      `No matching asset for pattern ${info.assetPattern}.\nAvailable assets:\n  ${relevantAssets}`,
     );
   }
 
@@ -118,7 +122,14 @@ function downloadAndExtract(url: string, info: PlatformInfo): void {
   execSync(`curl -L -o "${archivePath}" "${url}"`, { stdio: "inherit" });
 
   console.log(`[setup] Extracting...`);
-  execSync(`tar xzf "${archivePath}" -C "${tmpDir}"`, { stdio: "inherit" });
+  // Windows: tar interprets D: as remote host; --force-local + forward slashes fix this
+  if (process.platform === "win32") {
+    const tarArchive = archivePath.replaceAll("\\", "/");
+    const tarDest = tmpDir.replaceAll("\\", "/");
+    execSync(`tar xzf "${tarArchive}" --force-local -C "${tarDest}"`, { stdio: "inherit" });
+  } else {
+    execSync(`tar xzf "${archivePath}" -C "${tmpDir}"`, { stdio: "inherit" });
+  }
 
   // Find the binary in extracted files (may be in a subdirectory)
   const binary = findFile(tmpDir, info.binaryName);
@@ -132,14 +143,18 @@ function downloadAndExtract(url: string, info: PlatformInfo): void {
   const destPath = resolve(BIN_DIR, info.destName);
   copyFileSync(binary, destPath);
 
-  // Also copy shared libraries (.so/.dylib) if present alongside the binary
+  // Also copy shared libraries (.so/.dylib/.dll) if present alongside the binary
   const libDir = resolve(binary, "..");
   if (existsSync(libDir)) {
     const libs = readdirSync(libDir).filter(
-      (f) => f.endsWith(".so") || f.includes(".so.") || f.endsWith(".dylib"),
+      (f) =>
+        f.endsWith(".so") || f.includes(".so.") ||
+        f.endsWith(".dylib") ||
+        (f.endsWith(".dll") && f !== info.destName),
     );
     for (const lib of libs) {
       copyFileSync(resolve(libDir, lib), resolve(BIN_DIR, lib));
+      console.log(`[setup] Copied companion library: ${lib}`);
     }
   }
 
@@ -178,6 +193,33 @@ function listFilesRecursive(dir: string): string[] {
   return results;
 }
 
+/**
+ * Download Mozilla CA certificate bundle for BoringSSL (used on Windows).
+ * libcurl-impersonate uses BoringSSL which doesn't read the Windows cert store,
+ * so we need an explicit CA bundle.
+ */
+async function downloadCaCert(force: boolean): Promise<void> {
+  const caPath = resolve(BIN_DIR, "cacert.pem");
+  if (existsSync(caPath) && !force) {
+    console.log(`[setup] cacert.pem already exists`);
+    return;
+  }
+
+  console.log(`[setup] Downloading CA bundle from ${CACERT_URL}...`);
+  const resp = await fetch(CACERT_URL);
+  if (!resp.ok) {
+    console.warn(`[setup] Warning: could not download CA bundle (${resp.status}). HTTPS may fail.`);
+    return;
+  }
+
+  const content = await resp.text();
+  if (!existsSync(BIN_DIR)) {
+    mkdirSync(BIN_DIR, { recursive: true });
+  }
+  writeFileSync(caPath, content, "utf-8");
+  console.log(`[setup] Installed CA bundle to ${caPath}`);
+}
+
 async function main() {
   const checkOnly = process.argv.includes("--check");
   const force = process.argv.includes("--force");
@@ -187,26 +229,23 @@ async function main() {
   console.log(`[setup] curl-impersonate setup (${version})`);
   console.log(`[setup] Platform: ${process.platform}-${process.arch}`);
 
-  if (process.platform === "win32") {
-    console.warn(
-      "[setup] curl-impersonate CLI binary is not available for Windows.\n" +
-      "[setup] The proxy will use system curl. For full TLS fingerprint matching,\n" +
-      "[setup] deploy on Linux or macOS.",
-    );
-    return;
-  }
-
-  const destBinary = resolve(BIN_DIR, "curl-impersonate");
+  const info = getPlatformInfo(version);
+  const isWindowsDll = process.platform === "win32";
+  const destBinary = resolve(BIN_DIR, info.destName);
 
   if (checkOnly) {
     if (existsSync(destBinary)) {
-      try {
-        const ver = execSync(`"${destBinary}" --version`, { encoding: "utf-8" }).trim().split("\n")[0];
-        console.log(`[setup] Current: ${ver}`);
-        console.log(`[setup] Latest:  ${version}`);
-      } catch {
-        console.log(`[setup] Binary exists but version check failed`);
+      if (isWindowsDll) {
+        console.log(`[setup] ${info.destName} exists`);
+      } else {
+        try {
+          const ver = execSync(`"${destBinary}" --version`, { encoding: "utf-8" }).trim().split("\n")[0];
+          console.log(`[setup] Current: ${ver}`);
+        } catch {
+          console.log(`[setup] Binary exists but version check failed`);
+        }
       }
+      console.log(`[setup] Latest:  ${version}`);
     } else {
       console.log(`[setup] Not installed. Latest: ${version}`);
     }
@@ -223,16 +262,21 @@ async function main() {
     console.log(`[setup] Removed existing binary for forced re-download.`);
   }
 
-  const info = getPlatformInfo(version);
   const url = await getDownloadUrl(info, version);
   downloadAndExtract(url, info);
 
-  // Verify the binary runs
-  try {
-    const ver = execSync(`"${destBinary}" --version`, { encoding: "utf-8" }).trim().split("\n")[0];
-    console.log(`[setup] Verified: ${ver}`);
-  } catch {
-    console.warn(`[setup] Warning: could not verify binary. It may need shared libraries.`);
+  // Verify the binary runs (skip for Windows DLL — no CLI to test)
+  if (!isWindowsDll) {
+    try {
+      const ver = execSync(`"${destBinary}" --version`, { encoding: "utf-8" }).trim().split("\n")[0];
+      console.log(`[setup] Verified: ${ver}`);
+    } catch {
+      console.warn(`[setup] Warning: could not verify binary. It may need shared libraries.`);
+    }
+  } else {
+    console.log(`[setup] Installed libcurl-impersonate DLL for FFI transport`);
+    // BoringSSL needs a CA bundle — download it
+    await downloadCaCert(force);
   }
 
   console.log(`[setup] Done! curl-impersonate is ready.`);

src/config.ts

@@ -47,6 +47,7 @@ const ConfigSchema = z.object({
     curl_binary: z.string().default("auto"),
     impersonate_profile: z.string().default("chrome136"),
     proxy_url: z.string().nullable().default(null),
+    transport: z.enum(["auto", "curl-cli", "libcurl-ffi"]).default("auto"),
   }).default({}),
   streaming: z.object({
     status_as_content: z.boolean().default(false),

src/index.ts

@@ -16,6 +16,7 @@ import { createWebRoutes } from "./routes/web.js";
 import { CookieJar } from "./proxy/cookie-jar.js";
 import { startUpdateChecker, stopUpdateChecker } from "./update-checker.js";
 import { initProxy } from "./tls/curl-binary.js";
+import { initTransport } from "./tls/transport.js";
 
 async function main() {
   // Load configuration
@@ -34,6 +35,9 @@ async function main() {
   // Detect proxy (config > env > auto-detect local ports)
   await initProxy();
 
+  // Initialize TLS transport (auto-selects curl CLI or libcurl FFI)
+  await initTransport();
+
   // Initialize managers
   const accountPool = new AccountPool();
   const refreshScheduler = new RefreshScheduler(accountPool);

src/proxy/codex-api.ts

@@ -5,13 +5,12 @@
  * This is the API the Codex CLI actually uses.
  * It requires: instructions, store: false, stream: true.
  *
- * Both GET and POST requests use curl subprocess to avoid
- * Cloudflare TLS fingerprinting of Node.js/undici.
+ * All upstream requests go through the TLS transport layer
+ * (curl CLI or libcurl FFI) to avoid Cloudflare TLS fingerprinting.
  */
 
-import { spawn, execFile } from "child_process";
 import { getConfig } from "../config.js";
-import { resolveCurlBinary, getChromeTlsArgs, getProxyArgs, isImpersonate } from "../tls/curl-binary.js";
+import { getTransport } from "../tls/transport.js";
 import {
   buildHeaders,
   buildHeadersWithContentType,
@@ -43,13 +42,6 @@ export interface CodexSSEEvent {
   data: unknown;
 }
 
-interface CurlResponse {
-  status: number;
-  headers: Headers;
-  body: ReadableStream<Uint8Array>;
-  setCookieHeaders: string[];
-}
-
 export class CodexApi {
   private token: string;
   private accountId: string | null;
@@ -81,195 +73,40 @@ export class CodexApi {
     return headers;
   }
 
-  /** Capture Set-Cookie headers from curl response into the jar. */
-  private captureCookiesFromCurl(setCookieHeaders: string[]): void {
+  /** Capture Set-Cookie headers from transport response into the jar. */
+  private captureCookies(setCookieHeaders: string[]): void {
     if (this.cookieJar && this.entryId && setCookieHeaders.length > 0) {
       this.cookieJar.captureRaw(this.entryId, setCookieHeaders);
     }
   }
 
-  /**
-   * Execute a POST request via curl subprocess.
-   * Returns headers + streaming body as a CurlResponse.
-   */
-  private curlPost(
-    url: string,
-    headers: Record<string, string>,
-    body: string,
-    signal?: AbortSignal,
-    timeoutSec?: number,
-  ): Promise<CurlResponse> {
-    return new Promise((resolve, reject) => {
-      const args = [
-        ...getChromeTlsArgs(), // Chrome TLS profile (ciphers, HTTP/2, etc.)
-        ...getProxyArgs(),     // HTTP/SOCKS5 proxy if configured
-        "-s", "-S",            // silent but show errors
-        "--compressed",         // curl negotiates compression
-        "-N",                   // no output buffering (SSE)
-        "-i",                   // include response headers in stdout
-        "-X", "POST",
-        "--data-binary", "@-",  // read body from stdin
-      ];
-
-      if (timeoutSec) {
-        args.push("--max-time", String(timeoutSec));
-      }
-
-      // Pass all headers explicitly in our fingerprint order.
-      // Accept-Encoding is kept so curl doesn't inject its own at position 2.
-      // --compressed still handles auto-decompression of the response.
-      for (const [key, value] of Object.entries(headers)) {
-        args.push("-H", `${key}: ${value}`);
-      }
-      // Suppress curl's auto Expect: 100-continue (Chromium never sends it)
-      args.push("-H", "Expect:");
-      args.push(url);
-
-      const child = spawn(resolveCurlBinary(), args, {
-        stdio: ["pipe", "pipe", "pipe"],
-      });
-
-      // Abort handling
-      const onAbort = () => {
-        child.kill("SIGTERM");
-      };
-      if (signal) {
-        if (signal.aborted) {
-          child.kill("SIGTERM");
-          reject(new Error("Aborted"));
-          return;
-        }
-        signal.addEventListener("abort", onAbort, { once: true });
-      }
-
-      // Write body to stdin then close
-      child.stdin.write(body);
-      child.stdin.end();
-
-      let headerBuf = Buffer.alloc(0);
-      let headersParsed = false;
-      let bodyController: ReadableStreamDefaultController<Uint8Array> | null = null;
-
-      // P0-1: Header parse timeout — kill curl if headers aren't received within 30s
-      const HEADER_TIMEOUT_MS = 30_000;
-      const headerTimer = setTimeout(() => {
-        if (!headersParsed) {
-          child.kill("SIGTERM");
-          reject(new CodexApiError(0, `curl header parse timeout after ${HEADER_TIMEOUT_MS}ms`));
-        }
-      }, HEADER_TIMEOUT_MS);
-      if (headerTimer.unref) headerTimer.unref();
-
-      const bodyStream = new ReadableStream<Uint8Array>({
-        start(c) {
-          bodyController = c;
-        },
-        cancel() {
-          child.kill("SIGTERM");
-        },
-      });
-
-      child.stdout.on("data", (chunk: Buffer) => {
-        if (headersParsed) {
-          bodyController?.enqueue(new Uint8Array(chunk));
-          return;
-        }
-
-        // Accumulate until we find \r\n\r\n header separator
-        headerBuf = Buffer.concat([headerBuf, chunk]);
-        const separatorIdx = headerBuf.indexOf("\r\n\r\n");
-        if (separatorIdx === -1) return;
-
-        headersParsed = true;
-        clearTimeout(headerTimer);
-        const headerBlock = headerBuf.subarray(0, separatorIdx).toString("utf-8");
-        const remaining = headerBuf.subarray(separatorIdx + 4);
-
-        // Parse status and headers
-        const { status, headers: parsedHeaders, setCookieHeaders } = parseHeaderDump(headerBlock);
-
-        // Push remaining data (body after separator) into stream
-        if (remaining.length > 0) {
-          bodyController?.enqueue(new Uint8Array(remaining));
-        }
-
-        if (signal) {
-          signal.removeEventListener("abort", onAbort);
-        }
-
-        resolve({
-          status,
-          headers: parsedHeaders,
-          body: bodyStream,
-          setCookieHeaders,
-        });
-      });
-
-      let stderrBuf = "";
-      child.stderr.on("data", (chunk: Buffer) => {
-        stderrBuf += chunk.toString();
-      });
-
-      child.on("close", (code) => {
-        clearTimeout(headerTimer);
-        if (signal) {
-          signal.removeEventListener("abort", onAbort);
-        }
-        if (!headersParsed) {
-          reject(new CodexApiError(0, `curl exited with code ${code}: ${stderrBuf}`));
-        }
-        bodyController?.close();
-      });
-
-      child.on("error", (err) => {
-        clearTimeout(headerTimer);
-        if (signal) {
-          signal.removeEventListener("abort", onAbort);
-        }
-        reject(new CodexApiError(0, `curl spawn error: ${err.message}`));
-      });
-    });
-  }
-
   /**
    * Query official Codex usage/quota.
    * GET /backend-api/codex/usage
-   *
-   * Uses curl subprocess instead of Node.js fetch because Cloudflare
-   * fingerprints the TLS handshake and blocks Node.js/undici requests
-   * with a JS challenge (403). System curl uses native TLS (WinSSL/SecureTransport)
-   * which Cloudflare accepts.
    */
   async getUsage(): Promise<CodexUsageResponse> {
     const config = getConfig();
+    const transport = getTransport();
     const url = `${config.api.base_url}/codex/usage`;
 
     const headers = this.applyHeaders(
       buildHeaders(this.token, this.accountId),
     );
     headers["Accept"] = "application/json";
-    // When using system curl (not curl-impersonate), downgrade Accept-Encoding
-    // to encodings it can always decompress. curl-impersonate supports br/zstd.
-    if (!isImpersonate()) {
+    // When transport lacks Chrome TLS fingerprint, downgrade Accept-Encoding
+    // to encodings system curl can always decompress.
+    if (!transport.isImpersonate()) {
       headers["Accept-Encoding"] = "gzip, deflate";
     }
 
-    // Build curl args (Chrome TLS profile + proxy + request params)
-    const args = [...getChromeTlsArgs(), ...getProxyArgs(), "-s", "--compressed", "--max-time", "15"];
-    for (const [key, value] of Object.entries(headers)) {
-      args.push("-H", `${key}: ${value}`);
+    let body: string;
+    try {
+      const result = await transport.get(url, headers, 15);
+      body = result.body;
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new CodexApiError(0, `transport GET failed: ${msg}`);
     }
-    args.push(url);
-
-    const body = await new Promise<string>((resolve, reject) => {
-      execFile(resolveCurlBinary(), args, { maxBuffer: 1024 * 1024 }, (err, stdout, stderr) => {
-        if (err) {
-          reject(new CodexApiError(0, `curl failed: ${err.message} ${stderr}`));
-        } else {
-          resolve(stdout);
-        }
-      });
-    });
 
     try {
       const parsed = JSON.parse(body) as CodexUsageResponse;
@@ -287,13 +124,13 @@ export class CodexApi {
   /**
    * Create a response (streaming).
    * Returns the raw Response so the caller can process the SSE stream.
-   * Uses curl subprocess for native TLS fingerprint.
    */
   async createResponse(
     request: CodexResponsesRequest,
     signal?: AbortSignal,
   ): Promise<Response> {
     const config = getConfig();
+    const transport = getTransport();
     const baseUrl = config.api.base_url;
     const url = `${baseUrl}/codex/responses`;
 
@@ -304,15 +141,21 @@ export class CodexApi {
 
     const timeout = config.api.timeout_seconds;
 
-    const curlRes = await this.curlPost(url, headers, JSON.stringify(request), signal, timeout);
+    let transportRes;
+    try {
+      transportRes = await transport.post(url, headers, JSON.stringify(request), signal, timeout);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new CodexApiError(0, msg);
+    }
 
     // Capture cookies
-    this.captureCookiesFromCurl(curlRes.setCookieHeaders);
+    this.captureCookies(transportRes.setCookieHeaders);
 
-    if (curlRes.status < 200 || curlRes.status >= 300) {
-      // Read the body for error details (P0-3: cap at 1MB to prevent memory spikes)
+    if (transportRes.status < 200 || transportRes.status >= 300) {
+      // Read the body for error details (cap at 1MB to prevent memory spikes)
       const MAX_ERROR_BODY = 1024 * 1024; // 1MB
-      const reader = curlRes.body.getReader();
+      const reader = transportRes.body.getReader();
       const chunks: Uint8Array[] = [];
       let totalSize = 0;
       while (true) {
@@ -322,7 +165,6 @@ export class CodexApi {
         if (totalSize <= MAX_ERROR_BODY) {
           chunks.push(value);
         } else {
-          // Truncate: push only the part that fits
           const overshoot = totalSize - MAX_ERROR_BODY;
           if (value.byteLength > overshoot) {
             chunks.push(value.subarray(0, value.byteLength - overshoot));
@@ -332,12 +174,12 @@ export class CodexApi {
         }
       }
       const errorBody = Buffer.concat(chunks).toString("utf-8");
-      throw new CodexApiError(curlRes.status, errorBody);
+      throw new CodexApiError(transportRes.status, errorBody);
     }
 
-    return new Response(curlRes.body, {
-      status: curlRes.status,
-      headers: curlRes.headers,
+    return new Response(transportRes.body, {
+      status: transportRes.status,
+      headers: transportRes.headers,
     });
   }
 
@@ -415,38 +257,6 @@ export class CodexApi {
   }
 }
 
-/** Parse the HTTP response header block from curl -i output. */
-function parseHeaderDump(headerBlock: string): {
-  status: number;
-  headers: Headers;
-  setCookieHeaders: string[];
-} {
-  const lines = headerBlock.split("\r\n");
-  let status = 0;
-  const headers = new Headers();
-  const setCookieHeaders: string[] = [];
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    if (i === 0) {
-      // Status line: HTTP/1.1 200 OK
-      const match = line.match(/^HTTP\/[\d.]+ (\d+)/);
-      if (match) status = parseInt(match[1], 10);
-      continue;
-    }
-    const colonIdx = line.indexOf(":");
-    if (colonIdx === -1) continue;
-    const key = line.slice(0, colonIdx).trim();
-    const value = line.slice(colonIdx + 1).trim();
-    if (key.toLowerCase() === "set-cookie") {
-      setCookieHeaders.push(value);
-    }
-    headers.append(key, value);
-  }
-
-  return { status, headers, setCookieHeaders };
-}
-
 /** Response from GET /backend-api/codex/usage */
 export interface CodexUsageRateWindow {
   used_percent: number;

src/tls/curl-binary.ts

@@ -219,6 +219,14 @@ export function isImpersonate(): boolean {
   return _isImpersonate;
 }
 
+/**
+ * Get the detected proxy URL (or null if no proxy).
+ * Used by LibcurlFfiTransport which needs the URL directly (not CLI args).
+ */
+export function getProxyUrl(): string | null {
+  return _proxyUrl ?? null;
+}
+
 /**
  * Reset the cached binary path (useful for testing).
  */

src/tls/curl-cli-transport.ts

@@ -0,0 +1,273 @@
+/**
+ * CurlCliTransport — TLS transport using curl CLI subprocess.
+ *
+ * Extracted from codex-api.ts (curlPost) and curl-fetch.ts (execCurl).
+ * Supports both streaming POST (SSE) and simple GET/POST.
+ *
+ * Used on macOS/Linux (curl-impersonate CLI) and as fallback on Windows (system curl).
+ */
+
+import { spawn, execFile } from "child_process";
+import { resolveCurlBinary, getChromeTlsArgs, getProxyArgs, isImpersonate as curlIsImpersonate } from "./curl-binary.js";
+import type { TlsTransport, TlsTransportResponse } from "./transport.js";
+
+const STATUS_SEPARATOR = "\n__CURL_HTTP_STATUS__";
+const HEADER_TIMEOUT_MS = 30_000;
+
+export class CurlCliTransport implements TlsTransport {
+  /**
+   * Streaming POST — spawns curl with -i to capture headers + stream body.
+   * Used for SSE requests to Codex Responses API.
+   */
+  post(
+    url: string,
+    headers: Record<string, string>,
+    body: string,
+    signal?: AbortSignal,
+    timeoutSec?: number,
+  ): Promise<TlsTransportResponse> {
+    return new Promise((resolve, reject) => {
+      const args = [
+        ...getChromeTlsArgs(),
+        ...getProxyArgs(),
+        "-s", "-S",
+        "--compressed",
+        "-N",            // no output buffering (SSE)
+        "-i",            // include response headers in stdout
+        "-X", "POST",
+        "--data-binary", "@-",  // read body from stdin
+      ];
+
+      if (timeoutSec) {
+        args.push("--max-time", String(timeoutSec));
+      }
+
+      for (const [key, value] of Object.entries(headers)) {
+        args.push("-H", `${key}: ${value}`);
+      }
+      // Suppress curl's auto Expect: 100-continue (Chromium never sends it)
+      args.push("-H", "Expect:");
+      args.push(url);
+
+      const child = spawn(resolveCurlBinary(), args, {
+        stdio: ["pipe", "pipe", "pipe"],
+      });
+
+      // Abort handling
+      const onAbort = () => {
+        child.kill("SIGTERM");
+      };
+      if (signal) {
+        if (signal.aborted) {
+          child.kill("SIGTERM");
+          reject(new Error("Aborted"));
+          return;
+        }
+        signal.addEventListener("abort", onAbort, { once: true });
+      }
+
+      // Write body to stdin then close
+      child.stdin.write(body);
+      child.stdin.end();
+
+      let headerBuf = Buffer.alloc(0);
+      let headersParsed = false;
+      let bodyController: ReadableStreamDefaultController<Uint8Array> | null = null;
+
+      // Header parse timeout — kill curl if headers aren't received
+      const headerTimer = setTimeout(() => {
+        if (!headersParsed) {
+          child.kill("SIGTERM");
+          reject(new Error(`curl header parse timeout after ${HEADER_TIMEOUT_MS}ms`));
+        }
+      }, HEADER_TIMEOUT_MS);
+      if (headerTimer.unref) headerTimer.unref();
+
+      const bodyStream = new ReadableStream<Uint8Array>({
+        start(c) {
+          bodyController = c;
+        },
+        cancel() {
+          child.kill("SIGTERM");
+        },
+      });
+
+      child.stdout.on("data", (chunk: Buffer) => {
+        if (headersParsed) {
+          bodyController?.enqueue(new Uint8Array(chunk));
+          return;
+        }
+
+        // Accumulate until we find \r\n\r\n header separator
+        headerBuf = Buffer.concat([headerBuf, chunk]);
+        const separatorIdx = headerBuf.indexOf("\r\n\r\n");
+        if (separatorIdx === -1) return;
+
+        headersParsed = true;
+        clearTimeout(headerTimer);
+        const headerBlock = headerBuf.subarray(0, separatorIdx).toString("utf-8");
+        const remaining = headerBuf.subarray(separatorIdx + 4);
+
+        const { status, headers: parsedHeaders, setCookieHeaders } = parseHeaderDump(headerBlock);
+
+        if (remaining.length > 0) {
+          bodyController?.enqueue(new Uint8Array(remaining));
+        }
+
+        if (signal) {
+          signal.removeEventListener("abort", onAbort);
+        }
+
+        resolve({
+          status,
+          headers: parsedHeaders,
+          body: bodyStream,
+          setCookieHeaders,
+        });
+      });
+
+      let stderrBuf = "";
+      child.stderr.on("data", (chunk: Buffer) => {
+        stderrBuf += chunk.toString();
+      });
+
+      child.on("close", (code) => {
+        clearTimeout(headerTimer);
+        if (signal) {
+          signal.removeEventListener("abort", onAbort);
+        }
+        if (!headersParsed) {
+          reject(new Error(`curl exited with code ${code}: ${stderrBuf}`));
+        }
+        bodyController?.close();
+      });
+
+      child.on("error", (err) => {
+        clearTimeout(headerTimer);
+        if (signal) {
+          signal.removeEventListener("abort", onAbort);
+        }
+        reject(new Error(`curl spawn error: ${err.message}`));
+      });
+    });
+  }
+
+  /**
+   * Simple GET — execFile curl, returns full body as string.
+   */
+  get(
+    url: string,
+    headers: Record<string, string>,
+    timeoutSec = 30,
+  ): Promise<{ status: number; body: string }> {
+    const args = [
+      ...getChromeTlsArgs(),
+      ...getProxyArgs(),
+      "-s", "-S",
+      "--compressed",
+      "--max-time", String(timeoutSec),
+    ];
+
+    for (const [key, value] of Object.entries(headers)) {
+      args.push("-H", `${key}: ${value}`);
+    }
+    args.push("-H", "Expect:");
+    args.push("-w", STATUS_SEPARATOR + "%{http_code}");
+    args.push(url);
+
+    return execCurl(args);
+  }
+
+  /**
+   * Simple (non-streaming) POST — execFile curl, returns full body as string.
+   * Used for OAuth token exchange, device code requests, etc.
+   */
+  simplePost(
+    url: string,
+    headers: Record<string, string>,
+    body: string,
+    timeoutSec = 30,
+  ): Promise<{ status: number; body: string }> {
+    const args = [
+      ...getChromeTlsArgs(),
+      ...getProxyArgs(),
+      "-s", "-S",
+      "--compressed",
+      "--max-time", String(timeoutSec),
+      "-X", "POST",
+    ];
+
+    for (const [key, value] of Object.entries(headers)) {
+      args.push("-H", `${key}: ${value}`);
+    }
+    args.push("-H", "Expect:");
+    args.push("-d", body);
+    args.push("-w", STATUS_SEPARATOR + "%{http_code}");
+    args.push(url);
+
+    return execCurl(args);
+  }
+
+  isImpersonate(): boolean {
+    return curlIsImpersonate();
+  }
+}
+
+/** Execute curl via execFile and parse the status code from the output. */
+function execCurl(args: string[]): Promise<{ status: number; body: string }> {
+  return new Promise((resolve, reject) => {
+    execFile(
+      resolveCurlBinary(),
+      args,
+      { maxBuffer: 2 * 1024 * 1024 },
+      (err, stdout, stderr) => {
+        if (err) {
+          reject(new Error(`curl failed: ${err.message} ${stderr}`));
+          return;
+        }
+
+        const sepIdx = stdout.lastIndexOf(STATUS_SEPARATOR);
+        if (sepIdx === -1) {
+          reject(new Error("curl: missing status separator in output"));
+          return;
+        }
+
+        const body = stdout.slice(0, sepIdx);
+        const status = parseInt(stdout.slice(sepIdx + STATUS_SEPARATOR.length), 10);
+
+        resolve({ status, body });
+      },
+    );
+  });
+}
+
+/** Parse HTTP response header block from curl -i output. */
+function parseHeaderDump(headerBlock: string): {
+  status: number;
+  headers: Headers;
+  setCookieHeaders: string[];
+} {
+  const lines = headerBlock.split("\r\n");
+  let status = 0;
+  const headers = new Headers();
+  const setCookieHeaders: string[] = [];
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (i === 0) {
+      const match = line.match(/^HTTP\/[\d.]+ (\d+)/);
+      if (match) status = parseInt(match[1], 10);
+      continue;
+    }
+    const colonIdx = line.indexOf(":");
+    if (colonIdx === -1) continue;
+    const key = line.slice(0, colonIdx).trim();
+    const value = line.slice(colonIdx + 1).trim();
+    if (key.toLowerCase() === "set-cookie") {
+      setCookieHeaders.push(value);
+    }
+    headers.append(key, value);
+  }
+
+  return { status, headers, setCookieHeaders };
+}

src/tls/curl-fetch.ts

@@ -1,14 +1,14 @@
 /**
- * Simple GET/POST helpers using curl-impersonate.
+ * Simple GET/POST helpers using the TLS transport layer.
  *
  * Drop-in replacement for Node.js fetch() that routes through
- * curl-impersonate with Chrome TLS profile to avoid fingerprinting.
+ * the active transport (curl CLI or libcurl FFI) with Chrome TLS profile.
  *
+ * Automatically injects anonymous fingerprint headers.
  * Used for non-streaming requests (OAuth, appcast, etc.).
  */
 
-import { execFile } from "child_process";
-import { resolveCurlBinary, getChromeTlsArgs, getProxyArgs } from "./curl-binary.js";
+import { getTransport } from "./transport.js";
 import { buildAnonymousHeaders } from "../fingerprint/manager.js";
 
 export interface CurlFetchResponse {
@@ -17,96 +17,37 @@ export interface CurlFetchResponse {
   ok: boolean;
 }
 
-const STATUS_SEPARATOR = "\n__CURL_HTTP_STATUS__";
-
 /**
- * Perform a GET request via curl-impersonate.
+ * Perform a GET request via the TLS transport.
  */
-export function curlFetchGet(url: string): Promise<CurlFetchResponse> {
-  const args = [
-    ...getChromeTlsArgs(),
-    ...getProxyArgs(),
-    "-s", "-S",
-    "--compressed",
-    "--max-time", "30",
-  ];
-
-  // Inject fingerprint headers (User-Agent, sec-ch-ua, Accept-Encoding, etc.)
-  const fpHeaders = buildAnonymousHeaders();
-  for (const [key, value] of Object.entries(fpHeaders)) {
-    args.push("-H", `${key}: ${value}`);
-  }
-  args.push("-H", "Expect:");
-
-  args.push(
-    "-w", STATUS_SEPARATOR + "%{http_code}",
-    url,
-  );
-
-  return execCurl(args);
+export async function curlFetchGet(url: string): Promise<CurlFetchResponse> {
+  const transport = getTransport();
+  const headers = buildAnonymousHeaders();
+
+  const result = await transport.get(url, headers, 30);
+  return {
+    status: result.status,
+    body: result.body,
+    ok: result.status >= 200 && result.status < 300,
+  };
 }
 
 /**
- * Perform a POST request via curl-impersonate.
+ * Perform a POST request via the TLS transport.
  */
-export function curlFetchPost(
+export async function curlFetchPost(
   url: string,
   contentType: string,
   body: string,
 ): Promise<CurlFetchResponse> {
-  const args = [
-    ...getChromeTlsArgs(),
-    ...getProxyArgs(),
-    "-s", "-S",
-    "--compressed",
-    "--max-time", "30",
-    "-X", "POST",
-  ];
-
-  // Inject fingerprint headers (User-Agent, sec-ch-ua, Accept-Encoding, etc.)
-  const fpHeaders = buildAnonymousHeaders();
-  for (const [key, value] of Object.entries(fpHeaders)) {
-    args.push("-H", `${key}: ${value}`);
-  }
-  args.push("-H", `Content-Type: ${contentType}`);
-  args.push("-H", "Expect:");
-
-  args.push(
-    "-d", body,
-    "-w", STATUS_SEPARATOR + "%{http_code}",
-    url,
-  );
-
-  return execCurl(args);
-}
-
-function execCurl(args: string[]): Promise<CurlFetchResponse> {
-  return new Promise((resolve, reject) => {
-    execFile(
-      resolveCurlBinary(),
-      args,
-      { maxBuffer: 2 * 1024 * 1024 },
-      (err, stdout, stderr) => {
-        if (err) {
-          reject(new Error(`curl failed: ${err.message} ${stderr}`));
-          return;
-        }
-
-        const sepIdx = stdout.lastIndexOf(STATUS_SEPARATOR);
-        if (sepIdx === -1) {
-          reject(new Error(`curl: missing status separator in output`));
-          return;
-        }
-
-        const body = stdout.slice(0, sepIdx);
-        const status = parseInt(stdout.slice(sepIdx + STATUS_SEPARATOR.length), 10);
-
-        resolve({
-          status,
-          body,
-          ok: status >= 200 && status < 300,
-        });
-      },
-    );
-  });
+  const transport = getTransport();
+  const headers = buildAnonymousHeaders();
+  headers["Content-Type"] = contentType;
+
+  const result = await transport.simplePost(url, headers, body, 30);
+  return {
+    status: result.status,
+    body: result.body,
+    ok: result.status >= 200 && result.status < 300,
+  };
 }

src/tls/libcurl-ffi-transport.ts

@@ -0,0 +1,505 @@
+/**
+ * LibcurlFfiTransport — TLS transport using koffi FFI to libcurl-impersonate.
+ *
+ * Loads libcurl-impersonate shared library (DLL on Windows, .so/.dylib on others)
+ * and calls the C API directly. Uses curl_multi for non-blocking streaming.
+ *
+ * This provides Chrome TLS fingerprint on Windows where the curl-impersonate
+ * CLI binary is not available.
+ */
+
+import { resolve } from "path";
+import { existsSync } from "fs";
+import type { IKoffiLib, IKoffiCType, IKoffiRegisteredCallback, KoffiFunction } from "koffi";
+import type { TlsTransport, TlsTransportResponse } from "./transport.js";
+import { getProxyUrl } from "./curl-binary.js";
+
+// ── libcurl constants ──────────────────────────────────────────────
+
+const CURLOPT_URL = 10002;
+const CURLOPT_HTTPHEADER = 10023;
+const CURLOPT_POSTFIELDS = 10015;
+const CURLOPT_POSTFIELDSIZE = 60;
+const CURLOPT_WRITEFUNCTION = 20011;
+const CURLOPT_HEADERFUNCTION = 20079;
+const CURLOPT_POST = 47;
+const CURLOPT_NOSIGNAL = 99;
+const CURLOPT_TIMEOUT = 13;
+const CURLOPT_PROXY = 10004;
+const CURLOPT_CAINFO = 10065;
+const CURLOPT_ACCEPT_ENCODING = 10102;
+const CURLOPT_HTTP_VERSION = 84;
+const CURL_HTTP_VERSION_2_0 = 3;
+const CURLINFO_RESPONSE_CODE = 0x200002;
+const CURLM_OK = 0;
+const HEADER_TIMEOUT_MS = 30_000;
+
+// ── Branded opaque handle types ──────────────────────────────────
+
+/** Opaque C pointer returned by curl_easy_init(). */
+type CurlHandle = { readonly __brand: "CURL" };
+/** Opaque C pointer returned by curl_multi_init(). */
+type CurlMultiHandle = { readonly __brand: "CURLM" };
+/** Opaque C pointer for curl_slist linked list. */
+type SlistHandle = { readonly __brand: "curl_slist" } | null;
+
+/** koffi module loaded via dynamic import (same shape as `typeof import("koffi")`). */
+type KoffiModule = typeof import("koffi");
+
+// ── CurlBindings: strongly typed FFI function signatures ─────────
+
+interface CurlBindings {
+  koffi: KoffiModule;
+  lib: IKoffiLib;
+  writeCallbackType: IKoffiCType;
+  headerCallbackType: IKoffiCType;
+  caPath: string | null;
+
+  curl_easy_init: KoffiFunction;
+  curl_easy_cleanup: KoffiFunction;
+  curl_easy_setopt_long: KoffiFunction;
+  curl_easy_setopt_str: KoffiFunction;
+  curl_easy_setopt_ptr: KoffiFunction;
+  curl_easy_setopt_cb: KoffiFunction;
+  curl_easy_setopt_header_cb: KoffiFunction;
+  curl_easy_getinfo_long: KoffiFunction;
+  curl_easy_impersonate: KoffiFunction;
+  curl_easy_perform: KoffiFunction;
+  curl_slist_append: KoffiFunction;
+  curl_slist_free_all: KoffiFunction;
+  curl_multi_init: KoffiFunction;
+  curl_multi_add_handle: KoffiFunction;
+  curl_multi_remove_handle: KoffiFunction;
+  curl_multi_perform: KoffiFunction;
+  curl_multi_poll: KoffiFunction;
+  curl_multi_cleanup: KoffiFunction;
+}
+
+/** Promisify a koffi KoffiFunction.async() call (callback as last arg). */
+function asyncCall(fn: KoffiFunction, ...args: unknown[]): Promise<number> {
+  return new Promise((resolve, reject) => {
+    fn.async(...args, (err: unknown, result: number) => {
+      if (err) reject(err); else resolve(result);
+    });
+  });
+}
+
+// ── FFI initialization ─────────────────────────────────────────────
+
+function resolveLibPath(): string | null {
+  const binDir = resolve(process.cwd(), "bin");
+  const candidates: string[] = [];
+
+  if (process.platform === "win32") {
+    // lexiforest/curl-impersonate ships the Windows DLL as libcurl.dll
+    candidates.push(resolve(binDir, "libcurl.dll"));
+  } else if (process.platform === "darwin") {
+    candidates.push(resolve(binDir, "libcurl-impersonate.dylib"));
+  } else {
+    candidates.push(resolve(binDir, "libcurl-impersonate.so"));
+  }
+
+  for (const p of candidates) {
+    if (existsSync(p)) return p;
+  }
+  return null;
+}
+
+function resolveCaPath(): string | null {
+  const candidate = resolve(process.cwd(), "bin", "cacert.pem");
+  return existsSync(candidate) ? candidate : null;
+}
+
+async function initBindings(): Promise<CurlBindings> {
+  let koffi: KoffiModule;
+  try {
+    const mod = await import("koffi");
+    koffi = mod.default ?? mod;
+  } catch {
+    throw new Error("koffi package not installed. Run: npm install koffi");
+  }
+
+  const dllPath = resolveLibPath();
+  if (!dllPath) {
+    throw new Error(
+      "libcurl-impersonate shared library not found. Run: npm run setup",
+    );
+  }
+
+  const lib: IKoffiLib = koffi.load(dllPath);
+
+  // Define opaque pointer types (referenced by string name in signatures)
+  koffi.pointer("CURL", koffi.opaque());
+  koffi.pointer("CURLM", koffi.opaque());
+  koffi.pointer("curl_slist", koffi.opaque());
+
+  // Callback prototypes
+  const writeCallbackType: IKoffiCType = koffi.proto("size_t write_cb(const uint8_t *ptr, size_t size, size_t nmemb, intptr_t userdata)");
+  const headerCallbackType: IKoffiCType = koffi.proto("size_t header_cb(const uint8_t *ptr, size_t size, size_t nmemb, intptr_t userdata)");
+
+  // Bind functions — use string names for pointer types (not template literals)
+  const curl_global_init = lib.func("int curl_global_init(int flags)");
+  const curl_easy_init = lib.func("CURL *curl_easy_init()");
+  const curl_easy_cleanup = lib.func("void curl_easy_cleanup(CURL *handle)");
+  const curl_easy_setopt_long = lib.func("int curl_easy_setopt(CURL *handle, int option, long value)");
+  const curl_easy_setopt_str = lib.func("int curl_easy_setopt(CURL *handle, int option, const char *value)");
+  const curl_easy_setopt_ptr = lib.func("int curl_easy_setopt(CURL *handle, int option, curl_slist *value)");
+  const curl_easy_setopt_cb = lib.func("int curl_easy_setopt(CURL *handle, int option, write_cb *value)");
+  const curl_easy_setopt_header_cb = lib.func("int curl_easy_setopt(CURL *handle, int option, header_cb *value)");
+  const curl_easy_getinfo_long = lib.func("int curl_easy_getinfo(CURL *handle, int info, _Out_ int *value)");
+  const curl_easy_impersonate = lib.func("int curl_easy_impersonate(CURL *handle, const char *target, int default_headers)");
+  const curl_easy_perform = lib.func("int curl_easy_perform(CURL *handle)");
+  const curl_slist_append = lib.func("curl_slist *curl_slist_append(curl_slist *list, const char *string)");
+  const curl_slist_free_all = lib.func("void curl_slist_free_all(curl_slist *list)");
+  const curl_multi_init = lib.func("CURLM *curl_multi_init()");
+  const curl_multi_add_handle = lib.func("int curl_multi_add_handle(CURLM *multi, CURL *easy)");
+  const curl_multi_remove_handle = lib.func("int curl_multi_remove_handle(CURLM *multi, CURL *easy)");
+  const curl_multi_perform = lib.func("int curl_multi_perform(CURLM *multi, _Out_ int *running_handles)");
+  const curl_multi_poll = lib.func("int curl_multi_poll(CURLM *multi, void *extra_fds, int extra_nfds, int timeout_ms, _Out_ int *numfds)");
+  const curl_multi_cleanup = lib.func("int curl_multi_cleanup(CURLM *multi)");
+
+  // Global init (CURL_GLOBAL_DEFAULT = 3)
+  curl_global_init(3);
+
+  const caPath = resolveCaPath();
+  if (caPath) {
+    console.log(`[TLS/FFI] Using CA bundle: ${caPath}`);
+  } else {
+    console.warn("[TLS/FFI] No CA bundle at bin/cacert.pem — HTTPS may fail");
+  }
+
+  return {
+    koffi,
+    lib,
+    writeCallbackType,
+    headerCallbackType,
+    caPath,
+    curl_easy_init,
+    curl_easy_cleanup,
+    curl_easy_setopt_long,
+    curl_easy_setopt_str,
+    curl_easy_setopt_ptr,
+    curl_easy_setopt_cb,
+    curl_easy_setopt_header_cb,
+    curl_easy_getinfo_long,
+    curl_easy_impersonate,
+    curl_easy_perform,
+    curl_slist_append,
+    curl_slist_free_all,
+    curl_multi_init,
+    curl_multi_add_handle,
+    curl_multi_remove_handle,
+    curl_multi_perform,
+    curl_multi_poll,
+    curl_multi_cleanup,
+  };
+}
+
+// ── Transport implementation ───────────────────────────────────────
+
+export class LibcurlFfiTransport implements TlsTransport {
+  private b: CurlBindings;
+
+  constructor(bindings: CurlBindings) {
+    this.b = bindings;
+  }
+
+  /**
+   * Streaming POST using curl_multi event loop.
+   * Data arrives via WRITEFUNCTION callback → pushed into ReadableStream.
+   */
+  post(
+    url: string,
+    headers: Record<string, string>,
+    body: string,
+    signal?: AbortSignal,
+    timeoutSec?: number,
+  ): Promise<TlsTransportResponse> {
+    return new Promise((resolve, reject) => {
+      if (signal?.aborted) {
+        reject(new Error("Aborted"));
+        return;
+      }
+
+      const { easy, slist } = this.setupEasyHandle(url, headers, {
+        method: "POST",
+        body,
+        timeoutSec,
+      });
+
+      const b = this.b;
+      let bodyController: ReadableStreamDefaultController<Uint8Array> | null = null;
+      let headersParsed = false;
+      let statusCode = 0;
+      const responseHeaders = new Headers();
+      const setCookieHeaders: string[] = [];
+
+      // Register persistent WRITEFUNCTION callback
+      const writeCallback: IKoffiRegisteredCallback = b.koffi.register(
+        (ptr: unknown, size: number, nmemb: number, _userdata: unknown): number => {
+          const totalBytes = size * nmemb;
+          if (totalBytes === 0) return 0;
+          const arr = b.koffi.decode(ptr, "uint8_t", totalBytes) as number[];
+          const chunk = new Uint8Array(arr);
+          bodyController?.enqueue(chunk);
+          return totalBytes;
+        },
+        b.koffi.pointer(b.writeCallbackType),
+      );
+
+      // Register HEADERFUNCTION callback to capture response headers
+      const headerCallback: IKoffiRegisteredCallback = b.koffi.register(
+        (ptr: unknown, size: number, nmemb: number, _userdata: unknown): number => {
+          const totalBytes = size * nmemb;
+          if (totalBytes === 0) return 0;
+          const arr = b.koffi.decode(ptr, "uint8_t", totalBytes) as number[];
+          const line = Buffer.from(arr).toString("utf-8");
+
+          const statusMatch = line.match(/^HTTP\/[\d.]+ (\d+)/);
+          if (statusMatch) {
+            statusCode = parseInt(statusMatch[1], 10);
+            return totalBytes;
+          }
+
+          const colonIdx = line.indexOf(":");
+          if (colonIdx !== -1) {
+            const key = line.slice(0, colonIdx).trim();
+            const value = line.slice(colonIdx + 1).trim();
+            if (key.toLowerCase() === "set-cookie") {
+              setCookieHeaders.push(value);
+            }
+            responseHeaders.append(key, value);
+          }
+
+          return totalBytes;
+        },
+        b.koffi.pointer(b.headerCallbackType),
+      );
+
+      b.curl_easy_setopt_cb(easy, CURLOPT_WRITEFUNCTION, writeCallback);
+      b.curl_easy_setopt_header_cb(easy, CURLOPT_HEADERFUNCTION, headerCallback);
+
+      // Create ReadableStream for the body
+      let aborted = false;
+      const bodyStream = new ReadableStream<Uint8Array>({
+        start(c) {
+          bodyController = c;
+        },
+        cancel() {
+          aborted = true;
+        },
+      });
+
+      const onAbort = () => {
+        aborted = true;
+      };
+      if (signal) {
+        signal.addEventListener("abort", onAbort, { once: true });
+      }
+
+      // Use curl_multi for non-blocking operation
+      const multi = b.curl_multi_init() as CurlMultiHandle;
+      b.curl_multi_add_handle(multi, easy);
+
+      const runningHandles = new Int32Array(1);
+      const numfds = new Int32Array(1);
+      let resolved = false;
+
+      const cleanup = () => {
+        b.curl_multi_remove_handle(multi, easy);
+        b.curl_multi_cleanup(multi);
+        b.curl_easy_cleanup(easy);
+        if (slist) b.curl_slist_free_all(slist);
+        b.koffi.unregister(writeCallback);
+        b.koffi.unregister(headerCallback);
+        if (signal) signal.removeEventListener("abort", onAbort);
+      };
+
+      const pollLoop = async () => {
+        try {
+          while (!aborted) {
+            const pollResult = await asyncCall(b.curl_multi_poll, multi, null, 0, 100, numfds);
+            if (pollResult !== CURLM_OK) break;
+
+            const performResult = await asyncCall(b.curl_multi_perform, multi, runningHandles);
+            if (performResult !== CURLM_OK) break;
+
+            // After headers are received, resolve the promise
+            if (!resolved && statusCode > 0) {
+              resolved = true;
+              headersParsed = true;
+              resolve({
+                status: statusCode,
+                headers: responseHeaders,
+                body: bodyStream,
+                setCookieHeaders,
+              });
+            }
+
+            if (runningHandles[0] === 0) break;
+          }
+        } catch (err) {
+          if (!resolved) {
+            reject(err instanceof Error ? err : new Error(String(err)));
+          }
+        } finally {
+          cleanup();
+          bodyController?.close();
+
+          if (!resolved) {
+            reject(new Error("curl: transfer completed without receiving headers"));
+          }
+        }
+      };
+
+      // Header timeout
+      const headerTimer = setTimeout(() => {
+        if (!headersParsed) {
+          aborted = true;
+          if (!resolved) {
+            reject(new Error(`curl header parse timeout after ${HEADER_TIMEOUT_MS}ms`));
+          }
+        }
+      }, HEADER_TIMEOUT_MS);
+      if (headerTimer.unref) headerTimer.unref();
+
+      pollLoop().finally(() => clearTimeout(headerTimer));
+    });
+  }
+
+  async get(
+    url: string,
+    headers: Record<string, string>,
+    timeoutSec = 30,
+  ): Promise<{ status: number; body: string }> {
+    return this.simpleRequest(url, headers, undefined, timeoutSec);
+  }
+
+  async simplePost(
+    url: string,
+    headers: Record<string, string>,
+    body: string,
+    timeoutSec = 30,
+  ): Promise<{ status: number; body: string }> {
+    return this.simpleRequest(url, headers, body, timeoutSec);
+  }
+
+  isImpersonate(): boolean {
+    return true;
+  }
+
+  private async simpleRequest(
+    url: string,
+    headers: Record<string, string>,
+    body: string | undefined,
+    timeoutSec: number,
+  ): Promise<{ status: number; body: string }> {
+    const b = this.b;
+    const { easy, slist } = this.setupEasyHandle(url, headers, {
+      method: body !== undefined ? "POST" : "GET",
+      body,
+      timeoutSec,
+    });
+
+    const chunks: Buffer[] = [];
+
+    const writeCallback: IKoffiRegisteredCallback = b.koffi.register(
+      (ptr: unknown, size: number, nmemb: number, _userdata: unknown): number => {
+        const totalBytes = size * nmemb;
+        if (totalBytes === 0) return 0;
+        const arr = b.koffi.decode(ptr, "uint8_t", totalBytes) as number[];
+        chunks.push(Buffer.from(arr));
+        return totalBytes;
+      },
+      b.koffi.pointer(b.writeCallbackType),
+    );
+
+    b.curl_easy_setopt_cb(easy, CURLOPT_WRITEFUNCTION, writeCallback);
+
+    try {
+      const result = await asyncCall(b.curl_easy_perform, easy);
+      if (result !== 0) {
+        throw new Error(`curl_easy_perform failed with code ${result}`);
+      }
+
+      const statusBuf = new Int32Array(1);
+      b.curl_easy_getinfo_long(easy, CURLINFO_RESPONSE_CODE, statusBuf);
+      const status = statusBuf[0];
+
+      const responseBody = Buffer.concat(chunks).toString("utf-8");
+      return { status, body: responseBody };
+    } finally {
+      b.curl_easy_cleanup(easy);
+      if (slist) b.curl_slist_free_all(slist);
+      b.koffi.unregister(writeCallback);
+    }
+  }
+
+  /** Setup a curl easy handle with common options. */
+  private setupEasyHandle(
+    url: string,
+    headers: Record<string, string>,
+    opts: {
+      method?: "GET" | "POST";
+      body?: string;
+      timeoutSec?: number;
+    } = {},
+  ): { easy: CurlHandle; slist: SlistHandle } {
+    const b = this.b;
+    const easy = b.curl_easy_init() as CurlHandle;
+    if (!easy) throw new Error("curl_easy_init() returned null");
+
+    // Impersonate Chrome — 0 = don't inject default headers (we control them)
+    b.curl_easy_impersonate(easy, "chrome136", 0);
+
+    b.curl_easy_setopt_str(easy, CURLOPT_URL, url);
+    b.curl_easy_setopt_long(easy, CURLOPT_NOSIGNAL, 1);
+    b.curl_easy_setopt_long(easy, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0);
+
+    // Accept-Encoding — let libcurl handle decompression
+    b.curl_easy_setopt_str(easy, CURLOPT_ACCEPT_ENCODING, "");
+
+    // CA bundle for BoringSSL (not using system cert store)
+    if (b.caPath) {
+      b.curl_easy_setopt_str(easy, CURLOPT_CAINFO, b.caPath);
+    }
+
+    if (opts.timeoutSec) {
+      b.curl_easy_setopt_long(easy, CURLOPT_TIMEOUT, opts.timeoutSec);
+    }
+
+    // Proxy
+    const proxyUrl = getProxyUrl();
+    if (proxyUrl) {
+      b.curl_easy_setopt_str(easy, CURLOPT_PROXY, proxyUrl);
+    }
+
+    // Headers — build slist
+    let slist: SlistHandle = null;
+    for (const [key, value] of Object.entries(headers)) {
+      slist = b.curl_slist_append(slist, `${key}: ${value}`) as SlistHandle;
+    }
+    slist = b.curl_slist_append(slist, "Expect:") as SlistHandle;
+    if (slist) {
+      b.curl_easy_setopt_ptr(easy, CURLOPT_HTTPHEADER, slist);
+    }
+
+    // POST body
+    if (opts.method === "POST" || opts.body !== undefined) {
+      const postBody = opts.body ?? "";
+      b.curl_easy_setopt_long(easy, CURLOPT_POST, 1);
+      b.curl_easy_setopt_str(easy, CURLOPT_POSTFIELDS, postBody);
+      b.curl_easy_setopt_long(easy, CURLOPT_POSTFIELDSIZE, Buffer.byteLength(postBody, "utf-8"));
+    }
+
+    return { easy, slist };
+  }
+}
+
+/**
+ * Async factory — loads koffi + libcurl-impersonate and returns a transport instance.
+ */
+export async function createLibcurlFfiTransport(): Promise<LibcurlFfiTransport> {
+  const bindings = await initBindings();
+  return new LibcurlFfiTransport(bindings);
+}

src/tls/transport.ts

@@ -0,0 +1,104 @@
+/**
+ * TLS Transport abstraction — decouples upstream request logic from
+ * the concrete transport (curl CLI subprocess vs libcurl FFI).
+ *
+ * Singleton: call initTransport() once at startup, then getTransport() anywhere.
+ */
+
+import { existsSync } from "fs";
+import { resolve } from "path";
+
+export interface TlsTransportResponse {
+  status: number;
+  headers: Headers;
+  body: ReadableStream<Uint8Array>;
+  setCookieHeaders: string[];
+}
+
+export interface TlsTransport {
+  /** Streaming POST (for SSE). Returns headers + streaming body. */
+  post(
+    url: string,
+    headers: Record<string, string>,
+    body: string,
+    signal?: AbortSignal,
+    timeoutSec?: number,
+  ): Promise<TlsTransportResponse>;
+
+  /** Simple GET — returns full body as string. */
+  get(
+    url: string,
+    headers: Record<string, string>,
+    timeoutSec?: number,
+  ): Promise<{ status: number; body: string }>;
+
+  /** Simple (non-streaming) POST — returns full body as string. */
+  simplePost(
+    url: string,
+    headers: Record<string, string>,
+    body: string,
+    timeoutSec?: number,
+  ): Promise<{ status: number; body: string }>;
+
+  /** Whether this transport provides a Chrome TLS fingerprint. */
+  isImpersonate(): boolean;
+}
+
+let _transport: TlsTransport | null = null;
+
+/**
+ * Initialize the transport singleton. Must be called once at startup
+ * after config and proxy detection are ready.
+ */
+export async function initTransport(): Promise<TlsTransport> {
+  if (_transport) return _transport;
+
+  const { getConfig } = await import("../config.js");
+  const config = getConfig();
+  const setting = config.tls.transport ?? "auto";
+
+  if (setting === "libcurl-ffi" || (setting === "auto" && shouldUseFfi())) {
+    try {
+      const { createLibcurlFfiTransport } = await import("./libcurl-ffi-transport.js");
+      _transport = await createLibcurlFfiTransport();
+      console.log("[TLS] Using libcurl-impersonate FFI transport");
+      return _transport;
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (setting === "libcurl-ffi") {
+        throw new Error(`Failed to initialize libcurl FFI transport: ${msg}`);
+      }
+      console.warn(`[TLS] FFI transport unavailable (${msg}), falling back to curl CLI`);
+    }
+  }
+
+  const { CurlCliTransport } = await import("./curl-cli-transport.js");
+  _transport = new CurlCliTransport();
+  console.log("[TLS] Using curl CLI transport");
+  return _transport;
+}
+
+/**
+ * Get the initialized transport. Throws if initTransport() hasn't been called.
+ */
+export function getTransport(): TlsTransport {
+  if (!_transport) throw new Error("Transport not initialized. Call initTransport() first.");
+  return _transport;
+}
+
+/**
+ * Determine if FFI transport should be used in "auto" mode.
+ * FFI is preferred on Windows where curl-impersonate CLI is unavailable.
+ */
+function shouldUseFfi(): boolean {
+  if (process.platform !== "win32") return false;
+
+  // Check if libcurl-impersonate DLL exists (shipped as libcurl.dll)
+  const dllPath = resolve(process.cwd(), "bin", "libcurl.dll");
+  return existsSync(dllPath);
+}
+
+/** Reset transport singleton (for testing). */
+export function resetTransport(): void {
+  _transport = null;
+}