unbrowse 3.1.0-experiments.e16f194 → 3.1.0-experiments.ef43417

package/dist/cli.js

@@ -31,7 +31,7 @@ var __promiseAll = (args) => Promise.all(args);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.1.0-experiments.e16f194", BUILD_GIT_SHA = "e16f194a388c", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuZTE2ZjE5NCIsImdpdF9zaGEiOiJlMTZmMTk0YTM4OGMiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGUxNmYxOTRhMzg4YyIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMTQ6MzY6MjMuNDY3WiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "FextqttPXF5moOI2DNGvrN-yPrwuleNkbadmvTLmmPc", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
+var BUILD_RELEASE_VERSION = "3.1.0-experiments.ef43417", BUILD_GIT_SHA = "ef434171bbc8", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuZWY0MzQxNyIsImdpdF9zaGEiOiJlZjQzNDE3MWJiYzgiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGVmNDM0MTcxYmJjOCIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDI6NTQ6MTAuMjU3WiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "TWn8YbnQaAVxkiuNsLHcxl8-9saAN2wWFxDFtz9Xc0c", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 
 // ../../src/version.ts
 import { createHash } from "crypto";
@@ -899,18 +899,6 @@ var init_extraction = __esm(() => {
   CHROME_TAGS = new Set(["nav", "footer", "header"]);
 });
 
-// ../../src/graph/agent-augment.ts
-var DEFAULT_MODEL, ENABLED, AUGMENT_TIMEOUT_MS, MAX_AUGMENT_ENDPOINTS, MAX_AUGMENT_PAYLOAD_CHARS, GENERIC_SEMANTIC_TYPES;
-var init_agent_augment = __esm(() => {
-  init_graph();
-  DEFAULT_MODEL = process.env.UNBROWSE_AGENT_SEMANTIC_MODEL ?? process.env.UNBROWSE_AGENT_JUDGE_MODEL ?? "gpt-4.1-mini";
-  ENABLED = process.env.UNBROWSE_AGENT_SEMANTIC_AUGMENT !== "0";
-  AUGMENT_TIMEOUT_MS = Number(process.env.UNBROWSE_AGENT_SEMANTIC_TIMEOUT_MS ?? 8000);
-  MAX_AUGMENT_ENDPOINTS = Math.max(1, Number(process.env.UNBROWSE_AGENT_SEMANTIC_MAX_ENDPOINTS ?? 6));
-  MAX_AUGMENT_PAYLOAD_CHARS = Math.max(4000, Number(process.env.UNBROWSE_AGENT_SEMANTIC_MAX_PAYLOAD_CHARS ?? 24000));
-  GENERIC_SEMANTIC_TYPES = new Set(["identifier", "input", "resource", "entity", "item"]);
-});
-
 // ../../src/execution/search-forms.ts
 var SEARCH_FIELD_NAMES, LOGIN_FIELD_NAMES, SUPPORTED_INPUT_TYPES;
 var init_search_forms = __esm(() => {
@@ -1036,7 +1024,6 @@ var init_execution = __esm(async () => {
   init_domain();
   init_extraction();
   init_graph();
-  init_agent_augment();
   init_logger();
   init_version();
   init_search_forms();
@@ -1382,7 +1369,7 @@ init_wallet();
 init_telemetry_attribution();
 import { readFileSync as readFileSync3, writeFileSync, existsSync as existsSync4, mkdirSync, readdirSync as readdirSync2 } from "fs";
 import { join as join4 } from "path";
-import { homedir as homedir3, hostname } from "os";
+import { homedir as homedir3, hostname, release as osRelease } from "os";
 import { randomBytes, createHash as createHash2 } from "crypto";
 import { createInterface } from "readline";
 var API_URL = process.env.UNBROWSE_BACKEND_URL || DEFAULT_BACKEND_URL;
@@ -1575,9 +1562,19 @@ async function recordInstallTelemetryEvent(source, options) {
     skill_version: options?.skillVersion,
     status: options?.status ?? "installed",
     created_at: createdAt,
-    properties: mergeTelemetryProperties(options?.properties, getTelemetryAttribution())
+    properties: mergeTelemetryProperties({ ...getRuntimeContext(), ...options?.properties }, getTelemetryAttribution())
   });
 }
+function getRuntimeContext() {
+  return {
+    cli_version: PACKAGE_VERSION,
+    code_hash: CODE_HASH,
+    node_version: process.version,
+    platform: process.platform,
+    arch: process.arch,
+    os_release: osRelease()
+  };
+}
 async function recordFunnelTelemetryEvent(name, options) {
   const createdAt = options?.createdAt ?? new Date().toISOString();
   const landingToken = getLandingToken();
@@ -1589,7 +1586,7 @@ async function recordFunnelTelemetryEvent(name, options) {
     source: options?.source ?? "cli",
     host_type: options?.hostType ?? detectTelemetryHostType(),
     created_at: createdAt,
-    properties: mergeTelemetryProperties(options?.properties, getTelemetryAttribution())
+    properties: mergeTelemetryProperties({ ...getRuntimeContext(), ...options?.properties }, getTelemetryAttribution())
   });
 }
 var EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/i;

package/dist/mcp.js

@@ -225,11 +225,11 @@ import { dirname, join, parse } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.1.0-experiments.e16f194";
-var BUILD_GIT_SHA = "e16f194a388c";
+var BUILD_RELEASE_VERSION = "3.1.0-experiments.ef43417";
+var BUILD_GIT_SHA = "ef434171bbc8";
 var BUILD_CODE_HASH = "1488fc1d92b7";
-var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuZTE2ZjE5NCIsImdpdF9zaGEiOiJlMTZmMTk0YTM4OGMiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGUxNmYxOTRhMzg4YyIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMTQ6MzY6MjMuNDY3WiJ9";
-var BUILD_RELEASE_MANIFEST_SIGNATURE = "FextqttPXF5moOI2DNGvrN-yPrwuleNkbadmvTLmmPc";
+var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuZWY0MzQxNyIsImdpdF9zaGEiOiJlZjQzNDE3MWJiYzgiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGVmNDM0MTcxYmJjOCIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDI6NTQ6MTAuMjU3WiJ9";
+var BUILD_RELEASE_MANIFEST_SIGNATURE = "TWn8YbnQaAVxkiuNsLHcxl8-9saAN2wWFxDFtz9Xc0c";
 var BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 
 // ../../src/version.ts
@@ -743,7 +743,7 @@ function readImpactSummary() {
 // ../../src/client/index.ts
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, existsSync as existsSync6, mkdirSync as mkdirSync4, readdirSync as readdirSync3 } from "fs";
 import { join as join5 } from "path";
-import { homedir as homedir4, hostname } from "os";
+import { homedir as homedir4, hostname, release as osRelease } from "os";
 
 // ../../src/payments/cascade.ts
 import bs58 from "bs58";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbrowse",
-  "version": "3.1.0-experiments.e16f194",
+  "version": "3.1.0-experiments.ef43417",
   "description": "Reverse-engineer any website into reusable API skills. Zero-dep single binary with embedded browser engine.",
   "type": "module",
   "bin": {

package/runtime-src/api/browse-index.ts

@@ -1,5 +1,6 @@
 import { nanoid } from "nanoid";
 import { readFileSync } from "node:fs";
+import { log } from "../logger.js";
 import { extractEndpoints, extractAuthHeaders } from "../reverse-engineer/index.js";
 import { enrichEndpointsWithTokenSources } from "../reverse-engineer/token-sources.js";
 import { buildSkillOperationGraph, inferEndpointSemantic } from "../graph/index.js";
@@ -168,6 +169,10 @@ export async function cacheBrowseRequests(params: {
   // so serverFetch can replay them. Use registrable domain for vault key
   // so ads.x.com and ads-api.x.com share the same session.
   const capturedAuthHeaders = extractAuthHeaders(requests);
+  // Filter out [REDACTED] placeholders from cookie-inferred auth headers
+  for (const [k, v] of Object.entries(capturedAuthHeaders)) {
+    if (v === "[REDACTED]") delete capturedAuthHeaders[k];
+  }
   if (Object.keys(capturedAuthHeaders).length > 0) {
     const sessionKey = `${getRegistrableDomain(domain)}-session`;
     await storeCredential(sessionKey, JSON.stringify({ headers: capturedAuthHeaders })).catch(() => {});
@@ -196,6 +201,7 @@ export async function cacheBrowseRequests(params: {
     if (!existingSkill || mergedEndpoints.length >= existingSkill.endpoints.length) {
       for (const endpoint of mergedEndpoints) {
         if (!endpoint.description) endpoint.description = generateLocalDescription(endpoint);
+        if (!endpoint.semantic) endpoint.semantic = inferEndpointSemantic(endpoint);
       }
       const quickSkill: SkillManifest = {
         skill_id: existingSkill?.skill_id ?? nanoid(),
@@ -221,9 +227,11 @@ export async function cacheBrowseRequests(params: {
       try {
         const html = getPageHtml ? await getPageHtml() : undefined;
         if (html && html.startsWith("<")) {
-          enrichEndpointsWithTokenSources(quickSkill.endpoints, requests, html, jsBundles);
+          const preCheck = requests.filter(r => r.request_headers["authorization"] || r.request_headers["x-csrf-token"]).length;
+          const enriched = enrichEndpointsWithTokenSources(quickSkill.endpoints, requests, html, jsBundles);
+          log("browse-index", `token enrichment: ${enriched} bindings, ${preCheck} auth-reqs pre-call, ${quickSkill.endpoints.length} eps`);
         }
-      } catch { /* best-effort */ }
+      } catch (e) { log("browse-index", `token enrichment failed: ${e}`); }
 
       const cacheKey = buildResolveCacheKey(domain, intent, sessionUrl);
       const scopedKey = scopedCacheKey("global", cacheKey);

package/runtime-src/api/routes.ts

@@ -8,7 +8,6 @@ import { nanoid } from "nanoid";
 import type { ExecutionTrace, OrchestrationTiming, ProjectionOptions, SkillManifest } from "../types/index.js";
 import { mergeEndpoints } from "../marketplace/index.js";
 import { buildSkillOperationGraph, getEndpointDescriptionMetadata, getSkillChunk, toAgentSkillChunkView } from "../graph/index.js";
-import { augmentEndpointsWithAgent } from "../graph/agent-augment.js";
 import { findExistingSkillForDomain, cachePublishedSkill } from "../client/index.js";
 import { storeCredential } from "../vault/index.js";
 import { getRegistrableDomain } from "../domain.js";
@@ -1179,10 +1178,16 @@ export async function registerRoutes(app: FastifyInstance) {
 
   async function restartBrowseCapture(session: BrowseSession): Promise<void> {
     const broker = brokerForSession(session);
-    const load = await broker.waitForLoad(session.tabId, 2_000).catch(() => null);
-    if (load && load.status === "timeout") {
-      session.harActive = false;
-      return;
+    // Ensure Kuri is actually responding before starting HAR.
+    // Cold starts on packaged CLI can have ConnectionRefused retries —
+    // if we start HAR during instability, it gets lost on restart.
+    for (let attempt = 0; attempt < 5; attempt++) {
+      try {
+        await broker.waitForLoad(session.tabId, 2_000);
+        break;
+      } catch {
+        if (attempt < 4) await new Promise((r) => setTimeout(r, 1_000));
+      }
     }
     await broker.networkEnable(session.tabId).catch(() => {});
     await broker.harStart(session.tabId).catch(() => {});

package/runtime-src/browser/index.ts

@@ -7,7 +7,6 @@ import type { RawRequest } from "../capture/index.js";
 import { queueBackgroundIndex } from "../indexer/index.js";
 import { mergeEndpoints } from "../marketplace/index.js";
 import { buildSkillOperationGraph } from "../graph/index.js";
-import { augmentEndpointsWithAgent } from "../graph/agent-augment.js";
 import { findExistingSkillForDomain, cachePublishedSkill } from "../client/index.js";
 import { storeCredential } from "../vault/index.js";
 import { getRegistrableDomain } from "../domain.js";

package/runtime-src/build-info.generated.ts

@@ -1,6 +1,6 @@
-export const BUILD_RELEASE_VERSION = "3.1.0-experiments.e16f194";
-export const BUILD_GIT_SHA = "e16f194a388c";
+export const BUILD_RELEASE_VERSION = "3.1.0-experiments.ef43417";
+export const BUILD_GIT_SHA = "ef434171bbc8";
 export const BUILD_CODE_HASH = "1488fc1d92b7";
-export const BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuZTE2ZjE5NCIsImdpdF9zaGEiOiJlMTZmMTk0YTM4OGMiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGUxNmYxOTRhMzg4YyIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDVUMTQ6MzY6MjMuNDY3WiJ9";
-export const BUILD_RELEASE_MANIFEST_SIGNATURE = "FextqttPXF5moOI2DNGvrN-yPrwuleNkbadmvTLmmPc";
+export const BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4xLjAtZXhwZXJpbWVudHMuZWY0MzQxNyIsImdpdF9zaGEiOiJlZjQzNDE3MWJiYzgiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QGVmNDM0MTcxYmJjOCIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMDI6NTQ6MTAuMjU3WiJ9";
+export const BUILD_RELEASE_MANIFEST_SIGNATURE = "TWn8YbnQaAVxkiuNsLHcxl8-9saAN2wWFxDFtz9Xc0c";
 export const BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";

package/runtime-src/capture/index.ts

@@ -670,13 +670,21 @@ export function mergePassiveCaptureData(
     });
   }
 
-  // Priority 3: Extension entries (URL+headers supplement, no bodies)
+  // Priority 3: Extension entries (chrome.webRequest — has full auth headers HAR strips)
   for (const entry of extensionEntries) {
-    if (seen.has(entry.url)) continue;
     const reqHeaders: Record<string, string> = {};
     for (const h of entry.requestHeaders ?? []) reqHeaders[h.name] = h.value;
     const respHeaders: Record<string, string> = {};
     for (const h of entry.responseHeaders ?? []) respHeaders[h.name] = h.value;
+
+    const existing = seen.get(entry.url);
+    if (existing) {
+      // Merge auth headers from extension into existing entry (HAR strips them)
+      for (const [k, v] of Object.entries(reqHeaders)) {
+        if (!existing.request_headers[k]) existing.request_headers[k] = v;
+      }
+      continue;
+    }
     seen.set(entry.url, {
       url: entry.url,
       method: entry.method,
@@ -936,22 +944,36 @@ export async function enrichPassiveCaptureRequests(params: {
     ...request,
     url: normalizeCapturedUrl(request.url, captureUrl),
   }));
+
+  // HAR strips auth headers. Infer their presence from cookies so
+  // enrichEndpointsWithTokenSources can create DAG bindings.
+  if (extensionEntries.length === 0) {
+    const tabCookies = await kuri.getCookies(tabId).catch(() => []) as Array<{ name: string; value: string }>;
+    const hasAuthCookie = tabCookies.some((c) => /^(ct0|csrf_token|_csrf|csrftoken|XSRF-TOKEN|auth_token)$/i.test(c.name));
+    if (hasAuthCookie) {
+      for (const req of requests) {
+        if (/\/(api|graphql|v\d+)\b/i.test(req.url) || /ads-api|voyager/i.test(req.url)) {
+          if (!req.request_headers["authorization"]) req.request_headers["authorization"] = "[REDACTED]";
+          if (!req.request_headers["x-csrf-token"]) req.request_headers["x-csrf-token"] = "[REDACTED]";
+        }
+      }
+    }
+  }
+
   log("capture", `browse-checkpoint tracked ${harEntries.length} HAR, ${intercepted.length} intercepted, ${extensionEntries.length} extension, ${responseBodies.size} bodies → ${requests.length} merged`);
   return requests;
 }
-
 /**
  * Collect network requests observed by kuri's builtin extension (chrome.webRequest).
  * Gracefully returns [] if the extension relay is not yet wired.
  */
 async function collectExtensionRequests(tabId: string): Promise<ExtensionEntry[]> {
   try {
-    // Query the builtin extension's network log via the agent bridge
     const raw = await kuri.evaluate(tabId, `
       (function() {
         if (!window.__kuri || !window.__kuri._networkLog) return '[]';
         var log = window.__kuri._networkLog;
-        window.__kuri._networkLog = []; // drain
+        window.__kuri._networkLog = [];
         return JSON.stringify(log);
       })()
     `);

package/runtime-src/client/index.ts

@@ -1,6 +1,6 @@
 import { readFileSync, writeFileSync, existsSync, mkdirSync, readdirSync } from "fs";
 import { join } from "path";
-import { homedir, hostname } from "os";
+import { homedir, hostname, release as osRelease } from "os";
 import { randomBytes, createHash } from "crypto";
 import { createInterface } from "readline";
 import type {
@@ -16,6 +16,7 @@ import {
   CODE_HASH,
   DEFAULT_BACKEND_URL,
   GIT_SHA,
+  PACKAGE_VERSION,
   RELEASE_MANIFEST_BASE64,
   RELEASE_MANIFEST_SIGNATURE,
   TRACE_VERSION,
@@ -302,10 +303,21 @@ export async function recordInstallTelemetryEvent(
     skill_version: options?.skillVersion,
     status: options?.status ?? "installed",
     created_at: createdAt,
-    properties: mergeTelemetryProperties(options?.properties, getTelemetryAttribution()),
+    properties: mergeTelemetryProperties({ ...getRuntimeContext(), ...options?.properties }, getTelemetryAttribution()),
   });
 }
 
+function getRuntimeContext(): Record<string, unknown> {
+  return {
+    cli_version: PACKAGE_VERSION,
+    code_hash: CODE_HASH,
+    node_version: process.version,
+    platform: process.platform,
+    arch: process.arch,
+    os_release: osRelease(),
+  };
+}
+
 export async function recordFunnelTelemetryEvent(
   name: string,
   options?: {
@@ -326,7 +338,7 @@ export async function recordFunnelTelemetryEvent(
     source: options?.source ?? "cli",
     host_type: options?.hostType ?? detectTelemetryHostType(),
     created_at: createdAt,
-    properties: mergeTelemetryProperties(options?.properties, getTelemetryAttribution()),
+    properties: mergeTelemetryProperties({ ...getRuntimeContext(), ...options?.properties }, getTelemetryAttribution()),
   });
 }
 

package/runtime-src/execution/index.ts

@@ -19,7 +19,6 @@ import { nanoid } from "nanoid";
 import { getRegistrableDomain } from "../domain.js";
 import { extractFromDOM, extractFromDOMWithHint } from "../extraction/index.js";
 import { buildSkillOperationGraph, getEndpointDescriptionMetadata, inferEndpointSemantic, resolveEndpointSemantic } from "../graph/index.js";
-import { augmentEndpointsWithAgent } from "../graph/agent-augment.js";
 import { log } from "../logger.js";
 import { TRACE_VERSION } from "../version.js";
 import { buildQueryBindingMap, extractTemplateQueryBindings, mergeContextTemplateParams } from "../template-params.js";
@@ -190,11 +189,10 @@ function normalizeEndpointForManifest(endpoint: EndpointDescriptor): EndpointDes
 
 async function prepareLearnedEndpoints(
   endpoints: EndpointDescriptor[],
-  intent: string,
-  domain: string,
+  _intent: string,
+  _domain: string,
 ): Promise<EndpointDescriptor[]> {
-  const normalized = endpoints.map(normalizeEndpointForManifest);
-  return augmentEndpointsWithAgent(normalized, { intent, domain });
+  return endpoints.map(normalizeEndpointForManifest);
 }
 
 function intentWantsStructuredRecords(intent?: string): boolean {
@@ -2017,14 +2015,16 @@ export async function executeEndpoint(
   const epDomain = (() => { try { return new URL(endpoint.url_template).hostname; } catch { return skill.domain; } })();
   await reloadExecutionAuthState(skill, epDomain, authHeaders, cookies);
 
-  // If endpoint has auth_tokens bindings and vault didn't provide the needed headers,
-  // resolve them from the page source (meta tags, inline scripts, JS bundles)
-  if (endpoint.auth_tokens?.length && Object.keys(authHeaders).length === 0) {
+  // If endpoint has auth_tokens bindings, always resolve fresh tokens.
+  // Vault headers may be stale — the DAG knows how to get fresh ones.
+  log("exec", `auth_tokens check: ${endpoint.auth_tokens?.length ?? 0} bindings on ${endpoint.endpoint_id}`);
+  if (endpoint.auth_tokens?.length) {
     try {
       const { resolveAuthTokens } = await import("./token-resolver.js");
       const resolved = await resolveAuthTokens(endpoint, cookies, authHeaders);
+      log("exec", `token resolver returned ${Object.keys(resolved).length} headers: ${Object.keys(resolved).join(",") || "none"} auth=${(resolved.authorization || "").substring(0, 40)}`);
       Object.assign(authHeaders, resolved);
-    } catch { /* token resolution is best-effort */ }
+    } catch (e) { log("exec", `token resolver failed: ${e}`); }
   }
 
   log("exec", `endpoint ${endpoint.endpoint_id}: cookies=${cookies.length} authHeaders=${Object.keys(authHeaders).length} hasAuth=${cookies.length > 0 || Object.keys(authHeaders).length > 0}`);
@@ -2241,7 +2241,7 @@ export async function executeEndpoint(
 
     for (const replayUrl of replayUrls) {
       const replayHeaders = buildStructuredReplayHeaders(url, replayUrl, headers);
-      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 80)} csrf=${replayHeaders["x-csrf-token"]?.substring(0, 10)}... cookies=${(replayHeaders["cookie"]?.length ?? 0)}chars`);
+      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 80)} auth=${(replayHeaders["authorization"] || "none").substring(0, 50)} csrf=${replayHeaders["x-csrf-token"]?.substring(0, 10)}... cookies=${(replayHeaders["cookie"]?.length ?? 0)}chars`);
       const res = await fetch(replayUrl, {
         method: endpoint.method,
         headers: replayHeaders,
@@ -3165,6 +3165,7 @@ export function rankEndpoints(endpoints: EndpointDescriptor[], intent?: string,
       }
     }
     score += ep.reliability_score * 5;
+    if (ep.verification_status === "verified") score += 15;
     if (ep.method === "WS" && ep.response_schema) score += 3;
 
     // === Domain affinity ===

package/runtime-src/execution/token-resolver.ts

@@ -34,10 +34,8 @@ export async function resolveAuthTokens(
   const triggerUrl = endpoint.trigger_url;
   if (!triggerUrl) return {};
 
-  // Only resolve header bindings that aren't already satisfied
-  const headerBindings = bindings.filter(
-    (b) => b.param_location === "header" && !existingAuthHeaders[b.param_name],
-  );
+  // Resolve ALL header bindings — DAG sources are authoritative over vault cache
+  const headerBindings = bindings.filter((b) => b.param_location === "header");
   if (headerBindings.length === 0) return {};
 
   const resolved: Record<string, string> = {};
@@ -56,7 +54,14 @@ export async function resolveAuthTokens(
       }
 
       for (const binding of headerBindings) {
-        const value = resolveBinding(binding, html);
+        let value = await resolveBinding(binding, html, cookies);
+
+        // If stored sources didn't resolve (e.g. bearer in a different bundle),
+        // scan all loaded script resources via Performance API
+        if (!value && binding.sources.some((s) => s.kind === "js-bundle")) {
+          value = await scanAllScriptResources(tabId, binding);
+        }
+
         if (value) {
           resolved[binding.param_name] = binding.param_name.toLowerCase() === "authorization"
             ? (value.startsWith("Bearer ") ? value : `Bearer ${value}`)
@@ -73,21 +78,36 @@ export async function resolveAuthTokens(
   return resolved;
 }
 
-function resolveBinding(binding: AuthTokenBinding, html: string): string | undefined {
+async function resolveBinding(
+  binding: AuthTokenBinding,
+  html: string,
+  cookies: Array<{ name: string; value: string; domain: string }>,
+): Promise<string | undefined> {
   for (const source of binding.sources) {
     let value: string | undefined;
 
-    if (source.kind === "html-meta" || source.kind === "html-inline-script") {
+    if (source.kind === "cookie" && source.cookie_names?.length) {
+      // Resolve from cookies — CSRF tokens typically live here
+      for (const name of source.cookie_names) {
+        const cookie = cookies.find((c) => c.name === name);
+        if (cookie?.value) { value = cookie.value; break; }
+      }
+    } else if (source.kind === "html-meta" || source.kind === "html-inline-script") {
       value = extractTokenFromHtml(source, html);
+    } else if (source.kind === "js-bundle" && source.bundle_url_pattern) {
+      try {
+        const resp = await fetch(source.bundle_url_pattern);
+        if (resp.ok) {
+          const body = await resp.text();
+          value = extractTokenFromBundle(source, body);
+        }
+      } catch { /* fetch failed — try next source */ }
     }
-    // JS bundle resolution would require fetching the bundle URL —
-    // skip for now, HTML sources cover most cases (CSRF, inline tokens)
 
     if (value && value.length >= 8) return value;
   }
   return undefined;
 }
-
 async function openResolverTab(
   url: string,
   cookies: Array<{ name: string; value: string; domain: string }>,
@@ -120,3 +140,35 @@ async function waitForLoad(tabId: string): Promise<void> {
     await new Promise((r) => setTimeout(r, 500));
   }
 }
+
+/**
+ * Scan all script resources loaded by the page via Performance API.
+ * Fetches each bundle and searches for a token matching the binding pattern.
+ * This handles cases where the enrichment captured the wrong bundle URLs.
+ */
+async function scanAllScriptResources(tabId: string, binding: AuthTokenBinding): Promise<string | undefined> {
+  try {
+    const raw = await kuri.evaluate(tabId, `
+      JSON.stringify(
+        performance.getEntriesByType('resource')
+          .filter(function(e) { return e.initiatorType === 'script'; })
+          .map(function(e) { return e.name; })
+      )
+    `);
+    if (typeof raw !== "string" || !raw.startsWith("[")) return undefined;
+    const urls: string[] = JSON.parse(raw);
+
+    const tokenPattern = /AAAAAAAAAAAAAAAAAAA[A-Za-z0-9+/=_%-]{20,}/;
+
+    for (const url of urls) {
+      try {
+        const resp = await fetch(url);
+        if (!resp.ok) continue;
+        const body = await resp.text();
+        const m = body.match(tokenPattern);
+        if (m && m[0].length >= 20) return m[0];
+      } catch { /* fetch failed, try next */ }
+    }
+  } catch { /* evaluate failed */ }
+  return undefined;
+}

package/runtime-src/orchestrator/browser-agent.ts

@@ -15,7 +15,6 @@ import { extractBrowserCookies } from "../auth/browser-cookies.js";
 import { queueBackgroundIndex } from "../indexer/index.js";
 import { mergeEndpoints } from "../marketplace/index.js";
 import { buildSkillOperationGraph } from "../graph/index.js";
-import { augmentEndpointsWithAgent } from "../graph/agent-augment.js";
 import { findExistingSkillForDomain, cachePublishedSkill } from "../client/index.js";
 import { storeCredential } from "../vault/index.js";
 import { getRegistrableDomain } from "../domain.js";

package/runtime-src/reverse-engineer/token-sources.ts

@@ -289,8 +289,6 @@ export function enrichEndpointsWithTokenSources(
   html: string | undefined,
   jsBundles: Map<string, string> | undefined,
 ): number {
-  if (!html && (!jsBundles || jsBundles.size === 0)) return 0;
-
   let enriched = 0;
   for (const req of requests) {
     const matching = endpoints.filter((ep) => endpointMatchesRequest(ep, req));
@@ -298,15 +296,35 @@ export function enrichEndpointsWithTokenSources(
 
     for (const [headerName, headerValue] of Object.entries(req.request_headers)) {
       if (!TOKEN_HEADER_PATTERN.test(headerName)) continue;
-      // Bearer tokens are prefixed — strip before scanning
       const tokenValue = extractTokenValue(headerName, headerValue);
       if (!tokenValue) continue;
 
-      const sources = findTokenSources(tokenValue, html, jsBundles);
+      const sources = (html || (jsBundles && jsBundles.size > 0))
+        ? findTokenSources(tokenValue, html, jsBundles)
+        : [];
+
+      const lowerName = headerName.toLowerCase();
+      if (sources.length === 0) {
+        if (/csrf|xsrf/i.test(lowerName)) {
+          sources.push({ kind: "cookie", cookie_names: ["ct0", "csrf_token", "_csrf", "csrftoken", "XSRF-TOKEN"] });
+        } else if (lowerName === "authorization") {
+          if (html) {
+            const scriptSrcRe = /<script[^>]+src=["']([^"']+)["']/gi;
+            let m: RegExpExecArray | null;
+            while ((m = scriptSrcRe.exec(html)) !== null) {
+              if (/main|app|client|bundle|vendor/i.test(m[1])) {
+                sources.push({ kind: "js-bundle", bundle_url_pattern: m[1] });
+                if (sources.length >= 3) break;
+              }
+            }
+          }
+        }
+      }
+
       if (sources.length === 0) continue;
 
       const binding: AuthTokenBinding = {
-        param_name: headerName.toLowerCase(),
+        param_name: lowerName,
         param_location: "header",
         sources,
         refresh_on_401: true,
@@ -314,9 +332,13 @@ export function enrichEndpointsWithTokenSources(
 
       for (const ep of matching) {
         if (!ep.auth_tokens) ep.auth_tokens = [];
-        // Dedupe: skip if a binding for the same param already exists
-        if (ep.auth_tokens.some((b) => b.param_name === binding.param_name)) continue;
-        ep.auth_tokens.push(binding);
+        // Always replace with fresh binding — stale sources from cached merges get overwritten
+        const idx = ep.auth_tokens.findIndex((b) => b.param_name === binding.param_name);
+        if (idx >= 0) {
+          ep.auth_tokens[idx] = binding;
+        } else {
+          ep.auth_tokens.push(binding);
+        }
         enriched++;
       }
     }

package/vendor/kuri/manifest.json

@@ -1,28 +1,25 @@
 {
   "repo_url": "https://github.com/justrach/kuri.git",
   "branch": "adding-extensions",
-  "source_sha": "08eecbe3740f046a46f656eed7ebfc66c1bad9bb",
-  "built_at": "2026-04-05T06:43:57.212Z",
+  "source_sha": "eadfaa5f921f7152e1762aed5ed64b3a4fbefbf3",
+  "built_at": "2026-04-06T02:54:10.305Z",
   "binaries": {
     "darwin-arm64": {
       "zig_target": "aarch64-macos",
-      "sha256": "1553633e722d18059dedffa8a52d55ed6c052e4961fd2753ee0b62be60b241bf"
+      "sha256": "1796501e393403016723c6b69266b834e2db04ba2559f51c84c957bd85c3927b",
+      "source": "prebuilt"
     },
     "darwin-x64": {
       "zig_target": "x86_64-macos",
-      "sha256": "b5eb07e631c6ddad64019c8d0c86c32cb76a74ff0791ac5611a3aa3550767ec8"
+      "sha256": "82db8a0f3596d1f9335785eca8009e257bf379197e725f29aaedd6f9c2456267"
     },
     "linux-arm64": {
       "zig_target": "aarch64-linux",
-      "sha256": "ea88a26f7b335d5842b0c1d83bfa4066bed0a119284560f6bd3833f1d240cce2"
+      "sha256": "8b53f4944274cb8930488ef822b0052f121e824424501863c399f251d827386b"
     },
     "linux-x64": {
       "zig_target": "x86_64-linux",
-      "sha256": "175a7c59e458e952a26974f0fb5c2ce374e56f2c4c352903b481b5aa5a16978f"
-    },
-    "win-x64": {
-      "zig_target": "x86_64-windows",
-      "sha256": "176291ad9827a183ba7322ddb56cc1fa5edc7c214a264ecdf8a1d5d18366d686"
+      "sha256": "ac00c41f2a8c706de9f0dcce1087fcdccb53484303c05f101bb461f7b9dceb48"
     }
   }
 }