unbrowse 3.1.0-experiments.548e04c → 3.1.0-experiments.856fef4

package/dist/cli.js

@@ -31,7 +31,7 @@ var __promiseAll = (args) => Promise.all(args);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.1.0-experiments.548e04c", BUILD_GIT_SHA = "548e04c0d988", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuNTQ4ZTA0YyIsImdpdF9zaGEiOiI1NDhlMDRjMGQ5ODgiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDU0OGUwNGMwZDk4OCIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDA6MTM6MzQuNTMxWiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "4WHKeltVN_91YrjkahaNoChnZaws3sxgOhxEJmX8zQU", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
+var BUILD_RELEASE_VERSION = "3.1.0-experiments.856fef4", BUILD_GIT_SHA = "856fef4d4349", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuODU2ZmVmNCIsImdpdF9zaGEiOiI4NTZmZWY0ZDQzNDkiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDg1NmZlZjRkNDM0OSIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDE6MTY6MDkuMjYxWiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "nLW4RVczFfie-HIZ_041aO64RVlhLfzzu14svepH1mc", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 
 // ../../src/version.ts
 import { createHash } from "crypto";

package/dist/mcp.js

@@ -225,11 +225,11 @@ import { dirname, join, parse } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.1.0-experiments.548e04c";
-var BUILD_GIT_SHA = "548e04c0d988";
+var BUILD_RELEASE_VERSION = "3.1.0-experiments.856fef4";
+var BUILD_GIT_SHA = "856fef4d4349";
 var BUILD_CODE_HASH = "1488fc1d92b7";
-var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuNTQ4ZTA0YyIsImdpdF9zaGEiOiI1NDhlMDRjMGQ5ODgiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDU0OGUwNGMwZDk4OCIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDA6MTM6MzQuNTMxWiJ9";
-var BUILD_RELEASE_MANIFEST_SIGNATURE = "4WHKeltVN_91YrjkahaNoChnZaws3sxgOhxEJmX8zQU";
+var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuODU2ZmVmNCIsImdpdF9zaGEiOiI4NTZmZWY0ZDQzNDkiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDg1NmZlZjRkNDM0OSIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDE6MTY6MDkuMjYxWiJ9";
+var BUILD_RELEASE_MANIFEST_SIGNATURE = "nLW4RVczFfie-HIZ_041aO64RVlhLfzzu14svepH1mc";
 var BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 
 // ../../src/version.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbrowse",
-  "version": "3.1.0-experiments.548e04c",
+  "version": "3.1.0-experiments.856fef4",
   "description": "Reverse-engineer any website into reusable API skills. Zero-dep single binary with embedded browser engine.",
   "type": "module",
   "bin": {

package/runtime-src/api/browse-index.ts

@@ -169,6 +169,10 @@ export async function cacheBrowseRequests(params: {
   // so serverFetch can replay them. Use registrable domain for vault key
   // so ads.x.com and ads-api.x.com share the same session.
   const capturedAuthHeaders = extractAuthHeaders(requests);
+  // Filter out [REDACTED] placeholders from cookie-inferred auth headers
+  for (const [k, v] of Object.entries(capturedAuthHeaders)) {
+    if (v === "[REDACTED]") delete capturedAuthHeaders[k];
+  }
   if (Object.keys(capturedAuthHeaders).length > 0) {
     const sessionKey = `${getRegistrableDomain(domain)}-session`;
     await storeCredential(sessionKey, JSON.stringify({ headers: capturedAuthHeaders })).catch(() => {});

package/runtime-src/build-info.generated.ts

@@ -1,6 +1,6 @@
-export const BUILD_RELEASE_VERSION = "3.1.0-experiments.548e04c";
-export const BUILD_GIT_SHA = "548e04c0d988";
+export const BUILD_RELEASE_VERSION = "3.1.0-experiments.856fef4";
+export const BUILD_GIT_SHA = "856fef4d4349";
 export const BUILD_CODE_HASH = "1488fc1d92b7";
-export const BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuNTQ4ZTA0YyIsImdpdF9zaGEiOiI1NDhlMDRjMGQ5ODgiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDU0OGUwNGMwZDk4OCIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDA6MTM6MzQuNTMxWiJ9";
-export const BUILD_RELEASE_MANIFEST_SIGNATURE = "4WHKeltVN_91YrjkahaNoChnZaws3sxgOhxEJmX8zQU";
+export const BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuODU2ZmVmNCIsImdpdF9zaGEiOiI4NTZmZWY0ZDQzNDkiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDg1NmZlZjRkNDM0OSIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDE6MTY6MDkuMjYxWiJ9";
+export const BUILD_RELEASE_MANIFEST_SIGNATURE = "nLW4RVczFfie-HIZ_041aO64RVlhLfzzu14svepH1mc";
 export const BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";

package/runtime-src/execution/index.ts

@@ -2022,7 +2022,7 @@ export async function executeEndpoint(
     try {
       const { resolveAuthTokens } = await import("./token-resolver.js");
       const resolved = await resolveAuthTokens(endpoint, cookies, authHeaders);
-      log("exec", `token resolver returned ${Object.keys(resolved).length} headers: ${Object.keys(resolved).join(",") || "none"}`);
+      log("exec", `token resolver returned ${Object.keys(resolved).length} headers: ${Object.keys(resolved).join(",") || "none"} auth=${(resolved.authorization || "").substring(0, 40)}`);
       Object.assign(authHeaders, resolved);
     } catch (e) { log("exec", `token resolver failed: ${e}`); }
   }
@@ -2241,7 +2241,7 @@ export async function executeEndpoint(
 
     for (const replayUrl of replayUrls) {
       const replayHeaders = buildStructuredReplayHeaders(url, replayUrl, headers);
-      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 80)} csrf=${replayHeaders["x-csrf-token"]?.substring(0, 10)}... cookies=${(replayHeaders["cookie"]?.length ?? 0)}chars`);
+      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 80)} auth=${(replayHeaders["authorization"] || "none").substring(0, 50)} csrf=${replayHeaders["x-csrf-token"]?.substring(0, 10)}... cookies=${(replayHeaders["cookie"]?.length ?? 0)}chars`);
       const res = await fetch(replayUrl, {
         method: endpoint.method,
         headers: replayHeaders,

package/runtime-src/execution/token-resolver.ts

@@ -54,7 +54,14 @@ export async function resolveAuthTokens(
       }
 
       for (const binding of headerBindings) {
-        const value = await resolveBinding(binding, html, cookies);
+        let value = await resolveBinding(binding, html, cookies);
+
+        // If stored sources didn't resolve (e.g. bearer in a different bundle),
+        // scan all loaded script resources via Performance API
+        if (!value && binding.sources.some((s) => s.kind === "js-bundle")) {
+          value = await scanAllScriptResources(tabId, binding);
+        }
+
         if (value) {
           resolved[binding.param_name] = binding.param_name.toLowerCase() === "authorization"
             ? (value.startsWith("Bearer ") ? value : `Bearer ${value}`)
@@ -133,3 +140,35 @@ async function waitForLoad(tabId: string): Promise<void> {
     await new Promise((r) => setTimeout(r, 500));
   }
 }
+
+/**
+ * Scan all script resources loaded by the page via Performance API.
+ * Fetches each bundle and searches for a token matching the binding pattern.
+ * This handles cases where the enrichment captured the wrong bundle URLs.
+ */
+async function scanAllScriptResources(tabId: string, binding: AuthTokenBinding): Promise<string | undefined> {
+  try {
+    const raw = await kuri.evaluate(tabId, `
+      JSON.stringify(
+        performance.getEntriesByType('resource')
+          .filter(function(e) { return e.initiatorType === 'script'; })
+          .map(function(e) { return e.name; })
+      )
+    `);
+    if (typeof raw !== "string" || !raw.startsWith("[")) return undefined;
+    const urls: string[] = JSON.parse(raw);
+
+    const tokenPattern = /AAAAAAAAAAAAAAAAAAA[A-Za-z0-9+/=_%-]{20,}/;
+
+    for (const url of urls) {
+      try {
+        const resp = await fetch(url);
+        if (!resp.ok) continue;
+        const body = await resp.text();
+        const m = body.match(tokenPattern);
+        if (m && m[0].length >= 20) return m[0];
+      } catch { /* fetch failed, try next */ }
+    }
+  } catch { /* evaluate failed */ }
+  return undefined;
+}

package/vendor/kuri/manifest.json

@@ -2,23 +2,24 @@
   "repo_url": "https://github.com/justrach/kuri.git",
   "branch": "adding-extensions",
   "source_sha": "eadfaa5f921f7152e1762aed5ed64b3a4fbefbf3",
-  "built_at": "2026-04-06T00:13:34.580Z",
+  "built_at": "2026-04-06T01:16:09.307Z",
   "binaries": {
     "darwin-arm64": {
       "zig_target": "aarch64-macos",
-      "sha256": "cd351fd131fe346886bb6b6e11fdbb736cea9dac6c6cb6615cc1ce0644b4a194"
+      "sha256": "e230b49c36db62c3a5c9cf62e316b637ffff7452335211f63c390aab1a13e250",
+      "source": "prebuilt"
     },
     "darwin-x64": {
       "zig_target": "x86_64-macos",
-      "sha256": "82db8a0f3596d1f9335785eca8009e257bf379197e725f29aaedd6f9c2456267"
+      "sha256": "6a2bd826ce35cba39420e1a4b1b7046ba35646c1311584b0bc863827603613e7"
     },
     "linux-arm64": {
       "zig_target": "aarch64-linux",
-      "sha256": "8b53f4944274cb8930488ef822b0052f121e824424501863c399f251d827386b"
+      "sha256": "ffed3b59ea53b87cbaaf38266c9ac86d8579f8cec21ec7d13a8952c769052eae"
     },
     "linux-x64": {
       "zig_target": "x86_64-linux",
-      "sha256": "ac00c41f2a8c706de9f0dcce1087fcdccb53484303c05f101bb461f7b9dceb48"
+      "sha256": "1afd3a740a175dd4ba3844d6e6122f912551e01390db5089eba1663ef5ebf91a"
     }
   }
 }