@wordbricks/playwright-mcp 0.1.18 → 0.1.20

package/README.md

@@ -142,49 +142,58 @@ Playwright MCP server supports following arguments. They can be provided in the
 
 ```
 > npx @wordbricks/playwright-mcp@latest --help
-  --allowed-origins <origins>  semicolon-separated list of origins to allow the
-                               browser to request. Default is to allow all.
-  --blocked-origins <origins>  semicolon-separated list of origins to block the
-                               browser from requesting. Blocklist is evaluated
-                               before allowlist. If used without the allowlist,
-                               requests not matching the blocklist are still
-                               allowed.
-  --block-service-workers      block service workers
-  --browser <browser>          browser or chrome channel to use, possible
-                               values: chrome, firefox, webkit, msedge.
-  --caps <caps>                comma-separated list of additional capabilities
-                               to enable, possible values: vision, pdf.
-  --cdp-endpoint <endpoint>    CDP endpoint to connect to.
-  --config <path>              path to the configuration file.
-  --device <device>            device to emulate, for example: "iPhone 15"
-  --executable-path <path>     path to the browser executable.
-  --headless                   run browser in headless mode, headed by default
-  --host <host>                host to bind server to. Default is localhost. Use
-                               0.0.0.0 to bind to all interfaces.
-  --ignore-https-errors        ignore https errors
-  --isolated                   keep the browser profile in memory, do not save
-                               it to disk.
-  --image-responses <mode>     whether to send image responses to the client.
-                               Can be "allow" or "omit", Defaults to "allow".
-  --no-sandbox                 disable the sandbox for all process types that
-                               are normally sandboxed.
-  --output-dir <path>          path to the directory for output files.
-  --port <port>                port to listen on for SSE transport.
-  --proxy-bypass <bypass>      comma-separated domains to bypass proxy, for
-                               example ".com,chromium.org,.domain.com"
-  --proxy-server <proxy>       specify proxy server, for example
-                               "http://myproxy:3128" or "socks5://myproxy:8080"
-  --save-session               Whether to save the Playwright MCP session into
-                               the output directory.
-  --save-trace                 Whether to save the Playwright Trace of the
-                               session into the output directory.
-  --storage-state <path>       path to the storage state file for isolated
-                               sessions.
-  --user-agent <ua string>     specify user agent string
-  --user-data-dir <path>       path to the user data directory. If not
-                               specified, a temporary directory will be created.
-  --viewport-size <size>       specify browser viewport size in pixels, for
-                               example "1280, 720"
+  --allowed-origins <origins>   semicolon-separated list of origins to allow the
+                                browser to request. Default is to allow all.
+  --blocked-origins <origins>   semicolon-separated list of origins to block the
+                                browser from requesting. Blocklist is evaluated
+                                before allowlist. If used without the allowlist,
+                                requests not matching the blocklist are still
+                                allowed.
+  --block-service-workers       block service workers
+  --browser <browser>           browser or chrome channel to use, possible
+                                values: chrome, firefox, webkit, msedge.
+  --caps <caps>                 comma-separated list of additional capabilities
+                                to enable, possible values: vision, pdf.
+  --cdp-endpoint <endpoint>     CDP endpoint to connect to.
+  --config <path>               path to the configuration file.
+  --device <device>             device to emulate, for example: "iPhone 15"
+  --executable-path <path>      path to the browser executable.
+  --headless                    run browser in headless mode, headed by default
+  --host <host>                 host to bind server to. Default is localhost.
+                                Use 0.0.0.0 to bind to all interfaces.
+  --ignore-https-errors         ignore https errors
+  --init-script <path>          path to a JavaScript file to inject into all
+                                pages using addInitScript.
+  --isolated                    keep the browser profile in memory, do not save
+                                it to disk.
+  --image-responses <mode>      whether to send image responses to the client.
+                                Can be "allow" or "omit", Defaults to "allow".
+  --no-sandbox                  disable the sandbox for all process types that
+                                are normally sandboxed.
+  --output-dir <path>           path to the directory for output files.
+  --port <port>                 port to listen on for SSE transport.
+  --proxy-bypass <bypass>       comma-separated domains to bypass proxy, for
+                                example ".com,chromium.org,.domain.com"
+  --proxy-server <proxy>        specify proxy server, for example
+                                "http://myproxy:3128" or "socks5://myproxy:8080"
+  --save-session                Whether to save the Playwright MCP session into
+                                the output directory.
+  --save-trace                  Whether to save the Playwright Trace of the
+                                session into the output directory.
+  --storage-state <path>        path to the storage state file for isolated
+                                sessions.
+  --user-agent <ua string>      specify user agent string
+  --user-data-dir <path>        path to the user data directory. If not
+                                specified, a temporary directory will be
+                                created.
+  --viewport-size <size>        specify browser viewport size in pixels, for
+                                example "1280, 720"
+  --window-position <x,y>       specify Chrome window position in pixels, for
+                                example "100,200"
+  --window-size <width,height>  specify Chrome window size in pixels, for
+                                example "1280,720"
+  --app <url>                   launch browser in app mode with the specified
+                                URL
 ```
 
 <!--- End of options generated section -->
@@ -397,6 +406,7 @@ http.createServer(async (req, res) => {
     - `ref` (string): Exact target element reference from the page snapshot
     - `doubleClick` (boolean, optional): Whether to perform a double click instead of a single click
     - `button` (string, optional): Button to click, defaults to left
+    - `modifiers` (array, optional): Modifier keys to press
   - Read-only: **false**
 
 <!-- NOTE: This has been generated via update-readme.js -->
@@ -564,7 +574,7 @@ http.createServer(async (req, res) => {
   - Description: Scroll the page using mouse wheel with human-like behavior
   - Parameters:
     - `amount` (number): Vertical scroll amount in pixels (positive scrolls down, negative up)
-  - Read-only: **false**
+  - Read-only: **true**
 
 <!-- NOTE: This has been generated via update-readme.js -->
 

package/lib/hooks/antiBotDetectionHook.js

@@ -0,0 +1,171 @@
+import ms from 'ms';
+import { Ok } from '../utils/result.js';
+import { hookNameSchema } from './schema.js';
+import { getEventsAfter, isEventType, trackEvent } from './events.js';
+const RESOLUTION_WAIT_MS = ms('10s');
+const lastProcessedEventIdByContext = new WeakMap();
+const detectedProvidersByContext = new WeakMap();
+const isLikelyResolved = async (ctx) => {
+    if (!ctx.tab?.page)
+        return false;
+    const host = ctx.tab.page.url();
+    if (host.includes('challenges.cloudflare.com'))
+        return false;
+    return ctx.tab.page.evaluate(() => {
+        const challengeSelectors = [
+            '#challenge-stage',
+            '#cf-challenge-running',
+            'iframe[src*="turnstile"]',
+            'form[action*="/cdn-cgi/challenge-platform"]',
+            '[data-cf-challenge]'
+        ];
+        const hasChallengeDom = challengeSelectors.some(selector => document.querySelector(selector));
+        if (hasChallengeDom)
+            return false;
+        const title = document.title.toLowerCase();
+        const bodyText = (document.body?.innerText || '').slice(0, 2000).toLowerCase();
+        if (title.includes('just a moment') || bodyText.includes('just a moment'))
+            return false;
+        if (title.includes('checking your browser') || bodyText.includes('checking your browser'))
+            return false;
+        return true;
+    });
+};
+const getDetectedProviders = (context) => {
+    const detectedProviders = detectedProvidersByContext.get(context);
+    if (detectedProviders)
+        return detectedProviders;
+    const newSet = new Set();
+    detectedProvidersByContext.set(context, newSet);
+    return newSet;
+};
+const updateLastProcessedEventId = (context, events) => {
+    const lastEvent = events[events.length - 1];
+    if (!lastEvent)
+        return;
+    lastProcessedEventIdByContext.set(context, lastEvent.id);
+};
+const isStatusOk = (status) => status >= 200 && status < 400;
+const providerConfigs = [
+    {
+        provider: 'cloudflare-turnstile',
+        match: event => isStatusOk(event.data.status) &&
+            event.data.url.includes('challenges.cloudflare.com') &&
+            event.data.url.includes('/turnstile/'),
+    },
+    {
+        provider: 'aws-waf',
+        match: event => isStatusOk(event.data.status) &&
+            event.data.method.toUpperCase() === 'POST' &&
+            event.data.url.includes('.awswaf.com') &&
+            event.data.url.includes('/telemetry'),
+    },
+];
+export const getAntiBotProviderConfigs = () => providerConfigs;
+const waitForResolution = async (ctx) => {
+    const start = Date.now();
+    if (!ctx.tab?.page)
+        return { resolved: false, waitedMs: 0 };
+    await ctx.tab.page.waitForTimeout(RESOLUTION_WAIT_MS);
+    const resolved = await isLikelyResolved(ctx);
+    return { resolved, waitedMs: Date.now() - start };
+};
+const detectAntiBot = (ctx, events) => {
+    const detectedProviders = getDetectedProviders(ctx.context);
+    const networkEvents = events.filter(isEventType('network-request'));
+    return providerConfigs.reduce((acc, config) => {
+        if (detectedProviders.has(config.provider))
+            return acc;
+        const match = networkEvents.find(config.match);
+        if (!match)
+            return acc;
+        detectedProviders.add(config.provider);
+        return {
+            hits: [
+                ...acc.hits,
+                {
+                    provider: config.provider,
+                    url: match.data.url,
+                    status: match.data.status,
+                }
+            ],
+        };
+    }, { hits: [] });
+};
+export const antiBotDetectionPreHook = {
+    name: hookNameSchema.enum['anti-bot-detection-pre'],
+    handler: async (ctx) => {
+        if (lastProcessedEventIdByContext.has(ctx.context))
+            return Ok(undefined);
+        if (typeof ctx.eventStore.lastSeenEventId === 'number')
+            lastProcessedEventIdByContext.set(ctx.context, ctx.eventStore.lastSeenEventId);
+        return Ok(undefined);
+    },
+};
+export const antiBotDetectionPostHook = {
+    name: hookNameSchema.enum['anti-bot-detection-post'],
+    handler: async (ctx) => {
+        const newEvents = getEventsAfter(ctx.eventStore, lastProcessedEventIdByContext.get(ctx.context));
+        if (newEvents.length === 0)
+            return Ok(undefined);
+        const detection = detectAntiBot(ctx, newEvents);
+        if (detection.hits.length > 0) {
+            detection.hits.forEach(hit => {
+                trackEvent(ctx.context, {
+                    type: 'anti-bot',
+                    data: {
+                        provider: hit.provider,
+                        detectionMethod: 'network-request',
+                        url: hit.url,
+                        status: hit.status,
+                        action: 'detected',
+                        waitMs: RESOLUTION_WAIT_MS,
+                    },
+                });
+            });
+            const waitResult = await waitForResolution(ctx);
+            detection.hits.forEach(hit => {
+                trackEvent(ctx.context, {
+                    type: 'anti-bot',
+                    data: {
+                        provider: hit.provider,
+                        detectionMethod: 'network-request',
+                        url: hit.url,
+                        status: hit.status,
+                        action: waitResult.resolved ? 'resolved' : 'still-blocked',
+                        waitMs: waitResult.waitedMs,
+                    },
+                });
+            });
+        }
+        updateLastProcessedEventId(ctx.context, newEvents);
+        return Ok(undefined);
+    },
+};
+export const antiBotDetectionHooks = {
+    pre: antiBotDetectionPreHook,
+    post: antiBotDetectionPostHook,
+};
+export const formatAntiBotEvent = (event) => {
+    if (event.data.action === 'still-blocked') {
+        const waitSeconds = event.data.waitMs ? Math.round(event.data.waitMs / 1000) : 0;
+        if (event.data.provider === 'cloudflare-turnstile')
+            return `Anti-bot still active: Cloudflare Turnstile after ${waitSeconds || '<1'}s wait`;
+        if (event.data.provider === 'aws-waf')
+            return `Anti-bot still active: AWS WAF after ${waitSeconds || '<1'}s wait`;
+        return 'Anti-bot mechanism still active';
+    }
+    if (event.data.action === 'resolved') {
+        const waitSeconds = event.data.waitMs ? Math.round(event.data.waitMs / 1000) : 0;
+        if (event.data.provider === 'cloudflare-turnstile')
+            return `Anti-bot resolved: Cloudflare Turnstile after ${waitSeconds || '<1'}s wait`;
+        if (event.data.provider === 'aws-waf')
+            return `Anti-bot resolved: AWS WAF after ${waitSeconds || '<1'}s wait`;
+        return 'Anti-bot mechanism resolved';
+    }
+    if (event.data.provider === 'cloudflare-turnstile')
+        return `Anti-bot detected: Cloudflare Turnstile (${event.data.status})`;
+    if (event.data.provider === 'aws-waf')
+        return `Anti-bot detected: AWS WAF telemetry request (${event.data.status})`;
+    return 'Anti-bot mechanism detected';
+};

package/lib/hooks/eventConsumer.js

@@ -1,4 +1,4 @@
-import { getEventsAfter, updateLastSeenId } from './events.js';
+import { getEventsAfter, isEventType, updateLastSeenId } from './events.js';
 import { formatWaitEvent } from './waitHook.js';
 import { formatPageHeightEvent } from './pageHeightHook.js';
 import { formatNetworkEvent } from './networkTrackingHook.js';
@@ -6,6 +6,8 @@ import { planGroupedMessages } from './grouping.js';
 import { formatToolCallEvent } from './formatToolCallEvent.js';
 import { formatFrameworkStateEvent } from './frameworkStateHook.js';
 import { formatJsonLdEvent } from './jsonLdDetectionHook.js';
+import { formatAntiBotEvent, getAntiBotProviderConfigs } from './antiBotDetectionHook.js';
+import { isAntiBotUrl } from './networkFilters.js';
 const eventFormatters = {
     'wait': formatWaitEvent,
     'page-height-change': formatPageHeightEvent,
@@ -13,6 +15,7 @@ const eventFormatters = {
     'tool-call': formatToolCallEvent,
     'framework-state': formatFrameworkStateEvent,
     'json-ld': formatJsonLdEvent,
+    'anti-bot': formatAntiBotEvent,
 };
 const formatEvent = (event) => {
     const formatter = eventFormatters[event.type];
@@ -25,13 +28,23 @@ const consumeEvent = (event, response, plan) => {
     const formattedMessage = replacement ?? formatEvent(event);
     response.addEvent(`[${event.id}] ${formattedMessage}`);
 };
+const shouldHideEvent = (event) => {
+    const isNetworkRequest = isEventType('network-request');
+    if (!isNetworkRequest(event))
+        return false;
+    if (isAntiBotUrl(event.data.url))
+        return true;
+    const configs = getAntiBotProviderConfigs().filter(config => config.provider === 'cloudflare-turnstile');
+    return configs.some(config => config.match(event));
+};
 export const consumeEvents = (context, eventStore, response) => {
     const unconsumedEvents = getEventsAfter(eventStore, eventStore.lastSeenEventId);
     if (unconsumedEvents.length === 0)
         return;
-    const plan = planGroupedMessages(unconsumedEvents);
+    const visibleEvents = unconsumedEvents.filter(event => !shouldHideEvent(event));
+    const plan = planGroupedMessages(visibleEvents);
     // Consume all events in chronological order
-    for (const event of unconsumedEvents)
+    for (const event of visibleEvents)
         consumeEvent(event, response, plan);
     // Update last seen event ID
     const latestEvent = unconsumedEvents[unconsumedEvents.length - 1];

package/lib/hooks/networkFilters.js

@@ -11,6 +11,13 @@ const hasExcludedExtension = (url) => {
         return extRegex.test(url);
     });
 };
+export const isAntiBotUrl = (url) => {
+    if (url.includes('challenges.cloudflare.com'))
+        return true;
+    if (url.includes('.awswaf.com'))
+        return true;
+    return false;
+};
 const isSuccessfulStatus = (status) => {
     // Status 0 is for failed requests, which we want to capture
     // 2xx status codes are successful
@@ -18,6 +25,8 @@ const isSuccessfulStatus = (status) => {
     return status === 0 || (status >= 200 && status < 300 && status !== 204);
 };
 export const shouldCaptureRequest = (method, url, status, resourceType) => {
+    if (isAntiBotUrl(url))
+        return true;
     return !hasExcludedExtension(url) &&
         MEANINGFUL_RESOURCE_TYPES.includes(resourceType) &&
         ALLOWED_METHODS.includes(method) &&

package/lib/hooks/networkSetup.js

@@ -11,7 +11,7 @@ const getEventIdMap = (context) => {
 };
 export const getNetworkEventEntry = (context, id) => getEventIdMap(context).get(id);
 export const setupNetworkTracking = (context, page) => {
-    page.on('response', response => {
+    page.on('response', async (response) => {
         const request = response.request();
         const method = request.method();
         const url = request.url();
@@ -19,12 +19,15 @@ export const setupNetworkTracking = (context, page) => {
         const resourceType = request.resourceType();
         // Apply filters before saving the event
         if (shouldCaptureRequest(method, url, status, resourceType)) {
+            const setCookies = await response.headerValues('set-cookie').catch(() => []);
+            const cookieValues = setCookies.length ? setCookies : undefined;
             const networkData = {
                 method,
                 url,
                 status,
                 resourceType,
                 postData: request.postData() || undefined,
+                setCookies: cookieValues,
             };
             const id = trackEvent(context, {
                 type: 'network-request',

package/lib/hooks/networkTrackingHook.js

@@ -25,8 +25,20 @@ export const networkTrackingHooks = {
     post: networkTrackingPostHook,
 };
 export const formatNetworkEvent = (event) => {
-    const { method, url, status, postData } = event.data;
-    return formatNetworkSummaryLine({ method, url, status, postData });
+    const { method, url, status, postData, setCookies } = event.data;
+    const summary = formatNetworkSummaryLine({ method, url, status, postData });
+    if (!setCookies || setCookies.length === 0)
+        return summary;
+    const names = setCookies
+        .map(cookie => {
+        const firstPart = cookie.split(';', 1)[0];
+        const [name] = firstPart.split('=', 1);
+        return name?.trim();
+    })
+        .filter((name) => !!name);
+    if (!names.length)
+        return summary;
+    return `${summary} | Set-Cookie keys: ${names.join(', ')}`;
 };
 const computeNetworkGroupKey = (event) => {
     const method = (event.data.method || '').toUpperCase();

package/lib/hooks/registry.js

@@ -9,18 +9,21 @@ import { toolNameSchema } from './schema.js';
 import { requireTabHooks } from './requireTabHook.js';
 import { registerGroupingRule } from './grouping.js';
 import { networkGroupingRule } from './networkTrackingHook.js';
+import { antiBotDetectionHooks } from './antiBotDetectionHook.js';
 const COMMON_HOOKS = {
     preHooks: [
         requireTabHooks.pre,
         networkTrackingHooks.pre,
+        antiBotDetectionHooks.pre,
         pageHeightHooks.pre,
         frameworkStateHooks.pre,
         jsonLdDetectionHooks.pre
     ],
     postHooks: [
+        networkTrackingHooks.post,
+        antiBotDetectionHooks.post,
         frameworkStateHooks.post,
         jsonLdDetectionHooks.post,
-        networkTrackingHooks.post,
         pageHeightHooks.post,
         waitHooks.post
     ],

package/lib/hooks/schema.js

@@ -10,6 +10,8 @@ export const hookNameSchema = z.enum([
     'json-ld-detection-pre',
     'json-ld-detection-post',
     'require-tab-pre',
+    'anti-bot-detection-pre',
+    'anti-bot-detection-post',
 ]);
 // Tool names enum - should match actual tool names in
 export const toolNameSchema = z.enum([
@@ -37,6 +39,7 @@ export const EventTypeSchema = z.enum([
     'tool-call',
     'framework-state',
     'json-ld',
+    'anti-bot',
 ]);
 export const NetworkRequestEventDataSchema = z.object({
     method: z.string(),
@@ -44,6 +47,7 @@ export const NetworkRequestEventDataSchema = z.object({
     status: z.number(),
     resourceType: z.string(),
     postData: z.string().optional(),
+    setCookies: z.array(z.string()).optional(),
     responseSize: z.number().optional(),
 });
 export const PageHeightChangeEventDataSchema = z.object({
@@ -75,3 +79,11 @@ export const JsonLdEventDataSchema = z.object({
     changes: z.array(z.string()).optional(),
     action: z.enum(['detected', 'changed']),
 });
+export const AntiBotEventDataSchema = z.object({
+    provider: z.enum(['cloudflare-turnstile', 'aws-waf']),
+    detectionMethod: z.literal('network-request'),
+    url: z.string(),
+    status: z.number(),
+    action: z.enum(['detected', 'resolved', 'still-blocked']),
+    waitMs: z.number().optional(),
+});

package/lib/tools/networkDetail.js

@@ -1,8 +1,7 @@
 import { z } from 'zod';
 import ms from 'ms';
-import * as cheerio from 'cheerio';
 import { defineTabTool } from './tool.js';
-import { removeNonEssentialLinks, removeMetaTags, removeHtmlComments, stripSvgAttributes, minifyHtml } from '../utils/sanitizeHtml.js';
+import { sanitizeHtml } from '../utils/sanitizeHtml.js';
 import { formatTruncationLine } from '../utils/truncate.js';
 import { withTimeout } from '../utils/withTimeout.js';
 import { getNetworkEventEntry } from '../hooks/networkSetup.js';
@@ -148,6 +147,12 @@ const formatRequestDetail = async (ctx, { request, response, id, }) => {
             headerParts.push(`content-length=${resCl}`);
         if (headerParts.length)
             lines.push(`\nResponse Headers: { ${headerParts.join(', ')} }`);
+        const setCookieHeaders = await response.headerValues('set-cookie').catch(() => []);
+        if (setCookieHeaders.length) {
+            lines.push(`\nSet-Cookie Headers (${setCookieHeaders.length}):`);
+            for (const cookie of setCookieHeaders)
+                lines.push(cookie);
+        }
     }
     // Fetch the full body each time
     let buf;
@@ -174,24 +179,17 @@ const formatRequestDetail = async (ctx, { request, response, id, }) => {
         }
         catch { }
     }
-    // Reset if finished in a prior call
-    if (state.cursor >= buf.length) {
-        state.cursor = 0;
-        state.headersShown = false; // allow headers again after a full pass
-    }
     let bodyText = buf.toString('utf8');
     const resHeadersForBody = normalizeHeaderKeys(await response.allHeaders());
     const resCtForBody = resHeadersForBody['content-type'] || '';
     const isHtml = resCtForBody.includes('html');
-    if (isHtml) {
-        const $ = cheerio.load(bodyText, { xmlMode: false });
-        removeNonEssentialLinks($);
-        removeMetaTags($);
-        removeHtmlComments($);
-        stripSvgAttributes($);
-        bodyText = minifyHtml($.root().html() || '');
-    }
+    if (isHtml)
+        bodyText = sanitizeHtml(bodyText, { shouldRemoveScripts: false, shouldRemoveStyles: true });
     const totalLength = bodyText.length;
+    if (state.cursor >= totalLength) {
+        state.cursor = 0;
+        state.headersShown = false; // allow headers again after a full pass
+    }
     const start = state.cursor;
     const end = Math.min(start + CHUNK_BYTES, totalLength);
     const chunk = bodyText.slice(start, end);
@@ -201,7 +199,7 @@ const formatRequestDetail = async (ctx, { request, response, id, }) => {
     lines.push(`\nBody Chunk (text): ${percent}%${more ? ' (more)' : ' (done)'}:`);
     lines.push(chunk);
     if (more)
-        lines.push(formatTruncationLine(nextCursor, buf.length, { formatter: formatBytes }));
+        lines.push(formatTruncationLine(nextCursor, totalLength, { formatter: formatBytes }));
     state.cursor = nextCursor;
     state.headersShown = true;
     return lines.join('\n');

package/lib/tools/networkSearch.js

@@ -8,7 +8,7 @@ import { toJsonPathNormalized, truncateStringTo } from '../utils/truncate.js';
 import { searchInUrls } from './networkSearch/urlSearch.js';
 import { searchInRequestBody, searchInResponseBody } from './networkSearch/bodySearch.js';
 import { normalizePath, getDepth, mergeGroupedMatches } from './networkSearch/grouping.js';
-import { parseKeywordParams } from './networkSearch/helpers.js';
+import { parseKeywordParams, highlightMatch } from './networkSearch/helpers.js';
 const MAX_SEARCH_RESULTS = 10;
 const MAX_GROUPS_TO_SHOW = 3;
 const networkSearchSchema = z.object({
@@ -19,6 +19,7 @@ const createSourceCounts = () => ({
     requestBody: 0,
     responseUrl: 0,
     responseBody: 0,
+    responseHeaders: 0,
 });
 const accumulateSourceCounts = (records) => {
     const counts = createSourceCounts();
@@ -31,6 +32,7 @@ const cloneSourceCounts = (counts) => ({
     requestBody: counts.requestBody,
     responseUrl: counts.responseUrl,
     responseBody: counts.responseBody,
+    responseHeaders: counts.responseHeaders,
 });
 const computeEventScore = (match) => {
     const ageMs = Math.max(0, Date.now() - match.timestamp);
@@ -40,7 +42,8 @@ const computeEventScore = (match) => {
     const responseBonus = match.sourceCounts.responseBody * 2;
     const requestBonus = match.sourceCounts.requestBody;
     const urlBonus = (match.sourceCounts.requestUrl + match.sourceCounts.responseUrl) * 0.25;
-    return base + responseBonus + requestBonus + urlBonus + recencyBoost;
+    const headerBonus = match.sourceCounts.responseHeaders;
+    return base + responseBonus + requestBonus + urlBonus + headerBonus + recencyBoost;
 };
 const formatGroupPath = (group) => {
     const normalized = group.normalized;
@@ -74,6 +77,21 @@ const extractExamples = (group) => {
     }
     return items;
 };
+const searchInResponseSetCookies = async (response, keyword, matches) => {
+    const cookies = await response.headerValues('set-cookie').catch(() => []);
+    if (!cookies.length)
+        return;
+    for (const [index, cookie] of cookies.entries()) {
+        if (!cookie.toLowerCase().includes(keyword))
+            continue;
+        matches.push({
+            path: `response.headers.set-cookie[${index}]`,
+            value: cookie,
+            context: highlightMatch(cookie, keyword, 120),
+            source: 'responseHeaders',
+        });
+    }
+};
 const networkSearch = defineTool({
     capability: 'core',
     schema: {
@@ -103,8 +121,10 @@ const networkSearch = defineTool({
                 const matches = [];
                 searchInUrls(request, resp, keyword, keywordParams, matches);
                 searchInRequestBody(request, keyword, matches);
-                if (resp)
+                if (resp) {
                     await searchInResponseBody(resp, keyword, matches);
+                    await searchInResponseSetCookies(resp, keyword, matches);
+                }
                 if (matches.length > 0) {
                     const groupMap = new Map();
                     for (const m of matches) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wordbricks/playwright-mcp",
-  "version": "0.1.18",
+  "version": "0.1.20",
   "description": "Playwright Tools for MCP",
   "type": "module",
   "repository": {
@@ -49,7 +49,7 @@
     }
   },
   "dependencies": {
-    "@fxts/core": "1.21.0",
+    "@fxts/core": "1.20.0",
     "@ghostery/adblocker": "2.12.5",
     "@modelcontextprotocol/sdk": "1.16.0",
     "cheerio": "1.1.2",