@jshookmcp/jshook 0.2.8 → 0.2.9

package/dist/workflow-f3xJOcjx.mjs

@@ -0,0 +1,725 @@
+import { t as logger } from "./logger-Dh_xb7_2.mjs";
+import { Cr as WORKFLOW_BUNDLE_CACHE_MAX_BYTES, Dr as WORKFLOW_JS_BUNDLE_MAX_SIZE_BYTES, Er as WORKFLOW_JS_BUNDLE_MAX_REDIRECTS, Tr as WORKFLOW_JS_BUNDLE_FETCH_TIMEOUT_MS, wr as WORKFLOW_BUNDLE_CACHE_TTL_MS } from "./constants-B0OANIBL.mjs";
+import { a as argString, i as argObject, r as argNumber, t as argBool } from "./parse-args-BlRjqlkL.mjs";
+import { a as isLoopbackHost, s as isPrivateHost } from "./ssrf-policy-ZaUfvhq7.mjs";
+import { t as R } from "./ResponseBuilder-D3iFYx2N.mjs";
+import "./definitions-Cke7zEb8.mjs";
+import { BlockList, isIP } from "node:net";
+import { lookup } from "node:dns/promises";
+//#region src/server/domains/workflow/handlers/shared.ts
+/**
+* Shared types, state, and utilities for workflow domain sub-handlers.
+*/
+const BUILTIN_SCRIPT_ENTRIES = [
+	{
+		name: "auth_extract",
+		description: "Extract auth tokens from localStorage and cookies",
+		code: `(function(){
+  var keys=['token','active_token','access_token','jwt','auth_token','userRole','id_token','refresh_token'];
+  var r={};
+  for(var i=0;i<keys.length;i++){var v=localStorage.getItem(keys[i]);if(v)r[keys[i]]=v;}
+  r._cookies=document.cookie;
+  return r;
+})()`
+	},
+	{
+		name: "bundle_search",
+		description: "Fetch a remote JS bundle and search it with regex patterns. params: { url: string, patterns: string[] }",
+		code: `(async function(){
+  var p=typeof __params__!=='undefined'?__params__:{};
+  if(!p.url)return{error:'params.url required'};
+  var resp=await fetch(p.url);
+  var text=await resp.text();
+  var patterns=p.patterns||[];
+  var results={};
+  for(var i=0;i<patterns.length;i++){
+    var re=new RegExp(patterns[i],'g');
+    var matches=[];var m;
+    while((m=re.exec(text))!==null){
+      var s=Math.max(0,m.index-80),e=Math.min(text.length,m.index+m[0].length+80);
+      matches.push({match:m[0],ctx:text.slice(s,e)});
+      if(matches.length>=10)break;
+    }
+    results[patterns[i]]=matches;
+  }
+  return{size:text.length,results:results};
+})()`
+	},
+	{
+		name: "react_fill_form",
+		description: "Fill React controlled form inputs using native setter trick. params: { fields: { \"selector\": \"value\" } }",
+		code: `(function(){
+  var p=typeof __params__!=='undefined'?__params__:{};
+  var fields=p.fields||{};
+  var ns=Object.getOwnPropertyDescriptor(window.HTMLInputElement.prototype,'value').set;
+  var r={};
+  var entries=Object.entries(fields);
+  for(var i=0;i<entries.length;i++){
+    var sel=entries[i][0],val=entries[i][1];
+    var el=document.querySelector(sel);
+    if(!el){r[sel]='not found';continue;}
+    ns.call(el,val);
+    el.dispatchEvent(new Event('input',{bubbles:true}));
+    el.dispatchEvent(new Event('change',{bubbles:true}));
+    r[sel]='filled';
+  }
+  return r;
+})()`
+	},
+	{
+		name: "dom_find_upgrade_buttons",
+		description: "Scan the current page for upgrade/subscription/tier-related UI elements",
+		code: `(function(){
+  var kw=['upgrade','plus','pro','premium','subscribe','plan','tier','vip','membership'];
+  var r=[];
+  document.querySelectorAll('button,a,[role=button],[class*=upgrade],[class*=premium],[class*=plus]').forEach(function(el){
+    var t=(el.textContent||'').toLowerCase().trim();
+    var c=(el.className||'').toLowerCase();
+    if(kw.some(function(k){return t.includes(k)||c.includes(k);})){
+      r.push({tag:el.tagName,text:t.slice(0,120),cls:c.slice(0,100),href:el.href||null,id:el.id||null});
+    }
+  });
+  return r;
+})()`
+	}
+];
+function createWorkflowSharedState(deps) {
+	const state = {
+		deps,
+		scriptRegistry: /* @__PURE__ */ new Map(),
+		bundleCache: /* @__PURE__ */ new Map(),
+		bundleCacheBytes: 0
+	};
+	initBuiltinScripts(state.scriptRegistry);
+	return state;
+}
+const WORKFLOW_CONSTANTS = {
+	BUNDLE_CACHE_TTL_MS: WORKFLOW_BUNDLE_CACHE_TTL_MS,
+	MAX_SCRIPTS: 100,
+	MAX_BUNDLE_CACHE: 50,
+	MAX_BUNDLE_CACHE_BYTES: WORKFLOW_BUNDLE_CACHE_MAX_BYTES
+};
+function initBuiltinScripts(registry) {
+	for (const entry of BUILTIN_SCRIPT_ENTRIES) registry.set(entry.name, {
+		code: entry.code,
+		description: entry.description,
+		source: "core",
+		protectedFromEviction: true
+	});
+}
+function evictBundleCache(state) {
+	const now = Date.now();
+	for (const [k, v] of state.bundleCache) if (now - v.cachedAt >= WORKFLOW_CONSTANTS.BUNDLE_CACHE_TTL_MS) {
+		state.bundleCacheBytes -= v.text.length;
+		state.bundleCache.delete(k);
+	}
+	while (state.bundleCache.size >= WORKFLOW_CONSTANTS.MAX_BUNDLE_CACHE || state.bundleCacheBytes > WORKFLOW_CONSTANTS.MAX_BUNDLE_CACHE_BYTES) {
+		const oldest = state.bundleCache.keys().next().value;
+		if (oldest !== void 0) {
+			const entry = state.bundleCache.get(oldest);
+			if (entry) state.bundleCacheBytes -= entry.text.length;
+			state.bundleCache.delete(oldest);
+		} else break;
+	}
+}
+function escapeInlineScriptLiteral(value) {
+	return value.replace(/[<>/\u2028\u2029]/g, (char) => {
+		switch (char) {
+			case "<": return "\\u003C";
+			case ">": return "\\u003E";
+			case "/": return "\\u002F";
+			case "\u2028": return "\\u2028";
+			case "\u2029": return "\\u2029";
+			default: return char;
+		}
+	});
+}
+function getOptionalString(value) {
+	return typeof value === "string" ? value : void 0;
+}
+function getOptionalRecord(value) {
+	if (value === null || typeof value !== "object" || Array.isArray(value)) return void 0;
+	return value;
+}
+function jsonTextResult(payload) {
+	return R.raw(payload);
+}
+//#endregion
+//#region src/server/domains/workflow/handlers/script-handlers.ts
+/**
+* Script management and extension workflow sub-handler.
+*/
+var ScriptHandlers = class {
+	state;
+	constructor(state) {
+		this.state = state;
+	}
+	async handlePageScriptRegister(args) {
+		const name = getOptionalString(args.name);
+		const code = getOptionalString(args.code);
+		const description = getOptionalString(args.description) ?? "";
+		if (!name || !code) return jsonTextResult({
+			success: false,
+			error: "name and code are required"
+		});
+		const isUpdate = this.state.scriptRegistry.has(name);
+		if (!isUpdate && this.state.scriptRegistry.size >= WORKFLOW_CONSTANTS.MAX_SCRIPTS) {
+			for (const [scriptName, entry] of this.state.scriptRegistry) if (!entry.protectedFromEviction) {
+				this.state.scriptRegistry.delete(scriptName);
+				break;
+			}
+		}
+		const existingEntry = this.state.scriptRegistry.get(name);
+		this.state.scriptRegistry.set(name, {
+			code,
+			description,
+			source: existingEntry?.source ?? "user",
+			protectedFromEviction: existingEntry?.protectedFromEviction ?? false
+		});
+		return jsonTextResult({
+			success: true,
+			action: isUpdate ? "updated" : "registered",
+			name,
+			description,
+			totalScripts: this.state.scriptRegistry.size,
+			available: Array.from(this.state.scriptRegistry.keys())
+		});
+	}
+	async handlePageScriptRun(args) {
+		const name = getOptionalString(args.name);
+		const params = getOptionalRecord(args.params);
+		const entry = name ? this.state.scriptRegistry.get(name) : void 0;
+		if (!entry) {
+			const available = Array.from(this.state.scriptRegistry.keys());
+			return jsonTextResult({
+				success: false,
+				error: `Script "${name}" not found`,
+				available
+			});
+		}
+		let codeToRun;
+		if (params !== void 0) codeToRun = `(function(){const __params__=JSON.parse(${escapeInlineScriptLiteral(JSON.stringify(JSON.stringify(params)))});return(${entry.code});})()`;
+		else codeToRun = entry.code;
+		try {
+			return await this.state.deps.browserHandlers.handlePageEvaluate({ code: codeToRun });
+		} catch (error) {
+			logger.error(`[page_script_run] Script "${name}" failed:`, error);
+			return jsonTextResult({
+				success: false,
+				script: name,
+				error: error instanceof Error ? error.message : String(error)
+			});
+		}
+	}
+	async handleListExtensionWorkflows() {
+		const ctx = this.state.deps.serverContext;
+		if (!ctx) return jsonTextResult({
+			success: false,
+			error: "Extension workflow runtime is unavailable in this handler context"
+		});
+		const { ensureWorkflowsLoaded } = await import("./ExtensionManager-CWYgw0YW.mjs").then((n) => n.t);
+		await ensureWorkflowsLoaded(ctx);
+		const workflows = [...ctx.extensionWorkflowsById.values()].filter((record) => record.route?.kind !== "preset");
+		workflows.sort((a, b) => a.id.localeCompare(b.id));
+		const serializedWorkflows = workflows.map((record) => ({
+			id: record.id,
+			displayName: record.displayName,
+			description: record.description,
+			tags: record.tags,
+			timeoutMs: record.timeoutMs,
+			defaultMaxConcurrency: record.defaultMaxConcurrency,
+			source: record.source,
+			route: record.route ? {
+				kind: record.route.kind,
+				priority: record.route.priority,
+				requiredDomains: record.route.requiredDomains,
+				triggerPatterns: record.route.triggerPatterns.map((pattern) => pattern.source),
+				steps: record.route.steps
+			} : void 0
+		}));
+		return jsonTextResult({
+			success: true,
+			count: serializedWorkflows.length,
+			workflows: serializedWorkflows
+		});
+	}
+	async handleRunExtensionWorkflow(args) {
+		const ctx = this.state.deps.serverContext;
+		if (!ctx) return jsonTextResult({
+			success: false,
+			error: "Extension workflow runtime is unavailable in this handler context"
+		});
+		const workflowId = getOptionalString(args.workflowId) ?? getOptionalString(args.id);
+		if (!workflowId) return jsonTextResult({
+			success: false,
+			error: "workflowId is required"
+		});
+		const { ensureWorkflowsLoaded } = await import("./ExtensionManager-CWYgw0YW.mjs").then((n) => n.t);
+		await ensureWorkflowsLoaded(ctx);
+		const runtimeRecord = ctx.extensionWorkflowRuntimeById.get(workflowId);
+		if (!runtimeRecord) {
+			const available = [...ctx.extensionWorkflowsById.values()].filter((record) => record.route?.kind !== "preset").map((record) => record.id);
+			available.sort((a, b) => a.localeCompare(b));
+			return jsonTextResult({
+				success: false,
+				error: `Extension workflow "${workflowId}" not found`,
+				available
+			});
+		}
+		if (runtimeRecord.route?.kind === "preset") return jsonTextResult({
+			success: false,
+			workflowId,
+			error: `Extension workflow "${workflowId}" is a routing preset and cannot be executed directly. Use route_tool or the suggested preset steps instead.`
+		});
+		const profile = getOptionalString(args.profile);
+		const config = getOptionalRecord(args.config);
+		const nodeInputOverrides = argObject(args, "nodeInputOverrides");
+		const timeoutMs = argNumber(args, "timeoutMs");
+		try {
+			const { executeExtensionWorkflow } = await import("./WorkflowEngine-CuvkZtWu.mjs").then((n) => n.t);
+			return jsonTextResult({
+				success: true,
+				...await executeExtensionWorkflow(ctx, runtimeRecord.workflow, {
+					profile,
+					config,
+					nodeInputOverrides,
+					timeoutMs
+				})
+			});
+		} catch (error) {
+			logger.error(`[run_extension_workflow] Workflow "${workflowId}" failed:`, error);
+			return jsonTextResult({
+				success: false,
+				workflowId,
+				error: error instanceof Error ? error.message : String(error)
+			});
+		}
+	}
+};
+//#endregion
+//#region src/server/domains/workflow/handlers/network-policy.ts
+/**
+* Workflow network policy — SSRF-aware URL authorization.
+*/
+function normalizeWorkflowHostname(host) {
+	return host.trim().replace(/^\[|\]$/g, "").toLowerCase();
+}
+function parseWorkflowStringArray(raw) {
+	if (raw === void 0) return [];
+	const parsed = typeof raw === "string" ? (() => {
+		try {
+			return JSON.parse(raw);
+		} catch {
+			return null;
+		}
+	})() : raw;
+	if (!Array.isArray(parsed)) return null;
+	const values = parsed.filter((entry) => typeof entry === "string");
+	if (values.length !== parsed.length) return null;
+	return values.map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+}
+function normalizeWorkflowHostPattern(raw) {
+	const trimmed = raw.trim();
+	const candidate = trimmed.includes("://") ? trimmed : `http://${trimmed}`;
+	try {
+		const parsed = new URL(candidate);
+		if (parsed.port.length > 0) return {
+			scope: "host",
+			value: parsed.host.toLowerCase()
+		};
+		return {
+			scope: "hostname",
+			value: normalizeWorkflowHostname(parsed.hostname)
+		};
+	} catch {
+		return {
+			scope: "hostname",
+			value: normalizeWorkflowHostname(trimmed)
+		};
+	}
+}
+function parseWorkflowBoolean(raw, fieldName) {
+	if (raw === void 0) return {
+		ok: true,
+		value: false
+	};
+	if (typeof raw !== "boolean") return {
+		ok: false,
+		error: `${fieldName} must be a boolean when provided`
+	};
+	return {
+		ok: true,
+		value: raw
+	};
+}
+function parseWorkflowNetworkPolicy(args) {
+	const rawNetworkPolicy = args.networkPolicy;
+	if (rawNetworkPolicy === void 0) return { policy: {
+		allowPrivateNetwork: false,
+		allowInsecureHttp: false,
+		allowedHosts: [],
+		allowedRedirectHosts: [],
+		allowedCidrs: [],
+		allowedCidrBlockList: new BlockList()
+	} };
+	const parsedInput = typeof rawNetworkPolicy === "string" ? (() => {
+		try {
+			return JSON.parse(rawNetworkPolicy);
+		} catch {
+			return null;
+		}
+	})() : rawNetworkPolicy;
+	if (!parsedInput || typeof parsedInput !== "object" || Array.isArray(parsedInput)) return { error: "networkPolicy must be an object or valid JSON object string" };
+	const record = parsedInput;
+	const allowPrivateNetwork = parseWorkflowBoolean(record.allowPrivateNetwork, "networkPolicy.allowPrivateNetwork");
+	if (!allowPrivateNetwork.ok) return { error: allowPrivateNetwork.error };
+	const allowInsecureHttp = parseWorkflowBoolean(record.allowInsecureHttp, "networkPolicy.allowInsecureHttp");
+	if (!allowInsecureHttp.ok) return { error: allowInsecureHttp.error };
+	const allowedHosts = parseWorkflowStringArray(record.allowedHosts);
+	if (allowedHosts === null) return { error: "networkPolicy.allowedHosts must be an array of strings" };
+	const allowedRedirectHosts = parseWorkflowStringArray(record.allowedRedirectHosts);
+	if (allowedRedirectHosts === null) return { error: "networkPolicy.allowedRedirectHosts must be an array of strings" };
+	const allowedCidrs = parseWorkflowStringArray(record.allowedCidrs);
+	if (allowedCidrs === null) return { error: "networkPolicy.allowedCidrs must be an array of strings" };
+	const allowedCidrBlockList = new BlockList();
+	for (const cidr of allowedCidrs) {
+		const [address, prefixRaw] = cidr.split("/");
+		if (!address || !prefixRaw) return { error: `Invalid CIDR in networkPolicy.allowedCidrs: "${cidr}"` };
+		const family = isIP(address);
+		if (family === 0) return { error: `Invalid CIDR base address in networkPolicy.allowedCidrs: "${cidr}"` };
+		const prefix = Number(prefixRaw);
+		const maxPrefix = family === 4 ? 32 : 128;
+		if (!Number.isInteger(prefix) || prefix < 0 || prefix > maxPrefix) return { error: `Invalid CIDR prefix in networkPolicy.allowedCidrs: "${cidr}"` };
+		allowedCidrBlockList.addSubnet(address, prefix, family === 4 ? "ipv4" : "ipv6");
+	}
+	return { policy: {
+		allowPrivateNetwork: allowPrivateNetwork.value,
+		allowInsecureHttp: allowInsecureHttp.value,
+		allowedHosts: allowedHosts.map(normalizeWorkflowHostPattern),
+		allowedRedirectHosts: allowedRedirectHosts.map(normalizeWorkflowHostPattern),
+		allowedCidrs,
+		allowedCidrBlockList
+	} };
+}
+async function authorizeWorkflowUrl(targetUrl, policy, options) {
+	let parsedUrl;
+	try {
+		parsedUrl = new URL(targetUrl);
+	} catch {
+		throw new Error(`Invalid ${options.label}: ${targetUrl}`);
+	}
+	if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") throw new Error(`Unsupported protocol for ${options.label}: ${parsedUrl.protocol} — only http/https allowed`);
+	const normalizedHostname = normalizeWorkflowHostname(parsedUrl.hostname);
+	const parsedHost = parsedUrl.host.toLowerCase();
+	const ipFamily = isIP(normalizedHostname);
+	const resolvedIp = ipFamily !== 0 ? normalizedHostname : await lookup(normalizedHostname).then((result) => result.address).catch((error) => {
+		throw new Error(`DNS resolution failed for "${targetUrl}"`, { cause: error });
+	});
+	const resolvedFamily = isIP(resolvedIp);
+	const matchesAllowedCidr = resolvedFamily !== 0 && policy.allowedCidrs.length > 0 && policy.allowedCidrBlockList.check(resolvedIp, resolvedFamily === 4 ? "ipv4" : "ipv6");
+	const hostPatterns = options.allowRedirectHosts && policy.allowedRedirectHosts.length > 0 ? policy.allowedRedirectHosts : policy.allowedHosts;
+	const matchesAllowedHost = hostPatterns.some((pattern) => pattern.scope === "host" ? pattern.value === parsedHost : pattern.value === normalizedHostname);
+	const hasHostOrCidrRules = hostPatterns.length > 0 || policy.allowedCidrs.length > 0;
+	const isAuthorizedTarget = !hasHostOrCidrRules || matchesAllowedHost || matchesAllowedCidr;
+	if (isPrivateHost(normalizedHostname) || isPrivateHost(resolvedIp)) {
+		if (!policy.allowPrivateNetwork) throw new Error(`Blocked: ${options.label} "${targetUrl}" resolves to a private/reserved address`);
+		if (!hasHostOrCidrRules || !isAuthorizedTarget) throw new Error(`Blocked: ${options.label} "${targetUrl}" requires an explicit networkPolicy host or CIDR allow rule`);
+	} else if (hasHostOrCidrRules && !isAuthorizedTarget) throw new Error(`Blocked: ${options.label} "${targetUrl}" is not authorized by networkPolicy`);
+	const loopbackTarget = isLoopbackHost(normalizedHostname) || isLoopbackHost(resolvedIp);
+	if (parsedUrl.protocol === "http:" && !loopbackTarget) {
+		if (!policy.allowInsecureHttp) throw new Error(`Blocked: insecure HTTP requires networkPolicy.allowInsecureHttp for "${targetUrl}"`);
+		if (!hasHostOrCidrRules || !isAuthorizedTarget) throw new Error(`Blocked: insecure HTTP target "${targetUrl}" requires an explicit networkPolicy host or CIDR allow rule`);
+	}
+	const fetchHeaders = {};
+	let fetchUrl = parsedUrl.toString();
+	if (options.rewriteHttpHostToResolvedIp && parsedUrl.protocol === "http:" && ipFamily === 0) {
+		const originalHost = parsedUrl.host;
+		const pinnedUrl = new URL(parsedUrl.toString());
+		pinnedUrl.hostname = resolvedIp.includes(":") ? `[${resolvedIp}]` : resolvedIp;
+		fetchUrl = pinnedUrl.toString();
+		fetchHeaders.Host = originalHost;
+	}
+	return {
+		parsedUrl,
+		resolvedIp,
+		fetchUrl,
+		headers: fetchHeaders
+	};
+}
+//#endregion
+//#region src/server/domains/workflow/handlers/api-handlers.ts
+/**
+* API probe sub-handler.
+*/
+var ApiHandlers = class {
+	state;
+	constructor(state) {
+		this.state = state;
+	}
+	async handleApiProbeBatch(args) {
+		const rawBaseUrl = typeof args.baseUrl === "string" ? args.baseUrl.trim() : "";
+		if (rawBaseUrl.length === 0) return R.fail("baseUrl is required and must be a non-empty string").json();
+		const policyResult = parseWorkflowNetworkPolicy(args);
+		if (!policyResult.policy) return R.fail(policyResult.error).json();
+		let normalizedBaseUrl;
+		let authorizationHeaders = {};
+		try {
+			const authorization = await authorizeWorkflowUrl(rawBaseUrl, policyResult.policy, {
+				label: "baseUrl",
+				rewriteHttpHostToResolvedIp: true
+			});
+			normalizedBaseUrl = authorization.fetchUrl.replace(/\/$/, "");
+			authorizationHeaders = authorization.headers;
+		} catch (error) {
+			return R.fail(error).json();
+		}
+		const baseUrl = normalizedBaseUrl;
+		const rawPaths = args.paths;
+		const paths = Array.isArray(rawPaths) ? rawPaths : typeof rawPaths === "string" ? (() => {
+			try {
+				return JSON.parse(rawPaths);
+			} catch {
+				return [];
+			}
+		})() : [];
+		const method = (argString(args, "method") ?? "GET").toUpperCase();
+		const extraHeaders = argObject(args, "headers") ?? {};
+		const bodyTemplate = argString(args, "bodyTemplate") ?? null;
+		const includeBodyStatuses = Array.isArray(args.includeBodyStatuses) ? args.includeBodyStatuses.filter((v) => typeof v === "number") : [
+			200,
+			201,
+			204
+		];
+		const maxBodySnippetLength = Math.max(0, Math.min(argNumber(args, "maxBodySnippetLength", 500), 1e4));
+		const autoInjectAuth = argBool(args, "autoInjectAuth", true);
+		if (!paths || paths.length === 0) return R.fail("paths array is required and must not be empty").json();
+		const probeCode = `(async function() {
+  var baseUrl = ${JSON.stringify(baseUrl)};
+  var paths = ${JSON.stringify(paths)};
+  var method = ${JSON.stringify(method)};
+  var extraHeaders = ${JSON.stringify(extraHeaders)};
+  var includeBodyStatuses = ${JSON.stringify(includeBodyStatuses)};
+  var maxSnippetLen = ${JSON.stringify(maxBodySnippetLength)};
+  var autoInjectAuth = ${JSON.stringify(autoInjectAuth)};
+  var bodyTemplate = ${JSON.stringify(bodyTemplate)};
+  var authHeaders = ${JSON.stringify(authorizationHeaders)};
+  var headers = Object.assign({'Content-Type':'application/json'}, extraHeaders, authHeaders);
+  if (autoInjectAuth) {
+    var token = localStorage.getItem('token') || localStorage.getItem('active_token') || localStorage.getItem('access_token');
+    if (token) headers['Authorization'] = 'Bearer ' + token;
+  }
+  var results = {};
+  async function probePath(path) {
+    try {
+      var opts = {method: method, headers: headers, redirect: 'error'};
+      if (bodyTemplate && (method === 'POST' || method === 'PUT' || method === 'PATCH')) {
+        opts.body = bodyTemplate;
+      }
+      var resp = await fetch(baseUrl + path, opts);
+      var ct = resp.headers.get('content-type') || '';
+      var snippet = null;
+      if (includeBodyStatuses.indexOf(resp.status) !== -1) {
+        var text = await resp.text();
+        if (!ct.includes('text/html') && !ct.includes('application/xml')) {
+          snippet = text.length > maxSnippetLen ? text.slice(0, maxSnippetLen) + '...[truncated]' : text;
+        } else {
+          snippet = '[HTML/XML response suppressed]';
+        }
+      }
+      return [path, {status: resp.status, contentType: ct.split(';')[0].trim(), snippet: snippet}];
+    } catch(e) {
+      return [path, {status: -1, error: e instanceof Error ? e.message : String(e)}];
+    }
+  }
+  var nextIndex = 0;
+  var maxConcurrency = Math.min(paths.length, 6);
+  await Promise.all(Array.from({ length: maxConcurrency }, async function() {
+    while (nextIndex < paths.length) {
+      var currentIndex = nextIndex++;
+      var currentPath = paths[currentIndex];
+      var entry = await probePath(currentPath);
+      results[entry[0]] = entry[1];
+    }
+  }));
+  return {probed: paths.length, method: method, baseUrl: baseUrl, results: results};
+})()`;
+		try {
+			const resp = await this.state.deps.browserHandlers.handlePageEvaluate({ code: probeCode });
+			const data = R.parse(resp);
+			return R.ok().merge(data).json();
+		} catch (error) {
+			logger.error("[api_probe_batch] Error:", error);
+			return R.fail(error).json();
+		}
+	}
+};
+//#endregion
+//#region src/server/domains/workflow/handlers/account-handlers.ts
+/**
+* JS bundle search sub-handler.
+*/
+var AccountHandlers = class {
+	state;
+	constructor(state) {
+		this.state = state;
+	}
+	async handleJsBundleSearch(args) {
+		const url = argString(args, "url", "");
+		const rawPatterns = args.patterns;
+		const patterns = Array.isArray(rawPatterns) ? rawPatterns : typeof rawPatterns === "string" ? (() => {
+			try {
+				return JSON.parse(rawPatterns);
+			} catch {
+				return [];
+			}
+		})() : [];
+		const cacheBundle = argBool(args, "cacheBundle", true);
+		const stripNoise = argBool(args, "stripNoise", true);
+		const maxMatches = argNumber(args, "maxMatches", 10);
+		const policyResult = parseWorkflowNetworkPolicy(args);
+		if (!url || !patterns || patterns.length === 0) return R.fail("url and patterns are required").json();
+		if (!policyResult.policy) return R.fail(policyResult.error).json();
+		const networkPolicy = policyResult.policy;
+		const MAX_BUNDLE_SIZE = WORKFLOW_JS_BUNDLE_MAX_SIZE_BYTES;
+		const MAX_REDIRECTS = WORKFLOW_JS_BUNDLE_MAX_REDIRECTS;
+		const safeFetch = async (targetUrl, signal) => {
+			let currentUrl = targetUrl;
+			for (let hops = 0; hops < MAX_REDIRECTS; hops++) {
+				const authorization = await authorizeWorkflowUrl(currentUrl, networkPolicy, {
+					label: hops === 0 ? "bundle URL" : "redirect target",
+					allowRedirectHosts: hops > 0,
+					rewriteHttpHostToResolvedIp: true
+				});
+				const resp = await fetch(authorization.fetchUrl, {
+					signal,
+					redirect: "manual",
+					headers: authorization.headers
+				});
+				if (resp.status >= 300 && resp.status < 400) {
+					const location = resp.headers.get("location");
+					if (!location) throw new Error(`Redirect ${resp.status} without Location header`);
+					currentUrl = new URL(location, currentUrl).toString();
+					continue;
+				}
+				return resp;
+			}
+			throw new Error(`Too many redirects (>${MAX_REDIRECTS})`);
+		};
+		let bundleText;
+		let fromCache = false;
+		try {
+			if (cacheBundle) {
+				const cached = this.state.bundleCache.get(url);
+				if (cached && Date.now() - cached.cachedAt < WORKFLOW_CONSTANTS.BUNDLE_CACHE_TTL_MS) {
+					bundleText = cached.text;
+					fromCache = true;
+				} else {
+					const controller = new AbortController();
+					const timeoutId = setTimeout(() => controller.abort(), WORKFLOW_JS_BUNDLE_FETCH_TIMEOUT_MS);
+					try {
+						const resp = await safeFetch(url, controller.signal);
+						if (!resp.ok) return R.fail(`Fetch failed: ${resp.status} ${resp.statusText}`).merge({ url }).json();
+						bundleText = await resp.text();
+						if (bundleText.length > MAX_BUNDLE_SIZE) return R.fail(`Response too large: ${bundleText.length} bytes exceeds ${MAX_BUNDLE_SIZE} limit`).merge({ url }).json();
+						evictBundleCache(this.state);
+						this.state.bundleCache.set(url, {
+							text: bundleText,
+							cachedAt: Date.now()
+						});
+						this.state.bundleCacheBytes += bundleText.length;
+					} finally {
+						clearTimeout(timeoutId);
+					}
+				}
+			} else {
+				const controller = new AbortController();
+				const timeoutId = setTimeout(() => controller.abort(), 3e4);
+				try {
+					const resp = await safeFetch(url, controller.signal);
+					if (!resp.ok) return R.fail(`Fetch failed: ${resp.status} ${resp.statusText}`).merge({ url }).json();
+					bundleText = await resp.text();
+					if (bundleText.length > MAX_BUNDLE_SIZE) return R.fail(`Response too large: ${bundleText.length} bytes exceeds ${MAX_BUNDLE_SIZE} limit`).merge({ url }).json();
+				} finally {
+					clearTimeout(timeoutId);
+				}
+			}
+		} catch (fetchError) {
+			return R.fail(fetchError).merge({ url }).json();
+		}
+		const results = {};
+		for (const pattern of patterns) {
+			const contextBefore = pattern.contextBefore ?? 80;
+			const contextAfter = pattern.contextAfter ?? 80;
+			let re;
+			try {
+				re = new RegExp(pattern.regex, "g");
+			} catch (e) {
+				results[pattern.name] = [{
+					match: "",
+					index: -1,
+					context: `Invalid regex: ${e instanceof Error ? e.message : String(e)}`
+				}];
+				continue;
+			}
+			const matches = [];
+			let m;
+			while ((m = re.exec(bundleText)) !== null) {
+				const s = Math.max(0, m.index - contextBefore);
+				const e = Math.min(bundleText.length, m.index + m[0].length + contextAfter);
+				const ctx = bundleText.slice(s, e);
+				if (stripNoise) {
+					if (/[Mm]\d{1,6}(?:\.\d+)?[, ]\d{1,6}(?:\.\d+)?[CLHVSQTAZclhvsqtaz]/.test(ctx)) continue;
+					if (/data:[a-z+-]+\/[a-z+-]+;base64,/i.test(ctx)) continue;
+					if (ctx.replace(/[^A-Za-z0-9+/=]/g, "").length > ctx.length * .85 && ctx.length > 200) continue;
+				}
+				matches.push({
+					match: m[0],
+					index: m.index,
+					context: ctx
+				});
+				if (matches.length >= maxMatches) break;
+			}
+			results[pattern.name] = matches;
+		}
+		return R.ok().merge({
+			bundleUrl: url,
+			bundleSize: bundleText.length,
+			cached: fromCache,
+			patternsSearched: patterns.length,
+			results
+		}).json();
+	}
+};
+//#endregion
+//#region src/server/domains/workflow/handlers.impl.core.ts
+var WorkflowHandlers = class {
+	scripts;
+	api;
+	account;
+	constructor(deps) {
+		const state = createWorkflowSharedState(deps);
+		this.scripts = new ScriptHandlers(state);
+		this.api = new ApiHandlers(state);
+		this.account = new AccountHandlers(state);
+	}
+	handlePageScriptRegister(args) {
+		return this.scripts.handlePageScriptRegister(args);
+	}
+	handlePageScriptRun(args) {
+		return this.scripts.handlePageScriptRun(args);
+	}
+	handleListExtensionWorkflows() {
+		return this.scripts.handleListExtensionWorkflows();
+	}
+	handleRunExtensionWorkflow(args) {
+		return this.scripts.handleRunExtensionWorkflow(args);
+	}
+	handleApiProbeBatch(args) {
+		return this.api.handleApiProbeBatch(args);
+	}
+	handleJsBundleSearch(args) {
+		return this.account.handleJsBundleSearch(args);
+	}
+};
+//#endregion
+export { WorkflowHandlers };