Ghostwire: Cloudflare Bypass Library

I needed to make HTTP requests to websites protected by Cloudflare’s anti-bot infrastructure for Quelle. The standard solution is a Python library called cloudscraper. I was building the app in Rust and did not want to ship a Python runtime just to bypass a splash screen.

No native Rust equivalent existed. So I built one.

Ghostwire is an async Rust library that detects and solves Cloudflare challenges. It handles legacy IUAM, modern JavaScript orchestration, and Turnstile captchas. It impersonates real browsers down to the TLS cipher suite order using rustls.

“I did not write a single line of Rust for this project. The machine wrote it. I just defined the architecture.”

AI-directed development

This project was an experiment in AI-assisted engineering. I took the original Python source code, fed it to an LLM, and dictated the translation into Rust.

The model generated the module structure, the regex extractions, the async challenge handlers, and the integration tests in a single session. My role was entirely editorial. I reviewed the boundaries, enforced error handling patterns, and corrected its assumptions about tokio’s execution model. The code compiled and passed the test suite without manual typing.

You can read about my thoughts on AI-assisted development in more depth in The Work AI Moves. The short version is that it is a powerful tool, but it does not replace human engineering. The architecture and design decisions still require a human in the loop.

Emulating human behavior

Bypassing anti-bot systems requires more than executing JavaScript. The infrastructure analyzes connection metadata before the application layer even loads.

If a request claims to be Chrome but negotiates TLS like a standard HTTP client, the firewall blocks it. Ghostwire embeds a static database of browser fingerprints. It matches the Accept-Language headers, the sec-ch-ua variations, and the specific TLS cipher suites of the browser it claims to be. It introduces randomized delays before submitting challenge answers to avoid triggering temporal rate limits.

When algorithmic challenges fail, it routes Turnstile tokens to third-party solvers. It manages proxy rotation with success-rate weighting and prevents infinite retry loops through strict solve-depth limits. It is a complete, drop-in replacement for the Python original.