unbrowse 3.1.0-experiments.5e7a7bb → 3.1.0-experiments.995f8bb

package/dist/cli.js

@@ -31,7 +31,7 @@ var __promiseAll = (args) => Promise.all(args);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.1.0-experiments.5e7a7bb", BUILD_GIT_SHA = "5e7a7bb949c1", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuNWU3YTdiYiIsImdpdF9zaGEiOiI1ZTdhN2JiOTQ5YzEiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDVlN2E3YmI5NDljMSIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMTQ6NTY6MjkuNjY2WiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "OuZD9NeemoStAyT3-MgMS3V3eeatbRMKkVY_J4_6nsM", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
+var BUILD_RELEASE_VERSION = "3.1.0-experiments.995f8bb", BUILD_GIT_SHA = "995f8bbf54ac", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuOTk1ZjhiYiIsImdpdF9zaGEiOiI5OTVmOGJiZjU0YWMiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDk5NWY4YmJmNTRhYyIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMjM6NDc6MDguMzk3WiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "fsY0FlwZTGKoZwvzv3jow-t3ri874GEziuzW8i3aupw", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 
 // ../../src/version.ts
 import { createHash } from "crypto";
@@ -899,18 +899,6 @@ var init_extraction = __esm(() => {
   CHROME_TAGS = new Set(["nav", "footer", "header"]);
 });
 
-// ../../src/graph/agent-augment.ts
-var DEFAULT_MODEL, ENABLED, AUGMENT_TIMEOUT_MS, MAX_AUGMENT_ENDPOINTS, MAX_AUGMENT_PAYLOAD_CHARS, GENERIC_SEMANTIC_TYPES;
-var init_agent_augment = __esm(() => {
-  init_graph();
-  DEFAULT_MODEL = process.env.UNBROWSE_AGENT_SEMANTIC_MODEL ?? process.env.UNBROWSE_AGENT_JUDGE_MODEL ?? "gpt-4.1-mini";
-  ENABLED = process.env.UNBROWSE_AGENT_SEMANTIC_AUGMENT !== "0";
-  AUGMENT_TIMEOUT_MS = Number(process.env.UNBROWSE_AGENT_SEMANTIC_TIMEOUT_MS ?? 8000);
-  MAX_AUGMENT_ENDPOINTS = Math.max(1, Number(process.env.UNBROWSE_AGENT_SEMANTIC_MAX_ENDPOINTS ?? 6));
-  MAX_AUGMENT_PAYLOAD_CHARS = Math.max(4000, Number(process.env.UNBROWSE_AGENT_SEMANTIC_MAX_PAYLOAD_CHARS ?? 24000));
-  GENERIC_SEMANTIC_TYPES = new Set(["identifier", "input", "resource", "entity", "item"]);
-});
-
 // ../../src/execution/search-forms.ts
 var SEARCH_FIELD_NAMES, LOGIN_FIELD_NAMES, SUPPORTED_INPUT_TYPES;
 var init_search_forms = __esm(() => {
@@ -1036,7 +1024,6 @@ var init_execution = __esm(async () => {
   init_domain();
   init_extraction();
   init_graph();
-  init_agent_augment();
   init_logger();
   init_version();
   init_search_forms();

package/dist/mcp.js

@@ -225,11 +225,11 @@ import { dirname, join, parse } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.1.0-experiments.5e7a7bb";
-var BUILD_GIT_SHA = "5e7a7bb949c1";
+var BUILD_RELEASE_VERSION = "3.1.0-experiments.995f8bb";
+var BUILD_GIT_SHA = "995f8bbf54ac";
 var BUILD_CODE_HASH = "1488fc1d92b7";
-var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuNWU3YTdiYiIsImdpdF9zaGEiOiI1ZTdhN2JiOTQ5YzEiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDVlN2E3YmI5NDljMSIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMTQ6NTY6MjkuNjY2WiJ9";
-var BUILD_RELEASE_MANIFEST_SIGNATURE = "OuZD9NeemoStAyT3-MgMS3V3eeatbRMKkVY_J4_6nsM";
+var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuOTk1ZjhiYiIsImdpdF9zaGEiOiI5OTVmOGJiZjU0YWMiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDk5NWY4YmJmNTRhYyIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMjM6NDc6MDguMzk3WiJ9";
+var BUILD_RELEASE_MANIFEST_SIGNATURE = "fsY0FlwZTGKoZwvzv3jow-t3ri874GEziuzW8i3aupw";
 var BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 
 // ../../src/version.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbrowse",
-  "version": "3.1.0-experiments.5e7a7bb",
+  "version": "3.1.0-experiments.995f8bb",
   "description": "Reverse-engineer any website into reusable API skills. Zero-dep single binary with embedded browser engine.",
   "type": "module",
   "bin": {

package/runtime-src/api/browse-index.ts

@@ -1,5 +1,6 @@
 import { nanoid } from "nanoid";
 import { readFileSync } from "node:fs";
+import { log } from "../logger.js";
 import { extractEndpoints, extractAuthHeaders } from "../reverse-engineer/index.js";
 import { enrichEndpointsWithTokenSources } from "../reverse-engineer/token-sources.js";
 import { buildSkillOperationGraph, inferEndpointSemantic } from "../graph/index.js";
@@ -196,6 +197,7 @@ export async function cacheBrowseRequests(params: {
     if (!existingSkill || mergedEndpoints.length >= existingSkill.endpoints.length) {
       for (const endpoint of mergedEndpoints) {
         if (!endpoint.description) endpoint.description = generateLocalDescription(endpoint);
+        if (!endpoint.semantic) endpoint.semantic = inferEndpointSemantic(endpoint);
       }
       const quickSkill: SkillManifest = {
         skill_id: existingSkill?.skill_id ?? nanoid(),
@@ -221,9 +223,11 @@ export async function cacheBrowseRequests(params: {
       try {
         const html = getPageHtml ? await getPageHtml() : undefined;
         if (html && html.startsWith("<")) {
-          enrichEndpointsWithTokenSources(quickSkill.endpoints, requests, html, jsBundles);
+          const preCheck = requests.filter(r => r.request_headers["authorization"] || r.request_headers["x-csrf-token"]).length;
+          const enriched = enrichEndpointsWithTokenSources(quickSkill.endpoints, requests, html, jsBundles);
+          log("browse-index", `token enrichment: ${enriched} bindings, ${preCheck} auth-reqs pre-call, ${quickSkill.endpoints.length} eps`);
         }
-      } catch { /* best-effort */ }
+      } catch (e) { log("browse-index", `token enrichment failed: ${e}`); }
 
       const cacheKey = buildResolveCacheKey(domain, intent, sessionUrl);
       const scopedKey = scopedCacheKey("global", cacheKey);

package/runtime-src/api/routes.ts

@@ -8,7 +8,6 @@ import { nanoid } from "nanoid";
 import type { ExecutionTrace, OrchestrationTiming, ProjectionOptions, SkillManifest } from "../types/index.js";
 import { mergeEndpoints } from "../marketplace/index.js";
 import { buildSkillOperationGraph, getEndpointDescriptionMetadata, getSkillChunk, toAgentSkillChunkView } from "../graph/index.js";
-import { augmentEndpointsWithAgent } from "../graph/agent-augment.js";
 import { findExistingSkillForDomain, cachePublishedSkill } from "../client/index.js";
 import { storeCredential } from "../vault/index.js";
 import { getRegistrableDomain } from "../domain.js";

package/runtime-src/browser/index.ts

@@ -7,7 +7,6 @@ import type { RawRequest } from "../capture/index.js";
 import { queueBackgroundIndex } from "../indexer/index.js";
 import { mergeEndpoints } from "../marketplace/index.js";
 import { buildSkillOperationGraph } from "../graph/index.js";
-import { augmentEndpointsWithAgent } from "../graph/agent-augment.js";
 import { findExistingSkillForDomain, cachePublishedSkill } from "../client/index.js";
 import { storeCredential } from "../vault/index.js";
 import { getRegistrableDomain } from "../domain.js";

package/runtime-src/build-info.generated.ts

@@ -1,6 +1,6 @@
-export const BUILD_RELEASE_VERSION = "3.1.0-experiments.5e7a7bb";
-export const BUILD_GIT_SHA = "5e7a7bb949c1";
+export const BUILD_RELEASE_VERSION = "3.1.0-experiments.995f8bb";
+export const BUILD_GIT_SHA = "995f8bbf54ac";
 export const BUILD_CODE_HASH = "1488fc1d92b7";
-export const BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuNWU3YTdiYiIsImdpdF9zaGEiOiI1ZTdhN2JiOTQ5YzEiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDVlN2E3YmI5NDljMSIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMTQ6NTY6MjkuNjY2WiJ9";
-export const BUILD_RELEASE_MANIFEST_SIGNATURE = "OuZD9NeemoStAyT3-MgMS3V3eeatbRMKkVY_J4_6nsM";
+export const BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuOTk1ZjhiYiIsImdpdF9zaGEiOiI5OTVmOGJiZjU0YWMiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDk5NWY4YmJmNTRhYyIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMjM6NDc6MDguMzk3WiJ9";
+export const BUILD_RELEASE_MANIFEST_SIGNATURE = "fsY0FlwZTGKoZwvzv3jow-t3ri874GEziuzW8i3aupw";
 export const BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";

package/runtime-src/capture/index.ts

@@ -670,13 +670,21 @@ export function mergePassiveCaptureData(
     });
   }
 
-  // Priority 3: Extension entries (URL+headers supplement, no bodies)
+  // Priority 3: Extension entries (chrome.webRequest — has full auth headers HAR strips)
   for (const entry of extensionEntries) {
-    if (seen.has(entry.url)) continue;
     const reqHeaders: Record<string, string> = {};
     for (const h of entry.requestHeaders ?? []) reqHeaders[h.name] = h.value;
     const respHeaders: Record<string, string> = {};
     for (const h of entry.responseHeaders ?? []) respHeaders[h.name] = h.value;
+
+    const existing = seen.get(entry.url);
+    if (existing) {
+      // Merge auth headers from extension into existing entry (HAR strips them)
+      for (const [k, v] of Object.entries(reqHeaders)) {
+        if (!existing.request_headers[k]) existing.request_headers[k] = v;
+      }
+      continue;
+    }
     seen.set(entry.url, {
       url: entry.url,
       method: entry.method,
@@ -936,22 +944,36 @@ export async function enrichPassiveCaptureRequests(params: {
     ...request,
     url: normalizeCapturedUrl(request.url, captureUrl),
   }));
+
+  // HAR strips auth headers. Infer their presence from cookies so
+  // enrichEndpointsWithTokenSources can create DAG bindings.
+  if (extensionEntries.length === 0) {
+    const tabCookies = await kuri.getCookies(tabId).catch(() => []) as Array<{ name: string; value: string }>;
+    const hasAuthCookie = tabCookies.some((c) => /^(ct0|csrf_token|_csrf|csrftoken|XSRF-TOKEN|auth_token)$/i.test(c.name));
+    if (hasAuthCookie) {
+      for (const req of requests) {
+        if (/\/(api|graphql|v\d+)\b/i.test(req.url) || /ads-api|voyager/i.test(req.url)) {
+          if (!req.request_headers["authorization"]) req.request_headers["authorization"] = "[REDACTED]";
+          if (!req.request_headers["x-csrf-token"]) req.request_headers["x-csrf-token"] = "[REDACTED]";
+        }
+      }
+    }
+  }
+
   log("capture", `browse-checkpoint tracked ${harEntries.length} HAR, ${intercepted.length} intercepted, ${extensionEntries.length} extension, ${responseBodies.size} bodies → ${requests.length} merged`);
   return requests;
 }
-
 /**
  * Collect network requests observed by kuri's builtin extension (chrome.webRequest).
  * Gracefully returns [] if the extension relay is not yet wired.
  */
 async function collectExtensionRequests(tabId: string): Promise<ExtensionEntry[]> {
   try {
-    // Query the builtin extension's network log via the agent bridge
     const raw = await kuri.evaluate(tabId, `
       (function() {
         if (!window.__kuri || !window.__kuri._networkLog) return '[]';
         var log = window.__kuri._networkLog;
-        window.__kuri._networkLog = []; // drain
+        window.__kuri._networkLog = [];
         return JSON.stringify(log);
       })()
     `);

package/runtime-src/execution/index.ts

@@ -19,7 +19,6 @@ import { nanoid } from "nanoid";
 import { getRegistrableDomain } from "../domain.js";
 import { extractFromDOM, extractFromDOMWithHint } from "../extraction/index.js";
 import { buildSkillOperationGraph, getEndpointDescriptionMetadata, inferEndpointSemantic, resolveEndpointSemantic } from "../graph/index.js";
-import { augmentEndpointsWithAgent } from "../graph/agent-augment.js";
 import { log } from "../logger.js";
 import { TRACE_VERSION } from "../version.js";
 import { buildQueryBindingMap, extractTemplateQueryBindings, mergeContextTemplateParams } from "../template-params.js";
@@ -190,11 +189,10 @@ function normalizeEndpointForManifest(endpoint: EndpointDescriptor): EndpointDes
 
 async function prepareLearnedEndpoints(
   endpoints: EndpointDescriptor[],
-  intent: string,
-  domain: string,
+  _intent: string,
+  _domain: string,
 ): Promise<EndpointDescriptor[]> {
-  const normalized = endpoints.map(normalizeEndpointForManifest);
-  return augmentEndpointsWithAgent(normalized, { intent, domain });
+  return endpoints.map(normalizeEndpointForManifest);
 }
 
 function intentWantsStructuredRecords(intent?: string): boolean {
@@ -2017,14 +2015,16 @@ export async function executeEndpoint(
   const epDomain = (() => { try { return new URL(endpoint.url_template).hostname; } catch { return skill.domain; } })();
   await reloadExecutionAuthState(skill, epDomain, authHeaders, cookies);
 
-  // If endpoint has auth_tokens bindings and vault didn't provide the needed headers,
-  // resolve them from the page source (meta tags, inline scripts, JS bundles)
-  if (endpoint.auth_tokens?.length && Object.keys(authHeaders).length === 0) {
+  // If endpoint has auth_tokens bindings, always resolve fresh tokens.
+  // Vault headers may be stale — the DAG knows how to get fresh ones.
+  log("exec", `auth_tokens check: ${endpoint.auth_tokens?.length ?? 0} bindings on ${endpoint.endpoint_id}`);
+  if (endpoint.auth_tokens?.length) {
     try {
       const { resolveAuthTokens } = await import("./token-resolver.js");
       const resolved = await resolveAuthTokens(endpoint, cookies, authHeaders);
+      log("exec", `token resolver returned ${Object.keys(resolved).length} headers: ${Object.keys(resolved).join(",") || "none"}`);
       Object.assign(authHeaders, resolved);
-    } catch { /* token resolution is best-effort */ }
+    } catch (e) { log("exec", `token resolver failed: ${e}`); }
   }
 
   log("exec", `endpoint ${endpoint.endpoint_id}: cookies=${cookies.length} authHeaders=${Object.keys(authHeaders).length} hasAuth=${cookies.length > 0 || Object.keys(authHeaders).length > 0}`);

package/runtime-src/execution/token-resolver.ts

@@ -34,10 +34,8 @@ export async function resolveAuthTokens(
   const triggerUrl = endpoint.trigger_url;
   if (!triggerUrl) return {};
 
-  // Only resolve header bindings that aren't already satisfied
-  const headerBindings = bindings.filter(
-    (b) => b.param_location === "header" && !existingAuthHeaders[b.param_name],
-  );
+  // Resolve ALL header bindings — DAG sources are authoritative over vault cache
+  const headerBindings = bindings.filter((b) => b.param_location === "header");
   if (headerBindings.length === 0) return {};
 
   const resolved: Record<string, string> = {};
@@ -56,7 +54,7 @@ export async function resolveAuthTokens(
       }
 
       for (const binding of headerBindings) {
-        const value = resolveBinding(binding, html);
+        const value = await resolveBinding(binding, html, cookies);
         if (value) {
           resolved[binding.param_name] = binding.param_name.toLowerCase() === "authorization"
             ? (value.startsWith("Bearer ") ? value : `Bearer ${value}`)
@@ -73,21 +71,36 @@ export async function resolveAuthTokens(
   return resolved;
 }
 
-function resolveBinding(binding: AuthTokenBinding, html: string): string | undefined {
+async function resolveBinding(
+  binding: AuthTokenBinding,
+  html: string,
+  cookies: Array<{ name: string; value: string; domain: string }>,
+): Promise<string | undefined> {
   for (const source of binding.sources) {
     let value: string | undefined;
 
-    if (source.kind === "html-meta" || source.kind === "html-inline-script") {
+    if (source.kind === "cookie" && source.cookie_names?.length) {
+      // Resolve from cookies — CSRF tokens typically live here
+      for (const name of source.cookie_names) {
+        const cookie = cookies.find((c) => c.name === name);
+        if (cookie?.value) { value = cookie.value; break; }
+      }
+    } else if (source.kind === "html-meta" || source.kind === "html-inline-script") {
       value = extractTokenFromHtml(source, html);
+    } else if (source.kind === "js-bundle" && source.bundle_url_pattern) {
+      try {
+        const resp = await fetch(source.bundle_url_pattern);
+        if (resp.ok) {
+          const body = await resp.text();
+          value = extractTokenFromBundle(source, body);
+        }
+      } catch { /* fetch failed — try next source */ }
     }
-    // JS bundle resolution would require fetching the bundle URL —
-    // skip for now, HTML sources cover most cases (CSRF, inline tokens)
 
     if (value && value.length >= 8) return value;
   }
   return undefined;
 }
-
 async function openResolverTab(
   url: string,
   cookies: Array<{ name: string; value: string; domain: string }>,

package/runtime-src/orchestrator/browser-agent.ts

@@ -15,7 +15,6 @@ import { extractBrowserCookies } from "../auth/browser-cookies.js";
 import { queueBackgroundIndex } from "../indexer/index.js";
 import { mergeEndpoints } from "../marketplace/index.js";
 import { buildSkillOperationGraph } from "../graph/index.js";
-import { augmentEndpointsWithAgent } from "../graph/agent-augment.js";
 import { findExistingSkillForDomain, cachePublishedSkill } from "../client/index.js";
 import { storeCredential } from "../vault/index.js";
 import { getRegistrableDomain } from "../domain.js";

package/runtime-src/reverse-engineer/token-sources.ts

@@ -289,8 +289,6 @@ export function enrichEndpointsWithTokenSources(
   html: string | undefined,
   jsBundles: Map<string, string> | undefined,
 ): number {
-  if (!html && (!jsBundles || jsBundles.size === 0)) return 0;
-
   let enriched = 0;
   for (const req of requests) {
     const matching = endpoints.filter((ep) => endpointMatchesRequest(ep, req));
@@ -298,15 +296,35 @@ export function enrichEndpointsWithTokenSources(
 
     for (const [headerName, headerValue] of Object.entries(req.request_headers)) {
       if (!TOKEN_HEADER_PATTERN.test(headerName)) continue;
-      // Bearer tokens are prefixed — strip before scanning
       const tokenValue = extractTokenValue(headerName, headerValue);
       if (!tokenValue) continue;
 
-      const sources = findTokenSources(tokenValue, html, jsBundles);
+      const sources = (html || (jsBundles && jsBundles.size > 0))
+        ? findTokenSources(tokenValue, html, jsBundles)
+        : [];
+
+      const lowerName = headerName.toLowerCase();
+      if (sources.length === 0) {
+        if (/csrf|xsrf/i.test(lowerName)) {
+          sources.push({ kind: "cookie", cookie_names: ["ct0", "csrf_token", "_csrf", "csrftoken", "XSRF-TOKEN"] });
+        } else if (lowerName === "authorization") {
+          if (html) {
+            const scriptSrcRe = /<script[^>]+src=["']([^"']+)["']/gi;
+            let m: RegExpExecArray | null;
+            while ((m = scriptSrcRe.exec(html)) !== null) {
+              if (/main|app|client|bundle|vendor/i.test(m[1])) {
+                sources.push({ kind: "js-bundle", bundle_url_pattern: m[1] });
+                if (sources.length >= 3) break;
+              }
+            }
+          }
+        }
+      }
+
       if (sources.length === 0) continue;
 
       const binding: AuthTokenBinding = {
-        param_name: headerName.toLowerCase(),
+        param_name: lowerName,
         param_location: "header",
         sources,
         refresh_on_401: true,
@@ -314,9 +332,13 @@ export function enrichEndpointsWithTokenSources(
 
       for (const ep of matching) {
         if (!ep.auth_tokens) ep.auth_tokens = [];
-        // Dedupe: skip if a binding for the same param already exists
-        if (ep.auth_tokens.some((b) => b.param_name === binding.param_name)) continue;
-        ep.auth_tokens.push(binding);
+        // Always replace with fresh binding — stale sources from cached merges get overwritten
+        const idx = ep.auth_tokens.findIndex((b) => b.param_name === binding.param_name);
+        if (idx >= 0) {
+          ep.auth_tokens[idx] = binding;
+        } else {
+          ep.auth_tokens.push(binding);
+        }
         enriched++;
       }
     }