@jshookmcp/jshook 0.2.5 → 0.2.6

package/workflows/replay-lab/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "noEmit": false,
+    "outDir": "dist",
+    "rootDir": ".",
+    "strict": true,
+    "skipLibCheck": true,
+    "types": ["node"]
+  },
+  "include": ["workflow.ts"],
+  "exclude": ["dist", "node_modules"]
+}

package/workflows/replay-lab/workflow.ts

@@ -0,0 +1,106 @@
+import {
+  createWorkflow,
+  type WorkflowExecutionContext,
+  SequenceNodeBuilder,
+} from '@jshookmcp/extension-sdk/workflow';
+
+const workflowId = 'workflow.replay-lab.v1';
+
+export default createWorkflow(workflowId, 'Replay Lab')
+  .description(
+    'Captures a target request, extracts its full context (headers, cookies, auth tokens, body), replays it with modifications, compares responses, and produces a replay script — enabling parameter tampering, signature validation, and API probing.',
+  )
+  .tags(['reverse', 'replay', 'request', 'api', 'tamper', 'probe', 'mission'])
+  .timeoutMs(8 * 60_000)
+  .defaultMaxConcurrency(3)
+  .buildGraph((ctx: WorkflowExecutionContext) => {
+    const prefix = 'workflows.replayLab';
+    const url = String(ctx.getConfig(`${prefix}.url`, 'https://example.com'));
+    const waitUntil = String(ctx.getConfig(`${prefix}.waitUntil`, 'networkidle0'));
+    const requestTail = Number(ctx.getConfig(`${prefix}.requestTail`, 30));
+    const targetUrlPattern = String(ctx.getConfig(`${prefix}.targetUrlPattern`, ''));
+    const replayCount = Number(ctx.getConfig(`${prefix}.replayCount`, 1));
+    const maxConcurrency = Number(ctx.getConfig(`${prefix}.parallel.maxConcurrency`, 3));
+    const exportHar = Boolean(ctx.getConfig(`${prefix}.exportHar`, true));
+
+    const root = new SequenceNodeBuilder('replay-lab-root');
+
+    // Phase 1: Network Setup & Navigate
+    root
+      .tool('enable-network', 'network_enable', { input: { enableExceptions: true } })
+      .tool('navigate', 'page_navigate', { input: { url, waitUntil } })
+
+      // Phase 2: Capture Traffic
+      .tool('capture-requests', 'network_get_requests', { input: { tail: requestTail } })
+
+      // Phase 3: Parallel Context Collection
+      .parallel('collect-context', (p) => {
+        p.maxConcurrency(maxConcurrency)
+          .failFast(false)
+          .tool('get-cookies', 'page_get_cookies')
+          .tool('get-local-storage', 'page_get_local_storage')
+          .tool('extract-auth', 'network_extract_auth', { input: { minConfidence: 0.2 } })
+          .tool('get-network-stats', 'network_get_stats', { input: {} });
+      })
+
+      // Phase 4: Replay Target Request
+      .tool('replay-request', 'network_replay_request', {
+        input: { urlPattern: targetUrlPattern, count: replayCount },
+      })
+
+      // Phase 5: Instrumentation-level replay
+      .tool('instrumentation-replay', 'instrumentation_network_replay', {
+        input: {},
+      });
+
+    // Phase 6: HAR Export (Optional)
+    if (exportHar) {
+      root.tool('export-har', 'network_export_har', { input: {} });
+    }
+
+    // Phase 7: XHR/Fetch interceptor for live capture
+    root.tool('inject-fetch-interceptor', 'console_inject_fetch_interceptor', {
+      input: { persistent: false },
+    });
+
+    // Phase 8: Evidence Recording
+    root
+      .tool('create-evidence-session', 'instrumentation_session_create', {
+        input: {
+          name: `replay-lab-${new Date().toISOString().slice(0, 10)}`,
+          metadata: { url, workflowId, targetUrlPattern },
+        },
+      })
+      .tool('record-artifact', 'instrumentation_artifact_record', {
+        input: {
+          type: 'replay_session',
+          label: `Replay lab for ${url}`,
+          metadata: { url, targetUrlPattern, replayCount },
+        },
+      })
+
+      // Phase 9: Session Insight
+      .tool('emit-insight', 'append_session_insight', {
+        input: {
+          insight: JSON.stringify({
+            status: 'replay_lab_complete',
+            workflowId,
+            url,
+            targetUrlPattern,
+            replayCount,
+          }),
+        },
+      });
+
+    return root;
+  })
+  .onStart((ctx) => {
+    ctx.emitMetric('workflow_runs_total', 1, 'counter', { workflowId, mission: 'replay_lab', stage: 'start' });
+  })
+  .onFinish((ctx) => {
+    ctx.emitMetric('workflow_runs_total', 1, 'counter', { workflowId, mission: 'replay_lab', stage: 'finish' });
+  })
+  .onError((ctx, error) => {
+    ctx.emitMetric('workflow_errors_total', 1, 'counter', { workflowId, mission: 'replay_lab', stage: 'error', error: error.name });
+  })
+  .build();

package/workflows/script-evidence-scan/.jshook-install.json

@@ -0,0 +1,14 @@
+{
+  "version": 1,
+  "kind": "workflow",
+  "slug": "script-evidence-scan",
+  "id": "workflow.script-evidence-scan.v1",
+  "source": {
+    "type": "git",
+    "repo": "https://github.com/vmoranv/jshook_workflow_script_evidence_scan",
+    "ref": "main",
+    "commit": "2ff377c",
+    "subpath": ".",
+    "entry": "workflow.ts"
+  }
+}

package/workflows/script-evidence-scan/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 vmoranv
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/workflows/script-evidence-scan/README.md

@@ -0,0 +1,61 @@
+# script-evidence-scan workflow
+
+Declarative workflow for extracting evidence from **browser-loaded scripts** instead of relying on `collect_code + search_in_scripts`.
+
+## Entry File
+
+- `workflow.ts`
+
+## Workflow ID
+
+- `workflow.script-evidence-scan.v1`
+
+## Structure
+
+This workflow codifies a loaded-script-first evidence path:
+
+- `page_navigate` into the target page
+- optional `page_script_run(auth_extract)` to capture ambient auth context
+- `get_all_scripts(includeSource=false)` to enumerate scripts currently loaded in the browser
+- `get_script_source(preview=true)` for a configurable list of URL hints / wildcard patterns
+- `console_execute` summary step listing which hints were inspected
+
+## Tools Used
+
+- `page_navigate`
+- `page_script_run`
+- `get_all_scripts`
+- `get_script_source`
+- `console_execute`
+
+## Config
+
+- `workflows.scriptEvidenceScan.pageUrl`
+- `workflows.scriptEvidenceScan.waitUntil`
+- `workflows.scriptEvidenceScan.runAuthExtract`
+- `workflows.scriptEvidenceScan.maxScripts`
+- `workflows.scriptEvidenceScan.includeDefaultHints`
+- `workflows.scriptEvidenceScan.targetScriptHints`
+- `workflows.scriptEvidenceScan.previewMaxLines`
+
+## Default Hints
+
+The workflow can inspect these script URL hints by default:
+
+- `*main*.js`
+- `*index*.js`
+- `*app*.js`
+
+You can add explicit bundle URLs or wildcard patterns via config.
+
+## Local Validation
+
+1. Run `pnpm install`.
+2. Run `pnpm typecheck`.
+3. Put this repo under a configured `workflows/` extension root.
+4. Run `reload_extensions` in `jshookmcp`.
+5. Confirm the workflow appears in `list_extension_workflows`.
+6. Execute the workflow and verify it outputs:
+   - loaded scripts summary
+   - preview(s) for configured script hints
+   - final summary of inspected hints

package/workflows/script-evidence-scan/meta.yaml

@@ -0,0 +1,4 @@
+name: script-evidence-scan
+description: Declarative workflow for extracting evidence from browser-loaded scripts via get_all_scripts and get_script_source.
+author: vmoranv
+source_repo: https://github.com/vmoranv/jshook_workflow_script_evidence_scan

package/workflows/script-evidence-scan/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@jshookmcpextension/workflow-script-evidence-scan",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc --noEmit -p tsconfig.json"
+  },
+  "type": "module",
+  "dependencies": {
+"@jshookmcp/extension-sdk": "^0.3.0",
+    "@modelcontextprotocol/sdk": "^1.27.1",
+    "dotenv": "^17.3.1"
+  },
+  "version": "0.1.0",
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.3.0",
+    "typescript": "^5.9.3"
+  },
+  "private": true,
+  "packageManager": "pnpm@10.28.2"
+}

package/workflows/script-evidence-scan/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022"],
+    "strict": true,
+    "skipLibCheck": true,
+    "esModuleInterop": true,
+    "resolveJsonModule": true,
+    "rootDir": ".",
+    "outDir": "dist"
+  },
+  "include": ["workflow.ts"],
+  "exclude": ["dist", "node_modules"]
+}

package/workflows/script-evidence-scan/workflow.ts

@@ -0,0 +1,89 @@
+import type { WorkflowContract } from '@jshookmcp/extension-sdk/workflow';
+import { toolNode, sequenceNode, branchNode } from '@jshookmcp/extension-sdk/workflow';
+
+const DEFAULT_HINTS = ['*main*.js', '*index*.js', '*app*.js'] as const;
+
+const workflow: WorkflowContract = {
+  kind: 'workflow-contract',
+  version: 1,
+  id: 'workflow.script-evidence-scan.v1',
+  displayName: 'Script Evidence Scan',
+  description:
+    'Navigate to a page, enumerate browser-loaded scripts, and inspect configured script URL hints via get_script_source previews.',
+  tags: ['workflow', 'reverse', 'script', 'evidence', 'browser'],
+  timeoutMs: 8 * 60_000,
+  defaultMaxConcurrency: 1,
+
+  build(ctx) {
+    const prefix = 'workflows.scriptEvidenceScan';
+    const pageUrl = ctx.getConfig<string>(`${prefix}.pageUrl`, 'https://example.com/');
+    const waitUntil = ctx.getConfig<string>(`${prefix}.waitUntil`, 'networkidle');
+    const runAuthExtract = ctx.getConfig<boolean>(`${prefix}.runAuthExtract`, true);
+    const maxScripts = ctx.getConfig<number>(`${prefix}.maxScripts`, 80);
+    const includeDefaultHints = ctx.getConfig<boolean>(`${prefix}.includeDefaultHints`, true);
+    const configuredHints = ctx.getConfig<string[]>(`${prefix}.targetScriptHints`, []);
+    const includeFullSource = ctx.getConfig<boolean>(`${prefix}.includeFullSource`, true);
+    const previewMaxLines = ctx.getConfig<number>(`${prefix}.previewMaxLines`, 120);
+
+    const targetHints = [
+      ...(includeDefaultHints ? [...DEFAULT_HINTS] : []),
+      ...configuredHints,
+    ].filter((value, index, array) => value.trim().length > 0 && array.indexOf(value) === index);
+
+    return sequenceNode('script-evidence-scan-root')
+      .step(toolNode('navigate-target', 'page_navigate').input({
+        url: pageUrl, waitUntil, enableNetworkMonitoring: true,
+      }))
+      .step(branchNode('maybe-auth-extract', 'script_evidence_run_auth_extract')
+        .predicateFn(() => runAuthExtract)
+        .whenTrue(toolNode('auth-extract', 'page_script_run').input({ name: 'auth_extract' }))
+        .whenFalse(toolNode('skip-auth-extract', 'console_execute').input({
+          expression: '({ skipped: true, step: "auth_extract", reason: "config_disabled" })',
+        })))
+      .step(toolNode('list-loaded-scripts', 'get_all_scripts').input({
+        includeSource: includeFullSource, maxScripts,
+      }))
+      .step(toolNode('summarize-script-hints', 'page_evaluate').input({
+        code: `(function(){
+          const hints = ${JSON.stringify(targetHints)};
+          const urls = Array.from(document.scripts)
+            .map(s => s.src || '')
+            .filter(Boolean);
+          const matches = hints.map((hint) => {
+            const escaped = hint
+              .replace(/[.+^()|[\\\\]\\\\]/g, '\\\\$&')
+              .replace(/\\\\\\*/g, '.*');
+            const rx = new RegExp('^' + escaped + '$', 'i');
+            return {
+              hint,
+              matchedUrls: urls.filter(url => rx.test(url)).slice(0, 10),
+            };
+          });
+          return { hints, totalScriptsWithSrc: urls.length, matches };
+        })()`,
+      }))
+      .step(toolNode('emit-summary', 'console_execute').input({
+        expression: `(${JSON.stringify({
+          workflowId: 'workflow.script-evidence-scan.v1',
+          pageUrl, waitUntil, runAuthExtract, maxScripts, previewMaxLines,
+          inspectedHints: targetHints,
+          strategy: ['navigate', 'optional_auth_extract', 'get_all_scripts', 'get_script_source(preview)'],
+        })})`,
+      }))
+      .build();
+  },
+
+  onStart(ctx) {
+    ctx.emitMetric('workflow_runs_total', 1, 'counter', { workflowId: 'workflow.script-evidence-scan.v1', stage: 'start' });
+  },
+
+  onFinish(ctx) {
+    ctx.emitMetric('workflow_runs_total', 1, 'counter', { workflowId: 'workflow.script-evidence-scan.v1', stage: 'finish' });
+  },
+
+  onError(ctx, error) {
+    ctx.emitMetric('workflow_errors_total', 1, 'counter', { workflowId: 'workflow.script-evidence-scan.v1', error: error.name });
+  },
+};
+
+export default workflow;

package/workflows/signature-hunter/.jshook-install.json

@@ -0,0 +1,14 @@
+{
+  "version": 1,
+  "kind": "workflow",
+  "slug": "signature-hunter",
+  "id": "workflow.signature-hunter.v1",
+  "source": {
+    "type": "git",
+    "repo": "https://github.com/vmoranv/jshook_workflow_signature_hunter",
+    "ref": "main",
+    "commit": "9d24e172bbb841ae8d6516ab50757857da9b8bc5",
+    "subpath": ".",
+    "entry": "workflow.ts"
+  }
+}

package/workflows/signature-hunter/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 vmoranv
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/workflows/signature-hunter/README.md

@@ -0,0 +1,105 @@
+# jshook_workflow_template
+
+TypeScript-first template repository for building a reusable `jshook` workflow.
+
+This template focuses on one thing:
+
+- codify an existing built-in tool chain into a reusable workflow contract
+- keep TypeScript source in Git and generated JavaScript out of Git
+
+## Included in the template
+
+- `workflow.ts`: workflow source entrypoint
+- `docs/agent-recipes.md`: recipes for orchestration, parallel reads, and subagent-assisted analysis
+- `dist/workflow.js`: generated locally by `pnpm run build` and ignored by Git
+
+## What the MVP workflow demonstrates
+
+The sample workflow runs this shape:
+
+1. `network_enable`
+2. `page_navigate`
+3. parallel surface collection
+   - `page_get_local_storage`
+   - `page_get_cookies`
+   - `network_get_requests`
+   - `page_get_all_links`
+   - optional `console_get_logs`
+4. `network_extract_auth`
+5. `console_execute` summary output
+
+## Dependency model
+
+This template uses the published npm package:
+
+```json
+{
+  "@jshookmcp/extension-sdk": "^0.1.3"
+}
+```
+
+## Install and build
+
+```bash
+pnpm install
+pnpm run build
+pnpm run check
+```
+
+## Loading behavior
+
+`jshook` discovers both `workflow.ts` and `dist/workflow.js`, but when both exist it prefers the generated JavaScript entry.
+
+Recommended workflow:
+
+1. edit `workflow.ts`
+2. run `pnpm run build`
+3. let `jshook` load `dist/workflow.js`
+
+Do **not** commit `dist/`.
+
+## Load the workflow into jshook
+
+Set:
+
+```bash
+MCP_WORKFLOW_ROOTS=<path-to-cloned-jshook_workflow_template>
+```
+
+Then run inside `jshook`:
+
+1. `extensions_reload`
+2. `extensions_list`
+3. `list_extension_workflows`
+4. `run_extension_workflow`
+
+## Configuration prefix
+
+The template uses:
+
+```text
+workflows.templateCapture.*
+```
+
+Rename that prefix early when adapting the template for real use.
+
+## Git hygiene
+
+Keep this repo focused on source and docs.
+Do not commit:
+
+- `dist/`
+- `node_modules/`
+- `.env`
+- runtime artifacts
+- screenshots
+- local sessions
+- host-specific temp output
+
+## What to change first
+
+1. replace `workflowId` and `displayName`
+2. rename the config prefix
+3. keep state-mutating steps serialized
+4. keep read-only collection steps parallel where safe
+5. validate the workflow through `extensions_reload` and `list_extension_workflows`

package/workflows/signature-hunter/docs/agent-recipes.md

@@ -0,0 +1,44 @@
+# Agent Recipes for `jshook_workflow_template`
+
+## Core rule
+
+- parallelize reads, not shared page state mutations
+- let the main agent keep the active browser session
+- use subagents for sidecar analysis and report drafting
+
+## Recipe 1: run workflow, then delegate analysis
+
+Recommended split:
+
+- main agent
+  - `run_extension_workflow`
+  - optional `network_get_response_body`
+- subagent
+  - classify endpoints
+  - summarize auth and session artifacts
+  - draft report output
+
+## Recipe 2: main agent navigates, subagent reviews outputs
+
+Recommended split:
+
+- main agent
+  - `page_navigate`
+  - page actions
+  - `network_get_requests`
+- subagent
+  - endpoint matrix
+  - auth header and signature review
+  - next-step probing suggestions
+
+## Recipe 3: when to use parallel tool calls
+
+Good read-only candidates:
+
+- `extensions_list`
+- `search_tools`
+- `page_get_local_storage`
+- `page_get_cookies`
+- `console_get_logs`
+
+Avoid parallelizing any action that changes the current page state.

package/workflows/signature-hunter/meta.yaml

@@ -0,0 +1,6 @@
+name: signature-hunter
+description: JSHook workflow for signature-hunter
+author: vmoranv
+tags:
+  - workflow
+  - signature-hunter

package/workflows/signature-hunter/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "jshook-workflow-template",
+  "private": true,
+  "version": "0.1.0",
+  "description": "Standalone template repository for building jshook workflows.",
+  "type": "module",
+  "packageManager": "pnpm@10.28.2",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "check": "tsc -p tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "@jshookmcp/extension-sdk": "^0.3.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.3.0",
+    "typescript": "^5.9.3"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}

package/workflows/signature-hunter/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "noEmit": false,
+    "outDir": "dist",
+    "rootDir": ".",
+    "strict": true,
+    "skipLibCheck": true,
+    "types": ["node"]
+  },
+  "include": ["workflow.ts"],
+  "exclude": ["dist", "node_modules"]
+}