@jshookmcp/jshook 0.2.5 → 0.2.6

package/workflows/api-openapi-probe/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "noEmit": false,
+    "outDir": "dist",
+    "rootDir": ".",
+    "strict": true,
+    "skipLibCheck": true,
+    "types": ["node"]
+  },
+  "include": ["workflow.ts"],
+  "exclude": ["dist", "node_modules"]
+}

package/workflows/api-openapi-probe/workflow.ts

@@ -0,0 +1,40 @@
+import {
+  createWorkflow,
+  type WorkflowExecutionContext,
+  SequenceNodeBuilder,
+} from '@jshookmcp/extension-sdk/workflow';
+
+const workflowId = 'workflow.api-openapi-probe.v1';
+
+export default createWorkflow(workflowId, 'OpenAPI Probe Batch')
+  .description('Probe standard API docs/openapi paths in one burst.')
+  .tags(['workflow', 'api', 'openapi', 'probe'])
+  .timeoutMs(2 * 60_000)
+  .defaultMaxConcurrency(1)
+  .buildGraph((ctx: WorkflowExecutionContext) => {
+    const baseUrl = ctx.getConfig('workflows.apiProbe.baseUrl', '');
+    if (!baseUrl) throw new Error('[workflow.api-openapi-probe] Missing required config: workflows.apiProbe.baseUrl');
+
+    const root = new SequenceNodeBuilder('api-openapi-probe-root');
+
+    root.tool('probe-openapi-paths', 'api_probe_batch', {
+      input: {
+        baseUrl,
+        method: 'GET',
+        paths: [
+          '/docs',
+          '/openapi.json',
+          '/api/docs',
+          '/swagger.json',
+          '/api/v1/openapi.json',
+          '/api/openapi.json',
+        ],
+        includeBodyStatuses: [200, 201, 204],
+        maxBodySnippetLength: 800,
+        autoInjectAuth: true,
+      },
+    });
+
+    return root;
+  })
+  .build();

package/workflows/api-probe-batch/.jshook-install.json

@@ -0,0 +1,14 @@
+{
+  "version": 1,
+  "kind": "workflow",
+  "slug": "api-probe-batch",
+  "id": "workflow.api-probe-batch.v1",
+  "source": {
+    "type": "git",
+    "repo": "https://github.com/vmoranv/jshook_workflow_api_probe_batch",
+    "ref": "main",
+    "commit": "6cfdefb",
+    "subpath": ".",
+    "entry": "workflow.ts"
+  }
+}

package/workflows/api-probe-batch/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 vmoranv
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/workflows/api-probe-batch/README.md

@@ -0,0 +1,45 @@
+# api-probe-batch workflow
+
+Declarative workflow for OpenAPI-first endpoint probing. It codifies a safe probing order: establish same-origin browser context first, probe documentation/discovery paths next, and only then probe business endpoints.
+
+## Entry File
+
+- `workflow.ts`
+
+## Workflow ID
+
+- `workflow.api-probe-batch.v1`
+
+## Structure
+
+This workflow wraps the built-in `api_probe_batch` tool with a repeatable operator flow:
+
+- `page_navigate` to a same-origin app page so localStorage auth can be reused
+- First `api_probe_batch` call for standard OpenAPI / Swagger discovery paths
+- Second `api_probe_batch` call for configured business endpoints
+- `console_execute` summary step to mark completion for downstream runners
+
+## Tools Used
+
+- `page_navigate`
+- `api_probe_batch`
+- `console_execute`
+
+## Config
+
+- `workflows.apiProbe.appUrl`
+- `workflows.apiProbe.baseUrl`
+- `workflows.apiProbe.method`
+- `workflows.apiProbe.autoInjectAuth`
+- `workflows.apiProbe.maxBodySnippetLength`
+- `workflows.apiProbe.discoveryIncludeBodies`
+- `workflows.apiProbe.targetPaths`
+
+## Local Validation
+
+1. Run `pnpm install`.
+2. Run `pnpm typecheck`.
+3. Put this repo under a configured `workflows/` extension root.
+4. Run `extensions_reload` in `jshookmcp`.
+5. Confirm the workflow appears in `extensions_list`.
+6. Execute the workflow and verify the order is `navigate -> discovery probe -> target probe -> summary`.

package/workflows/api-probe-batch/meta.yaml

@@ -0,0 +1,4 @@
+name: api-probe-batch
+description: Declarative workflow for OpenAPI-first probing of authenticated API endpoints.
+author: vmoranv
+source_repo: https://github.com/vmoranv/jshook_workflow_api_probe_batch

package/workflows/api-probe-batch/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@jshookmcpextension/workflow-api-probe-batch",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc --noEmit -p tsconfig.json"
+  },
+  "type": "module",
+  "dependencies": {
+"@jshookmcp/extension-sdk": "^0.3.0",
+    "@modelcontextprotocol/sdk": "^1.27.1",
+    "dotenv": "^17.3.1"
+  },
+  "version": "0.1.0",
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.3.0",
+    "typescript": "^5.9.3"
+  },
+  "private": true,
+  "packageManager": "pnpm@10.28.2"
+}

package/workflows/api-probe-batch/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022"],
+    "strict": true,
+    "skipLibCheck": true,
+    "esModuleInterop": true,
+    "resolveJsonModule": true,
+    "rootDir": ".",
+    "outDir": "dist"
+  },
+  "include": ["workflow.ts"],
+  "exclude": ["dist", "node_modules"]
+}

package/workflows/api-probe-batch/workflow.ts

@@ -0,0 +1,111 @@
+import type { WorkflowContract, WorkflowExecutionContext } from '@jshookmcp/extension-sdk/workflow';
+import { toolNode, sequenceNode, branchNode } from '@jshookmcp/extension-sdk/workflow';
+
+const DISCOVERY_PATHS = [
+  '/docs',
+  '/openapi.json',
+  '/api/docs',
+  '/swagger.json',
+  '/api/v1/openapi.json',
+  '/api/openapi.json',
+] as const;
+
+const DEFAULT_TARGET_PATHS = ['/api/v1/auths/', '/api/v2/chats/', '/api/models'] as const;
+
+function getOrigin(url: string): string {
+  const match = url.match(/^(https?:\/\/[^/]+)/i);
+  return match ? match[1] : url;
+}
+
+const apiProbeBatchWorkflow: WorkflowContract = {
+  kind: 'workflow-contract',
+  version: 1,
+  id: 'workflow.api-probe-batch.v1',
+  displayName: 'API Probe Batch',
+  description:
+    'Navigate to an application origin, optionally extract auth context, probe OpenAPI discovery paths first, and then probe configured business endpoints.',
+  tags: ['workflow', 'api', 'probe', 'openapi', 'auth'],
+  timeoutMs: 5 * 60_000,
+  defaultMaxConcurrency: 1,
+
+  build(ctx) {
+    const appUrl = ctx.getConfig<string>('workflows.apiProbe.appUrl', '');
+    if (!appUrl) throw new Error('[workflow.api-probe-batch] Missing required config: workflows.apiProbe.appUrl');
+    const derivedBaseUrl = getOrigin(appUrl);
+    const baseUrl = ctx.getConfig<string>('workflows.apiProbe.baseUrl', derivedBaseUrl);
+    const method = ctx.getConfig<string>('workflows.apiProbe.method', 'GET');
+    const autoInjectAuth = ctx.getConfig<boolean>('workflows.apiProbe.autoInjectAuth', true);
+    const maxBodySnippetLength = ctx.getConfig<number>('workflows.apiProbe.maxBodySnippetLength', 800);
+    const includeBodyStatuses = ctx.getConfig<number[]>(
+      'workflows.apiProbe.includeBodyStatuses',
+      [200, 201, 204, 400, 401, 403, 404],
+    );
+    const targetPaths = ctx.getConfig<string[]>(
+      'workflows.apiProbe.targetPaths',
+      [...DEFAULT_TARGET_PATHS],
+    );
+    const runAuthExtract = ctx.getConfig<boolean>('workflows.apiProbe.runAuthExtract', true);
+
+    return sequenceNode('api-probe-batch-root')
+      .step(toolNode('navigate-app-origin', 'page_navigate').input({
+        url: appUrl,
+        waitUntil: 'domcontentloaded',
+        enableNetworkMonitoring: true,
+      }))
+      .step(branchNode('maybe-auth-extract', 'api_probe_run_auth_extract')
+        .predicateFn(() => runAuthExtract)
+        .whenTrue(toolNode('auth-extract', 'page_script_run').input({ name: 'auth_extract' }))
+        .whenFalse(toolNode('skip-auth-extract', 'console_execute').input({
+          expression: '({ skipped: true, step: "auth_extract", reason: "config_disabled" })',
+        })))
+      .step(toolNode('probe-openapi-discovery', 'api_probe_batch').input({
+        baseUrl,
+        method,
+        autoInjectAuth,
+        maxBodySnippetLength,
+        includeBodyStatuses,
+        paths: [...DISCOVERY_PATHS],
+      }))
+      .step(toolNode('probe-business-endpoints', 'api_probe_batch').input({
+        baseUrl,
+        method,
+        autoInjectAuth,
+        maxBodySnippetLength,
+        includeBodyStatuses,
+        paths: targetPaths,
+      }))
+      .step(toolNode('emit-summary', 'console_execute').input({
+        expression: `(${JSON.stringify({
+          status: 'api_probe_complete',
+          order: ['navigate', 'auth_extract', 'discovery', 'target'],
+          appUrl,
+          baseUrl,
+          targetPaths,
+        })})`,
+      }))
+      .build();
+  },
+
+  onStart(ctx) {
+    ctx.emitMetric('workflow_runs_total', 1, 'counter', {
+      workflowId: 'workflow.api-probe-batch.v1',
+      stage: 'start',
+    });
+  },
+
+  onFinish(ctx) {
+    ctx.emitMetric('workflow_runs_total', 1, 'counter', {
+      workflowId: 'workflow.api-probe-batch.v1',
+      stage: 'finish',
+    });
+  },
+
+  onError(ctx, error) {
+    ctx.emitMetric('workflow_errors_total', 1, 'counter', {
+      workflowId: 'workflow.api-probe-batch.v1',
+      error: error.name,
+    });
+  },
+};
+
+export default apiProbeBatchWorkflow;

package/workflows/auth-bootstrap/.jshook-install.json

@@ -0,0 +1,14 @@
+{
+  "version": 1,
+  "kind": "workflow",
+  "slug": "auth-bootstrap",
+  "id": "workflow.auth-bootstrap.v1",
+  "source": {
+    "type": "git",
+    "repo": "https://github.com/vmoranv/jshook_workflow_auth_bootstrap",
+    "ref": "main",
+    "commit": "162b033",
+    "subpath": ".",
+    "entry": "workflow.ts"
+  }
+}

package/workflows/auth-bootstrap/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 vmoranv
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/workflows/auth-bootstrap/README.md

@@ -0,0 +1,74 @@
+# auth-bootstrap workflow
+
+Declarative workflow for bootstrapping web authentication using a form-driven flow plus optional temp-mail verification and auth extraction.
+
+## Workflow ID
+
+- `workflow.auth-bootstrap.v1`
+
+## Capabilities
+
+- Navigate to an auth/register page
+- Wait for the first form field
+- Fill a configurable fields map
+- Click configurable checkbox selectors
+- Submit the form and wait for completion
+- Optionally chain:
+  - `workflow.temp-mail-open-latest.v1`
+  - `workflow.temp-mail-extract-link.v1`
+- Optionally run:
+  - `page_script_run(auth_extract)`
+  - `network_extract_auth`
+- Emit a concise summary for downstream orchestration
+
+## Config
+
+Prefix: `workflows.authBootstrap.*`
+
+- `authUrl`
+- `waitUntil`
+- `clearCookiesFirst`
+- `clearStorageFirst`
+- `preAuthClearUrl`
+- `fields`
+- `firstFieldSelector`
+- `submitSelector`
+- `checkboxSelectors`
+- `typingDelay`
+- `afterSubmitWaitMs`
+- `runMailboxVerification`
+- `mailboxUrl`
+- `mailboxReadySelector`
+- `mailboxRefreshSelector`
+- `mailboxItemSelector`
+- `mailboxHrefIncludes`
+- `mailboxHrefRegex`
+- `mailboxTextIncludes`
+- `mailboxTextRegex`
+- `mailboxOpenOrder`
+- `verificationWaitUntil`
+- `verificationInitialWaitMs`
+- `verificationRetryWaitMs`
+- `verificationMaxWaitAttempts`
+- `verificationReadySelector`
+- `verificationReadyText`
+- `verificationTitleBlocklist`
+- `verificationBodyBlocklist`
+- `verificationExpectedContextHints`
+- `verificationLinkSelector`
+- `verificationHrefIncludes`
+- `verificationTextIncludes`
+- `verificationRegexPattern`
+- `verificationRegexFlags`
+- `verificationMaxLinks`
+- `verificationIncludeFallbackLinks`
+- `verificationFallbackMaxLinks`
+- `openVerificationLink`
+- `verificationWaitAfterOpenMs`
+- `runAuthExtract`
+- `runNetworkAuthScan`
+- `authMinConfidence`
+
+## Notes
+
+This workflow is generic and does not hardcode Qwen-specific selectors or mail providers. It expects the caller to provide the correct field names, submit selector, and mailbox matching patterns for the target site.

package/workflows/auth-bootstrap/meta.yaml

@@ -0,0 +1,4 @@
+name: auth-bootstrap
+description: Declarative workflow for bootstrapping web authentication via form submission, optional temp-mail verification, and auth artifact extraction.
+author: vmoranv
+source_repo: https://github.com/vmoranv/jshook_workflow_auth_bootstrap

package/workflows/auth-bootstrap/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@jshookmcpextension/workflow-auth-bootstrap",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc --noEmit -p tsconfig.json"
+  },
+  "type": "module",
+  "dependencies": {
+"@jshookmcp/extension-sdk": "^0.3.0",
+    "@modelcontextprotocol/sdk": "^1.27.1",
+    "dotenv": "^17.3.1"
+  },
+  "version": "0.1.0",
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.3.0",
+    "typescript": "^5.9.3"
+  },
+  "private": true,
+  "packageManager": "pnpm@10.28.2"
+}

package/workflows/auth-bootstrap/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022"],
+    "strict": true,
+    "skipLibCheck": true,
+    "esModuleInterop": true,
+    "resolveJsonModule": true,
+    "rootDir": ".",
+    "outDir": "dist"
+  },
+  "include": ["workflow.ts"],
+  "exclude": ["dist", "node_modules"]
+}

package/workflows/auth-bootstrap/workflow.ts

@@ -0,0 +1,141 @@
+import type { WorkflowContract } from '@jshookmcp/extension-sdk/workflow';
+import { toolNode, sequenceNode, branchNode } from '@jshookmcp/extension-sdk/workflow';
+
+const workflowId = 'workflow.auth-bootstrap.v1';
+
+const workflow: WorkflowContract = {
+  kind: 'workflow-contract',
+  version: 1,
+  id: workflowId,
+  displayName: 'Auth Bootstrap',
+  description:
+    'Bootstrap web authentication by delegating to register/temp-mail workflows, then extract auth artifacts.',
+  tags: ['workflow', 'auth', 'bootstrap', 'registration', 'verification'],
+  timeoutMs: 10 * 60_000,
+  defaultMaxConcurrency: 1,
+
+  build(ctx) {
+    const prefix = 'workflows.authBootstrap';
+    const registerWorkflowId = ctx.getConfig<string>(`${prefix}.registerWorkflowId`, 'workflow.register-account-flow.v1');
+    const registerUrl = ctx.getConfig<string>(`${prefix}.registerUrl`, '');
+    if (!registerUrl) throw new Error('[workflow.auth-bootstrap] Missing required config: workflows.authBootstrap.registerUrl');
+    const clearCookiesFirst = ctx.getConfig<boolean>(`${prefix}.clearCookiesFirst`, false);
+    const clearStorageFirst = ctx.getConfig<boolean>(`${prefix}.clearStorageFirst`, false);
+    const preAuthClearUrl = ctx.getConfig<string>(`${prefix}.preAuthClearUrl`, registerUrl.replace(/(https?:\/\/[^/]+).*/, '$1/'));
+    const username = ctx.getConfig<string>(`${prefix}.username`, '');
+    const email = ctx.getConfig<string>(`${prefix}.email`, '');
+    const password = ctx.getConfig<string>(`${prefix}.password`, '');
+    if (!username || !email || !password) {
+      throw new Error(`[workflow.auth-bootstrap] Missing required config: ${[!username && 'username', !email && 'email', !password && 'password'].filter(Boolean).join(', ')} (prefix: workflows.authBootstrap.*)`);
+    }
+    const includeConfirmPassword = ctx.getConfig<boolean>(`${prefix}.includeConfirmPassword`, true);
+    const confirmPasswordFieldName = ctx.getConfig<string>(`${prefix}.confirmPasswordFieldName`, 'checkPassword');
+    const extraFields = ctx.getConfig<Record<string, unknown>>(`${prefix}.extraFields`, {});
+    const checkboxSelectors = ctx.getConfig<string[]>(`${prefix}.checkboxSelectors`, []);
+    const submitSelector = ctx.getConfig<string>(`${prefix}.submitSelector`, "button[type='submit']");
+    const registerTimeoutMs = ctx.getConfig<number>(`${prefix}.registerTimeoutMs`, 90_000);
+
+    const enableEmailVerification = ctx.getConfig<boolean>(`${prefix}.enableEmailVerification`, false);
+    const emailProviderUrl = ctx.getConfig<string>(`${prefix}.emailProviderUrl`, '');
+    const mailOpenWorkflowId = ctx.getConfig<string>(`${prefix}.mailOpenWorkflowId`, 'workflow.temp-mail-open-latest.v1');
+    const mailOpenConfig = ctx.getConfig<Record<string, unknown>>(`${prefix}.mailOpenConfig`, {});
+    const mailExtractWorkflowId = ctx.getConfig<string>(`${prefix}.mailExtractWorkflowId`, 'workflow.temp-mail-extract-link.v1');
+    const mailExtractConfig = ctx.getConfig<Record<string, unknown>>(`${prefix}.mailExtractConfig`, {});
+    const postVerifyNavigateUrl = ctx.getConfig<string>(`${prefix}.postVerifyNavigateUrl`, '');
+
+    const authExtractPageUrl = ctx.getConfig<string>(`${prefix}.authExtractPageUrl`, '');
+    const runAuthExtract = ctx.getConfig<boolean>(`${prefix}.runAuthExtract`, true);
+    const runNetworkAuthExtract = ctx.getConfig<boolean>(`${prefix}.runNetworkAuthExtract`, true);
+    const authMinConfidence = ctx.getConfig<number>(`${prefix}.authMinConfidence`, 0.3);
+
+    const fields: Record<string, unknown> = { username, email, password, ...extraFields };
+    if (includeConfirmPassword) fields[confirmPasswordFieldName] = password;
+
+    const registerConfig = {
+      workflows: {
+        registerAccount: {
+          registerUrl, username, email, password,
+          includeConfirmPassword, confirmPasswordFieldName,
+          extraFields, checkboxSelectors, submitSelector,
+          timeoutMs: registerTimeoutMs,
+        },
+      },
+    };
+
+    const mailboxBranch = branchNode('maybe-email-verification', 'auth_bootstrap_enable_email_verification')
+      .predicateFn(() => enableEmailVerification && Boolean(emailProviderUrl))
+      .whenTrue(sequenceNode('email-verification-sequence')
+        .step(toolNode('open-latest-mail', 'run_extension_workflow')
+          .input({ workflowId: mailOpenWorkflowId, config: { workflows: { tempMailOpenLatest: { mailboxUrl: emailProviderUrl, ...mailOpenConfig } } } })
+          .timeout(180_000))
+        .step(toolNode('extract-verification-link', 'run_extension_workflow')
+          .input({ workflowId: mailExtractWorkflowId, config: { workflows: { tempMailExtractLink: { detailUrl: '', ...mailExtractConfig } } } })
+          .timeout(180_000))
+        .step(branchNode('maybe-post-verify-navigate', 'auth_bootstrap_post_verify_navigate')
+          .predicateFn(() => Boolean(postVerifyNavigateUrl))
+          .whenTrue(toolNode('navigate-post-verify-page', 'page_navigate').input({ url: postVerifyNavigateUrl, waitUntil: 'networkidle', enableNetworkMonitoring: true }))
+          .whenFalse(toolNode('skip-post-verify-navigate', 'console_execute').input({ expression: '({ skipped: true, step: "post_verify_navigate", reason: "postVerifyNavigateUrl not configured" })' }))))
+      .whenFalse(toolNode('skip-email-verification', 'console_execute').input({ expression: '({ skipped: true, step: "email_verification", reason: "config_disabled" })' }));
+
+    const authExtractBranch = branchNode('maybe-auth-extract', 'auth_bootstrap_run_auth_extract')
+      .predicateFn(() => runAuthExtract)
+      .whenTrue(sequenceNode('auth-extract-sequence')
+        .step(branchNode('maybe-navigate-auth-extract-page', 'auth_bootstrap_auth_extract_page_url')
+          .predicateFn(() => Boolean(authExtractPageUrl))
+          .whenTrue(toolNode('navigate-auth-extract-page', 'page_navigate').input({ url: authExtractPageUrl, waitUntil: 'networkidle', enableNetworkMonitoring: true }))
+          .whenFalse(toolNode('skip-auth-extract-page-nav', 'console_execute').input({ expression: '({ skipped: true, step: "auth_extract_page_nav", reason: "authExtractPageUrl not configured" })' })))
+        .step(toolNode('auth-extract', 'page_script_run').input({ name: 'auth_extract' })))
+      .whenFalse(toolNode('skip-auth-extract', 'console_execute').input({ expression: '({ skipped: true, step: "auth_extract", reason: "config_disabled" })' }));
+
+    const networkAuthBranch = branchNode('maybe-network-auth-extract', 'auth_bootstrap_run_network_auth_extract')
+      .predicateFn(() => runNetworkAuthExtract)
+      .whenTrue(toolNode('network-auth-extract', 'network_extract_auth').input({ minConfidence: authMinConfidence }))
+      .whenFalse(toolNode('skip-network-auth-extract', 'console_execute').input({ expression: '({ skipped: true, step: "network_auth_extract", reason: "config_disabled" })' }));
+
+    return sequenceNode('auth-bootstrap-root')
+      .step(branchNode('maybe-preclear-auth-state', 'auth_bootstrap_preclear_auth_state')
+        .predicateFn(() => clearCookiesFirst || clearStorageFirst)
+        .whenTrue(sequenceNode('preclear-auth-state-sequence')
+          .step(toolNode('navigate-preclear-page', 'page_navigate').input({ url: preAuthClearUrl, waitUntil: 'domcontentloaded', enableNetworkMonitoring: true }))
+          .step(branchNode('maybe-clear-cookies', 'auth_bootstrap_clear_cookies_first')
+            .predicateFn(() => clearCookiesFirst)
+            .whenTrue(toolNode('clear-cookies', 'page_clear_cookies').input({}))
+            .whenFalse(toolNode('skip-clear-cookies', 'console_execute').input({ expression: '({ skipped: true, step: "clear_cookies", reason: "config_disabled" })' })))
+          .step(branchNode('maybe-clear-storage', 'auth_bootstrap_clear_storage_first')
+            .predicateFn(() => clearStorageFirst)
+            .whenTrue(toolNode('clear-web-storage', 'page_evaluate').input({ code: '(() => { try { localStorage.clear(); sessionStorage.clear(); } catch {} return { ok: true, href: location.href }; })()' }))
+            .whenFalse(toolNode('skip-clear-storage', 'console_execute').input({ expression: '({ skipped: true, step: "clear_storage", reason: "config_disabled" })' }))))
+        .whenFalse(toolNode('skip-preclear-auth-state', 'console_execute').input({ expression: '({ skipped: true, step: "preclear_auth_state", reason: "all clear flags disabled" })' })))
+      .step(toolNode('run-register-workflow', 'run_extension_workflow')
+        .input({ workflowId: registerWorkflowId, config: registerConfig })
+        .timeout(Math.max(180_000, registerTimeoutMs + 60_000)))
+      .step(mailboxBranch)
+      .step(authExtractBranch)
+      .step(networkAuthBranch)
+      .step(toolNode('emit-summary', 'console_execute').input({
+        expression: `(${JSON.stringify({
+          workflowId, registerWorkflowId, registerUrl, email,
+          enableEmailVerification, emailProviderUrl,
+          mailOpenWorkflowId, mailExtractWorkflowId,
+          postVerifyNavigateUrl, authExtractPageUrl,
+          runAuthExtract, runNetworkAuthExtract, authMinConfidence,
+          note: 'Inspect nested workflow outputs for form submit, mail opening, link extraction, and final auth artifacts.',
+        })})`,
+      }))
+      .build();
+  },
+
+  onStart(ctx) {
+    ctx.emitMetric('workflow_runs_total', 1, 'counter', { workflowId, stage: 'start' });
+  },
+
+  onFinish(ctx) {
+    ctx.emitMetric('workflow_runs_total', 1, 'counter', { workflowId, stage: 'finish' });
+  },
+
+  onError(ctx, error) {
+    ctx.emitMetric('workflow_errors_total', 1, 'counter', { workflowId, error: error.name });
+  },
+};
+
+export default workflow;

package/workflows/auth-extract/.jshook-install.json

@@ -0,0 +1,14 @@
+{
+  "version": 1,
+  "kind": "workflow",
+  "slug": "auth-extract",
+  "id": "workflow.auth-extract.v1",
+  "source": {
+    "type": "git",
+    "repo": "https://github.com/vmoranv/jshook_workflow_auth_extract",
+    "ref": "main",
+    "commit": "abcb3e8ef8e54a9742f1f6d51edbb2e551e72b40",
+    "subpath": ".",
+    "entry": "workflow.ts"
+  }
+}

package/workflows/auth-extract/meta.yaml

@@ -0,0 +1,6 @@
+name: auth-extract
+description: JSHook workflow for auth-extract
+author: vmoranv
+tags:
+  - workflow
+  - auth-extract

package/workflows/auth-extract/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "jshook-workflow-auth-extract",
+  "private": true,
+  "version": "0.1.0",
+  "description": "jshookmcp workflow: auth-extract",
+  "type": "module",
+  "packageManager": "pnpm@10.28.2",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "check": "tsc -p tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "@jshookmcp/extension-sdk": "^0.3.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.3.0",
+    "typescript": "^5.9.3"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}