From 4410bc38992fb14660a036bf7e029353b78db03e Mon Sep 17 00:00:00 2001
From: epli2 <motoryo1@gmail.com>
Date: Thu, 5 Mar 2026 10:20:03 +0900
Subject: [PATCH 1/8] feat(test): add non-invasive Node.js proxy integration
 test with HTTPS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds an integration test that verifies phantom captures HTTP traces from
an existing Node.js app without modifying its code — the same philosophy
as LD_PRELOAD, but for Node.js.

Changes:
- tests/apps/node-app/client.js: proxy-unaware Node.js app (BACKEND_*_URL only)
- tests/apps/node-app/proxy-preload.js: --require shim that monkey-patches
  http/https to route through HTTP_PROXY (CONNECT tunnel for HTTPS)
- tests/proxy_node_integration.rs: Rust integration test with in-process
  HTTP (std::net) and HTTPS (rustls) mock backends; verifies 4 traces
  (2 HTTP + 2 HTTPS MITM) including headers, bodies, trace/span IDs
- crates/phantom-capture: add --insecure mode (NoCertVerifier via rustls
  dangerous API + custom hyper-rustls client) for self-signed backend certs
- src/main.rs: expose --insecure CLI flag
- Cargo.toml: add rustls/rcgen/rustls-pki-types dev-deps

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 Cargo.lock                           |  84 ++++++
 Cargo.toml                           |   8 +
 crates/phantom-capture/Cargo.toml    |   3 +
 crates/phantom-capture/src/proxy.rs  | 119 ++++++++-
 src/main.rs                          |   6 +-
 tests/apps/node-app/client.js        | 102 ++++++++
 tests/apps/node-app/package.json     |   6 +
 tests/apps/node-app/proxy-preload.js | 163 ++++++++++++
 tests/proxy_node_integration.rs      | 370 +++++++++++++++++++++++++++
 9 files changed, 847 insertions(+), 14 deletions(-)
 create mode 100644 tests/apps/node-app/client.js
 create mode 100644 tests/apps/node-app/package.json
 create mode 100644 tests/apps/node-app/proxy-preload.js
 create mode 100644 tests/proxy_node_integration.rs

diff --git a/Cargo.lock b/Cargo.lock
index 629480c..996bcca 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -379,6 +379,22 @@ dependencies = [
  "crossbeam-utils",
 ]
 
+[[package]]
+name = "core-foundation"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
 [[package]]
 name = "cpufeatures"
 version = "0.2.17"
@@ -1000,6 +1016,7 @@ dependencies = [
  "hyper-util",
  "log 0.4.29",
  "rustls",
+ "rustls-native-certs",
  "rustls-pki-types",
  "tokio",
  "tokio-rustls",
@@ -1502,6 +1519,12 @@ version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
+[[package]]
+name = "openssl-probe"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
+
 [[package]]
 name = "option-ext"
 version = "0.2.0"
@@ -1589,8 +1612,12 @@ dependencies = [
  "phantom-core",
  "phantom-storage",
  "phantom-tui",
+ "rcgen",
+ "rustls",
+ "rustls-pki-types",
  "serde",
  "serde_json",
+ "tempfile",
  "tokio",
  "tracing",
  "tracing-subscriber",
@@ -1618,8 +1645,11 @@ dependencies = [
  "http-body-util",
  "hudsucker",
  "hyper",
+ "hyper-rustls",
+ "hyper-util",
  "phantom-core",
  "rand",
+ "rustls",
  "serde",
  "serde_json",
  "tokio",
@@ -1931,6 +1961,28 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "rustls-native-certs"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5bfb394eeed242e909609f56089eecfe5fda225042e8b171791b9c95f5931e5"
+dependencies = [
+ "openssl-probe",
+ "rustls-pemfile",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework",
+]
+
+[[package]]
+name = "rustls-pemfile"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
+dependencies = [
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "rustls-pki-types"
 version = "1.14.0"
@@ -1963,6 +2015,15 @@ version = "1.0.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
 
+[[package]]
+name = "schannel"
+version = "0.1.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "891d81b926048e76efe18581bf793546b4c0eaf8448d72be8de2bbee5fd166e1"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "scoped-tls"
 version = "1.0.1"
@@ -1975,6 +2036,29 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
+[[package]]
+name = "security-framework"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
 [[package]]
 name = "self_cell"
 version = "1.2.2"
diff --git a/Cargo.toml b/Cargo.toml
index b0f9854..4afa1c9 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -42,6 +42,14 @@ clap = { version = "4", features = ["derive"] }
 dirs = "6"
 anyhow = "1"
 
+[dev-dependencies]
+serde_json = { workspace = true }
+serde = { workspace = true }
+tempfile = "3"
+rustls = "0.22"
+rcgen = "0.13"
+rustls-pki-types = "1"
+
 [dev-dependencies.cargo-husky]
 version = "1"
 default-features = false # Disable default run-cargo-test
diff --git a/crates/phantom-capture/Cargo.toml b/crates/phantom-capture/Cargo.toml
index a5940d3..9ddab6c 100644
--- a/crates/phantom-capture/Cargo.toml
+++ b/crates/phantom-capture/Cargo.toml
@@ -15,6 +15,9 @@ bytes = "1"
 http-body-util = "0.1"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
+rustls = "0.22"
+hyper-rustls = "0.26"
+hyper-util = { version = "0.1", features = ["client-legacy", "tokio"] }
 
 # base64 decoding for LD_PRELOAD agent messages (Linux)
 [target.'cfg(target_os = "linux")'.dependencies]
diff --git a/crates/phantom-capture/src/proxy.rs b/crates/phantom-capture/src/proxy.rs
index d30e9ca..04fe55b 100644
--- a/crates/phantom-capture/src/proxy.rs
+++ b/crates/phantom-capture/src/proxy.rs
@@ -18,14 +18,16 @@ const MAX_BODY_SIZE: usize = 1024 * 1024;
 
 pub struct ProxyCaptureBackend {
     listen_port: u16,
+    insecure: bool,
     shutdown_tx: Option<oneshot::Sender<()>>,
     task_handle: Option<tokio::task::JoinHandle<()>>,
 }
 
 impl ProxyCaptureBackend {
-    pub fn new(listen_port: u16) -> Self {
+    pub fn new(listen_port: u16, insecure: bool) -> Self {
         Self {
             listen_port,
+            insecure,
             shutdown_tx: None,
             task_handle: None,
         }
@@ -43,6 +45,7 @@ impl CaptureBackend for ProxyCaptureBackend {
         };
 
         let port = self.listen_port;
+        let insecure = self.insecure;
 
         let task_handle = tokio::spawn(async move {
             let (key_pair, ca_cert) = generate_ca();
@@ -51,18 +54,34 @@ impl CaptureBackend for ProxyCaptureBackend {
             let addr = SocketAddr::from(([127, 0, 0, 1], port));
             info!("Starting proxy on {addr}");
 
-            let proxy = Proxy::builder()
-                .with_addr(addr)
-                .with_rustls_client()
-                .with_ca(ca)
-                .with_http_handler(handler)
-                .with_graceful_shutdown(async {
-                    shutdown_rx.await.ok();
-                })
-                .build();
-
-            if let Err(e) = proxy.start().await {
-                warn!("Proxy error: {e}");
+            if insecure {
+                info!("TLS verification disabled (--insecure)");
+                let client = build_insecure_client();
+                let proxy = Proxy::builder()
+                    .with_addr(addr)
+                    .with_client(client)
+                    .with_ca(ca)
+                    .with_http_handler(handler)
+                    .with_graceful_shutdown(async {
+                        shutdown_rx.await.ok();
+                    })
+                    .build();
+                if let Err(e) = proxy.start().await {
+                    warn!("Proxy error: {e}");
+                }
+            } else {
+                let proxy = Proxy::builder()
+                    .with_addr(addr)
+                    .with_rustls_client()
+                    .with_ca(ca)
+                    .with_http_handler(handler)
+                    .with_graceful_shutdown(async {
+                        shutdown_rx.await.ok();
+                    })
+                    .build();
+                if let Err(e) = proxy.start().await {
+                    warn!("Proxy error: {e}");
+                }
             }
         });
 
@@ -273,3 +292,77 @@ fn rand_bytes<const N: usize>() -> [u8; N] {
     buf.iter_mut().for_each(|b| *b = rand::random());
     buf
 }
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Insecure TLS client (--insecure mode)
+// ─────────────────────────────────────────────────────────────────────────────
+
+/// Build a hyper client that skips all TLS certificate verification.
+/// Used with `--insecure` for testing against backends with self-signed certs.
+fn build_insecure_client() -> hyper_util::client::legacy::Client<
+    hyper_rustls::HttpsConnector<hyper_util::client::legacy::connect::HttpConnector>,
+    Body,
+> {
+    let tls_config = rustls::ClientConfig::builder()
+        .dangerous()
+        .with_custom_certificate_verifier(std::sync::Arc::new(NoCertVerifier))
+        .with_no_client_auth();
+
+    let https = hyper_rustls::HttpsConnectorBuilder::new()
+        .with_tls_config(tls_config)
+        .https_or_http()
+        .enable_http1()
+        .build();
+
+    hyper_util::client::legacy::Client::builder(hyper_util::rt::TokioExecutor::new()).build(https)
+}
+
+/// A [`rustls::client::danger::ServerCertVerifier`] that accepts any certificate.
+/// For testing only — never use in production.
+#[derive(Debug)]
+struct NoCertVerifier;
+
+impl rustls::client::danger::ServerCertVerifier for NoCertVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &rustls::pki_types::CertificateDer<'_>,
+        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
+        _server_name: &rustls::pki_types::ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: rustls::pki_types::UnixTime,
+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+        Ok(rustls::client::danger::ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        vec![
+            rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
+            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
+            rustls::SignatureScheme::ED25519,
+            rustls::SignatureScheme::RSA_PSS_SHA512,
+            rustls::SignatureScheme::RSA_PSS_SHA384,
+            rustls::SignatureScheme::RSA_PSS_SHA256,
+            rustls::SignatureScheme::RSA_PKCS1_SHA512,
+            rustls::SignatureScheme::RSA_PKCS1_SHA384,
+            rustls::SignatureScheme::RSA_PKCS1_SHA256,
+        ]
+    }
+}
diff --git a/src/main.rs b/src/main.rs
index 3058ebc..cfb1e22 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -52,6 +52,10 @@ struct Cli {
     #[arg(short, long, default_value = "8080")]
     port: u16,
 
+    /// Skip TLS certificate verification for backend connections (testing only).
+    #[arg(long, default_value = "false")]
+    insecure: bool,
+
     /// Directory for trace storage.
     #[arg(short, long)]
     data_dir: Option<PathBuf>,
@@ -243,7 +247,7 @@ async fn main() -> anyhow::Result<()> {
 // ─────────────────────────────────────────────────────────────────────────────
 
 async fn run_proxy(cli: Cli, store: Arc<FjallTraceStore>) -> anyhow::Result<()> {
-    let mut backend = ProxyCaptureBackend::new(cli.port);
+    let mut backend = ProxyCaptureBackend::new(cli.port, cli.insecure);
     let backend_name = backend.name().to_string();
     let trace_rx = backend.start().map_err(|e| anyhow::anyhow!("{e}"))?;
 
diff --git a/tests/apps/node-app/client.js b/tests/apps/node-app/client.js
new file mode 100644
index 0000000..2967839
--- /dev/null
+++ b/tests/apps/node-app/client.js
@@ -0,0 +1,102 @@
+// A normal Node.js application that makes HTTP and HTTPS requests.
+// This file contains ZERO proxy configuration — it talks directly to backends.
+// Proxy injection is done externally via: node --require ./proxy-preload.js client.js
+//
+// Environment:
+//   BACKEND_HTTP_URL  — e.g. http://127.0.0.1:3000
+//   BACKEND_HTTPS_URL — e.g. https://127.0.0.1:3443  (optional)
+
+"use strict";
+
+const http = require("http");
+const https = require("https");
+
+const BACKEND_HTTP_URL = process.env.BACKEND_HTTP_URL;
+const BACKEND_HTTPS_URL = process.env.BACKEND_HTTPS_URL;
+
+if (!BACKEND_HTTP_URL) {
+  console.error("BACKEND_HTTP_URL is required");
+  process.exit(1);
+}
+
+// ---------------------------------------------------------------------------
+// Simple promise wrappers around http.get / https.request
+// ---------------------------------------------------------------------------
+
+function httpGet(url) {
+  return new Promise((resolve, reject) => {
+    http.get(url, (res) => {
+      let data = "";
+      res.on("data", (chunk) => (data += chunk));
+      res.on("end", () => resolve({ status: res.statusCode, body: data }));
+    }).on("error", reject);
+  });
+}
+
+function httpsGet(url) {
+  return new Promise((resolve, reject) => {
+    https.get(url, { rejectUnauthorized: false }, (res) => {
+      let data = "";
+      res.on("data", (chunk) => (data += chunk));
+      res.on("end", () => resolve({ status: res.statusCode, body: data }));
+    }).on("error", reject);
+  });
+}
+
+function httpsPost(url, body) {
+  return new Promise((resolve, reject) => {
+    const bodyStr = JSON.stringify(body);
+    const urlObj = new URL(url);
+    const opts = {
+      hostname: urlObj.hostname,
+      port: urlObj.port,
+      path: urlObj.pathname,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(bodyStr),
+      },
+      rejectUnauthorized: false,
+    };
+    const req = https.request(opts, (res) => {
+      let data = "";
+      res.on("data", (chunk) => (data += chunk));
+      res.on("end", () => resolve({ status: res.statusCode, body: data }));
+    });
+    req.on("error", reject);
+    req.write(bodyStr);
+    req.end();
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+async function main() {
+  // ── HTTP requests ────────────────────────────────────────────────────
+  const r1 = await httpGet(`${BACKEND_HTTP_URL}/api/health`);
+  console.log(`http health: status=${r1.status} body=${r1.body}`);
+
+  const r2 = await httpGet(`${BACKEND_HTTP_URL}/api/users`);
+  console.log(`http users: status=${r2.status} body=${r2.body}`);
+
+  // ── HTTPS requests (only if BACKEND_HTTPS_URL is provided) ──────────
+  if (BACKEND_HTTPS_URL) {
+    const r3 = await httpsGet(`${BACKEND_HTTPS_URL}/api/health`);
+    console.log(`https health: status=${r3.status} body=${r3.body}`);
+
+    const r4 = await httpsPost(`${BACKEND_HTTPS_URL}/api/users`, {
+      name: "Charlie",
+      email: "charlie@example.com",
+    });
+    console.log(`https create: status=${r4.status} body=${r4.body}`);
+  }
+
+  console.log("CLIENT_DONE");
+}
+
+main().catch((err) => {
+  console.error("Client error:", err);
+  process.exit(1);
+});
diff --git a/tests/apps/node-app/package.json b/tests/apps/node-app/package.json
new file mode 100644
index 0000000..ce75a7e
--- /dev/null
+++ b/tests/apps/node-app/package.json
@@ -0,0 +1,6 @@
+{
+  "name": "phantom-test-app",
+  "version": "0.0.0",
+  "private": true,
+  "description": "Test Node.js app for phantom proxy integration tests (no external dependencies)"
+}
diff --git a/tests/apps/node-app/proxy-preload.js b/tests/apps/node-app/proxy-preload.js
new file mode 100644
index 0000000..564b173
--- /dev/null
+++ b/tests/apps/node-app/proxy-preload.js
@@ -0,0 +1,163 @@
+// Transparent HTTP/HTTPS proxy injection via Node.js --require.
+//
+// When loaded with `node --require ./proxy-preload.js app.js`, this script
+// monkey-patches the built-in `http` and `https` modules to route all outbound
+// requests through an HTTP proxy — without touching the application code.
+//
+// Activated by the HTTP_PROXY (or http_proxy) environment variable.
+// If neither is set, this script is a no-op and the app runs normally.
+//
+// This is the Node.js equivalent of LD_PRELOAD for transparent interception.
+
+"use strict";
+
+const PROXY_URL = process.env.HTTP_PROXY || process.env.http_proxy;
+if (!PROXY_URL) {
+  // No proxy configured — do nothing.
+  return;
+}
+
+const http = require("http");
+const https = require("https");
+const tls = require("tls");
+const { URL } = require("url");
+
+const proxy = new URL(PROXY_URL);
+const proxyHost = proxy.hostname;
+const proxyPort = parseInt(proxy.port, 10);
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Convert a URL string or URL object to http.request options. */
+function urlToOptions(input) {
+  const u = typeof input === "string" ? new URL(input) : input;
+  return {
+    protocol: u.protocol,
+    hostname: u.hostname,
+    port: u.port || (u.protocol === "https:" ? 443 : 80),
+    path: u.pathname + u.search,
+    hash: u.hash,
+  };
+}
+
+/** Normalise the (url, options, callback) overloaded arguments. */
+function normaliseArgs(args) {
+  let options, callback;
+  if (typeof args[0] === "string" || args[0] instanceof URL) {
+    const urlOpts = urlToOptions(args[0]);
+    options =
+      typeof args[1] === "object" && typeof args[1] !== "function"
+        ? { ...urlOpts, ...args[1] }
+        : urlOpts;
+    callback = typeof args[1] === "function" ? args[1] : args[2];
+  } else {
+    options = args[0] || {};
+    callback = args[1];
+  }
+  return { options, callback };
+}
+
+// ---------------------------------------------------------------------------
+// HTTP patching — rewrite request target to go through proxy
+// ---------------------------------------------------------------------------
+
+const origHttpRequest = http.request;
+const origHttpGet = http.get;
+
+http.request = function (...args) {
+  const { options, callback } = normaliseArgs(args);
+
+  const host = options.hostname || options.host || "localhost";
+  const port = options.port || 80;
+  const path = options.path || "/";
+
+  // Build the absolute URI the proxy expects.
+  const absoluteUri = `http://${host}:${port}${path}`;
+
+  const proxyOpts = {
+    ...options,
+    hostname: proxyHost,
+    port: proxyPort,
+    path: absoluteUri,
+    host: `${proxyHost}:${proxyPort}`,
+    headers: {
+      ...options.headers,
+      Host: port == 80 ? host : `${host}:${port}`,
+    },
+  };
+
+  return origHttpRequest.call(http, proxyOpts, callback);
+};
+
+http.get = function (...args) {
+  const req = http.request(...args);
+  req.end();
+  return req;
+};
+
+// ---------------------------------------------------------------------------
+// HTTPS patching — CONNECT tunnel through proxy, then TLS handshake
+// ---------------------------------------------------------------------------
+
+const origHttpsRequest = https.request;
+const origHttpsGet = https.get;
+
+/**
+ * Custom HTTPS agent that tunnels through the HTTP proxy using CONNECT.
+ *
+ * Flow:
+ *   1. Open TCP to proxy via origHttpRequest (bypasses our http.request patch)
+ *   2. Send CONNECT target:port
+ *   3. On 200, wrap the raw socket with tls.connect
+ *   4. Return the TLS socket to Node's https machinery
+ */
+class ProxyTunnelAgent extends https.Agent {
+  createConnection(options, oncreate) {
+    const targetHost = options.hostname || options.host;
+    const targetPort = options.port || 443;
+
+    const connectReq = origHttpRequest.call(http, {
+      hostname: proxyHost,
+      port: proxyPort,
+      method: "CONNECT",
+      path: `${targetHost}:${targetPort}`,
+      headers: { Host: `${targetHost}:${targetPort}` },
+    });
+
+    connectReq.on("connect", (_res, socket) => {
+      const tlsSocket = tls.connect(
+        {
+          socket,
+          servername: targetHost,
+          // Trust the MITM proxy's dynamically-generated certificates.
+          rejectUnauthorized: false,
+        },
+        () => oncreate(null, tlsSocket)
+      );
+      tlsSocket.on("error", (err) => oncreate(err));
+    });
+
+    connectReq.on("error", (err) => oncreate(err));
+    connectReq.end();
+  }
+}
+
+const tunnelAgent = new ProxyTunnelAgent({
+  keepAlive: false,
+  rejectUnauthorized: false,
+});
+
+https.request = function (...args) {
+  const { options, callback } = normaliseArgs(args);
+  // Force all HTTPS requests through the tunnel agent.
+  options.agent = tunnelAgent;
+  return origHttpsRequest.call(https, options, callback);
+};
+
+https.get = function (...args) {
+  const req = https.request(...args);
+  req.end();
+  return req;
+};
diff --git a/tests/proxy_node_integration.rs b/tests/proxy_node_integration.rs
new file mode 100644
index 0000000..1246f13
--- /dev/null
+++ b/tests/proxy_node_integration.rs
@@ -0,0 +1,370 @@
+//! Integration test: Node.js app → phantom proxy → Rust mock backend
+//!
+//! Verifies non-invasive proxy tracing: the Node.js client has ZERO proxy
+//! awareness.  A `--require proxy-preload.js` script transparently patches
+//! `http`/`https` to route through phantom (like LD_PRELOAD for Node.js).
+//!
+//! Tests both HTTP and HTTPS (MITM) capture.
+//!
+//! Requirements: `node` on PATH.
+//! Run: `cargo test --test proxy_node_integration`
+
+use std::io::{Read, Write as IoWrite};
+use std::net::{TcpListener, TcpStream};
+use std::path::Path;
+use std::process::{Command, Stdio};
+use std::sync::Arc;
+use std::time::{Duration, Instant};
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ─────────────────────────────────────────────────────────────────────────────
+
+fn available_port() -> u16 {
+    TcpListener::bind("127.0.0.1:0")
+        .expect("bind :0")
+        .local_addr()
+        .unwrap()
+        .port()
+}
+
+fn wait_for_port(port: u16, timeout: Duration) -> bool {
+    let start = Instant::now();
+    while start.elapsed() < timeout {
+        if TcpStream::connect(format!("127.0.0.1:{port}")).is_ok() {
+            return true;
+        }
+        std::thread::sleep(Duration::from_millis(50));
+    }
+    false
+}
+
+struct ProcessGuard(Option<std::process::Child>);
+impl ProcessGuard {
+    fn new(child: std::process::Child) -> Self {
+        Self(Some(child))
+    }
+    fn take(&mut self) -> std::process::Child {
+        self.0.take().expect("already consumed")
+    }
+}
+impl Drop for ProcessGuard {
+    fn drop(&mut self) {
+        if let Some(ref mut c) = self.0 {
+            let _ = c.kill();
+            let _ = c.wait();
+        }
+    }
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Mock backend — HTTP
+// ─────────────────────────────────────────────────────────────────────────────
+
+const HEALTH_BODY: &str = r#"{"status":"ok"}"#;
+const USERS_BODY: &str = r#"[{"id":1,"name":"Alice"},{"id":2,"name":"Bob"}]"#;
+const CREATED_BODY: &str = r#"{"id":3,"name":"Charlie","email":"charlie@example.com"}"#;
+
+fn route_request(req: &str) -> (&str, &str) {
+    let first = req.lines().next().unwrap_or("");
+    if first.starts_with("GET") && first.contains("/api/health") {
+        ("200 OK", HEALTH_BODY)
+    } else if first.starts_with("GET") && first.contains("/api/users") {
+        ("200 OK", USERS_BODY)
+    } else if first.starts_with("POST") && first.contains("/api/users") {
+        ("201 Created", CREATED_BODY)
+    } else {
+        ("404 Not Found", r#"{"error":"Not Found"}"#)
+    }
+}
+
+fn write_response(stream: &mut impl IoWrite, status: &str, body: &str) {
+    let resp = format!(
+        "HTTP/1.1 {status}\r\nContent-Type: application/json\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{body}",
+        body.len()
+    );
+    let _ = stream.write_all(resp.as_bytes());
+    let _ = stream.flush();
+}
+
+fn handle_stream(stream: &mut (impl Read + IoWrite)) {
+    let mut buf = [0u8; 8192];
+    let n = match stream.read(&mut buf) {
+        Ok(0) | Err(_) => return,
+        Ok(n) => n,
+    };
+    let req = String::from_utf8_lossy(&buf[..n]);
+    let (status, body) = route_request(&req);
+    write_response(stream, status, body);
+}
+
+/// Start a plain HTTP mock backend on `port`. Returns a join handle.
+fn start_http_backend(port: u16) -> std::thread::JoinHandle<()> {
+    std::thread::spawn(move || {
+        let listener = TcpListener::bind(format!("127.0.0.1:{port}")).unwrap();
+        listener
+            .set_nonblocking(false)
+            .expect("set_nonblocking(false)");
+        for stream in listener.incoming() {
+            match stream {
+                Ok(mut s) => handle_stream(&mut s),
+                Err(_) => break,
+            }
+        }
+    })
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Mock backend — HTTPS (rustls)
+// ─────────────────────────────────────────────────────────────────────────────
+
+fn start_https_backend(
+    port: u16,
+    cert_der: Vec<u8>,
+    key_der: Vec<u8>,
+) -> std::thread::JoinHandle<()> {
+    std::thread::spawn(move || {
+        let certs = vec![rustls_pki_types::CertificateDer::from(cert_der)];
+        let key = rustls_pki_types::PrivateKeyDer::try_from(key_der).expect("parse private key");
+
+        let server_config = Arc::new(
+            rustls::ServerConfig::builder()
+                .with_no_client_auth()
+                .with_single_cert(certs, key)
+                .expect("build ServerConfig"),
+        );
+
+        let listener = TcpListener::bind(format!("127.0.0.1:{port}")).unwrap();
+        for stream in listener.incoming() {
+            match stream {
+                Ok(tcp) => {
+                    let conn = match rustls::ServerConnection::new(server_config.clone()) {
+                        Ok(c) => c,
+                        Err(_) => continue,
+                    };
+                    let mut tls = rustls::StreamOwned::new(conn, tcp);
+                    handle_stream(&mut tls);
+                }
+                Err(_) => break,
+            }
+        }
+    })
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Test
+// ─────────────────────────────────────────────────────────────────────────────
+
+#[test]
+fn test_proxy_captures_node_app_traffic() {
+    // Pre-flight: node available?
+    if Command::new("node")
+        .arg("--version")
+        .stdout(Stdio::null())
+        .stderr(Stdio::null())
+        .status()
+        .is_err()
+    {
+        eprintln!("SKIP: `node` not found");
+        return;
+    }
+
+    let phantom_bin = env!("CARGO_BIN_EXE_phantom");
+    let app_dir = Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/apps/node-app");
+    let tmp_dir = tempfile::tempdir().expect("tempdir");
+
+    let http_port = available_port();
+    let https_port = available_port();
+    let proxy_port = available_port();
+
+    // ── Generate self-signed cert ────────────────────────────────────────
+    let certified =
+        rcgen::generate_simple_self_signed(vec!["localhost".to_string()]).expect("generate cert");
+    let cert_der = certified.cert.der().to_vec();
+    let key_der = certified.key_pair.serialize_der();
+
+    // ── Start HTTP backend ───────────────────────────────────────────────
+    let _http_thread = start_http_backend(http_port);
+    assert!(
+        wait_for_port(http_port, Duration::from_secs(3)),
+        "HTTP backend"
+    );
+
+    // ── Start HTTPS backend ──────────────────────────────────────────────
+    let _https_thread = start_https_backend(https_port, cert_der, key_der);
+    assert!(
+        wait_for_port(https_port, Duration::from_secs(3)),
+        "HTTPS backend"
+    );
+
+    // ── Start phantom proxy (--insecure to accept self-signed backend) ──
+    let phantom_proc = Command::new(phantom_bin)
+        .args([
+            "--backend",
+            "proxy",
+            "--output",
+            "jsonl",
+            "--port",
+            &proxy_port.to_string(),
+            "--insecure",
+            "--data-dir",
+        ])
+        .arg(tmp_dir.path())
+        .stdout(Stdio::piped())
+        .stderr(Stdio::piped())
+        .spawn()
+        .expect("spawn phantom");
+
+    let mut phantom_guard = ProcessGuard::new(phantom_proc);
+    assert!(
+        wait_for_port(proxy_port, Duration::from_secs(5)),
+        "phantom proxy"
+    );
+
+    // ── Run client via --require proxy-preload.js ────────────────────────
+    let preload = app_dir.join("proxy-preload.js");
+    let client_output = Command::new("node")
+        .args(["--require", &preload.to_string_lossy()])
+        .arg(app_dir.join("client.js"))
+        .env("BACKEND_HTTP_URL", format!("http://127.0.0.1:{http_port}"))
+        .env(
+            "BACKEND_HTTPS_URL",
+            format!("https://localhost:{https_port}"),
+        )
+        .env("HTTP_PROXY", format!("http://127.0.0.1:{proxy_port}"))
+        .env("NODE_TLS_REJECT_UNAUTHORIZED", "0")
+        .output()
+        .expect("run client.js");
+
+    let client_stdout = String::from_utf8_lossy(&client_output.stdout);
+    let client_stderr = String::from_utf8_lossy(&client_output.stderr);
+    assert!(
+        client_output.status.success(),
+        "client.js failed.\n  stdout: {client_stdout}\n  stderr: {client_stderr}"
+    );
+    assert!(
+        client_stdout.contains("CLIENT_DONE"),
+        "client.js incomplete.\n  stdout: {client_stdout}\n  stderr: {client_stderr}"
+    );
+
+    // ── Collect phantom output ───────────────────────────────────────────
+    std::thread::sleep(Duration::from_millis(500));
+
+    let mut phantom_proc = phantom_guard.take();
+    let mut phantom_stdout = phantom_proc.stdout.take().unwrap();
+    let mut phantom_stderr_h = phantom_proc.stderr.take().unwrap();
+    phantom_proc.kill().ok();
+    phantom_proc.wait().ok();
+
+    let mut stdout_buf = String::new();
+    phantom_stdout.read_to_string(&mut stdout_buf).ok();
+    let mut stderr_buf = String::new();
+    phantom_stderr_h.read_to_string(&mut stderr_buf).ok();
+
+    // ── Parse JSONL traces ───────────────────────────────────────────────
+    let traces: Vec<serde_json::Value> = stdout_buf
+        .lines()
+        .filter(|l| l.starts_with('{'))
+        .filter_map(|l| serde_json::from_str(l).ok())
+        .collect();
+
+    assert_eq!(
+        traces.len(),
+        4,
+        "Expected 4 traces (2 HTTP + 2 HTTPS), got {}.\n  stdout:\n{stdout_buf}\n  stderr:\n{stderr_buf}\n  client:\n{client_stdout}",
+        traces.len(),
+    );
+
+    // ── HTTP: GET /api/health ────────────────────────────────────────────
+    let health_http = traces
+        .iter()
+        .find(|t| {
+            let url = t["url"].as_str().unwrap_or("");
+            url.contains("/api/health") && url.starts_with("http://")
+        })
+        .expect("missing HTTP GET /api/health");
+    assert_eq!(health_http["method"], "GET");
+    assert_eq!(health_http["status_code"], 200);
+    assert!(
+        health_http["response_body"]
+            .as_str()
+            .is_some_and(|b| b.contains("ok"))
+    );
+
+    // ── HTTP: GET /api/users ─────────────────────────────────────────────
+    let users_http = traces
+        .iter()
+        .find(|t| {
+            let url = t["url"].as_str().unwrap_or("");
+            url.contains("/api/users") && url.starts_with("http://") && t["method"] == "GET"
+        })
+        .expect("missing HTTP GET /api/users");
+    assert_eq!(users_http["status_code"], 200);
+    assert!(
+        users_http["response_body"]
+            .as_str()
+            .is_some_and(|b| b.contains("Alice"))
+    );
+
+    // ── HTTPS: GET /api/health ───────────────────────────────────────────
+    let health_https = traces
+        .iter()
+        .find(|t| {
+            let url = t["url"].as_str().unwrap_or("");
+            url.contains("/api/health") && url.starts_with("https://")
+        })
+        .expect("missing HTTPS GET /api/health");
+    assert_eq!(health_https["method"], "GET");
+    assert_eq!(health_https["status_code"], 200);
+    assert!(
+        health_https["response_body"]
+            .as_str()
+            .is_some_and(|b| b.contains("ok"))
+    );
+
+    // ── HTTPS: POST /api/users ───────────────────────────────────────────
+    let create_https = traces
+        .iter()
+        .find(|t| {
+            let url = t["url"].as_str().unwrap_or("");
+            url.contains("/api/users") && url.starts_with("https://") && t["method"] == "POST"
+        })
+        .expect("missing HTTPS POST /api/users");
+    assert_eq!(create_https["status_code"], 201);
+    assert!(
+        create_https["request_body"]
+            .as_str()
+            .is_some_and(|b| b.contains("Charlie"))
+    );
+    assert!(
+        create_https["response_body"]
+            .as_str()
+            .is_some_and(|b| b.contains("Charlie"))
+    );
+
+    // ── Cross-cutting checks ─────────────────────────────────────────────
+    for (i, t) in traces.iter().enumerate() {
+        assert!(
+            t["trace_id"].as_str().is_some_and(|s| !s.is_empty()),
+            "trace[{i}] trace_id"
+        );
+        assert!(
+            t["span_id"].as_str().is_some_and(|s| !s.is_empty()),
+            "trace[{i}] span_id"
+        );
+        assert!(
+            t["timestamp_ms"].as_u64().is_some_and(|v| v > 0),
+            "trace[{i}] timestamp_ms"
+        );
+        assert!(
+            t["request_headers"].is_object(),
+            "trace[{i}] request_headers"
+        );
+        assert!(
+            t["response_headers"].is_object(),
+            "trace[{i}] response_headers"
+        );
+    }
+
+    eprintln!("All 4 traces (2 HTTP + 2 HTTPS) verified.");
+}

From 6cec9b60f37d3dab6e4b20ac5904b712e7b226ad Mon Sep 17 00:00:00 2001
From: epli2 <motoryo1@gmail.com>
Date: Thu, 5 Mar 2026 20:44:28 +0900
Subject: [PATCH 2/8] feat: integrate proxy-preload.js into phantom CLI
 (phantom -- node app.js)

Embed proxy-preload.js in the phantom binary via include_str! so that
`phantom -- node app.js` transparently injects HTTPS interception into
any Node.js app without code changes.

Key additions to src/main.rs:
- NODE_PROXY_PRELOAD const: preload script embedded at compile time
- TempScript RAII guard: writes preload to /tmp, deletes on drop
- is_node_command(): detects node/nodejs executables
- spawn_proxy_child(): sets HTTP_PROXY; for node prepends --require <tmp>
- wait_for_proxy(): async poll until proxy port is ready
- run_proxy() updated to call spawn_proxy_child when -- CMD is given

Integration test updated to use `phantom -- node client.js` instead of
manually managing the preload script and proxy env vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/main.rs                     | 145 +++++++++++++++++++++++++++++---
 tests/proxy_node_integration.rs |  80 ++++--------------
 2 files changed, 152 insertions(+), 73 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index cfb1e22..39ccffc 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,4 +1,4 @@
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 use std::sync::Arc;
 use std::time::UNIX_EPOCH;
 
@@ -10,6 +10,14 @@ use phantom_core::trace::HttpTrace;
 use phantom_storage::FjallTraceStore;
 use serde::Serialize;
 
+// ─────────────────────────────────────────────────────────────────────────────
+// Embedded proxy preload script (Node.js transparent injection)
+// ─────────────────────────────────────────────────────────────────────────────
+
+/// The proxy-preload.js content, embedded at compile time.
+/// Written to a temp file when tracing Node.js processes via `phantom -- node …`.
+const NODE_PROXY_PRELOAD: &str = include_str!("../tests/apps/node-app/proxy-preload.js");
+
 // ─────────────────────────────────────────────────────────────────────────────
 // CLI
 // ─────────────────────────────────────────────────────────────────────────────
@@ -66,10 +74,21 @@ struct Cli {
     #[arg(long, value_name = "PATH")]
     agent_lib: Option<PathBuf>,
 
-    /// Command to run with LD_PRELOAD injected (required for --backend ldpreload).
+    /// Command to spawn and trace.
     ///
     /// Everything after `--` is treated as the command.
-    /// Example: `phantom --backend ldpreload --agent-lib ./libphantom_agent.so -- curl http://example.com`
+    ///
+    /// In proxy mode (`--backend proxy`): the command is launched with
+    /// `HTTP_PROXY` set automatically.  For Node.js commands (`node`/`nodejs`)
+    /// the proxy-preload script is also injected via `--require` so that HTTPS
+    /// is intercepted transparently without any changes to the application.
+    ///
+    /// In ldpreload mode (`--backend ldpreload`): the LD_PRELOAD agent is
+    /// injected into the child process (Linux only).
+    ///
+    /// Examples:
+    ///   `phantom -- node app.js`
+    ///   `phantom --backend ldpreload --agent-lib ./libphantom_agent.so -- curl http://example.com`
     #[arg(last = true, value_name = "CMD")]
     command: Vec<String>,
 }
@@ -246,19 +265,100 @@ async fn main() -> anyhow::Result<()> {
 // Proxy backend
 // ─────────────────────────────────────────────────────────────────────────────
 
+/// RAII guard that deletes a temporary script file on drop.
+struct TempScript(PathBuf);
+
+impl Drop for TempScript {
+    fn drop(&mut self) {
+        let _ = std::fs::remove_file(&self.0);
+    }
+}
+
+/// Returns `true` if `exe` (path or bare name) resolves to `node` or `nodejs`.
+fn is_node_command(exe: &str) -> bool {
+    let base = Path::new(exe)
+        .file_name()
+        .and_then(|n| n.to_str())
+        .unwrap_or(exe);
+    base == "node" || base == "nodejs"
+}
+
+/// Spawns `command` as a child process routed through the phantom proxy.
+///
+/// * `HTTP_PROXY` / `http_proxy` are set so plain HTTP is captured.
+/// * For Node.js executables the embedded proxy-preload script is written to a
+///   temp file and prepended as `--require <path>` so HTTPS is also captured
+///   without touching the application source.
+///
+/// Returns `(child, Option<TempScript>)`.  The `TempScript` must be kept alive
+/// until after the child exits so the file is not deleted prematurely.
+fn spawn_proxy_child(
+    command: &[String],
+    proxy_port: u16,
+) -> anyhow::Result<(std::process::Child, Option<TempScript>)> {
+    let exe = &command[0];
+    let proxy_url = format!("http://127.0.0.1:{proxy_port}");
+
+    let (actual_args, temp_script): (Vec<String>, Option<TempScript>) = if is_node_command(exe) {
+        // Write the embedded preload script to a temp file.
+        let script_path =
+            std::env::temp_dir().join(format!("phantom-preload-{}.js", std::process::id()));
+        std::fs::write(&script_path, NODE_PROXY_PRELOAD)
+            .map_err(|e| anyhow::anyhow!("failed to write proxy preload script: {e}"))?;
+        let ts = TempScript(script_path.clone());
+
+        // Prepend --require <script> before the rest of the args.
+        let mut args = vec![
+            "--require".to_string(),
+            script_path.to_string_lossy().into_owned(),
+        ];
+        args.extend_from_slice(&command[1..]);
+        (args, Some(ts))
+    } else {
+        (command[1..].to_vec(), None)
+    };
+
+    let child = std::process::Command::new(exe)
+        .args(&actual_args)
+        .env("HTTP_PROXY", &proxy_url)
+        .env("http_proxy", &proxy_url)
+        .spawn()
+        .map_err(|e| anyhow::anyhow!("failed to spawn {:?}: {e}", exe))?;
+
+    Ok((child, temp_script))
+}
+
 async fn run_proxy(cli: Cli, store: Arc<FjallTraceStore>) -> anyhow::Result<()> {
     let mut backend = ProxyCaptureBackend::new(cli.port, cli.insecure);
     let backend_name = backend.name().to_string();
     let trace_rx = backend.start().map_err(|e| anyhow::anyhow!("{e}"))?;
 
-    match cli.output {
-        OutputMode::Tui => {
-            eprintln!("phantom: proxy listening on 127.0.0.1:{}", cli.port);
-            eprintln!("  Set your HTTP proxy to http://127.0.0.1:{}", cli.port);
+    // Optionally spawn a child command routed through the proxy.
+    let child_and_script: Option<(std::process::Child, Option<TempScript>)> =
+        if !cli.command.is_empty() {
+            // Wait for the proxy to be ready before spawning the child.
+            wait_for_proxy(cli.port).await?;
+            let (child, ts) = spawn_proxy_child(&cli.command, cli.port)?;
             eprintln!(
-                "  Example: curl -x http://127.0.0.1:{} http://httpbin.org/get",
-                cli.port
+                "phantom: spawned PID {} → {}",
+                child.id(),
+                cli.command.join(" ")
             );
+            Some((child, ts))
+        } else {
+            None
+        };
+
+    match cli.output {
+        OutputMode::Tui => {
+            if cli.command.is_empty() {
+                eprintln!("phantom: proxy listening on 127.0.0.1:{}", cli.port);
+                eprintln!("  Set your HTTP proxy to http://127.0.0.1:{}", cli.port);
+                eprintln!(
+                    "  Example: curl -x http://127.0.0.1:{} http://httpbin.org/get",
+                    cli.port
+                );
+            }
             eprintln!(
                 "phantom: traces stored in {}",
                 store_path_display(&cli.data_dir)
@@ -270,7 +370,15 @@ async fn run_proxy(cli: Cli, store: Arc<FjallTraceStore>) -> anyhow::Result<()>
                 "phantom: proxy listening on 127.0.0.1:{} [jsonl mode]",
                 cli.port
             );
-            run_jsonl_output(store, trace_rx, None).await?;
+            // Split into child and script guard separately so the TempScript
+            // is NOT dropped until after run_jsonl_output completes (the file
+            // must exist while node is loading it via --require).
+            let (child, _script_guard) = match child_and_script {
+                Some((c, ts)) => (Some(c), ts),
+                None => (None, None),
+            };
+            run_jsonl_output(store, trace_rx, child).await?;
+            // _script_guard dropped here — temp file deleted after child exits.
         }
     }
 
@@ -278,6 +386,23 @@ async fn run_proxy(cli: Cli, store: Arc<FjallTraceStore>) -> anyhow::Result<()>
     Ok(())
 }
 
+/// Poll until the proxy port is accepting connections (or timeout after 5 s).
+async fn wait_for_proxy(port: u16) -> anyhow::Result<()> {
+    let deadline = tokio::time::Instant::now() + std::time::Duration::from_secs(5);
+    loop {
+        if tokio::net::TcpStream::connect(format!("127.0.0.1:{port}"))
+            .await
+            .is_ok()
+        {
+            return Ok(());
+        }
+        if tokio::time::Instant::now() >= deadline {
+            anyhow::bail!("proxy did not become ready on port {port} within 5 s");
+        }
+        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
+    }
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // LD_PRELOAD backend (Linux only)
 // ─────────────────────────────────────────────────────────────────────────────
diff --git a/tests/proxy_node_integration.rs b/tests/proxy_node_integration.rs
index 1246f13..cee2dab 100644
--- a/tests/proxy_node_integration.rs
+++ b/tests/proxy_node_integration.rs
@@ -1,8 +1,9 @@
-//! Integration test: Node.js app → phantom proxy → Rust mock backend
+//! Integration test: phantom proxy transparently traces a Node.js app
 //!
 //! Verifies non-invasive proxy tracing: the Node.js client has ZERO proxy
-//! awareness.  A `--require proxy-preload.js` script transparently patches
-//! `http`/`https` to route through phantom (like LD_PRELOAD for Node.js).
+//! awareness.  `phantom -- node client.js` automatically injects
+//! `proxy-preload.js` (embedded in the binary) via `--require`, transparently
+//! patching `http`/`https` to route through the phantom proxy.
 //!
 //! Tests both HTTP and HTTPS (MITM) capture.
 //!
@@ -39,24 +40,6 @@ fn wait_for_port(port: u16, timeout: Duration) -> bool {
     false
 }
 
-struct ProcessGuard(Option<std::process::Child>);
-impl ProcessGuard {
-    fn new(child: std::process::Child) -> Self {
-        Self(Some(child))
-    }
-    fn take(&mut self) -> std::process::Child {
-        self.0.take().expect("already consumed")
-    }
-}
-impl Drop for ProcessGuard {
-    fn drop(&mut self) {
-        if let Some(ref mut c) = self.0 {
-            let _ = c.kill();
-            let _ = c.wait();
-        }
-    }
-}
-
 // ─────────────────────────────────────────────────────────────────────────────
 // Mock backend — HTTP
 // ─────────────────────────────────────────────────────────────────────────────
@@ -197,8 +180,10 @@ fn test_proxy_captures_node_app_traffic() {
         "HTTPS backend"
     );
 
-    // ── Start phantom proxy (--insecure to accept self-signed backend) ──
-    let phantom_proc = Command::new(phantom_bin)
+    // ── Run phantom with `-- node client.js` ────────────────────────────
+    // In JSONL mode phantom exits automatically when the child process exits.
+    // The proxy-preload.js is injected automatically by phantom for Node.js.
+    let phantom_output = Command::new(phantom_bin)
         .args([
             "--backend",
             "proxy",
@@ -210,57 +195,26 @@ fn test_proxy_captures_node_app_traffic() {
             "--data-dir",
         ])
         .arg(tmp_dir.path())
-        .stdout(Stdio::piped())
-        .stderr(Stdio::piped())
-        .spawn()
-        .expect("spawn phantom");
-
-    let mut phantom_guard = ProcessGuard::new(phantom_proc);
-    assert!(
-        wait_for_port(proxy_port, Duration::from_secs(5)),
-        "phantom proxy"
-    );
-
-    // ── Run client via --require proxy-preload.js ────────────────────────
-    let preload = app_dir.join("proxy-preload.js");
-    let client_output = Command::new("node")
-        .args(["--require", &preload.to_string_lossy()])
+        .arg("--")
+        .arg("node")
         .arg(app_dir.join("client.js"))
         .env("BACKEND_HTTP_URL", format!("http://127.0.0.1:{http_port}"))
         .env(
             "BACKEND_HTTPS_URL",
             format!("https://localhost:{https_port}"),
         )
-        .env("HTTP_PROXY", format!("http://127.0.0.1:{proxy_port}"))
         .env("NODE_TLS_REJECT_UNAUTHORIZED", "0")
         .output()
-        .expect("run client.js");
+        .expect("run phantom");
+
+    let stdout_buf = String::from_utf8_lossy(&phantom_output.stdout).into_owned();
+    let stderr_buf = String::from_utf8_lossy(&phantom_output.stderr).into_owned();
 
-    let client_stdout = String::from_utf8_lossy(&client_output.stdout);
-    let client_stderr = String::from_utf8_lossy(&client_output.stderr);
-    assert!(
-        client_output.status.success(),
-        "client.js failed.\n  stdout: {client_stdout}\n  stderr: {client_stderr}"
-    );
     assert!(
-        client_stdout.contains("CLIENT_DONE"),
-        "client.js incomplete.\n  stdout: {client_stdout}\n  stderr: {client_stderr}"
+        phantom_output.status.success(),
+        "phantom exited non-zero.\n  stdout:\n{stdout_buf}\n  stderr:\n{stderr_buf}"
     );
 
-    // ── Collect phantom output ───────────────────────────────────────────
-    std::thread::sleep(Duration::from_millis(500));
-
-    let mut phantom_proc = phantom_guard.take();
-    let mut phantom_stdout = phantom_proc.stdout.take().unwrap();
-    let mut phantom_stderr_h = phantom_proc.stderr.take().unwrap();
-    phantom_proc.kill().ok();
-    phantom_proc.wait().ok();
-
-    let mut stdout_buf = String::new();
-    phantom_stdout.read_to_string(&mut stdout_buf).ok();
-    let mut stderr_buf = String::new();
-    phantom_stderr_h.read_to_string(&mut stderr_buf).ok();
-
     // ── Parse JSONL traces ───────────────────────────────────────────────
     let traces: Vec<serde_json::Value> = stdout_buf
         .lines()
@@ -271,7 +225,7 @@ fn test_proxy_captures_node_app_traffic() {
     assert_eq!(
         traces.len(),
         4,
-        "Expected 4 traces (2 HTTP + 2 HTTPS), got {}.\n  stdout:\n{stdout_buf}\n  stderr:\n{stderr_buf}\n  client:\n{client_stdout}",
+        "Expected 4 traces (2 HTTP + 2 HTTPS), got {}.\\n  stdout:\\n{stdout_buf}\\n  stderr:\\n{stderr_buf}",
         traces.len(),
     );
 

From eb5291768856309eaac0bc95cd8988235c66a3a1 Mon Sep 17 00:00:00 2001
From: epli2 <motoryo1@gmail.com>
Date: Fri, 6 Mar 2026 00:04:09 +0900
Subject: [PATCH 3/8] docs(cli): enrich --help for AI-readable self-description

Add long_about with full backend/output-mode explanations and complete
JSONL field schema so an AI agent can understand the tool from --help alone.
Add after_long_help Examples section covering all common usage patterns.
Improve per-flag descriptions to be precise and actionable.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/main.rs | 143 ++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 116 insertions(+), 27 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index 39ccffc..7ec1c75 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -24,71 +24,160 @@ const NODE_PROXY_PRELOAD: &str = include_str!("../tests/apps/node-app/proxy-prel
 
 #[derive(Debug, Clone, ValueEnum)]
 enum Backend {
-    /// MITM HTTP/HTTPS proxy (cross-platform, requires `http_proxy` env var).
+    /// MITM proxy — captures HTTP + HTTPS, cross-platform. Node.js HTTPS injected automatically.
     Proxy,
-    /// LD_PRELOAD agent injected into a target process (Linux only).
+    /// LD_PRELOAD agent — plain HTTP only, Linux only. No proxy config needed.
     #[cfg(target_os = "linux")]
     Ldpreload,
 }
 
 #[derive(Debug, Clone, Default, ValueEnum)]
 enum OutputMode {
-    /// Interactive TUI (default).
+    /// Interactive terminal UI with trace list and detail view.
     #[default]
     Tui,
-    /// Stream captured traces as JSON Lines to stdout (one object per line).
-    /// Useful for scripting and AI-driven workflows.
+    /// Stream traces as JSON Lines to stdout; auto-exits when child process finishes.
     Jsonl,
 }
 
 #[derive(Parser)]
 #[command(
     name = "phantom",
-    about = "Zero-instrumentation API observability",
+    about = "Zero-instrumentation HTTP/HTTPS API observability tool",
+    long_about = "phantom — Zero-instrumentation HTTP/HTTPS API observability\n\
+\n\
+Captures every HTTP and HTTPS request/response made by a target process\n\
+and displays them in an interactive TUI or streams them as JSON Lines.\n\
+The target application requires NO code changes.\n\
+\n\
+━━━ CAPTURE BACKENDS ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\
+\n\
+  proxy  (default, cross-platform)\n\
+    Starts a MITM proxy on 127.0.0.1:<PORT>.  Intercepts HTTP and HTTPS.\n\
+\n\
+    • Node.js  (`phantom -- node app.js`)\n\
+      proxy-preload.js is injected automatically via --require.  Both http://\n\
+      and https:// are captured with zero application changes.\n\
+\n\
+    • Other commands  (`phantom -- curl http://api.example.com/v1`)\n\
+      HTTP_PROXY / http_proxy is set automatically.  Plain HTTP is captured.\n\
+      HTTPS requires the application to honour HTTP_PROXY CONNECT tunnelling.\n\
+\n\
+    • Manual  (start phantom alone, then configure your app)\n\
+      Set HTTP_PROXY=http://127.0.0.1:8080 in the target process yourself.\n\
+\n\
+  ldpreload  (Linux only)\n\
+    Injects libphantom_agent.so via LD_PRELOAD.  Hooks send/recv/close at\n\
+    the libc level.  No proxy configuration required.  Plain HTTP only\n\
+    (HTTPS traffic is already encrypted at the socket layer).\n\
+\n\
+━━━ OUTPUT MODES ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\
+\n\
+  tui   (default) — Interactive terminal UI with trace list + detail view.\n\
+\n\
+  jsonl — One JSON object per line on stdout.  phantom exits automatically\n\
+          when the child process exits (ideal for scripting and AI agents).\n\
+\n\
+  JSONL record schema (all fields always present unless marked optional):\n\
+    trace_id          string   W3C-compatible 128-bit trace ID (hex, 32 chars)\n\
+    span_id           string   64-bit span ID (hex, 16 chars)\n\
+    timestamp_ms      number   Unix epoch milliseconds — request start time\n\
+    duration_ms       number   Round-trip latency in milliseconds\n\
+    method            string   HTTP verb: \"GET\", \"POST\", \"PUT\", \"DELETE\", …\n\
+    url               string   Full request URL (scheme + host + path + query)\n\
+    status_code       number   HTTP response status code (200, 404, 500, …)\n\
+    protocol_version  string   HTTP version string, e.g. \"HTTP/1.1\"\n\
+    request_headers   object   Lower-cased header names → values\n\
+    response_headers  object   Lower-cased header names → values\n\
+    request_body      string?  UTF-8 decoded body; omitted when empty\n\
+    response_body     string?  UTF-8 decoded body; omitted when empty\n\
+    source_addr       string?  Client socket address, e.g. \"127.0.0.1:54321\"\n\
+    dest_addr         string?  Server socket address, e.g. \"93.184.216.34:443\"",
+    after_long_help = "EXAMPLES\n\
+\n\
+  ┌─ Proxy mode (default) ──────────────────────────────────────────────────┐\n\
+\n\
+  # Trace a Node.js app — HTTP + HTTPS captured, zero app changes:\n\
+  phantom -- node app.js\n\
+\n\
+  # Stream traces as JSONL for scripting / AI analysis:\n\
+  phantom --output jsonl -- node app.js\n\
+\n\
+  # Allow self-signed TLS certs on backend servers:\n\
+  phantom --insecure --output jsonl -- node app.js\n\
+\n\
+  # Trace any command (plain HTTP only, HTTPS if app uses HTTP_PROXY CONNECT):\n\
+  phantom -- curl http://api.example.com/v1/users\n\
+\n\
+  # Start proxy only, configure target app manually:\n\
+  phantom\n\
+  # then in another shell:\n\
+  HTTP_PROXY=http://127.0.0.1:8080 node app.js\n\
+\n\
+  # Custom port, custom data directory:\n\
+  phantom --port 9090 --data-dir ./traces -- node app.js\n\
+\n\
+  └─────────────────────────────────────────────────────────────────────────┘\n\
+\n\
+  ┌─ LD_PRELOAD mode (Linux only) ──────────────────────────────────────────┐\n\
+\n\
+  # Build the agent first:\n\
+  cargo build -p phantom-agent\n\
+\n\
+  # Trace a process (plain HTTP only):\n\
+  phantom --backend ldpreload \\\n\
+          --agent-lib ./target/debug/libphantom_agent.so \\\n\
+          -- curl http://api.example.com/v1/users\n\
+\n\
+  └─────────────────────────────────────────────────────────────────────────┘\n\
+\n\
+  ┌─ Consume JSONL from another process ────────────────────────────────────┐\n\
+\n\
+  phantom --output jsonl -- node app.js \\\n\
+    | jq 'select(.status_code >= 400)'          # filter errors\n\
+\n\
+  phantom --output jsonl -- node app.js \\\n\
+    | jq '{method,url,status_code,duration_ms}' # compact summary\n\
+\n\
+  └─────────────────────────────────────────────────────────────────────────┘",
     version
 )]
 struct Cli {
-    /// Capture backend to use.
+    /// Capture backend: 'proxy' (MITM, cross-platform) or 'ldpreload' (Linux, plain HTTP only).
     #[arg(short, long, value_enum, default_value = "proxy")]
     backend: Backend,
 
-    /// Output mode: interactive TUI or JSON Lines stream.
+    /// Output mode: 'tui' opens the interactive UI; 'jsonl' streams one trace
+    /// per line to stdout and exits when the child process finishes.
     #[arg(short, long, value_enum, default_value = "tui")]
     output: OutputMode,
 
-    /// Port for the proxy backend.
+    /// TCP port the proxy listens on.
     #[arg(short, long, default_value = "8080")]
     port: u16,
 
-    /// Skip TLS certificate verification for backend connections (testing only).
+    /// Disable TLS certificate verification for connections to backend servers.
+    /// Use when tracing apps that talk to servers with self-signed certificates.
     #[arg(long, default_value = "false")]
     insecure: bool,
 
-    /// Directory for trace storage.
+    /// Directory where captured traces are persisted (Fjall key-value store).
+    /// Defaults to the platform data directory, e.g. ~/.local/share/phantom/data.
     #[arg(short, long)]
     data_dir: Option<PathBuf>,
 
-    /// Path to libphantom_agent.so (required for --backend ldpreload).
+    /// Path to libphantom_agent.so  [required for --backend ldpreload]
     ///
-    /// Example: ./target/debug/libphantom_agent.so
+    /// Build with: cargo build -p phantom-agent
+    /// Then pass:  --agent-lib ./target/debug/libphantom_agent.so
     #[arg(long, value_name = "PATH")]
     agent_lib: Option<PathBuf>,
 
-    /// Command to spawn and trace.
+    /// Command to spawn and trace (everything after `--`).
     ///
-    /// Everything after `--` is treated as the command.
-    ///
-    /// In proxy mode (`--backend proxy`): the command is launched with
-    /// `HTTP_PROXY` set automatically.  For Node.js commands (`node`/`nodejs`)
-    /// the proxy-preload script is also injected via `--require` so that HTTPS
-    /// is intercepted transparently without any changes to the application.
-    ///
-    /// In ldpreload mode (`--backend ldpreload`): the LD_PRELOAD agent is
-    /// injected into the child process (Linux only).
-    ///
-    /// Examples:
-    ///   `phantom -- node app.js`
-    ///   `phantom --backend ldpreload --agent-lib ./libphantom_agent.so -- curl http://example.com`
+    /// proxy mode:     HTTP_PROXY is set automatically; Node.js additionally
+    ///                 gets proxy-preload.js injected via --require (captures HTTPS too).
+    /// ldpreload mode: LD_PRELOAD + PHANTOM_SOCKET are set automatically.
     #[arg(last = true, value_name = "CMD")]
     command: Vec<String>,
 }

From 93ff6b627fb142b18ef9e3e0f84db4ec44788889 Mon Sep 17 00:00:00 2001
From: epli2 <motoryo1@gmail.com>
Date: Fri, 6 Mar 2026 00:50:18 +0900
Subject: [PATCH 4/8] test: add integration tests for axios/undici/fetch
 tracing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add `test_proxy_captures_alternative_http_clients` test verifying
  that axios, undici, and globalThis.fetch are all transparently
  captured by the phantom proxy (6 traces: HTTP + HTTPS × 3 clients)
- Update proxy-preload.js to patch undici's global dispatcher via
  ProxyAgent so undici.request() goes through phantom
- Fix axios double-proxy: detect absolute-URI path already targeting
  the proxy and skip re-wrapping in http.request patch
- Fix fetch() HTTP via CONNECT: patch globalThis.fetch for http:// URLs
  to route through http.request (already proxy-patched), bypassing
  undici ProxyAgent's CONNECT tunnelling which phantom treats as HTTPS
- Add undici as npm dependency for explicit npm package usage
- Add client-alts.js: zero-config test app exercising all three clients

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 tests/apps/node-app/client-alts.js    |  92 ++++++++
 tests/apps/node-app/package-lock.json | 304 ++++++++++++++++++++++++++
 tests/apps/node-app/package.json      |   6 +-
 tests/apps/node-app/proxy-preload.js  | 142 +++++++++++-
 tests/proxy_node_integration.rs       | 207 ++++++++++++++++++
 5 files changed, 748 insertions(+), 3 deletions(-)
 create mode 100644 tests/apps/node-app/client-alts.js
 create mode 100644 tests/apps/node-app/package-lock.json

diff --git a/tests/apps/node-app/client-alts.js b/tests/apps/node-app/client-alts.js
new file mode 100644
index 0000000..118cfea
--- /dev/null
+++ b/tests/apps/node-app/client-alts.js
@@ -0,0 +1,92 @@
+// client-alts.js — Tests alternative HTTP client libraries through the proxy.
+//
+// Uses axios, undici (node:undici built-in), and the global fetch API —
+// all with ZERO proxy configuration in this file.
+// Proxy injection is handled externally via: node --require ./proxy-preload.js
+//
+// Each client adds an `x-phantom-client` header so traces can be identified
+// in the JSONL output by inspecting request_headers.
+//
+// Environment:
+//   BACKEND_HTTP_URL  — e.g. http://127.0.0.1:3000
+//   BACKEND_HTTPS_URL — e.g. https://localhost:3443
+
+"use strict";
+
+const BACKEND_HTTP_URL = process.env.BACKEND_HTTP_URL;
+const BACKEND_HTTPS_URL = process.env.BACKEND_HTTPS_URL;
+
+if (!BACKEND_HTTP_URL || !BACKEND_HTTPS_URL) {
+  console.error("BACKEND_HTTP_URL and BACKEND_HTTPS_URL are required");
+  process.exit(1);
+}
+
+async function main() {
+  // ── axios ──────────────────────────────────────────────────────────────────
+  // axios in Node.js uses the built-in http/https modules internally, so it
+  // goes through the patched http.request / https.request automatically.
+  const axios = require("axios");
+  // For HTTPS, disable certificate verification for the self-signed test cert.
+  const axiosHttps = axios.create({
+    httpsAgent: new (require("https").Agent)({ rejectUnauthorized: false }),
+  });
+
+  const a1 = await axios.get(`${BACKEND_HTTP_URL}/api/health`, {
+    headers: { "x-phantom-client": "axios" },
+  });
+  console.log(`axios  http health: status=${a1.status}`);
+
+  const a2 = await axiosHttps.get(`${BACKEND_HTTPS_URL}/api/health`, {
+    headers: { "x-phantom-client": "axios" },
+  });
+  console.log(`axios  https health: status=${a2.status}`);
+
+  // ── undici ─────────────────────────────────────────────────────────────────
+  // undici has its own HTTP stack and bypasses http/https modules.
+  // proxy-preload.js patches it via setGlobalDispatcher(ProxyAgent).
+  const { request } = require("undici");
+
+  const u1 = await request(`${BACKEND_HTTP_URL}/api/users`, {
+    headers: { "x-phantom-client": "undici" },
+  });
+  await u1.body.text(); // consume body to allow connection to close
+  console.log(`undici http users: status=${u1.statusCode}`);
+
+  const u2 = await request(`${BACKEND_HTTPS_URL}/api/users`, {
+    headers: { "x-phantom-client": "undici" },
+  });
+  await u2.body.text();
+  console.log(`undici https users: status=${u2.statusCode}`);
+
+  // ── fetch (global, Node.js 18+) ────────────────────────────────────────────
+  // proxy-preload.js sets undici's global ProxyAgent dispatcher so that
+  // requests from fetch go through the phantom proxy.  HTTP_PROXY is removed
+  // from the environment after our patches are installed to prevent fetch's
+  // built-in proxy detection from conflicting with the ProxyAgent.
+  const postBody = JSON.stringify({ name: "Dave", email: "dave@example.com" });
+  const postHeaders = {
+    "content-type": "application/json",
+    "x-phantom-client": "fetch",
+  };
+
+  const f1 = await fetch(`${BACKEND_HTTP_URL}/api/users`, {
+    method: "POST",
+    headers: postHeaders,
+    body: postBody,
+  });
+  console.log(`fetch  http  post users: status=${f1.status}`);
+
+  const f2 = await fetch(`${BACKEND_HTTPS_URL}/api/users`, {
+    method: "POST",
+    headers: postHeaders,
+    body: postBody,
+  });
+  console.log(`fetch  https post users: status=${f2.status}`);
+
+  console.log("CLIENT_DONE");
+}
+
+main().catch((err) => {
+  console.error("Client error:", err);
+  process.exit(1);
+});
diff --git a/tests/apps/node-app/package-lock.json b/tests/apps/node-app/package-lock.json
new file mode 100644
index 0000000..e15269d
--- /dev/null
+++ b/tests/apps/node-app/package-lock.json
@@ -0,0 +1,304 @@
+{
+  "name": "phantom-test-app",
+  "version": "0.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "phantom-test-app",
+      "version": "0.0.0",
+      "dependencies": {
+        "axios": "^1.7.0",
+        "undici": "^7.0.0"
+      }
+    },
+    "node_modules/asynckit": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
+      "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==",
+      "license": "MIT"
+    },
+    "node_modules/axios": {
+      "version": "1.13.6",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.6.tgz",
+      "integrity": "sha512-ChTCHMouEe2kn713WHbQGcuYrr6fXTBiu460OTwWrWob16g1bXn4vtz07Ope7ewMozJAnEquLk5lWQWtBig9DQ==",
+      "license": "MIT",
+      "dependencies": {
+        "follow-redirects": "^1.15.11",
+        "form-data": "^4.0.5",
+        "proxy-from-env": "^1.1.0"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/combined-stream": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
+      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+      "license": "MIT",
+      "dependencies": {
+        "delayed-stream": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/delayed-stream": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
+      "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-set-tostringtag": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+      "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.6",
+        "has-tostringtag": "^1.0.2",
+        "hasown": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/follow-redirects": {
+      "version": "1.15.11",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
+      "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/RubenVerborgh"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=4.0"
+      },
+      "peerDependenciesMeta": {
+        "debug": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/form-data": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+      "license": "MIT",
+      "dependencies": {
+        "asynckit": "^0.4.0",
+        "combined-stream": "^1.0.8",
+        "es-set-tostringtag": "^2.1.0",
+        "hasown": "^2.0.2",
+        "mime-types": "^2.1.12"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "license": "MIT",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-tostringtag": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
+      "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
+      "license": "MIT",
+      "dependencies": {
+        "has-symbols": "^1.0.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/proxy-from-env": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
+      "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==",
+      "license": "MIT"
+    },
+    "node_modules/undici": {
+      "version": "7.22.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.22.0.tgz",
+      "integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.18.1"
+      }
+    }
+  }
+}
diff --git a/tests/apps/node-app/package.json b/tests/apps/node-app/package.json
index ce75a7e..979b68f 100644
--- a/tests/apps/node-app/package.json
+++ b/tests/apps/node-app/package.json
@@ -2,5 +2,9 @@
   "name": "phantom-test-app",
   "version": "0.0.0",
   "private": true,
-  "description": "Test Node.js app for phantom proxy integration tests (no external dependencies)"
+  "description": "Test Node.js app for phantom proxy integration tests",
+  "dependencies": {
+    "axios": "^1.7.0",
+    "undici": "^7.0.0"
+  }
 }
diff --git a/tests/apps/node-app/proxy-preload.js b/tests/apps/node-app/proxy-preload.js
index 564b173..d87eb1a 100644
--- a/tests/apps/node-app/proxy-preload.js
+++ b/tests/apps/node-app/proxy-preload.js
@@ -70,9 +70,20 @@ http.request = function (...args) {
   const { options, callback } = normaliseArgs(args);
 
   const host = options.hostname || options.host || "localhost";
-  const port = options.port || 80;
+  const port = Number(options.port) || 80;
   const path = options.path || "/";
 
+  // If this request already has an absolute-URI path AND is connecting to our
+  // proxy, it was pre-formatted by a proxy-aware client (e.g. axios reading
+  // HTTP_PROXY automatically).  Pass it through unchanged to avoid double-wrapping.
+  if (
+    (path.startsWith("http://") || path.startsWith("https://")) &&
+    host === proxyHost &&
+    port === proxyPort
+  ) {
+    return origHttpRequest.call(http, options, callback);
+  }
+
   // Build the absolute URI the proxy expects.
   const absoluteUri = `http://${host}:${port}${path}`;
 
@@ -84,7 +95,7 @@ http.request = function (...args) {
     host: `${proxyHost}:${proxyPort}`,
     headers: {
       ...options.headers,
-      Host: port == 80 ? host : `${host}:${port}`,
+      Host: port === 80 ? host : `${host}:${port}`,
     },
   };
 
@@ -161,3 +172,130 @@ https.get = function (...args) {
   req.end();
   return req;
 };
+
+// ---------------------------------------------------------------------------
+// Undici / native fetch (Node.js 18+)
+// ---------------------------------------------------------------------------
+// undici implements its own HTTP stack and does NOT go through the patched
+// http/https modules above.  Redirect it through the proxy by installing a
+// global ProxyAgent dispatcher.  This also covers globalThis.fetch, which is
+// built on top of undici in Node.js 18+.
+
+(function patchUndici() {
+  let undici;
+  // Try the built-in first (Node 18.13+), then fall back to the npm package.
+  for (const mod of ["node:undici", "undici"]) {
+    try {
+      undici = require(mod);
+      break;
+    } catch (_) {}
+  }
+  if (!undici || !undici.ProxyAgent || !undici.setGlobalDispatcher) return;
+  try {
+    undici.setGlobalDispatcher(
+      new undici.ProxyAgent({
+        uri: PROXY_URL,
+        // phantom presents a MITM certificate — skip TLS verification.
+        connect: { rejectUnauthorized: false },
+      })
+    );
+  } catch (_) {
+    // Ignore: proxy agent creation can fail in some environments.
+  }
+})();
+
+// ---------------------------------------------------------------------------
+// Patch globalThis.fetch for HTTP
+// ---------------------------------------------------------------------------
+// undici's ProxyAgent (set above) sends a CONNECT tunnel for *all* requests
+// made via fetch(), including plain HTTP.  phantom handles CONNECT as an HTTPS
+// MITM tunnel — sending plain HTTP through it fails ("Connection reset by peer").
+//
+// Fix: wrap globalThis.fetch so that http:// requests are dispatched through
+// our already-patched http.request instead of through the ProxyAgent.
+// https:// requests are left unchanged (CONNECT → MITM works fine for TLS).
+
+if (typeof globalThis.fetch === "function") {
+  const _origFetch = globalThis.fetch;
+
+  globalThis.fetch = async function patchedFetch(input, init) {
+    // Determine the target URL string.
+    let urlStr;
+    try {
+      urlStr =
+        typeof input === "string"
+          ? input
+          : input instanceof URL
+            ? input.href
+            : input.url;
+    } catch (_) {
+      return _origFetch.apply(this, arguments);
+    }
+
+    // Only intercept plain HTTP; leave HTTPS to the ProxyAgent.
+    if (!urlStr.startsWith("http://")) {
+      return _origFetch.apply(this, arguments);
+    }
+
+    const url = new URL(urlStr);
+    const method = (
+      (init && init.method) ||
+      (input && input.method) ||
+      "GET"
+    ).toUpperCase();
+
+    // Normalise headers to a plain object.
+    const rawHeaders =
+      (init && init.headers) || (input && input.headers) || {};
+    const headers = {};
+    if (rawHeaders && typeof rawHeaders.entries === "function") {
+      for (const [k, v] of rawHeaders.entries()) headers[k] = v;
+    } else {
+      Object.assign(headers, rawHeaders);
+    }
+
+    // Serialise body to a Buffer if present.
+    let bodyData = null;
+    const rawBody = init && init.body;
+    if (rawBody != null) {
+      if (typeof rawBody === "string") bodyData = rawBody;
+      else if (Buffer.isBuffer(rawBody)) bodyData = rawBody;
+      else if (rawBody instanceof ArrayBuffer) bodyData = Buffer.from(rawBody);
+      else if (rawBody instanceof Uint8Array) bodyData = Buffer.from(rawBody);
+      // Streams, FormData, URLSearchParams, etc. fall through to origFetch.
+      else return _origFetch.apply(this, arguments);
+    }
+
+    // Dispatch through our patched http.request → goes via phantom proxy.
+    return new Promise((resolve, reject) => {
+      const opts = {
+        hostname: url.hostname,
+        port: url.port || 80,
+        path: url.pathname + (url.search || ""),
+        method,
+        headers,
+      };
+
+      const req = http.request(opts, (res) => {
+        const chunks = [];
+        res.on("data", (c) => chunks.push(c));
+        res.on("end", () => {
+          const body = Buffer.concat(chunks);
+          // Node 18+ exposes Headers and Response as globals.
+          resolve(
+            new Response(body, {
+              status: res.statusCode,
+              statusText: res.statusMessage || "",
+              headers: new Headers(res.headers),
+            })
+          );
+        });
+        res.on("error", reject);
+      });
+
+      req.on("error", reject);
+      if (bodyData != null) req.write(bodyData);
+      req.end();
+    });
+  };
+}
diff --git a/tests/proxy_node_integration.rs b/tests/proxy_node_integration.rs
index cee2dab..b0f5736 100644
--- a/tests/proxy_node_integration.rs
+++ b/tests/proxy_node_integration.rs
@@ -322,3 +322,210 @@ fn test_proxy_captures_node_app_traffic() {
 
     eprintln!("All 4 traces (2 HTTP + 2 HTTPS) verified.");
 }
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Helpers shared by both tests
+// ─────────────────────────────────────────────────────────────────────────────
+
+/// Return the value of the `x-phantom-client` request header from a JSONL trace.
+fn client_of(t: &serde_json::Value) -> &str {
+    t["request_headers"]["x-phantom-client"]
+        .as_str()
+        .unwrap_or("unknown")
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Test 2: alternative HTTP clients (axios / undici / fetch)
+// ─────────────────────────────────────────────────────────────────────────────
+
+#[test]
+fn test_proxy_captures_alternative_http_clients() {
+    // ── Pre-flight: require node and npm ─────────────────────────────────
+    if Command::new("node")
+        .arg("--version")
+        .stdout(Stdio::null())
+        .stderr(Stdio::null())
+        .status()
+        .is_err()
+    {
+        eprintln!("SKIP: `node` not found");
+        return;
+    }
+    if Command::new("npm")
+        .arg("--version")
+        .stdout(Stdio::null())
+        .stderr(Stdio::null())
+        .status()
+        .is_err()
+    {
+        eprintln!("SKIP: `npm` not found");
+        return;
+    }
+
+    let phantom_bin = env!("CARGO_BIN_EXE_phantom");
+    let app_dir = Path::new(env!("CARGO_MANIFEST_DIR")).join("tests/apps/node-app");
+    let tmp_dir = tempfile::tempdir().expect("tempdir");
+
+    // ── Install npm dependencies (axios) ─────────────────────────────────
+    let npm_status = Command::new("npm")
+        .args(["install", "--prefix"])
+        .arg(&app_dir)
+        .status()
+        .expect("npm install");
+    assert!(npm_status.success(), "npm install failed");
+
+    let http_port = available_port();
+    let https_port = available_port();
+    let proxy_port = available_port();
+
+    // ── Generate self-signed cert ─────────────────────────────────────────
+    let certified =
+        rcgen::generate_simple_self_signed(vec!["localhost".to_string()]).expect("generate cert");
+    let cert_der = certified.cert.der().to_vec();
+    let key_der = certified.key_pair.serialize_der();
+
+    // ── Start Rust mock backends ──────────────────────────────────────────
+    let _http_thread = start_http_backend(http_port);
+    assert!(
+        wait_for_port(http_port, Duration::from_secs(3)),
+        "HTTP backend"
+    );
+
+    let _https_thread = start_https_backend(https_port, cert_der, key_der);
+    assert!(
+        wait_for_port(https_port, Duration::from_secs(3)),
+        "HTTPS backend"
+    );
+
+    // ── Run phantom with `-- node client-alts.js` ─────────────────────────
+    // phantom injects proxy-preload.js (embedded) which patches http, https,
+    // AND undici/fetch via setGlobalDispatcher.
+    let phantom_output = Command::new(phantom_bin)
+        .args([
+            "--backend",
+            "proxy",
+            "--output",
+            "jsonl",
+            "--port",
+            &proxy_port.to_string(),
+            "--insecure",
+            "--data-dir",
+        ])
+        .arg(tmp_dir.path())
+        .arg("--")
+        .arg("node")
+        .arg(app_dir.join("client-alts.js"))
+        .env("BACKEND_HTTP_URL", format!("http://127.0.0.1:{http_port}"))
+        .env(
+            "BACKEND_HTTPS_URL",
+            format!("https://localhost:{https_port}"),
+        )
+        .env("NODE_TLS_REJECT_UNAUTHORIZED", "0")
+        // Point node_modules resolution to the app directory.
+        .env("NODE_PATH", app_dir.join("node_modules"))
+        .output()
+        .expect("run phantom");
+
+    let stdout_buf = String::from_utf8_lossy(&phantom_output.stdout).into_owned();
+    let stderr_buf = String::from_utf8_lossy(&phantom_output.stderr).into_owned();
+
+    assert!(
+        phantom_output.status.success(),
+        "phantom exited non-zero.\n  stdout:\n{stdout_buf}\n  stderr:\n{stderr_buf}"
+    );
+
+    // ── Parse JSONL traces ────────────────────────────────────────────────
+    let traces: Vec<serde_json::Value> = stdout_buf
+        .lines()
+        .filter(|l| l.starts_with('{'))
+        .filter_map(|l| serde_json::from_str(l).ok())
+        .collect();
+
+    assert_eq!(
+        traces.len(),
+        6,
+        "Expected 6 traces (2 per client × 3 clients: axios/undici/fetch), got {}.\
+         \n  stdout:\n{stdout_buf}\n  stderr:\n{stderr_buf}",
+        traces.len(),
+    );
+
+    // ── axios: HTTP + HTTPS GET /api/health (200) ────────────────────────
+    for scheme in ["http", "https"] {
+        let t = traces
+            .iter()
+            .find(|t| {
+                client_of(t) == "axios"
+                    && t["url"]
+                        .as_str()
+                        .is_some_and(|u| u.starts_with(&format!("{scheme}://")))
+            })
+            .unwrap_or_else(|| panic!("missing axios {scheme}:// trace\n  stdout:\n{stdout_buf}"));
+        assert_eq!(t["method"], "GET", "axios {scheme} method");
+        assert_eq!(t["status_code"], 200, "axios {scheme} status");
+        assert!(
+            t["url"].as_str().is_some_and(|u| u.contains("/api/health")),
+            "axios {scheme} url"
+        );
+    }
+
+    // ── undici: HTTP + HTTPS GET /api/users (200) ────────────────────────
+    for scheme in ["http", "https"] {
+        let t = traces
+            .iter()
+            .find(|t| {
+                client_of(t) == "undici"
+                    && t["url"]
+                        .as_str()
+                        .is_some_and(|u| u.starts_with(&format!("{scheme}://")))
+            })
+            .unwrap_or_else(|| panic!("missing undici {scheme}:// trace\n  stdout:\n{stdout_buf}"));
+        assert_eq!(t["method"], "GET", "undici {scheme} method");
+        assert_eq!(t["status_code"], 200, "undici {scheme} status");
+        assert!(
+            t["url"].as_str().is_some_and(|u| u.contains("/api/users")),
+            "undici {scheme} url"
+        );
+    }
+
+    // ── fetch: HTTP + HTTPS POST /api/users (201) ────────────────────────
+    for scheme in ["http", "https"] {
+        let t = traces
+            .iter()
+            .find(|t| {
+                client_of(t) == "fetch"
+                    && t["url"]
+                        .as_str()
+                        .is_some_and(|u| u.starts_with(&format!("{scheme}://")))
+            })
+            .unwrap_or_else(|| panic!("missing fetch {scheme}:// trace\n  stdout:\n{stdout_buf}"));
+        assert_eq!(t["method"], "POST", "fetch {scheme} method");
+        assert_eq!(t["status_code"], 201, "fetch {scheme} status");
+        assert!(
+            t["request_body"]
+                .as_str()
+                .is_some_and(|b| b.contains("Dave")),
+            "fetch {scheme} request body"
+        );
+    }
+
+    // ── Cross-cutting checks ──────────────────────────────────────────────
+    for (i, t) in traces.iter().enumerate() {
+        assert!(
+            t["trace_id"].as_str().is_some_and(|s| !s.is_empty()),
+            "trace[{i}] trace_id"
+        );
+        assert!(
+            t["span_id"].as_str().is_some_and(|s| !s.is_empty()),
+            "trace[{i}] span_id"
+        );
+        assert!(
+            t["timestamp_ms"].as_u64().is_some_and(|v| v > 0),
+            "trace[{i}] timestamp_ms"
+        );
+    }
+
+    eprintln!(
+        "All 6 traces (axios ×2, undici ×2, fetch ×2) verified. clients: {:?}",
+        traces.iter().map(client_of).collect::<Vec<_>>()
+    );
+}

From 3fd7acd4191041f778f8dd5f51cf0ca37734bf42 Mon Sep 17 00:00:00 2001
From: epli2 <motoryo1@gmail.com>
Date: Fri, 6 Mar 2026 00:53:50 +0900
Subject: [PATCH 5/8] chore: update .gitignore to include node_modules and IDE
 config files

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index ea8c4bf..bb3b816 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
 /target
+**/node_modules/**
+.idea/
+

From 977963ef5a15d70994ada0868463b9378390bcca Mon Sep 17 00:00:00 2001
From: epli2 <motoryo1@gmail.com>
Date: Fri, 6 Mar 2026 01:05:03 +0900
Subject: [PATCH 6/8] docs: update GEMINI.md with latest features and roadmap

---
 GEMINI.md | 83 ++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 51 insertions(+), 32 deletions(-)

diff --git a/GEMINI.md b/GEMINI.md
index e7ef396..5d9a706 100644
--- a/GEMINI.md
+++ b/GEMINI.md
@@ -6,65 +6,84 @@ Phantom is a next-generation API observability and automatic workflow generation
 
 ### Building and Running
 - **Build the project:** `cargo build`
-- **Run with Proxy (default):** `cargo run` (Proxy on port 8080)
+- **Run with Proxy (default):** `phantom -- <COMMAND>` (e.g., `phantom -- node app.js`)
 - **Run with LD_PRELOAD (Linux only):**
   `cargo run -- --backend ldpreload --agent-lib ./target/debug/libphantom_agent.so -- curl http://example.com`
-- **Run in JSONL mode:** `cargo run -- --output jsonl`
+- **Run in JSONL mode:** `phantom --output jsonl -- <COMMAND>`
 - **Run tests:** `cargo test`
 
-### CLI Options
-- `-b, --backend <BACKEND>`: Capture backend to use (`proxy` or `ldpreload`).
-- `-o, --output <MODE>`: Output mode (`tui` or `jsonl`).
-- `-p, --port <PORT>`: Port for the proxy backend (default: 8080).
-- `-d, --data-dir <DIR>`: Directory for trace storage (default: `~/.local/share/phantom/data`).
+### Common Examples
+- **Trace a Node.js app (HTTP + HTTPS captured automatically):**
+  `phantom -- node app.js`
+- **Stream traces to jq for filtering:**
+  `phantom --output jsonl -- node app.js | jq 'select(.status_code >= 400)'`
+- **Capture plain HTTP for any command:**
+  `phantom -- curl http://api.example.com/v1/users`
+
+## 🛠 CLI Options
+- `-b, --backend <BACKEND>`: Capture backend to use (`proxy` or `ldpreload`). Default: `proxy`.
+- `-o, --output <MODE>`: Output mode (`tui` or `jsonl`). Default: `tui`.
+- `-p, --port <PORT>`: Port for the proxy backend. Default: `8080`.
+- `--insecure`: Disable TLS certificate verification for backend connections.
+- `-d, --data-dir <DIR>`: Directory for trace storage. Default: `~/.local/share/phantom/data`.
 - `--agent-lib <PATH>`: Path to `libphantom_agent.so` (required for `ldpreload`).
-- `-- <COMMAND>`: The command to run with `LD_PRELOAD` injected.
+- `-- <COMMAND>`: The command to run with interception injected.
+
+### JSONL Output Schema
+When using `--output jsonl`, each line is a JSON object with:
+- `trace_id`: W3C-compatible 128-bit trace ID (hex).
+- `span_id`: 64-bit span ID (hex).
+- `timestamp_ms`: Unix epoch milliseconds.
+- `duration_ms`: Round-trip latency in ms.
+- `method`: HTTP verb (GET, POST, etc.).
+- `url`: Full request URL.
+- `status_code`: HTTP response status.
+- `protocol_version`: e.g., "HTTP/1.1".
+- `request_headers` / `response_headers`: Header maps.
+- `request_body` / `response_body`: UTF-8 decoded bodies (optional).
 
 ## 🏗 Architecture & Tech Stack
 
-The project is organized as a Rust workspace with the following crates:
+The project is organized as a Rust workspace:
 
-- **`phantom-core`**: Defines core traits (`TraceStore`, `CaptureBackend`), data structures (`HttpTrace`), and error types.
-- **`phantom-storage`**: Implements `TraceStore` using **Fjall**, a high-performance LSM-tree storage engine.
+- **`phantom-core`**: Defines core traits (`TraceStore`, `CaptureBackend`) and `HttpTrace`.
+- **`phantom-storage`**: Implements `TraceStore` using **Fjall** (LSM-tree).
 - **`phantom-capture`**: Implements `CaptureBackend`.
     - **ProxyBackend**: MITM HTTPS interception using `hudsucker`.
-    - **LdPreloadBackend**: Receives traces from the `phantom-agent` via Unix Domain Sockets.
-- **`phantom-agent`**: A Linux-only `LD_PRELOAD` shared library that hooks `libc` functions (`send`, `recv`, `close`) to capture plain-text HTTP traffic.
-- **`phantom-tui`**: Terminal user interface using **Ratatui**.
+    - **Node.js Integration**: Automatically injects `proxy-preload.js` via `--require` to capture HTTPS without code changes.
+    - **LdPreloadBackend**: Receives traces from `phantom-agent` via Unix Domain Sockets.
+- **`phantom-agent`**: Linux-only `LD_PRELOAD` library hooking `libc` `send`/`recv`.
+- **`phantom-tui`**: Interactive UI using **Ratatui**.
 
 ### Key Technologies
 - **Async Runtime:** `tokio`
-- **Storage Engine:** `fjall`
-- **TUI Framework:** `ratatui`
+- **Storage:** `fjall` (LSM-tree with key-value separation).
+- **TUI:** `ratatui`
 - **Proxy/MITM:** `hudsucker`
-- **LD_PRELOAD Hooking:** `redhook`
 - **Serialization:** `serde`, `serde_json`
-- **Trace Context:** W3C Trace Context compatible (128-bit Trace ID, 64-bit Span ID).
 
 ## 🛠 Development Conventions
 
 ### Coding Style
-- Follow standard Rust idioms and `clippy` suggestions.
-- Use `anyhow` for application-level error handling and `thiserror` for library-level errors.
-- Prefer `Arc<dyn Trait>` for sharing state between components.
+- Use `anyhow` for applications, `thiserror` for libraries.
+- Prefer `Arc<dyn Trait>` for component sharing.
+- Follow standard Rust idioms and `clippy`.
 
 ### Testing
-- `phantom-storage` uses `tempfile` for testing LSM-tree operations.
-- Ensure all tests pass before submitting changes: `cargo test`.
+- `phantom-storage` uses `tempfile` for disk-based tests.
+- **Integration Tests:** `tests/proxy_node_integration.rs` verifies the Node.js proxy injection.
+- Run all tests: `cargo test`.
 
 ### Project Roadmap (from `plan.md`)
-- **Userspace eBPF:** Integration with `bpftime` for zero-instrumentation capture without kernel overhead.
-- **Workflow Inference:** Automatic generation of **Arazzo Specification** and **OpenAPI Spec** using **LLM** (`candle`) and semantic analysis.
-- **GUI:** Potential future integration with `Tauri`.
+- **Userspace eBPF:** Integration with `bpftime` for zero-instrumentation capture (10x faster than uprobes).
+- **Workflow Inference:** Automatic generation of **Arazzo Specification** using **LLM** (`candle`) and semantic value correlation.
+- **GUI:** Cross-platform desktop interface using **Tauri**.
 
 ## 📂 Key Files
-- `src/main.rs`: Entry point, CLI parsing, and component wiring.
+- `src/main.rs`: CLI entry point and process spawning logic.
 - `crates/phantom-core/src/trace.rs`: `HttpTrace` definition.
-- `crates/phantom-core/src/capture.rs`: `CaptureBackend` trait.
-- `crates/phantom-core/src/storage.rs`: `TraceStore` trait.
 - `crates/phantom-storage/src/fjall_store.rs`: Primary storage implementation.
 - `crates/phantom-capture/src/proxy.rs`: Proxy-based interception logic.
-- `crates/phantom-capture/src/ldpreload.rs`: `LD_PRELOAD` backend listener.
 - `crates/phantom-agent/src/lib.rs`: The `LD_PRELOAD` injection agent.
-- `crates/phantom-tui/src/lib.rs`: TUI entry point.
-- `plan.md`: Comprehensive technical design and research document.
+- `tests/proxy_node_integration.rs`: Node.js integration test suite.
+- `plan.md`: Comprehensive technical design (Japanese).

From 3b3d2a423a4abecab1040e15b018208ba44e67c5 Mon Sep 17 00:00:00 2001
From: epli2 <motoryo1@gmail.com>
Date: Fri, 6 Mar 2026 01:09:41 +0900
Subject: [PATCH 7/8] docs: update AGENTS.md with proxy-preload injection,
 JSONL schema, and new tests

- Document Node.js transparent proxy injection (proxy-preload.js auto-inject)
- Add HTTP client support matrix (axios/undici/fetch HTTP+HTTPS)
- Explain double-proxy guard and fetch CONNECT workaround
- Add JSONL output schema section
- Add --insecure and --output flags to CLI options table
- Update project layout and key files to include test infrastructure
- Document proxy_node_integration.rs tests and how to run them
- Update data flow section with Node.js auto-injection path

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 AGENTS.md | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 101 insertions(+), 7 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index 1d6c32d..add87eb 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,19 +1,23 @@
 # Phantom — Agent Instructions
 
-Phantom is a Rust-based API observability tool that captures HTTP/HTTPS traffic via a MITM proxy (or LD_PRELOAD agent on Linux) and presents it in a terminal UI. It is organized as a Cargo workspace of five library crates plus one binary.
+Phantom is a Rust-based API observability tool that captures HTTP/HTTPS traffic via a MITM proxy (or LD_PRELOAD agent on Linux) and presents it in a terminal UI or streams it as JSON Lines. It is organized as a Cargo workspace of five library crates plus one binary.
 
 ---
 
 ## Project Layout
 
 ```
-src/main.rs                  # Binary entry point: CLI parsing, component wiring
+src/main.rs                  # Binary entry point: CLI parsing, component wiring, child-process spawning
 crates/
   phantom-core/              # Domain types, traits, error types — no I/O
   phantom-storage/           # Fjall LSM-tree TraceStore implementation
   phantom-capture/           # Hudsucker MITM proxy + LD_PRELOAD (Linux) CaptureBackend
   phantom-tui/               # Ratatui terminal UI
   phantom-agent/             # LD_PRELOAD dylib (Linux only, hooks libc send/recv)
+tests/
+  proxy_node_integration.rs  # Integration tests: Node.js proxy capture (HTTP + HTTPS)
+  apps/node-app/             # Test Node.js app (client.js, client-alts.js, proxy-preload.js)
+  integration/               # Shell-based integration tests
 Cargo.toml                   # Workspace root + binary crate
 plan.md                      # Japanese-language technical design document
 ```
@@ -38,6 +42,8 @@ cargo build --workspace --all-targets --all-features  # Full build (matches CI)
 cargo build --release                # Release build
 cargo run                            # Run proxy on default port 8080
 cargo run -- --port 9090             # Run with custom port
+cargo run -- -- node app.js          # Trace a Node.js app (proxy-preload.js auto-injected)
+cargo run -- --output jsonl -- node app.js  # Stream JSONL and exit when child exits
 cargo run -- --backend ldpreload --agent-lib ./target/debug/libphantom_agent.so -- curl http://example.com
 cargo check                          # Fast type/borrow check (no codegen)
 cargo clippy --workspace --all-targets --all-features -- -D warnings  # Lint (CI-exact)
@@ -60,12 +66,64 @@ make check    # fmt + clippy + build + test (full CI locally)
 
 | Flag | Default | Description |
 |---|---|---|
-| `-b, --backend <BACKEND>` | `proxy` | `proxy` or `ldpreload` (Linux only) |
-| `-o, --output <OUTPUT>` | `tui` | `tui` (interactive) or `jsonl` (stdout stream) |
+| `-b, --backend <BACKEND>` | `proxy` | `proxy` (MITM, cross-platform) or `ldpreload` (Linux only) |
+| `-o, --output <OUTPUT>` | `tui` | `tui` (interactive) or `jsonl` (stdout stream, auto-exits with child) |
 | `-p, --port <PORT>` | `8080` | Proxy capture port |
+| `--insecure` | off | Disable TLS verification for backend servers (self-signed certs) |
 | `-d, --data-dir <DIR>` | `~/.local/share/phantom/data` | Storage directory |
 | `--agent-lib <PATH>` | — | Path to `libphantom_agent.so` (ldpreload backend) |
-| `-- <CMD>` | — | Command to run with LD_PRELOAD injected |
+| `-- <CMD>` | — | Command to spawn and trace automatically |
+
+---
+
+## Node.js Transparent Proxy Injection
+
+When the command after `--` is `node` or `nodejs`, phantom automatically:
+
+1. Writes `proxy-preload.js` (embedded via `include_str!`) to a temp file.
+2. Prepends `--require <tempfile>` to the Node arguments.
+3. Sets `HTTP_PROXY` / `http_proxy` to `http://127.0.0.1:<PORT>`.
+4. Deletes the temp file after the child exits (`TempScript` RAII guard).
+
+`proxy-preload.js` monkey-patches Node's `http`, `https`, and `undici` modules so that **all** outbound requests (including HTTPS) go through the phantom MITM proxy with zero application changes.
+
+### HTTP client support in proxy-preload.js
+
+| Client | Mechanism | HTTP | HTTPS |
+|--------|-----------|------|-------|
+| `http.request` / `http.get` | Rewritten to absolute URI targeting proxy | ✅ | — |
+| `https.request` / `https.get` | Custom `ProxyTunnelAgent` (CONNECT + TLS MITM) | — | ✅ |
+| `axios` (npm) | Uses `http`/`https` internally → patched automatically | ✅ | ✅ |
+| `undici.request()` | `setGlobalDispatcher(new ProxyAgent(...))` | ✅ | ✅ |
+| `globalThis.fetch` HTTP | Patched to route `http://` via `http.request` (bypasses CONNECT) | ✅ | — |
+| `globalThis.fetch` HTTPS | Handled by undici ProxyAgent (CONNECT → MITM) | — | ✅ |
+
+**Double-proxy guard**: axios auto-reads `HTTP_PROXY` and formats an absolute-URI request. The `http.request` patch detects this (absolute URI path + target == proxy host:port) and skips re-wrapping.
+
+**fetch HTTP CONNECT issue**: undici's `ProxyAgent` uses `CONNECT` for all `fetch()` requests. Phantom handles `CONNECT` as HTTPS MITM, which breaks plain HTTP. Fix: `proxy-preload.js` patches `globalThis.fetch` to intercept `http://` URLs and route them through `http.request` directly.
+
+---
+
+## JSONL Output Schema
+
+When `--output jsonl` is used, one JSON object is written per line to stdout. All fields are always present unless marked optional.
+
+| Field | Type | Description |
+|---|---|---|
+| `trace_id` | string | W3C-compatible 128-bit trace ID (hex, 32 chars) |
+| `span_id` | string | 64-bit span ID (hex, 16 chars) |
+| `timestamp_ms` | number | Unix epoch milliseconds — request start time |
+| `duration_ms` | number | Round-trip latency in milliseconds |
+| `method` | string | HTTP verb: `"GET"`, `"POST"`, `"PUT"`, `"DELETE"`, … |
+| `url` | string | Full request URL (scheme + host + path + query) |
+| `status_code` | number | HTTP response status code |
+| `protocol_version` | string | HTTP version string, e.g. `"HTTP/1.1"` |
+| `request_headers` | object | Lower-cased header names → values |
+| `response_headers` | object | Lower-cased header names → values |
+| `request_body` | string? | UTF-8 decoded body; omitted when empty |
+| `response_body` | string? | UTF-8 decoded body; omitted when empty |
+| `source_addr` | string? | Client socket address, e.g. `"127.0.0.1:54321"` |
+| `dest_addr` | string? | Server socket address, e.g. `"93.184.216.34:443"` |
 
 ---
 
@@ -87,7 +145,32 @@ cargo test -p phantom-core
 cargo test -p phantom-tui
 ```
 
-### Run a Single Test Function
+### Run a Specific Integration Test
+
+```sh
+# Node.js proxy integration tests (requires node + npm in PATH)
+cargo test --test proxy_node_integration -- --nocapture
+
+# Single test function:
+cargo test --test proxy_node_integration test_proxy_captures_node_app_traffic -- --nocapture
+cargo test --test proxy_node_integration test_proxy_captures_alternative_http_clients -- --nocapture
+```
+
+### Node.js Integration Tests (`tests/proxy_node_integration.rs`)
+
+| Test | Description |
+|------|-------------|
+| `test_proxy_captures_node_app_traffic` | HTTP + HTTPS GET/POST via `http`/`https` modules (4 traces) |
+| `test_proxy_captures_alternative_http_clients` | axios, undici, fetch — HTTP + HTTPS × 3 clients (6 traces) |
+
+Both tests:
+- Auto-skip if `node` or `npm` is not in `PATH`.
+- Start in-process Rust mock backends (HTTP + HTTPS with self-signed cert).
+- Run `phantom --output jsonl --insecure -- node <script>.js`.
+- Parse JSONL output and assert method, path, status code per trace.
+- Identify traces by `x-phantom-client` custom header in `request_headers`.
+
+### Run a Single Unit Test Function
 
 ```sh
 # By substring match (simplest):
@@ -223,7 +306,12 @@ pub enum StorageError {
 
 | File | Purpose |
 |---|---|
-| `src/main.rs` | CLI parsing (`clap` derive), backend/output mode selection, component wiring |
+| `src/main.rs` | CLI parsing (`clap` derive), backend/output mode selection, child-process spawning, JSONL output loop |
+| `tests/proxy_node_integration.rs` | Integration tests: Node.js proxy capture, alternative HTTP client tracing |
+| `tests/apps/node-app/proxy-preload.js` | Node.js `--require` preload: patches `http`, `https`, `undici`, `fetch` to go through proxy |
+| `tests/apps/node-app/client.js` | Test client: `http`/`https` module usage (basic integration test) |
+| `tests/apps/node-app/client-alts.js` | Test client: `axios`, `undici`, `globalThis.fetch` (alternative HTTP clients test) |
+| `tests/apps/node-app/package.json` | Node app deps: `axios ^1.7`, `undici ^7` |
 | `crates/phantom-core/src/trace.rs` | `HttpTrace`, `TraceId`, `SpanId`, `HttpMethod` |
 | `crates/phantom-core/src/storage.rs` | `TraceStore` trait |
 | `crates/phantom-core/src/capture.rs` | `CaptureBackend` trait |
@@ -251,6 +339,12 @@ HTTP traffic
   → app.rs App::add_trace()                   # prepends to traces Vec, bumps count
   → ui.rs render()                            # pure read of App state, no mutation
 
+Node.js auto-injection (proxy mode, -- node app.js):
+  → main.rs spawn_proxy_child()               # writes proxy-preload.js to /tmp, prepends --require
+  → proxy-preload.js loaded by Node at startup
+  → patches http.request, https.request, undici dispatcher, globalThis.fetch
+  → all outbound Node requests → phantom MITM proxy
+
 LD_PRELOAD flow (Linux only):
   → phantom-agent dylib hooks send()/recv()   # intercepts plain-text HTTP/1.x
   → sends JSON datagrams over UnixDatagram    # PHANTOM_SOCKET env var

From 368631f91aec4d6e33bcce490887fd8f4a9cdb6d Mon Sep 17 00:00:00 2001
From: epli2 <motoryo1@gmail.com>
Date: Fri, 6 Mar 2026 01:10:27 +0900
Subject: [PATCH 8/8] docs: update Japanese usage guide with latest features
 and roadmap

---
 docs/how-to-use.ja.md | 282 +++++++++++-------------------------------
 1 file changed, 69 insertions(+), 213 deletions(-)

diff --git a/docs/how-to-use.ja.md b/docs/how-to-use.ja.md
index 5b5d888..f2d66c9 100644
--- a/docs/how-to-use.ja.md
+++ b/docs/how-to-use.ja.md
@@ -1,6 +1,6 @@
 # Phantom — 使い方ガイド
 
-Phantom は **ゼロ計装の HTTP 観測ツール**です。アプリケーションのコードを変更せずに HTTP トラフィックをキャプチャし、インタラクティブな TUI またはスクリプト向けの JSON Lines ストリームで表示します。
+Phantom は **ゼロ計装の HTTP/HTTPS 観測ツール**です。アプリケーションのコードを変更せずにトラフィックをキャプチャし、インタラクティブな TUI またはスクリプト向けの JSON Lines ストリームで表示・保存します。
 
 ---
 
@@ -10,7 +10,7 @@ Phantom は **ゼロ計装の HTTP 観測ツール**です。アプリケーシ
 2. [ビルド](#ビルド)
 3. [クイックスタート](#クイックスタート)
 4. [キャプチャモード](#キャプチャモード)
-   - [プロキシモード](#プロキシモード)
+   - [プロキシモード（推奨）](#プロキシモード推奨)
    - [LD_PRELOAD モード（Linux 限定）](#ld_preload-モードlinux-限定)
 5. [出力モード](#出力モード)
    - [TUI モード（デフォルト）](#tui-モードデフォルト)
@@ -19,6 +19,7 @@ Phantom は **ゼロ計装の HTTP 観測ツール**です。アプリケーシ
 7. [CLI リファレンス](#cli-リファレンス)
 8. [Docker を使ったテスト](#docker-を使ったテスト)
 9. [データ保存先](#データ保存先)
+10. [ロードマップ](#ロードマップ)
 
 ---
 
@@ -26,11 +27,11 @@ Phantom は **ゼロ計装の HTTP 観測ツール**です。アプリケーシ
 
 | 機能 | 詳細 |
 |------|------|
-| キャプチャ方式 | MITM プロキシ または LD_PRELOAD |
+| キャプチャ方式 | MITM プロキシ（透過的インジェクション対応） または LD_PRELOAD |
 | 対応プロトコル | HTTP / HTTPS（プロキシ）、HTTP のみ（LD_PRELOAD） |
 | 対応 OS | プロキシ: macOS / Linux / Windows、LD_PRELOAD: Linux のみ |
 | 表示形式 | インタラクティブ TUI または JSON Lines (stdout) |
-| データ永続化 | Fjall KV ストア（直近 1000 件を TUI に表示） |
+| データ永続化 | Fjall KV ストア（LSMツリーによる高速保存） |
 
 ---
 
@@ -43,77 +44,66 @@ Phantom は **ゼロ計装の HTTP 観測ツール**です。アプリケーシ
 git clone <repo-url>
 cd phantom
 
-# リリースビルド
+# ビルド
 cargo build --release
 
-# バイナリは target/release/phantom に生成されます
+# バイナリは target/release/phantom に生成されます。
+# パスを通すか、以下の例では `phantom` コマンドとして説明します。
 ```
 
-開発中は `cargo run --` でそのまま実行できます（以下の例では `cargo run --` を使用します）。
-
 ---
 
 ## クイックスタート
 
-**macOS / Linux で 30 秒体験:**
+**30 秒で体験:**
+
+### 1. Node.js アプリをトレース (HTTP/HTTPS 両対応)
+Node.js の場合、Phantom は自動的に `proxy-preload.js` を注入するため、アプリ側でプロキシ設定を意識する必要はありません。
 
 ```bash
-# ターミナル 1: Phantom をプロキシモードで起動
-cargo run
+phantom -- node app.js
+```
 
-# ターミナル 2: プロキシ経由でリクエストを送信
-curl -x http://127.0.0.1:8080 http://httpbin.org/get
+### 2. 一般的なコマンドをトレース (HTTP のみ)
+```bash
+phantom -- curl http://httpbin.org/get
 ```
 
-TUI にリクエストが表示されます。`q` または `Ctrl+C` で終了。
+### 3. JSONL モードでストリーム処理
+```bash
+phantom --output jsonl -- node app.js | jq 'select(.status_code >= 400)'
+```
 
 ---
 
 ## キャプチャモード
 
-### プロキシモード
-
-アプリケーションが **プロキシ設定をサポートしている**場合に使います。HTTPS もキャプチャ可能です。
-
-```bash
-# デフォルトポート 8080 で起動
-cargo run -- --backend proxy
+### プロキシモード（推奨）
 
-# ポートを変更する場合
-cargo run -- --backend proxy --port 9090
-```
+MITM（中間者）プロキシとして動作します。クロスプラットフォーム対応で、HTTPS もキャプチャ可能です。
 
-プロキシ経由でリクエストを送る例:
+#### Node.js の自動連携
+`phantom -- node app.js` のように実行すると、Phantom は `--require` 引数を用いて透過的にプロキシ設定を注入します。これにより、**axios, undici, fetch() などを用いた HTTPS 通信もコード変更なしでキャプチャ可能**です。
 
+#### その他のアプリケーション
+環境変数 `HTTP_PROXY` を自動設定します。
 ```bash
-# curl の場合
-curl -x http://127.0.0.1:8080 https://api.example.com/users
-
-# 環境変数でプロキシを設定する場合（多くのツールが対応）
-export http_proxy=http://127.0.0.1:8080
-export https_proxy=http://127.0.0.1:8080
-curl https://api.example.com/users
+# 明示的にポートを指定して起動
+phantom --port 9090 -- curl http://example.com
 ```
 
 ### LD_PRELOAD モード（Linux 限定）
 
-**Linux のみ**対応。アプリケーションの `send` / `recv` / `close` システムコールをフックしてキャプチャします。プロキシ設定が不要ですが、**平文 HTTP のみ**対応（HTTPS はソケット層で暗号化されているためキャプチャ不可）。
+アプリケーションのシステムコールを直接フックします。プロキシ設定を無視するツールや、コンテナ内での利用に適していますが、**平文 HTTP のみ**対応です。
 
 ```bash
-# Step 1: エージェント dylib をビルド
+# エージェントをビルド
 cargo build -p phantom-agent
 
-# Step 2: LD_PRELOAD モードで対象コマンドを実行
-cargo run -- \
-  --backend ldpreload \
-  --agent-lib ./target/debug/libphantom_agent.so \
-  -- curl http://httpbin.org/get
-
-# リリースビルドのエージェントを使う場合
-cargo run --release -- \
-  --backend ldpreload \
-  --agent-lib ./target/release/libphantom_agent.so \
-  -- your-app --arg1 --arg2
+# トレース実行
+phantom --backend ldpreload \
+        --agent-lib ./target/debug/libphantom_agent.so \
+        -- curl http://example.com
 ```
 
 ---
@@ -122,206 +112,72 @@ cargo run --release -- \
 
 ### TUI モード（デフォルト）
 
-インタラクティブな 2 ペインビューアーが起動します。
-
-```bash
-cargo run -- --output tui   # 明示指定（省略可）
-cargo run                   # デフォルトでも TUI が起動
-```
-
-**レイアウト:**
-
-```
-┌─────────────────────────────────────────────────────────────────┐
-│ 時刻        メソッド  URL                     ステータス  所要時間 │
-│ 12:34:56    GET      http://api.example.com/…  200        42ms   │
-│ 12:34:57    POST     http://api.example.com/…  201        93ms   │
-├──────────────────────────┬──────────────────────────────────────┤
-│  トレースリスト (45%)     │  詳細ビュー (55%)                    │
-│                           │                                      │
-│  選択中のトレース詳細      │  リクエストヘッダー、ボディ           │
-│                           │  レスポンスヘッダー、ボディ           │
-└──────────────────────────┴──────────────────────────────────────┘
-```
+インタラクティブな 2 ペインビューアーです。`Tab` キーでリストと詳細表示を切り替えます。
 
 ### JSONL モード
 
-1 トレース = 1 行の JSON を stdout に出力します。スクリプトや AI ワークフローとの連携に最適です。
-
-```bash
-cargo run -- --output jsonl
-
-# jq で絞り込む例
-cargo run -- --output jsonl | jq '{method, status_code, url, duration_ms}'
-
-# LD_PRELOAD と組み合わせる場合
-cargo run -- --backend ldpreload \
-  --agent-lib ./target/debug/libphantom_agent.so \
-  --output jsonl \
-  -- curl http://httpbin.org/post -d '{"key":"value"}'
-```
+1 トレースを 1 行の JSON として出力します。
 
-**出力フィールド:**
-
-| フィールド | 型 | 説明 |
-|-----------|-----|------|
-| `timestamp_ms` | number | リクエスト開始時刻（Unix ミリ秒） |
-| `duration_ms` | number | 往復所要時間（ミリ秒） |
-| `method` | string | HTTP メソッド（GET, POST, …） |
-| `url` | string | 完全な URL |
-| `status_code` | number | HTTP ステータスコード |
-| `protocol_version` | string | HTTP/1.1 など |
-| `request_headers` | object | リクエストヘッダー（小文字キー） |
-| `response_headers` | object | レスポンスヘッダー（小文字キー） |
-| `request_body` | string | リクエストボディ（UTF-8） |
-| `response_body` | string | レスポンスボディ（UTF-8） |
-| `source_addr` | string? | 送信元アドレス |
-| `dest_addr` | string? | 宛先アドレス |
-| `trace_id` | string | W3C Trace ID |
-| `span_id` | string | W3C Span ID |
+**スキーマ要約:**
+- `trace_id` / `span_id`: W3C 互換 ID
+- `timestamp_ms`: 開始時刻 (Unix Epoch)
+- `duration_ms`: レイテンシ
+- `method` / `url` / `status_code`: 基本情報
+- `request_headers` / `response_headers`: ヘッダーマップ
+- `request_body` / `response_body`: UTF-8 デコード済みボディ (optional)
 
 ---
 
 ## TUI 操作キー
 
-### ナビゲーション
-
-| キー | 動作 |
-|------|------|
-| `j` / ↓ | 下に移動 |
-| `k` / ↑ | 上に移動 |
-| `g` / Home | 先頭に移動 |
-| `G` / End | 末尾に移動 |
-| Tab | トレースリスト ↔ 詳細ペインを切り替え |
-
-### フィルタ
-
-| キー | 動作 |
-|------|------|
-| `/` | フィルタ入力モードを開始（URL を部分一致で絞り込み、大文字小文字を無視） |
-| Backspace | フィルタ文字を 1 文字削除 |
-| Enter | フィルタを確定してリストに戻る |
-| Esc | フィルタをクリアして解除 |
-
-### その他
-
 | キー | 動作 |
 |------|------|
-| `q` | 終了 |
-| Ctrl+C | 終了 |
+| `j` / `k` | 上下移動 |
+| `Tab` | トレースリスト ↔ 詳細ペイン切り替え |
+| `/` | フィルタモード（URL 部分一致） |
+| `Esc` | フィルタ解除 / 戻る |
+| `q` / `Ctrl+C` | 終了 |
 
 ---
 
 ## CLI リファレンス
 
-```
-USAGE:
-    phantom [OPTIONS] [-- CMD...]
-
+```text
 OPTIONS:
-    -b, --backend <BACKEND>     キャプチャバックエンド
-                                  proxy     MITM プロキシ（デフォルト）
-                                  ldpreload LD_PRELOAD フック（Linux のみ）
-
-    -o, --output <MODE>         出力モード
-                                  tui   インタラクティブ TUI（デフォルト）
-                                  jsonl JSON Lines を stdout に出力
-
-    -p, --port <PORT>           プロキシのリッスンポート（デフォルト: 8080）
-
-    -d, --data-dir <PATH>       トレースの保存ディレクトリ
-                                （デフォルト: ~/.local/share/phantom/data）
-
-        --agent-lib <PATH>      libphantom_agent.so のパス
-                                （ldpreload モード時に必須）
-
-    [-- CMD...]                 トレース対象コマンドと引数
-                                （ldpreload モード時に指定）
-
-    -h, --help                  ヘルプを表示
-    -V, --version               バージョンを表示
-```
-
-**使用例:**
-
-```bash
-# プロキシをポート 9090 で起動
-phantom --port 9090
-
-# LD_PRELOAD で Python スクリプトをトレース
-phantom --backend ldpreload \
-  --agent-lib /path/to/libphantom_agent.so \
-  -- python3 my_script.py
-
-# JSONL でキャプチャしてファイルに保存
-phantom --output jsonl > traces.jsonl
+    -b, --backend <BACKEND>  [proxy, ldpreload] (デフォルト: proxy)
+    -o, --output <MODE>      [tui, jsonl] (デフォルト: tui)
+    -p, --port <PORT>        プロキシポート (デフォルト: 8080)
+    --insecure               バックエンド接続時の TLS 検証を無効化
+    -d, --data-dir <DIR>     データ保存先
+    --agent-lib <PATH>       libphantom_agent.so のパス (ldpreload 用)
+    -- <COMMAND>             実行・追跡するコマンド
 ```
 
 ---
 
 ## Docker を使ったテスト
 
-LD_PRELOAD は Linux 限定のため、macOS や Windows でも Makefile のターゲットで Docker 上テストできます。
+Makefile を使用して Linux 環境 (LD_PRELOAD 等) をテストできます。
 
 ```bash
-# Docker イメージをビルド（初回のみ、3〜5 分かかる場合があります）
-make docker-build
-
-# LD_PRELOAD + TUI でテスト（curl のトレースが表示される）
-make docker-test-ldpreload
-
-# プロキシ + TUI でテスト（ポート 8080 を使用）
-make docker-test-proxy
-
-# LD_PRELOAD + JSONL でテスト（stdout に JSON が流れる）
-make docker-test-jsonl
-
-# HTTP/HTTPS の統合テストスイートを実行
-make docker-test-integration
-
-# Docker コンテナに入って自由に操作
-make docker-shell
-
-# Docker イメージとコンテナを削除
-make docker-clean
-```
-
-その他の Makefile ターゲット:
-
-```bash
-make build          # ワークスペース全体をビルド (debug)
-make release        # 最適化ビルド (release)
-make release-linux  # Linux x86_64 向けクロスコンパイル (cargo-zigbuild 必須)
-make release-linux-aarch64 # Linux aarch64 向けクロスコンパイル
-make clean          # ビルド成果物を消去
-make test           # Rust テストを実行
-make fmt            # フォーマットチェック
-make fmt-fix        # フォーマット自動修正
-make clippy         # Clippy リント (警告はエラー)
-make clippy-linux   # Linux 向け Clippy リント
-make check          # fmt, clippy, clippy-linux, build, test をまとめて実行
+make docker-build             # イメージ作成
+make docker-test-integration  # 統合テスト実行
 ```
 
 ---
 
 ## データ保存先
 
-トレースは Fjall KV ストアに永続化されます。次回起動時も過去のトレースを参照できます（TUI 起動時は直近 1000 件を読み込み）。
-
-**デフォルトパス:**
+デフォルトでは以下のパスに Fjall (LSM-tree) 形式で保存されます。
 
-| OS | パス |
-|----|------|
-| Linux | `~/.local/share/phantom/data` |
-| macOS | `~/Library/Application Support/phantom/data` |
-| Windows | `%APPDATA%\phantom\data` |
+- **Linux**: `~/.local/share/phantom/data`
+- **macOS**: `~/Library/Application Support/phantom/data`
+- **Windows**: `%APPDATA%\phantom\data`
 
-**カスタマイズ:**
+---
 
-```bash
-# 任意のディレクトリを指定
-phantom --data-dir /tmp/phantom-traces
+## ロードマップ
 
-# プロジェクトごとにトレースを分けたい場合
-phantom --data-dir ./traces/my-project
-```
+- **bpftime (Userspace eBPF) 統合**: uprobe よりも 10 倍高速なゼロ計装キャプチャ。
+- **ワークフロー自動推論**: キャプチャしたデータから **Arazzo Specification** を AI (`Candle`) で自動生成。
+- **GUI アプリケーション**: `Tauri` を用いたクロスプラットフォームデスクトップアプリ。