docs: update mdBook and repo metadata for stealth features

Updates repo description with stealth capabilities (BoringSSL,
JA3/JA4, 17-patch CDP stealth, 288 tests, 15 crates) and sets
homepage URL to GitHub Pages.

mdBook updates:
- crate-reference/fetch.md: complete rewrite covering wreq,
  FetchConfig.emulation, BrowserFetchConfig.stealth, WebdriverValue
  enum, 17 stealth patches table, BrowserProfile/ProfileMode,
  stealth regression test results (Rebrowser 10/10, Sannysoft 55/56)
- security/browser-sandbox.md: added CDP stealth mode section with
  Chrome launch hardening, 17 patches table, determinism guarantee,
  and verified detection test results
- appendix/glossary.md: new Anti-Detection section with JA3, JA4,
  BoringSSL, Akamai h2, CDP stealth, BrowserProfile, ProfileMode,
  WebdriverValue definitions

Rebuilt docs/book/ from updated sources.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: copyleftdev

book/src/appendix/glossary.md

@@ -73,3 +73,21 @@
 **UniverseGenerator** — The trait for generating deterministic responses. Implementations: LinkMaze, EncodingHell, MalformedDom, RedirectLabyrinth, ContentTrap, TemporalDrift.
 
 **Adversarial Universe** — A simulation universe designed to stress a specific aspect of the crawl kernel (encoding, DOM parsing, redirects, spider traps, temporal changes).
+
+## Anti-Detection
+
+**JA3** — TLS fingerprinting method that hashes five fields from the ClientHello: TLS version, cipher suites, extensions, supported groups, EC point formats. Legacy but still deployed by WAFs.
+
+**JA4** — Current TLS fingerprinting standard (FoxIO). Sorts before hashing to defeat extension randomization. Three sections: header, sorted cipher hash, sorted extension hash.
+
+**BoringSSL** — Google's fork of OpenSSL used by Chrome. Palimpsest uses it (via `wreq`) for full ClientHello control, enabling browser-grade TLS impersonation.
+
+**Akamai h2 Fingerprint** — Passive HTTP/2 fingerprint capturing SETTINGS frame values/order, WINDOW_UPDATE, PRIORITY frames, and pseudo-header ordering. Distinguishes browsers from automation clients.
+
+**CDP Stealth Mode** — Anti-detection suite for headless Chrome. 17 evasion patches covering `navigator.webdriver`, `window.chrome`, plugins, WebGL, canvas noise, AudioContext noise, and more.
+
+**BrowserProfile** — A unified, internally consistent browser identity tying TLS fingerprint + HTTP/2 settings + HTTP headers + JS surface into a single profile. Prevents cross-layer detection mismatches.
+
+**ProfileMode** — Controls how browser profiles are selected: `None` (default), `Fixed` (one profile), `Seeded` (deterministic from CrawlSeed), `RotatePerDomain` (per-domain via BLAKE3).
+
+**WebdriverValue** — Explicit config for `navigator.webdriver` in stealth mode. `False` (matches real Chrome, default) or `Undefined` (property deleted). Auditable, not hidden.

book/src/crate-reference/fetch.md

@@ -1,6 +1,6 @@
 # palimpsest-fetch
 
-HTTP client + browser capture (CDP) + link extraction + robots.txt parsing. Every fetch wraps an `ExecutionEnvelope`.
+HTTP client + browser capture (CDP) + link extraction + robots.txt parsing + TLS/HTTP2 fingerprint impersonation + CDP stealth mode. Every fetch wraps an `ExecutionEnvelope`.
 
 ## HttpFetcher
 
@@ -12,17 +12,22 @@ impl HttpFetcher {
 }
 ```
 
+Uses **wreq** (BoringSSL backend) instead of reqwest. When an emulation profile is set, the TLS ClientHello and HTTP/2 SETTINGS frame match the selected browser.
+
 ## FetchConfig
 
 ```rust
 pub struct FetchConfig {
-    pub connect_timeout: Duration,  // Default: 30s
-    pub total_timeout: Duration,    // Default: 120s
-    pub max_body_size: u64,         // Default: 256 MiB
-    pub max_redirects: usize,       // Default: 10
+    pub connect_timeout: Duration,                   // Default: 30s
+    pub total_timeout: Duration,                     // Default: 120s
+    pub max_body_size: u64,                          // Default: 256 MiB
+    pub max_redirects: usize,                        // Default: 10
+    pub emulation: Option<wreq_util::Emulation>,     // Default: None
 }
 ```
 
+When `emulation` is set (e.g., `Emulation::Chrome133`), wreq impersonates the selected browser's TLS fingerprint (JA3/JA4 including post-quantum key shares) and HTTP/2 settings (SETTINGS frame values/order, WINDOW_UPDATE, pseudo-header ordering). 70+ browser profiles available: Chrome 100-137, Firefox 109-139, Safari 15-18.5, Edge, Opera.
+
 ## BrowserFetcher
 
 ```rust
@@ -33,7 +38,81 @@ impl BrowserFetcher {
 }
 ```
 
-Launches headless Chrome via CDP. Injects JS determinism overrides. Captures DOM snapshot, sub-resources via Network events, and resource dependency graph.
+Launches headless Chrome via CDP. Injects determinism overrides and (optionally) 17 stealth evasion patches. Captures DOM snapshot, sub-resources via Network events, and resource dependency graph.
+
+## BrowserFetchConfig
+
+```rust
+pub struct BrowserFetchConfig {
+    pub page_timeout: Duration,          // Default: 30s
+    pub viewport_width: u32,             // Default: 1920
+    pub viewport_height: u32,            // Default: 1080
+    pub js_enabled: bool,                // Default: true
+    pub user_agent: String,              // Default: "PalimpsestBot/0.1"
+    pub stealth: bool,                   // Default: false
+    pub webdriver_value: WebdriverValue, // Default: False
+}
+```
+
+## WebdriverValue
+
+```rust
+pub enum WebdriverValue {
+    False,     // Matches real non-automated Chrome (default)
+    Undefined, // Property appears deleted
+}
+```
+
+Explicit, auditable config choice for `navigator.webdriver`. Default `False` passes Rebrowser Bot Detector (10/10).
+
+## CDP Stealth Mode
+
+When `stealth: true`, the browser fetcher applies:
+
+**Chrome launch hardening:**
+- `--disable-blink-features=AutomationControlled`
+- `--disable-component-extensions-with-background-pages`
+
+**17 stealth evasion patches** (injected via `addScriptToEvaluateOnNewDocument`):
+
+| # | Patch | What It Does |
+|---|---|---|
+| 1 | `navigator.webdriver` | Set to `false` (configurable via `WebdriverValue`) |
+| 2 | `window.chrome` | Full object mock (app, csi, loadTimes, runtime) |
+| 3 | `navigator.plugins` | Chrome PDF Plugin, Chrome PDF Viewer, Native Client |
+| 4 | `navigator.mimeTypes` | application/pdf, application/x-nacl |
+| 5 | `navigator.permissions` | Fix Notification state inconsistency |
+| 6 | `navigator.languages` | `["en-US", "en"]` |
+| 7 | `navigator.hardwareConcurrency` | 8 |
+| 8 | `navigator.deviceMemory` | 8 |
+| 9 | WebGL vendor/renderer | Intel UHD Graphics 630 |
+| 10 | Canvas fingerprint | Seeded sub-pixel noise (CrawlSeed) |
+| 11 | Window dimensions | outerWidth/outerHeight match viewport + chrome UI |
+| 12 | Screen dimensions | width/height/availWidth/availHeight/colorDepth |
+| 13 | AudioContext | Seeded oscillator noise (CrawlSeed) |
+| 14 | ClientRect | Seeded sub-pixel noise (CrawlSeed) |
+| 15 | sourceURL markers | Strip pptr/playwright stack traces |
+| 16 | `navigator.userAgent` | Consistent with HTTP header |
+| 17 | `navigator.maxTouchPoints` | 0 |
+
+All noise patches use deterministic xorshift PRNGs seeded from `CrawlSeed` (Law 1).
+
+## Browser Emulation Profiles
+
+```rust
+pub struct BrowserProfile { /* unified TLS + HTTP/2 + headers + JS identity */ }
+
+pub enum ProfileMode {
+    None,                        // No impersonation (default)
+    Fixed(BrowserProfile),       // Same profile for all requests
+    Seeded,                      // Generate from CrawlSeed
+    RotatePerDomain,             // Per-domain via BLAKE3(seed + domain)
+}
+```
+
+Pre-built profiles: `BrowserProfile::chrome_windows()`, `firefox_linux()`, `safari_macos()`.
+
+See [profile module](../crate-reference/fetch.md) for details.
 
 ## BrowserFetchResult
 
@@ -56,14 +135,10 @@ pub fn normalize_url_for_comparison(url: &Url) -> String;
 
 `extract_links` strips `<script>` and `<style>` content before scanning for `href` and `src` attributes. Output is deduplicated and sorted for determinism.
 
-`normalize_url` removes fragments, strips default ports (80/443), and sorts query parameters.
-
 ## Robots.txt
 
 ```rust
-pub struct RobotsRules {
-    pub crawl_delay: Option<Duration>,
-}
+pub struct RobotsRules { pub crawl_delay: Option<Duration> }
 
 impl RobotsRules {
     pub fn parse(body: &str) -> Self;  // RFC 9309 compliant
@@ -72,6 +147,20 @@ impl RobotsRules {
 
 Per-origin caching in `BTreeMap` (deterministic).
 
+## Stealth Regression Tests
+
+5 integration tests against live public detection sites:
+
+| Site | Score | Key Checks |
+|---|---|---|
+| Rebrowser Bot Detector | **10/10** | CDP leak, webdriver, viewport, user-agent |
+| Sannysoft | **55/56** | webdriver, chrome, plugins, WebGL, canvas, permissions |
+| FingerprintJS BotD | **Clean** | 18 detectors, no bot verdict |
+| CreepJS | **Clean** | Headless rating, stealth rating, lie detection |
+| Infosimples | **Skipped** | Site timeout |
+
+Run with: `cargo test -p palimpsest-fetch --test stealth_test -- --ignored --nocapture --test-threads=1`
+
 ## Key Invariant
 
-Every fetch receives an `ExecutionEnvelope`. The envelope seals the context before the network request begins, enabling replay and verification.
+Every fetch receives an `ExecutionEnvelope`. The envelope seals the context before the network request begins, enabling replay and verification. Emulation profile and stealth config are deterministic inputs (Law 1).

book/src/security/browser-sandbox.md

@@ -10,17 +10,7 @@ Headless Chrome runs in a sandboxed process with strict isolation:
 
 ## Timeout Enforcement
 
-Every page load has a hard timeout (default: 60 seconds for browser mode, 30 seconds for page load). If the page does not complete loading within the timeout, the browser process is killed.
-
-```rust
-pub struct BrowserFetchConfig {
-    pub page_timeout: Duration,      // Default: 30s
-    pub viewport_width: u32,         // Default: 1920
-    pub viewport_height: u32,        // Default: 1080
-    pub js_enabled: bool,            // Default: true
-    pub user_agent: String,
-}
-```
+Every page load has a hard timeout (default: 30 seconds). If the page does not complete loading within the timeout, the browser process is killed.
 
 ## Determinism Overrides
 
@@ -39,6 +29,55 @@ performance.now = function() { return (__perf_offset += 0.1); };
 
 This prevents JavaScript on the page from introducing non-determinism. Same seed = same execution.
 
+## CDP Stealth Mode
+
+When `stealth: true` is set on `BrowserFetchConfig`, a comprehensive anti-detection suite is applied on top of the determinism overrides.
+
+### Chrome Launch Hardening
+
+```
+--disable-blink-features=AutomationControlled
+--disable-component-extensions-with-background-pages
+--no-first-run
+--no-default-browser-check
+```
+
+### 17 Stealth Evasion Patches
+
+All patches injected via `Page.addScriptToEvaluateOnNewDocument` before navigation:
+
+| Patch | Purpose |
+|---|---|
+| navigator.webdriver | Set to `false` (configurable via `WebdriverValue` enum) |
+| window.chrome | Full Chrome object mock (app, csi, loadTimes, runtime) |
+| navigator.plugins | 3 plugins matching real Chrome |
+| navigator.mimeTypes | PDF + NaCl mime types |
+| navigator.permissions | Fix Notification permission inconsistency |
+| navigator.languages | `["en-US", "en"]` |
+| navigator.hardwareConcurrency | 8 cores |
+| navigator.deviceMemory | 8 GB |
+| WebGL vendor/renderer | Intel UHD Graphics 630 |
+| Canvas fingerprint | Seeded sub-pixel noise |
+| Window/screen dimensions | Match viewport + chrome UI offset |
+| AudioContext | Seeded oscillator noise |
+| ClientRect | Seeded sub-pixel noise |
+| sourceURL markers | Strip automation stack traces |
+| navigator.userAgent | Consistent with HTTP User-Agent header |
+| navigator.maxTouchPoints | 0 |
+
+### Determinism Guarantee
+
+All noise patches (canvas, audio, ClientRect) use deterministic xorshift PRNGs with sub-seeds derived from `CrawlSeed`. Same seed = same noise = same fingerprint. This is Law 1 compliant.
+
+### Verified Results
+
+Tested against 5 public bot detection sites:
+
+- **Rebrowser Bot Detector**: 10/10 pass
+- **Sannysoft**: 55/56 pass (only PluginArray prototype)
+- **FingerprintJS BotD**: No bot verdict
+- **CreepJS**: No hard failures
+
 ## Sub-Resource Capture
 
 Chrome DevTools Protocol (CDP) network event listeners capture all sub-resources:

docs/book/404.html

@@ -37,7 +37,7 @@
             const path_to_root = "";
             const default_light_theme = "light";
             const default_dark_theme = "coal";
-            window.path_to_searchindex_js = "searchindex-dc01b304.js";
+            window.path_to_searchindex_js = "searchindex-4f269067.js";
         </script>
         <!-- Start loading toc.js asap -->
         <script src="toc-7980dfd2.js"></script>

docs/book/appendix/api-reference.html

@@ -36,7 +36,7 @@
             const path_to_root = "../";
             const default_light_theme = "light";
             const default_dark_theme = "coal";
-            window.path_to_searchindex_js = "../searchindex-dc01b304.js";
+            window.path_to_searchindex_js = "../searchindex-4f269067.js";
         </script>
         <!-- Start loading toc.js asap -->
         <script src="../toc-7980dfd2.js"></script>

docs/book/appendix/error-taxonomy.html

@@ -36,7 +36,7 @@
             const path_to_root = "../";
             const default_light_theme = "light";
             const default_dark_theme = "coal";
-            window.path_to_searchindex_js = "../searchindex-dc01b304.js";
+            window.path_to_searchindex_js = "../searchindex-4f269067.js";
         </script>
         <!-- Start loading toc.js asap -->
         <script src="../toc-7980dfd2.js"></script>

docs/book/appendix/glossary.html

@@ -36,7 +36,7 @@
             const path_to_root = "../";
             const default_light_theme = "light";
             const default_dark_theme = "coal";
-            window.path_to_searchindex_js = "../searchindex-dc01b304.js";
+            window.path_to_searchindex_js = "../searchindex-4f269067.js";
         </script>
         <!-- Start loading toc.js asap -->
         <script src="../toc-7980dfd2.js"></script>
@@ -216,6 +216,15 @@ <h2 id="simulation"><a class="header" href="#simulation">Simulation</a></h2>
 <p><strong>SimulatedWeb</strong> — A virtual internet for testing. Hosts multiple <code>UniverseGenerator</code> instances, each responding to URLs on its domain.</p>
 <p><strong>UniverseGenerator</strong> — The trait for generating deterministic responses. Implementations: LinkMaze, EncodingHell, MalformedDom, RedirectLabyrinth, ContentTrap, TemporalDrift.</p>
 <p><strong>Adversarial Universe</strong> — A simulation universe designed to stress a specific aspect of the crawl kernel (encoding, DOM parsing, redirects, spider traps, temporal changes).</p>
+<h2 id="anti-detection"><a class="header" href="#anti-detection">Anti-Detection</a></h2>
+<p><strong>JA3</strong> — TLS fingerprinting method that hashes five fields from the ClientHello: TLS version, cipher suites, extensions, supported groups, EC point formats. Legacy but still deployed by WAFs.</p>
+<p><strong>JA4</strong> — Current TLS fingerprinting standard (FoxIO). Sorts before hashing to defeat extension randomization. Three sections: header, sorted cipher hash, sorted extension hash.</p>
+<p><strong>BoringSSL</strong> — Google’s fork of OpenSSL used by Chrome. Palimpsest uses it (via <code>wreq</code>) for full ClientHello control, enabling browser-grade TLS impersonation.</p>
+<p><strong>Akamai h2 Fingerprint</strong> — Passive HTTP/2 fingerprint capturing SETTINGS frame values/order, WINDOW_UPDATE, PRIORITY frames, and pseudo-header ordering. Distinguishes browsers from automation clients.</p>
+<p><strong>CDP Stealth Mode</strong> — Anti-detection suite for headless Chrome. 17 evasion patches covering <code>navigator.webdriver</code>, <code>window.chrome</code>, plugins, WebGL, canvas noise, AudioContext noise, and more.</p>
+<p><strong>BrowserProfile</strong> — A unified, internally consistent browser identity tying TLS fingerprint + HTTP/2 settings + HTTP headers + JS surface into a single profile. Prevents cross-layer detection mismatches.</p>
+<p><strong>ProfileMode</strong> — Controls how browser profiles are selected: <code>None</code> (default), <code>Fixed</code> (one profile), <code>Seeded</code> (deterministic from CrawlSeed), <code>RotatePerDomain</code> (per-domain via BLAKE3).</p>
+<p><strong>WebdriverValue</strong> — Explicit config for <code>navigator.webdriver</code> in stealth mode. <code>False</code> (matches real Chrome, default) or <code>Undefined</code> (property deleted). Auditable, not hidden.</p>
 
                     </main>
 

docs/book/architecture/crate-map.html

@@ -36,7 +36,7 @@
             const path_to_root = "../";
             const default_light_theme = "light";
             const default_dark_theme = "coal";
-            window.path_to_searchindex_js = "../searchindex-dc01b304.js";
+            window.path_to_searchindex_js = "../searchindex-4f269067.js";
         </script>
         <!-- Start loading toc.js asap -->
         <script src="../toc-7980dfd2.js"></script>

docs/book/architecture/data-flow.html

@@ -36,7 +36,7 @@
             const path_to_root = "../";
             const default_light_theme = "light";
             const default_dark_theme = "coal";
-            window.path_to_searchindex_js = "../searchindex-dc01b304.js";
+            window.path_to_searchindex_js = "../searchindex-4f269067.js";
         </script>
         <!-- Start loading toc.js asap -->
         <script src="../toc-7980dfd2.js"></script>

docs/book/architecture/overview.html

@@ -36,7 +36,7 @@
             const path_to_root = "../";
             const default_light_theme = "light";
             const default_dark_theme = "coal";
-            window.path_to_searchindex_js = "../searchindex-dc01b304.js";
+            window.path_to_searchindex_js = "../searchindex-4f269067.js";
         </script>
         <!-- Start loading toc.js asap -->
         <script src="../toc-7980dfd2.js"></script>