unbrowse 3.1.0-experiments.a2cf008 → 3.1.0-experiments.acc0c3e

package/dist/cli.js

@@ -31,7 +31,7 @@ var __promiseAll = (args) => Promise.all(args);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.1.0-experiments.a2cf008", BUILD_GIT_SHA = "a2cf008142ff", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuYTJjZjAwOCIsImdpdF9zaGEiOiJhMmNmMDA4MTQyZmYiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGEyY2YwMDgxNDJmZiIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMjM6MzQ6NDEuMzk1WiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "1vxiaCYILmk4RglXTLEsIOnEpX1T_x2iDsMRsp_SSis", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
+var BUILD_RELEASE_VERSION = "3.1.0-experiments.acc0c3e", BUILD_GIT_SHA = "acc0c3e1f8c5", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuYWNjMGMzZSIsImdpdF9zaGEiOiJhY2MwYzNlMWY4YzUiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGFjYzBjM2UxZjhjNSIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDI6MzI6NTMuOTQxWiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "ZqdsNG9DQl3Sx4n94HXYdmjYsiExN3BXql7Z-yRx7wE", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 
 // ../../src/version.ts
 import { createHash } from "crypto";
@@ -1369,7 +1369,7 @@ init_wallet();
 init_telemetry_attribution();
 import { readFileSync as readFileSync3, writeFileSync, existsSync as existsSync4, mkdirSync, readdirSync as readdirSync2 } from "fs";
 import { join as join4 } from "path";
-import { homedir as homedir3, hostname } from "os";
+import { homedir as homedir3, hostname, release as osRelease } from "os";
 import { randomBytes, createHash as createHash2 } from "crypto";
 import { createInterface } from "readline";
 var API_URL = process.env.UNBROWSE_BACKEND_URL || DEFAULT_BACKEND_URL;
@@ -1562,9 +1562,19 @@ async function recordInstallTelemetryEvent(source, options) {
     skill_version: options?.skillVersion,
     status: options?.status ?? "installed",
     created_at: createdAt,
-    properties: mergeTelemetryProperties(options?.properties, getTelemetryAttribution())
+    properties: mergeTelemetryProperties({ ...getRuntimeContext(), ...options?.properties }, getTelemetryAttribution())
   });
 }
+function getRuntimeContext() {
+  return {
+    cli_version: PACKAGE_VERSION,
+    code_hash: CODE_HASH,
+    node_version: process.version,
+    platform: process.platform,
+    arch: process.arch,
+    os_release: osRelease()
+  };
+}
 async function recordFunnelTelemetryEvent(name, options) {
   const createdAt = options?.createdAt ?? new Date().toISOString();
   const landingToken = getLandingToken();
@@ -1576,7 +1586,7 @@ async function recordFunnelTelemetryEvent(name, options) {
     source: options?.source ?? "cli",
     host_type: options?.hostType ?? detectTelemetryHostType(),
     created_at: createdAt,
-    properties: mergeTelemetryProperties(options?.properties, getTelemetryAttribution())
+    properties: mergeTelemetryProperties({ ...getRuntimeContext(), ...options?.properties }, getTelemetryAttribution())
   });
 }
 var EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/i;

package/dist/mcp.js

@@ -225,11 +225,11 @@ import { dirname, join, parse } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.1.0-experiments.a2cf008";
-var BUILD_GIT_SHA = "a2cf008142ff";
+var BUILD_RELEASE_VERSION = "3.1.0-experiments.acc0c3e";
+var BUILD_GIT_SHA = "acc0c3e1f8c5";
 var BUILD_CODE_HASH = "1488fc1d92b7";
-var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuYTJjZjAwOCIsImdpdF9zaGEiOiJhMmNmMDA4MTQyZmYiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGEyY2YwMDgxNDJmZiIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMjM6MzQ6NDEuMzk1WiJ9";
-var BUILD_RELEASE_MANIFEST_SIGNATURE = "1vxiaCYILmk4RglXTLEsIOnEpX1T_x2iDsMRsp_SSis";
+var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuYWNjMGMzZSIsImdpdF9zaGEiOiJhY2MwYzNlMWY4YzUiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGFjYzBjM2UxZjhjNSIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDI6MzI6NTMuOTQxWiJ9";
+var BUILD_RELEASE_MANIFEST_SIGNATURE = "ZqdsNG9DQl3Sx4n94HXYdmjYsiExN3BXql7Z-yRx7wE";
 var BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 
 // ../../src/version.ts
@@ -743,7 +743,7 @@ function readImpactSummary() {
 // ../../src/client/index.ts
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, existsSync as existsSync6, mkdirSync as mkdirSync4, readdirSync as readdirSync3 } from "fs";
 import { join as join5 } from "path";
-import { homedir as homedir4, hostname } from "os";
+import { homedir as homedir4, hostname, release as osRelease } from "os";
 
 // ../../src/payments/cascade.ts
 import bs58 from "bs58";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbrowse",
-  "version": "3.1.0-experiments.a2cf008",
+  "version": "3.1.0-experiments.acc0c3e",
   "description": "Reverse-engineer any website into reusable API skills. Zero-dep single binary with embedded browser engine.",
   "type": "module",
   "bin": {

package/runtime-src/api/browse-index.ts

@@ -169,6 +169,10 @@ export async function cacheBrowseRequests(params: {
   // so serverFetch can replay them. Use registrable domain for vault key
   // so ads.x.com and ads-api.x.com share the same session.
   const capturedAuthHeaders = extractAuthHeaders(requests);
+  // Filter out [REDACTED] placeholders from cookie-inferred auth headers
+  for (const [k, v] of Object.entries(capturedAuthHeaders)) {
+    if (v === "[REDACTED]") delete capturedAuthHeaders[k];
+  }
   if (Object.keys(capturedAuthHeaders).length > 0) {
     const sessionKey = `${getRegistrableDomain(domain)}-session`;
     await storeCredential(sessionKey, JSON.stringify({ headers: capturedAuthHeaders })).catch(() => {});

package/runtime-src/build-info.generated.ts

@@ -1,6 +1,6 @@
-export const BUILD_RELEASE_VERSION = "3.1.0-experiments.a2cf008";
-export const BUILD_GIT_SHA = "a2cf008142ff";
+export const BUILD_RELEASE_VERSION = "3.1.0-experiments.acc0c3e";
+export const BUILD_GIT_SHA = "acc0c3e1f8c5";
 export const BUILD_CODE_HASH = "1488fc1d92b7";
-export const BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuYTJjZjAwOCIsImdpdF9zaGEiOiJhMmNmMDA4MTQyZmYiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGEyY2YwMDgxNDJmZiIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMjM6MzQ6NDEuMzk1WiJ9";
-export const BUILD_RELEASE_MANIFEST_SIGNATURE = "1vxiaCYILmk4RglXTLEsIOnEpX1T_x2iDsMRsp_SSis";
+export const BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuYWNjMGMzZSIsImdpdF9zaGEiOiJhY2MwYzNlMWY4YzUiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGFjYzBjM2UxZjhjNSIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDI6MzI6NTMuOTQxWiJ9";
+export const BUILD_RELEASE_MANIFEST_SIGNATURE = "ZqdsNG9DQl3Sx4n94HXYdmjYsiExN3BXql7Z-yRx7wE";
 export const BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";

package/runtime-src/client/index.ts

@@ -1,6 +1,6 @@
 import { readFileSync, writeFileSync, existsSync, mkdirSync, readdirSync } from "fs";
 import { join } from "path";
-import { homedir, hostname } from "os";
+import { homedir, hostname, release as osRelease } from "os";
 import { randomBytes, createHash } from "crypto";
 import { createInterface } from "readline";
 import type {
@@ -16,6 +16,7 @@ import {
   CODE_HASH,
   DEFAULT_BACKEND_URL,
   GIT_SHA,
+  PACKAGE_VERSION,
   RELEASE_MANIFEST_BASE64,
   RELEASE_MANIFEST_SIGNATURE,
   TRACE_VERSION,
@@ -302,10 +303,21 @@ export async function recordInstallTelemetryEvent(
     skill_version: options?.skillVersion,
     status: options?.status ?? "installed",
     created_at: createdAt,
-    properties: mergeTelemetryProperties(options?.properties, getTelemetryAttribution()),
+    properties: mergeTelemetryProperties({ ...getRuntimeContext(), ...options?.properties }, getTelemetryAttribution()),
   });
 }
 
+function getRuntimeContext(): Record<string, unknown> {
+  return {
+    cli_version: PACKAGE_VERSION,
+    code_hash: CODE_HASH,
+    node_version: process.version,
+    platform: process.platform,
+    arch: process.arch,
+    os_release: osRelease(),
+  };
+}
+
 export async function recordFunnelTelemetryEvent(
   name: string,
   options?: {
@@ -326,7 +338,7 @@ export async function recordFunnelTelemetryEvent(
     source: options?.source ?? "cli",
     host_type: options?.hostType ?? detectTelemetryHostType(),
     created_at: createdAt,
-    properties: mergeTelemetryProperties(options?.properties, getTelemetryAttribution()),
+    properties: mergeTelemetryProperties({ ...getRuntimeContext(), ...options?.properties }, getTelemetryAttribution()),
   });
 }
 

package/runtime-src/execution/index.ts

@@ -2022,7 +2022,7 @@ export async function executeEndpoint(
     try {
       const { resolveAuthTokens } = await import("./token-resolver.js");
       const resolved = await resolveAuthTokens(endpoint, cookies, authHeaders);
-      log("exec", `token resolver returned ${Object.keys(resolved).length} headers: ${Object.keys(resolved).join(",") || "none"}`);
+      log("exec", `token resolver returned ${Object.keys(resolved).length} headers: ${Object.keys(resolved).join(",") || "none"} auth=${(resolved.authorization || "").substring(0, 40)}`);
       Object.assign(authHeaders, resolved);
     } catch (e) { log("exec", `token resolver failed: ${e}`); }
   }
@@ -2241,7 +2241,7 @@ export async function executeEndpoint(
 
     for (const replayUrl of replayUrls) {
       const replayHeaders = buildStructuredReplayHeaders(url, replayUrl, headers);
-      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 80)} csrf=${replayHeaders["x-csrf-token"]?.substring(0, 10)}... cookies=${(replayHeaders["cookie"]?.length ?? 0)}chars`);
+      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 80)} auth=${(replayHeaders["authorization"] || "none").substring(0, 50)} csrf=${replayHeaders["x-csrf-token"]?.substring(0, 10)}... cookies=${(replayHeaders["cookie"]?.length ?? 0)}chars`);
       const res = await fetch(replayUrl, {
         method: endpoint.method,
         headers: replayHeaders,
@@ -3165,6 +3165,7 @@ export function rankEndpoints(endpoints: EndpointDescriptor[], intent?: string,
       }
     }
     score += ep.reliability_score * 5;
+    if (ep.verification_status === "verified") score += 15;
     if (ep.method === "WS" && ep.response_schema) score += 3;
 
     // === Domain affinity ===

package/runtime-src/execution/token-resolver.ts

@@ -54,7 +54,14 @@ export async function resolveAuthTokens(
       }
 
       for (const binding of headerBindings) {
-        const value = await resolveBinding(binding, html, cookies);
+        let value = await resolveBinding(binding, html, cookies);
+
+        // If stored sources didn't resolve (e.g. bearer in a different bundle),
+        // scan all loaded script resources via Performance API
+        if (!value && binding.sources.some((s) => s.kind === "js-bundle")) {
+          value = await scanAllScriptResources(tabId, binding);
+        }
+
         if (value) {
           resolved[binding.param_name] = binding.param_name.toLowerCase() === "authorization"
             ? (value.startsWith("Bearer ") ? value : `Bearer ${value}`)
@@ -133,3 +140,35 @@ async function waitForLoad(tabId: string): Promise<void> {
     await new Promise((r) => setTimeout(r, 500));
   }
 }
+
+/**
+ * Scan all script resources loaded by the page via Performance API.
+ * Fetches each bundle and searches for a token matching the binding pattern.
+ * This handles cases where the enrichment captured the wrong bundle URLs.
+ */
+async function scanAllScriptResources(tabId: string, binding: AuthTokenBinding): Promise<string | undefined> {
+  try {
+    const raw = await kuri.evaluate(tabId, `
+      JSON.stringify(
+        performance.getEntriesByType('resource')
+          .filter(function(e) { return e.initiatorType === 'script'; })
+          .map(function(e) { return e.name; })
+      )
+    `);
+    if (typeof raw !== "string" || !raw.startsWith("[")) return undefined;
+    const urls: string[] = JSON.parse(raw);
+
+    const tokenPattern = /AAAAAAAAAAAAAAAAAAA[A-Za-z0-9+/=_%-]{20,}/;
+
+    for (const url of urls) {
+      try {
+        const resp = await fetch(url);
+        if (!resp.ok) continue;
+        const body = await resp.text();
+        const m = body.match(tokenPattern);
+        if (m && m[0].length >= 20) return m[0];
+      } catch { /* fetch failed, try next */ }
+    }
+  } catch { /* evaluate failed */ }
+  return undefined;
+}

package/runtime-src/reverse-engineer/token-sources.ts

@@ -309,7 +309,7 @@ export function enrichEndpointsWithTokenSources(
           sources.push({ kind: "cookie", cookie_names: ["ct0", "csrf_token", "_csrf", "csrftoken", "XSRF-TOKEN"] });
         } else if (lowerName === "authorization") {
           if (html) {
-            const scriptSrcRe = /<script[^>]+src=["']([^"']+\.js[^"']*?)["']/gi;
+            const scriptSrcRe = /<script[^>]+src=["']([^"']+)["']/gi;
             let m: RegExpExecArray | null;
             while ((m = scriptSrcRe.exec(html)) !== null) {
               if (/main|app|client|bundle|vendor/i.test(m[1])) {

package/vendor/kuri/manifest.json

@@ -1,28 +1,25 @@
 {
   "repo_url": "https://github.com/justrach/kuri.git",
   "branch": "adding-extensions",
-  "source_sha": "08eecbe3740f046a46f656eed7ebfc66c1bad9bb",
-  "built_at": "2026-04-05T06:43:57.212Z",
+  "source_sha": "eadfaa5f921f7152e1762aed5ed64b3a4fbefbf3",
+  "built_at": "2026-04-06T02:32:53.993Z",
   "binaries": {
     "darwin-arm64": {
       "zig_target": "aarch64-macos",
-      "sha256": "1553633e722d18059dedffa8a52d55ed6c052e4961fd2753ee0b62be60b241bf"
+      "sha256": "e230b49c36db62c3a5c9cf62e316b637ffff7452335211f63c390aab1a13e250",
+      "source": "prebuilt"
     },
     "darwin-x64": {
       "zig_target": "x86_64-macos",
-      "sha256": "b5eb07e631c6ddad64019c8d0c86c32cb76a74ff0791ac5611a3aa3550767ec8"
+      "sha256": "f43bae178982b7d5d7da9d041a2984204afecf60c81f6c037451b372adbd2968"
     },
     "linux-arm64": {
       "zig_target": "aarch64-linux",
-      "sha256": "ea88a26f7b335d5842b0c1d83bfa4066bed0a119284560f6bd3833f1d240cce2"
+      "sha256": "8416277825f6d55a2936de06f5dedce8ce1fe9445bb94843edd62103e22f8e0d"
     },
     "linux-x64": {
       "zig_target": "x86_64-linux",
-      "sha256": "175a7c59e458e952a26974f0fb5c2ce374e56f2c4c352903b481b5aa5a16978f"
-    },
-    "win-x64": {
-      "zig_target": "x86_64-windows",
-      "sha256": "176291ad9827a183ba7322ddb56cc1fa5edc7c214a264ecdf8a1d5d18366d686"
+      "sha256": "459df714ac61fc906d9234f223791d51359c002a8ecbada9995211df9e0283cd"
     }
   }
 }