unbrowse 3.2.0 → 3.2.2-experiments.128ff09

package/dist/server.js

@@ -76,6 +76,88 @@ function getPackageRoot(metaUrl) {
 var init_paths = () => {};
 
 // ../../src/kuri/client.ts
+var exports_client = {};
+__export(exports_client, {
+  waitForSelector: () => waitForSelector,
+  waitForLoad: () => waitForLoad,
+  waitForCloudflare: () => waitForCloudflare,
+  stop: () => stop,
+  start: () => start,
+  snapshot: () => snapshot,
+  shouldReuseManagedChrome: () => shouldReuseManagedChrome,
+  setViewport: () => setViewport,
+  setUserAgent: () => setUserAgent,
+  setHeaders: () => setHeaders,
+  setCredentials: () => setCredentials,
+  setCookies: () => setCookies,
+  setCookie: () => setCookie,
+  setCdpPortForTests: () => setCdpPortForTests,
+  sessionSave: () => sessionSave,
+  sessionLoad: () => sessionLoad,
+  sessionList: () => sessionList,
+  select: () => select,
+  scrollIntoView: () => scrollIntoView,
+  scroll: () => scroll,
+  scriptInject: () => scriptInject,
+  screenshot: () => screenshot,
+  reuseHealthyBrokerIfPossible: () => reuseHealthyBrokerIfPossible,
+  resolveKuriPort: () => resolveKuriPort,
+  resolveKuriLaunchConfig: () => resolveKuriLaunchConfig,
+  reload: () => reload,
+  press: () => press,
+  newTab: () => newTab,
+  networkEnable: () => networkEnable,
+  navigate: () => navigate,
+  keyboardType: () => keyboardType,
+  keyboardInsertText: () => keyboardInsertText,
+  keyUp: () => keyUp,
+  keyDown: () => keyDown,
+  isReady: () => isReady,
+  interceptStart: () => interceptStart,
+  health: () => health,
+  hasCloudflareChallenge: () => hasCloudflareChallenge,
+  harStop: () => harStop,
+  harStart: () => harStart,
+  goForward: () => goForward,
+  goBack: () => goBack,
+  getText: () => getText,
+  getPort: () => getPort,
+  getPerfLcp: () => getPerfLcp,
+  getPageHtml: () => getPageHtml,
+  getNetworkEvents: () => getNetworkEvents,
+  getMarkdown: () => getMarkdown,
+  getLinks: () => getLinks,
+  getKuriSourceCandidates: () => getKuriSourceCandidates,
+  getKuriErrorMessage: () => getKuriErrorMessage,
+  getKuriClient: () => getKuriClient,
+  getKuriBinaryCandidates: () => getKuriBinaryCandidates,
+  getErrors: () => getErrors,
+  getDefaultTab: () => getDefaultTab,
+  getCurrentUrl: () => getCurrentUrl,
+  getCookies: () => getCookies,
+  getConsole: () => getConsole,
+  getCdpPort: () => getCdpPort,
+  findText: () => findText,
+  findKuriBinary: () => findKuriBinary,
+  fill: () => fill,
+  extractLoadPluginsFromHtml: () => extractLoadPluginsFromHtml,
+  extractLoadPlugins: () => extractLoadPlugins,
+  executeInPageFetch: () => executeInPageFetch,
+  evaluate: () => evaluate,
+  drag: () => drag,
+  domQuery: () => domQuery,
+  domHtml: () => domHtml,
+  domAttributes: () => domAttributes,
+  discoverTabs: () => discoverTabs,
+  closeTab: () => closeTab,
+  click: () => click,
+  bestEffortRehydratePlugins: () => bestEffortRehydratePlugins,
+  authProfileSave: () => authProfileSave,
+  authProfileLoad: () => authProfileLoad,
+  authProfileList: () => authProfileList,
+  authProfileDelete: () => authProfileDelete,
+  action: () => action
+});
 import { execFileSync, spawn } from "node:child_process";
 import { existsSync as existsSync2 } from "node:fs";
 import net from "node:net";
@@ -977,6 +1059,19 @@ async function getPageHtml(tabId, state = defaultBrokerState) {
   const result = await evaluate(tabId, "document.documentElement.outerHTML", state);
   return String(result ?? "");
 }
+function extractLoadPlugins(value) {
+  if (typeof value !== "string")
+    return [];
+  return Array.from(new Set(value.split(/[\s,;]+/).map((part) => part.trim()).filter(Boolean)));
+}
+function extractLoadPluginsFromHtml(html) {
+  const modules = [];
+  const pattern = /data-load-plugins=(["'])(.*?)\1/gi;
+  for (const match of html.matchAll(pattern)) {
+    modules.push(...extractLoadPlugins(match[2]));
+  }
+  return Array.from(new Set(modules));
+}
 async function bestEffortRehydratePlugins(tabId, state = defaultBrokerState) {
   const result = await evaluate(tabId, `(async function() {
     function splitPlugins(value) {
@@ -1118,6 +1213,9 @@ function getPort(state = defaultBrokerState) {
 function getCdpPort() {
   return kuriCdpPort;
 }
+function setCdpPortForTests(port) {
+  kuriCdpPort = port;
+}
 function isReady(state = defaultBrokerState) {
   return state.ready;
 }
@@ -4112,7 +4210,7 @@ function extractEndpoints(requests, wsMessages, context) {
           return "";
         }
       })();
-      const isApiUrl = /\/(api|graphql)\b/i.test(urlPath) || /\.(json)(\?|$)/.test(req.url);
+      const isApiUrl = /\/(api|graphql|youtubei|__ssr_data__)\b/i.test(urlPath) || /\.(json)(\?|$)/.test(req.url);
       let graphqlOpName;
       if (/graphql/i.test(req.url)) {
         if (req.request_body) {
@@ -4201,7 +4299,12 @@ function extractEndpoints(requests, wsMessages, context) {
     const sanitizedQParams = isGet ? sanitizeQueryParams(extractQueryParams(req.url)) : undefined;
     let pathTemplate = sanitizeUrlTemplate(normalized);
     const qBindings = sanitizedQParams ? buildQueryBindingMap(Object.keys(sanitizedQParams)) : {};
-    const qTemplateStr = sanitizedQParams && Object.keys(sanitizedQParams).length > 0 ? Object.keys(sanitizedQParams).map((k) => `${encodeURIComponent(k)}={${qBindings[k] ?? k}}`).join("&") : null;
+    const existingQKeys = new Set;
+    try {
+      for (const k of new URL(pathTemplate).searchParams.keys())
+        existingQKeys.add(k.toLowerCase());
+    } catch {}
+    const qTemplateStr = sanitizedQParams && Object.keys(sanitizedQParams).length > 0 ? Object.keys(sanitizedQParams).filter((k) => !existingQKeys.has(k.toLowerCase())).map((k) => `${encodeURIComponent(k)}={${qBindings[k] ?? k}}`).join("&") || null : null;
     const { url: templatizedPath, pathParams, pathBindingCandidates } = templatizePathSegments(pathTemplate, req.url, context);
     pathTemplate = templatizedPath;
     const parsedRequestBody = !isGet && req.request_body ? tryParseBody(req.request_body) : undefined;
@@ -4217,7 +4320,7 @@ function extractEndpoints(requests, wsMessages, context) {
     let endpoint = {
       endpoint_id: nanoid2(),
       method: req.method,
-      url_template: qTemplateStr ? `${pathTemplate}?${qTemplateStr}` : pathTemplate,
+      url_template: qTemplateStr ? `${pathTemplate}${pathTemplate.includes("?") ? "&" : "?"}${qTemplateStr}` : pathTemplate,
       description: buildEndpointDescription(req, sampleRequest, sampleResponse),
       headers_template: sanitizeHeaders(req.request_headers),
       query: sanitizedQParams,
@@ -4848,7 +4951,7 @@ var init_reverse_engineer = __esm(() => {
   SKIP_HOSTS = /(cloudflare\.com|google-analytics\.com|doubleclick\.net|gstatic\.com|accounts\.google\.com|login\.microsoftonline\.com|auth0\.com|cognito-idp\.|appleid\.apple\.com|github\.com\/login|facebook\.com\/login|protechts\.net|demdex\.net|litms|platform-telemetry|datadoghq\.com|fullstory\.com|launchdarkly\.com|intercom\.io|privy\.io|mypinata\.cloud|sentry\.io|segment\.io|amplitude\.com|mixpanel\.com|hotjar\.com|clarity\.ms|googletagmanager\.com|walletconnect\.com|imagedelivery\.net|cloudflareinsights\.com)/i;
   SKIP_TELEMETRY_HOSTS = /(waa-pa\.|signaler-pa\.|appsgrowthpromo-pa\.|ogads-pa\.|peoplestackwebexperiments-pa\.)/i;
   SKIP_TELEMETRY_PATHS = /\/(log|logging|telemetry|analytics|beacon|ping|heartbeat|metrics)(\/|$)/i;
-  RPC_HINTS = /(\/$rpc\/|\/rpc\/|graphql|trending|search|feed|results|batchexecute|\/api\/)/i;
+  RPC_HINTS = /(\/$rpc\/|\/rpc\/|graphql|trending|search|feed|results|batchexecute|\/api\/|youtubei|__ssr_data__)/i;
   ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "PATCH", "DELETE"]);
   STRIP_HEADERS = new Set([
     "cookie",
@@ -4926,7 +5029,180 @@ var init_reverse_engineer = __esm(() => {
     "adsize",
     "lineitemid"
   ]);
-  ON_DOMAIN_NOISE = /\/(recaptcha|captcha|update-recaptcha|csrf|consent|data-protection|badge|drawer|header-action|geolocation|onboarding|wana\/bids|prebid|bids\/request|ads\/|pixel|beacon|collect|impression|click-tracking|heartbeat|webConfig|config\.json|manifest\.json|service-worker|sw\.js|favicon|robots\.txt|sitemap|opensearch|partial\/[a-zA-Z]+\/mod-|logging|csp-report|gen_204|generate_204|sodar|__|devvit-|user-drawer|action-item)/i;
+  ON_DOMAIN_NOISE = /\/(recaptcha|captcha|update-recaptcha|csrf|consent|data-protection|badge|drawer|header-action|geolocation|onboarding|wana\/bids|prebid|bids\/request|ads\/|pixel|beacon|collect|impression|click-tracking|heartbeat|webConfig|config\.json|manifest\.json|service-worker|sw\.js|favicon|robots\.txt|sitemap|opensearch|partial\/[a-zA-Z]+\/mod-|logging|csp-report|gen_204|generate_204|sodar|__webpack|__next|devvit-|user-drawer|action-item)/i;
+});
+
+// ../../src/vault/index.ts
+var exports_vault = {};
+__export(exports_vault, {
+  storeCredential: () => storeCredential,
+  setKeytarClientForTests: () => setKeytarClientForTests,
+  resetKeytarClientForTests: () => resetKeytarClientForTests,
+  normalizeKeytarModule: () => normalizeKeytarModule,
+  getCredential: () => getCredential,
+  deleteCredential: () => deleteCredential
+});
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync, writeFileSync as writeFileSync2 } from "fs";
+import { join as join2 } from "path";
+import { homedir } from "os";
+function normalizeKeytarModule(mod) {
+  let candidate = mod;
+  for (let depth = 0;depth < 3; depth++) {
+    if (!candidate || typeof candidate !== "object" || !("default" in candidate))
+      break;
+    candidate = candidate.default;
+  }
+  if (!candidate)
+    return null;
+  if (typeof candidate.setPassword === "function" && typeof candidate.getPassword === "function" && typeof candidate.deletePassword === "function") {
+    return candidate;
+  }
+  return null;
+}
+function isKeytarBindingError(error) {
+  const message = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
+  return KEYTAR_BINDING_ERROR_RE.test(message);
+}
+function disableKeytar(error) {
+  keytar = null;
+  if (keytarFallbackLogged)
+    return;
+  const summary = error instanceof Error ? error.message : String(error);
+  log("vault", `keytar runtime unavailable (${summary}); using encrypted file fallback`);
+  keytarFallbackLogged = true;
+}
+async function callKeytar(op) {
+  if (!keytar)
+    return KEYTAR_UNAVAILABLE;
+  try {
+    return await op(keytar);
+  } catch (error) {
+    if (!isKeytarBindingError(error))
+      throw error;
+    disableKeytar(error);
+    return KEYTAR_UNAVAILABLE;
+  }
+}
+function setKeytarClientForTests(client) {
+  keytar = client;
+  keytarFallbackLogged = false;
+}
+function resetKeytarClientForTests() {
+  keytar = importedKeytar;
+  keytarFallbackLogged = false;
+}
+function getOrCreateKey() {
+  if (!existsSync3(VAULT_DIR))
+    mkdirSync3(VAULT_DIR, { recursive: true, mode: 448 });
+  if (existsSync3(KEY_FILE))
+    return readFileSync(KEY_FILE);
+  const key = randomBytes(32);
+  writeFileSync2(KEY_FILE, key, { mode: 384 });
+  return key;
+}
+function withVaultLock(fn) {
+  const prev = vaultLock;
+  let release;
+  vaultLock = new Promise((r) => {
+    release = r;
+  });
+  return prev.then(fn).finally(() => release());
+}
+function readVaultFile() {
+  if (!existsSync3(VAULT_FILE))
+    return {};
+  try {
+    const key = getOrCreateKey();
+    const raw = readFileSync(VAULT_FILE);
+    const iv = raw.subarray(0, 16);
+    const enc = raw.subarray(16);
+    const decipher = createDecipheriv("aes-256-cbc", key, iv);
+    const dec = Buffer.concat([decipher.update(enc), decipher.final()]);
+    return JSON.parse(dec.toString("utf8"));
+  } catch {
+    return {};
+  }
+}
+function writeVaultFile(data) {
+  const key = getOrCreateKey();
+  const iv = randomBytes(16);
+  const cipher = createCipheriv("aes-256-cbc", key, iv);
+  const enc = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
+  writeFileSync2(VAULT_FILE, Buffer.concat([iv, enc]), { mode: 384 });
+}
+async function storeCredential(account, value, opts) {
+  const wrapped = {
+    value,
+    stored_at: new Date().toISOString(),
+    expires_at: opts?.expires_at,
+    max_age_ms: opts?.max_age_ms
+  };
+  const serialized = JSON.stringify(wrapped);
+  const keytarResult = await callKeytar((client) => client.setPassword(SERVICE, account, serialized));
+  if (keytarResult !== KEYTAR_UNAVAILABLE)
+    return;
+  await withVaultLock(() => {
+    const data = readVaultFile();
+    data[account] = serialized;
+    writeVaultFile(data);
+  });
+}
+function isExpired(cred) {
+  if (cred.expires_at) {
+    return new Date(cred.expires_at).getTime() <= Date.now();
+  }
+  if (cred.max_age_ms) {
+    return new Date(cred.stored_at).getTime() + cred.max_age_ms <= Date.now();
+  }
+  return false;
+}
+async function getCredential(account) {
+  let raw;
+  const keytarResult = await callKeytar((client) => client.getPassword(SERVICE, account));
+  if (keytarResult !== KEYTAR_UNAVAILABLE) {
+    raw = keytarResult;
+  } else {
+    const data = readVaultFile();
+    raw = data[account] ?? null;
+  }
+  if (!raw)
+    return null;
+  try {
+    const parsed = JSON.parse(raw);
+    if (parsed.value && parsed.stored_at) {
+      if (isExpired(parsed)) {
+        await deleteCredential(account);
+        return null;
+      }
+      return parsed.value;
+    }
+  } catch {}
+  return raw;
+}
+async function deleteCredential(account) {
+  const keytarResult = await callKeytar((client) => client.deletePassword(SERVICE, account));
+  if (keytarResult !== KEYTAR_UNAVAILABLE)
+    return;
+  await withVaultLock(() => {
+    const data = readVaultFile();
+    delete data[account];
+    writeVaultFile(data);
+  });
+}
+var KEYTAR_UNAVAILABLE, KEYTAR_BINDING_ERROR_RE, keytar = null, importedKeytar, keytarFallbackLogged = false, SERVICE = "unbrowse", VAULT_DIR, VAULT_FILE, KEY_FILE, vaultLock;
+var init_vault = __esm(async () => {
+  init_logger();
+  KEYTAR_UNAVAILABLE = Symbol("KEYTAR_UNAVAILABLE");
+  KEYTAR_BINDING_ERROR_RE = /(keytar(?:\.node)?|native bindings?|bindings file|no native build was found|could not locate the bindings file|module did not self-register|err_dlopen_failed|dlopen\(|compiled against a different node\.js version|cannot find module .*keytar|wasm is not supported on this platform|(set|get|delete)password is not a function)/i;
+  try {
+    keytar = normalizeKeytarModule(await import("keytar"));
+  } catch {}
+  importedKeytar = keytar;
+  VAULT_DIR = join2(homedir(), ".unbrowse", "vault");
+  VAULT_FILE = join2(VAULT_DIR, "credentials.enc");
+  KEY_FILE = join2(VAULT_DIR, ".key");
+  vaultLock = Promise.resolve();
 });
 
 // ../../src/runtime/browser-access.ts
@@ -5379,7 +5655,12 @@ function normalizeCapturedUrl(url, baseUrl) {
   if (!url)
     return url;
   try {
-    return new URL(url).toString();
+    const parsed = new URL(url);
+    if (baseUrl && (parsed.hostname === "127.0.0.1" || parsed.hostname === "localhost")) {
+      const pageOrigin = new URL(baseUrl).origin;
+      return `${pageOrigin}${parsed.pathname}${parsed.search}`;
+    }
+    return parsed.toString();
   } catch {
     if (!baseUrl)
       return url;
@@ -5780,7 +6061,76 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
         log("capture", "scriptInject unavailable — falling back to evaluate injection");
       }
     }
-    await phase("harStart", () => harStart(tabId));
+    try {
+      await phase("harStart", () => harStart(tabId));
+    } catch {}
+    const cdpNetworkEntries = [];
+    const cdpRequestMap = new Map;
+    const cdpResponseMeta = new Map;
+    const cdpFinishedRequests = new Set;
+    let cdpWs = null;
+    let cdpMsgId = 10;
+    const cdpPendingBodies = new Map;
+    const cdpResolvedBodies = new Map;
+    const API_URL_PATTERN = /\/api\/|\/graphql|voyager|youtubei|\/v\d+\//i;
+    try {
+      const cdpPort = getCdpPort();
+      if (cdpPort) {
+        const tabsResp = await fetch(`http://127.0.0.1:${cdpPort}/json`);
+        const tabs = await tabsResp.json();
+        const cdpTab = tabs.find((t) => t.id === tabId) ?? tabs.find((t) => t.type === "page");
+        if (cdpTab?.webSocketDebuggerUrl) {
+          cdpWs = new WebSocket(cdpTab.webSocketDebuggerUrl);
+          await new Promise((resolve, reject) => {
+            cdpWs.onopen = () => resolve();
+            cdpWs.onerror = () => reject(new Error("CDP WS failed"));
+            setTimeout(() => reject(new Error("CDP WS timeout")), 3000);
+          });
+          cdpWs.onmessage = (ev) => {
+            try {
+              const msg = JSON.parse(String(ev.data));
+              if (msg.method === "Network.requestWillBeSent") {
+                const p = msg.params;
+                const reqHeaders = Object.entries(p.request?.headers ?? {}).map(([name, value]) => ({ name, value: String(value) }));
+                cdpRequestMap.set(p.requestId, {
+                  method: p.request?.method ?? "GET",
+                  url: p.request?.url ?? "",
+                  headers: reqHeaders,
+                  postData: p.request?.postData
+                });
+              } else if (msg.method === "Network.responseReceived") {
+                const p = msg.params;
+                const respHeaders = Object.entries(p.response?.headers ?? {}).map(([name, value]) => ({ name, value: String(value) }));
+                cdpResponseMeta.set(p.requestId, {
+                  status: p.response?.status ?? 0,
+                  headers: respHeaders,
+                  mimeType: p.response?.mimeType ?? ""
+                });
+              } else if (msg.method === "Network.loadingFinished") {
+                const requestId = msg.params?.requestId;
+                cdpFinishedRequests.add(requestId);
+                const req = cdpRequestMap.get(requestId);
+                const resp = cdpResponseMeta.get(requestId);
+                if (req && resp && API_URL_PATTERN.test(req.url) && (resp.mimeType.includes("json") || resp.mimeType.includes("text"))) {
+                  const id = ++cdpMsgId;
+                  cdpPendingBodies.set(id, req.url);
+                  cdpWs.send(JSON.stringify({ id, method: "Network.getResponseBody", params: { requestId } }));
+                }
+              } else if (msg.id && cdpPendingBodies.has(msg.id)) {
+                const reqUrl = cdpPendingBodies.get(msg.id);
+                cdpPendingBodies.delete(msg.id);
+                if (msg.result?.body) {
+                  cdpResolvedBodies.set(reqUrl, msg.result.body);
+                }
+              }
+            } catch {}
+          };
+          cdpWs.send(JSON.stringify({ id: 1, method: "Network.enable", params: {} }));
+          await new Promise((r) => setTimeout(r, 200));
+          log("capture", "CDP network capture enabled (direct websocket)");
+        }
+      }
+    } catch {}
     let pageDomain;
     try {
       pageDomain = getRegistrableDomain(new URL(url).hostname);
@@ -5834,11 +6184,85 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
       const perfEntries = await phase("evaluate:perf", () => collectPerformanceResourceEntries(tabId));
       performanceUrls = await phase("replay-fetch", () => replayPerformanceApiResponses(tabId, perfEntries, responseBodies, url, intent));
     } catch {}
+    if (cdpRequestMap.size > 0) {
+      try {
+        const cdpRawReqs = [...cdpRequestMap.values()].map((r) => ({
+          url: r.url,
+          method: r.method,
+          request_headers: Object.fromEntries(r.headers.map((h) => [h.name.toLowerCase(), h.value])),
+          response_status: 200,
+          response_headers: {},
+          response_body: undefined,
+          timestamp: ""
+        }));
+        const authHeaders2 = extractAuthHeaders(cdpRawReqs);
+        if (Object.keys(authHeaders2).length > 0) {
+          const rawKey = `${domain}-session`;
+          const { getCredential: getCredential2 } = await init_vault().then(() => exports_vault);
+          let existing = {};
+          try {
+            const stored = await getCredential2(rawKey);
+            if (stored)
+              existing = JSON.parse(stored);
+          } catch {}
+          if (!existing.cookies || existing.cookies.length === 0) {
+            try {
+              const loginKey = `auth:${getRegistrableDomain(domain)}`;
+              const loginStored = await getCredential2(loginKey);
+              if (loginStored) {
+                const loginData = JSON.parse(loginStored);
+                if (loginData.cookies?.length)
+                  existing.cookies = loginData.cookies;
+              }
+            } catch {}
+          }
+          await storeCredential(rawKey, JSON.stringify({
+            ...existing,
+            headers: { ...existing.headers ?? {}, ...authHeaders2 }
+          }));
+          log("capture", `early auth store: ${Object.keys(authHeaders2).join(", ")} for ${domain}`);
+        }
+      } catch (e) {
+        log("capture", `early auth store failed: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
     let harEntries = [];
     try {
-      const harResult = await phase("harStop", () => harStop(tabId));
-      harEntries = harResult.entries;
+      const harPromise = harStop(tabId);
+      const timeoutPromise = new Promise((resolve) => setTimeout(() => resolve({ entries: [] }), 5000));
+      const harResult = await Promise.race([harPromise, timeoutPromise]);
+      harEntries = harResult.entries ?? [];
     } catch {}
+    if (cdpPendingBodies.size > 0) {
+      await new Promise((r) => setTimeout(r, 1500));
+    }
+    if (cdpWs) {
+      try {
+        cdpWs.close();
+      } catch {}
+    }
+    const harUrls = new Set(harEntries.map((e) => e.request?.url).filter(Boolean));
+    let cdpAdded = 0;
+    for (const [requestId, req] of cdpRequestMap) {
+      if (harUrls.has(req.url))
+        continue;
+      const resp = cdpResponseMeta.get(requestId);
+      if (!resp)
+        continue;
+      const body = cdpResolvedBodies.get(req.url);
+      harEntries.push({
+        startedDateTime: new Date().toISOString(),
+        request: { method: req.method, url: req.url, headers: req.headers, postData: req.postData ? { text: req.postData } : undefined },
+        response: { status: resp.status, headers: resp.headers, content: body ? { text: body, mimeType: resp.mimeType } : {} }
+      });
+      if (body && body.length > 0 && !responseBodies.has(req.url)) {
+        responseBodies.set(req.url, body);
+      }
+      cdpAdded++;
+    }
+    if (cdpAdded > 0) {
+      log("capture", `CDP direct capture added ${cdpAdded} entries (${cdpResolvedBodies.size} with bodies, ${harEntries.length} total HAR)`);
+    }
     const HAR_REPLAY_CT2 = /application\/json|text\/plain|\+json/i;
     let harReplayCount = 0;
     for (const entry of harEntries) {
@@ -5854,7 +6278,7 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
       if (status < 200 || status >= 400)
         continue;
       const ct = (entry.response?.headers ?? []).find((h) => h.name.toLowerCase() === "content-type")?.value ?? "";
-      if (!HAR_REPLAY_CT2.test(ct) && !harUrl.includes("/api/") && !harUrl.includes("_search") && !harUrl.includes("graphql"))
+      if (!HAR_REPLAY_CT2.test(ct) && !harUrl.includes("/api/") && !harUrl.includes("_search") && !harUrl.includes("graphql") && !harUrl.includes("youtubei"))
         continue;
       if (harReplayCount >= 20)
         break;
@@ -5862,7 +6286,7 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
         const postData = method !== "GET" ? entry.request?.postData?.text : undefined;
         const replayScript = method === "GET" || !postData ? `(function(){var x=new XMLHttpRequest();x.open('GET','${harUrl.replace(/'/g, "\\'")}',false);x.send();return x.status>=200&&x.status<400?x.responseText:''})()` : `(function(){var x=new XMLHttpRequest();x.open('${method}','${harUrl.replace(/'/g, "\\'")}',false);x.setRequestHeader('Content-Type','application/json');x.send(${JSON.stringify(postData)});return x.status>=200&&x.status<400?x.responseText:''})()`;
         const body = await phase("har-replay", () => evaluate(tabId, replayScript));
-        if (typeof body === "string" && body.length > 0 && body.length < 512 * 1024) {
+        if (typeof body === "string" && body.length > 0 && body.length < 524288) {
           responseBodies.set(harUrl, body);
           harReplayCount++;
           log("capture", `har-replay-fetched ${harUrl.substring(0, 80)} (${body.length}B)`);
@@ -5889,6 +6313,77 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
       }
       html = await phase("getPageHtml", () => getPageHtml(tabId));
     } catch {}
+    const SSR_DATA_EXTRACTORS = [
+      { name: "ytmusic", script: `(function(){try{var d=ytcfg.get('YTMUSIC_INITIAL_DATA');if(!d||!d.length)return null;var out={};d.forEach(function(x){if(x.path&&x.data)out[x.path]=x.data});out.__apiKey=ytcfg.get('INNERTUBE_API_KEY')||'';out.__context=ytcfg.get('INNERTUBE_CONTEXT')||null;return JSON.stringify(out)}catch(e){return null}})()` },
+      { name: "youtube", script: `(function(){try{return typeof ytInitialData!=='undefined'?JSON.stringify(ytInitialData):null}catch(e){return null}})()` },
+      { name: "nextjs", script: `(function(){try{return window.__NEXT_DATA__?JSON.stringify(window.__NEXT_DATA__):null}catch(e){return null}})()` },
+      { name: "nuxt", script: `(function(){try{return window.__NUXT__?JSON.stringify(window.__NUXT__):null}catch(e){return null}})()` }
+    ];
+    let embeddedDataCount = 0;
+    for (const extractor of SSR_DATA_EXTRACTORS) {
+      try {
+        const raw = await phase(`ssr:${extractor.name}`, () => evaluate(tabId, extractor.script));
+        if (typeof raw !== "string" || !raw || raw === "null")
+          continue;
+        if (extractor.name === "ytmusic") {
+          const parsed = JSON.parse(raw);
+          const apiKey = parsed.__apiKey || "";
+          const innertubeContext = parsed.__context;
+          delete parsed.__apiKey;
+          delete parsed.__context;
+          for (const [path4, data] of Object.entries(parsed)) {
+            if (!data || typeof data !== "object")
+              continue;
+            const cleaned = { ...data };
+            delete cleaned.responseContext;
+            delete cleaned.trackingParams;
+            delete cleaned.header;
+            delete cleaned.background;
+            let bodyStr = JSON.stringify(cleaned);
+            if (bodyStr.length > 1e4) {
+              bodyStr = bodyStr.substring(0, 1e4) + '"}]}';
+              try {
+                JSON.parse(bodyStr);
+              } catch {
+                bodyStr = JSON.stringify(cleaned).substring(0, 1e4);
+              }
+            }
+            if (bodyStr.length < 100)
+              continue;
+            const origin = new URL(url).origin;
+            const contextParams = new URL(url).searchParams;
+            const keyParam = apiKey ? `key=${apiKey}&` : "";
+            const queryStr = path4.includes("search") && contextParams.toString() ? `?${keyParam}${contextParams.toString()}&prettyPrint=false` : `?${keyParam}prettyPrint=false`;
+            const syntheticUrl = `${origin}/youtubei/v1${path4}${queryStr}`;
+            responseBodies.set(syntheticUrl, bodyStr);
+            const queryValue = contextParams.get("q") ?? "";
+            const postBody = path4.includes("search") && innertubeContext ? JSON.stringify({ context: innertubeContext, query: queryValue }) : path4.includes("browse") && innertubeContext ? JSON.stringify({ context: innertubeContext, browseId: "FEmusic_liked_videos" }) : JSON.stringify({ context: innertubeContext ?? {} });
+            harEntries.push({
+              startedDateTime: new Date().toISOString(),
+              request: { method: "POST", url: syntheticUrl, headers: [{ name: "content-type", value: "application/json" }], postData: { text: postBody } },
+              response: { status: 200, headers: [{ name: "content-type", value: "application/json" }], content: { text: bodyStr, mimeType: "application/json" } }
+            });
+            embeddedDataCount++;
+            log("capture", `ssr:${extractor.name} extracted ${path4} (${bodyStr.length}B)`);
+          }
+        } else {
+          if (raw.length < 100)
+            continue;
+          const syntheticUrl = `${new URL(url).origin}/__ssr_data__/${extractor.name}`;
+          responseBodies.set(syntheticUrl, raw);
+          harEntries.push({
+            startedDateTime: new Date().toISOString(),
+            request: { method: "GET", url: syntheticUrl, headers: [] },
+            response: { status: 200, headers: [{ name: "content-type", value: "application/json" }], content: { text: raw, mimeType: "application/json" } }
+          });
+          embeddedDataCount++;
+          log("capture", `ssr:${extractor.name} extracted (${raw.length}B)`);
+        }
+      } catch {}
+    }
+    if (embeddedDataCount > 0) {
+      log("capture", `embedded SSR data: ${embeddedDataCount} synthetic endpoints injected`);
+    }
     const requests = mergePassiveCaptureData(intercepted, harEntries, extensionEntries, responseBodies, performanceUrls);
     log("capture", `tracked ${harEntries.length} HAR, ${intercepted.length} intercepted, ${extensionEntries.length} extension, ${responseBodies.size} bodies → ${requests.length} merged`);
     const rawCookies = await phase("extractCookies", () => extractCookiesFromPage(tabId, url));
@@ -6287,7 +6782,8 @@ var MAX_CONCURRENT_TABS = 3, activeTabs = 0, waitQueue, activeTabRegistry, inter
       var isData = ct.indexOf('json') !== -1 || ct.indexOf('application/x-protobuf') !== -1 ||
                    ct.indexOf('text/plain') !== -1 ||
                    url.indexOf('batchexecute') !== -1 || url.indexOf('/api/') !== -1 ||
-                   url.indexOf('graphql') !== -1 || url.indexOf('voyager') !== -1;
+                   url.indexOf('graphql') !== -1 || url.indexOf('voyager') !== -1 ||
+                   url.indexOf('youtubei') !== -1;
       if (!isJs && !isData) return response;
       if (/\\.(css|woff2?|png|jpg|svg|ico)(\\?|$)/.test(url)) return response;
       var clone = response.clone();
@@ -6337,7 +6833,8 @@ var MAX_CONCURRENT_TABS = 3, activeTabs = 0, waitQueue, activeTabRegistry, inter
       var isData = ct.indexOf('json') !== -1 || ct.indexOf('application/x-protobuf') !== -1 ||
                    ct.indexOf('text/plain') !== -1 ||
                    url.indexOf('batchexecute') !== -1 || url.indexOf('/api/') !== -1 ||
-                   url.indexOf('graphql') !== -1 || url.indexOf('voyager') !== -1;
+                   url.indexOf('graphql') !== -1 || url.indexOf('voyager') !== -1 ||
+                   url.indexOf('youtubei') !== -1;
       if (!isJs && !isData) return;
       if (/\\.(css|woff2?|png|jpg|svg|ico)(\\?|$)/.test(url)) return;
       var respBody = xhr.responseText || '';
@@ -6359,11 +6856,13 @@ var MAX_CONCURRENT_TABS = 3, activeTabs = 0, waitQueue, activeTabRegistry, inter
     return origSend.apply(this, arguments);
   };
 })()`, REPLAY_SKIP, HAR_REPLAY_CT;
-var init_capture = __esm(() => {
+var init_capture = __esm(async () => {
   init_client();
   init_domain();
   init_logger();
+  init_reverse_engineer();
   init_browser_access();
+  await init_vault();
   waitQueue = [];
   activeTabRegistry = new Set;
   interceptorInjectedTabs = new Set;
@@ -6380,17 +6879,17 @@ var init_capture = __esm(() => {
 });
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.2.0", BUILD_GIT_SHA = "c3fc3f822751", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjAiLCJnaXRfc2hhIjoiYzNmYzNmODIyNzUxIiwiY29kZV9oYXNoIjoiMTQ4OGZjMWQ5MmI3IiwidHJhY2VfdmVyc2lvbiI6IjE0ODhmYzFkOTJiN0BjM2ZjM2Y4MjI3NTEiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTA2VDA1OjA2OjAxLjIwMFoifQ", BUILD_RELEASE_MANIFEST_SIGNATURE = "xCBEHEB2UsniVYLfzuTpoXlcomZHL2pXht-7Ii1e7mM", BUILD_DEFAULT_BACKEND_URL = "https://beta-api.unbrowse.ai";
+var BUILD_RELEASE_VERSION = "3.2.2-experiments.128ff09", BUILD_GIT_SHA = "128ff09f51b3", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjItZXhwZXJpbWVudHMuMTI4ZmYwOSIsImdpdF9zaGEiOiIxMjhmZjA5ZjUxYjMiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDEyOGZmMDlmNTFiMyIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMTE6NTk6NDYuOTQyWiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "M80x5zV9aWn-teZrpEFDyzwSU53Hwfj6rf19dl9m-jM", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 
 // ../../src/version.ts
 import { createHash } from "crypto";
-import { existsSync as existsSync3, readFileSync, readdirSync } from "fs";
-import { dirname, join as join2, parse } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync2, readdirSync } from "fs";
+import { dirname, join as join3, parse } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function collectTsFiles(dir) {
   const results = [];
   for (const entry of readdirSync(dir, { withFileTypes: true })) {
-    const full = join2(dir, entry.name);
+    const full = join3(dir, entry.name);
     if (entry.isDirectory() && entry.name !== "node_modules") {
       results.push(...collectTsFiles(full));
     } else if (entry.name.endsWith(".ts")) {
@@ -6403,21 +6902,21 @@ function hashFiles(srcDir, files) {
   const hash = createHash("sha256");
   for (const file of files) {
     hash.update(file.slice(srcDir.length));
-    hash.update(readFileSync(file, "utf-8"));
+    hash.update(readFileSync2(file, "utf-8"));
   }
   return hash.digest("hex").slice(0, 12);
 }
 function resolveCodeHashSourceDir(moduleDir) {
   const candidates = [
     moduleDir,
-    join2(moduleDir, "runtime-src"),
-    join2(moduleDir, "..", "runtime-src"),
-    join2(moduleDir, "src"),
-    join2(moduleDir, "..", "src")
+    join3(moduleDir, "runtime-src"),
+    join3(moduleDir, "..", "runtime-src"),
+    join3(moduleDir, "src"),
+    join3(moduleDir, "..", "src")
   ];
   for (const candidate of candidates) {
     try {
-      if (!existsSync3(candidate))
+      if (!existsSync4(candidate))
         continue;
       const files = collectTsFiles(candidate);
       if (files.length > 0)
@@ -6467,7 +6966,7 @@ function getPackageVersionForModuleDir(moduleDir) {
   const root = parse(dir).root;
   while (true) {
     try {
-      const pkg = JSON.parse(readFileSync(join2(dir, "package.json"), "utf-8"));
+      const pkg = JSON.parse(readFileSync2(join3(dir, "package.json"), "utf-8"));
       return typeof pkg.version === "string" ? pkg.version : "unknown";
     } catch {}
     if (dir === root)
@@ -6571,18 +7070,18 @@ async function ensureCascadeSplitForSkill(skill, deps = {}) {
 var init_cascade = () => {};
 
 // ../../src/payments/wallet.ts
-import { existsSync as existsSync4, readFileSync as readFileSync2 } from "node:fs";
-import { homedir } from "node:os";
-import { join as join3 } from "node:path";
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { join as join4 } from "node:path";
 function asNonEmptyString(value) {
   return typeof value === "string" && value.trim() ? value.trim() : undefined;
 }
 function getLobsterWalletFromLocalConfig() {
-  const agentsPath = join3(process.env.HOME || homedir(), ".lobster", "agents.json");
-  if (!existsSync4(agentsPath))
+  const agentsPath = join4(process.env.HOME || homedir2(), ".lobster", "agents.json");
+  if (!existsSync5(agentsPath))
     return;
   try {
-    const raw = JSON.parse(readFileSync2(agentsPath, "utf8"));
+    const raw = JSON.parse(readFileSync3(agentsPath, "utf8"));
     const activeAgentId = asNonEmptyString(raw.activeAgentId);
     const activeAgent = Array.isArray(raw.agents) ? raw.agents.find((agent) => asNonEmptyString(agent.id) === activeAgentId) : activeAgentId ? raw.agents?.[activeAgentId] : undefined;
     return asNonEmptyString(activeAgent?.authorizedWallets?.solana) ?? asNonEmptyString(activeAgent?.walletAddress) ?? asNonEmptyString(activeAgent?.wallet_address);
@@ -6733,9 +7232,9 @@ __export(exports_lobster_pay, {
   isLobsterAvailable: () => isLobsterAvailable
 });
 import { execFile, execFileSync as execFileSync2 } from "node:child_process";
-import { existsSync as existsSync5 } from "node:fs";
-import { homedir as homedir2 } from "node:os";
-import { join as join4 } from "node:path";
+import { existsSync as existsSync6 } from "node:fs";
+import { homedir as homedir3 } from "node:os";
+import { join as join5 } from "node:path";
 function getLobsterCommand() {
   try {
     execFileSync2("lobstercash", ["--version"], { stdio: "ignore", timeout: 3000 });
@@ -6743,8 +7242,8 @@ function getLobsterCommand() {
   } catch (_e) {}
   try {
     const npmPrefix = execFileSync2("npm", ["config", "get", "prefix"], { encoding: "utf8", timeout: 5000 }).trim();
-    const lobsterPath = join4(npmPrefix, "bin", "lobstercash");
-    if (existsSync5(lobsterPath)) {
+    const lobsterPath = join5(npmPrefix, "bin", "lobstercash");
+    if (existsSync6(lobsterPath)) {
       execFileSync2(lobsterPath, ["--version"], { stdio: "ignore", timeout: 3000 });
       return { cmd: lobsterPath, prefix: [] };
     }
@@ -6757,8 +7256,8 @@ function lobsterCmd() {
   return cachedCommand;
 }
 function isLobsterAvailable() {
-  const agentsPath = join4(process.env.HOME || homedir2(), ".lobster", "agents.json");
-  return existsSync5(agentsPath);
+  const agentsPath = join5(process.env.HOME || homedir3(), ".lobster", "agents.json");
+  return existsSync6(agentsPath);
 }
 function lobsterX402Fetch(url, options) {
   return new Promise((resolve) => {
@@ -6890,10 +7389,10 @@ __export(exports_client2, {
   buildDefaultAgentName: () => buildDefaultAgentName,
   autoFileIssue: () => autoFileIssue
 });
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readdirSync as readdirSync2 } from "fs";
-import { join as join5 } from "path";
-import { homedir as homedir3, hostname, release as osRelease } from "os";
-import { randomBytes, createHash as createHash3 } from "crypto";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readdirSync as readdirSync2 } from "fs";
+import { join as join6 } from "path";
+import { homedir as homedir4, hostname, release as osRelease } from "os";
+import { randomBytes as randomBytes2, createHash as createHash3 } from "crypto";
 import { createInterface } from "readline";
 function buildReleaseAttestationHeaders(manifestBase64, signature) {
   const manifest = manifestBase64.trim();
@@ -6927,18 +7426,18 @@ function scopedSkillKey(skillId, scopeId) {
   return scopeId ? `${scopeId}:${skillId}` : skillId;
 }
 function getSkillCacheDir() {
-  return process.env.UNBROWSE_SKILL_CACHE_DIR || join5(getConfigDir(), "skill-cache");
+  return process.env.UNBROWSE_SKILL_CACHE_DIR || join6(getConfigDir(), "skill-cache");
 }
 function getConfigDir() {
   if (process.env.UNBROWSE_CONFIG_DIR)
     return process.env.UNBROWSE_CONFIG_DIR;
-  return PROFILE_NAME ? join5(homedir3(), ".unbrowse", "profiles", PROFILE_NAME) : join5(homedir3(), ".unbrowse");
+  return PROFILE_NAME ? join6(homedir4(), ".unbrowse", "profiles", PROFILE_NAME) : join6(homedir4(), ".unbrowse");
 }
 function getConfigPath() {
-  return join5(getConfigDir(), "config.json");
+  return join6(getConfigDir(), "config.json");
 }
 function getInstallTelemetryPath() {
-  return join5(getConfigDir(), "install-state.json");
+  return join6(getConfigDir(), "install-state.json");
 }
 function getLandingToken() {
   const token = process.env.UNBROWSE_LANDING_TOKEN?.trim();
@@ -6956,8 +7455,8 @@ function isLocalOnlyMode() {
 function loadConfig() {
   try {
     const configPath = getConfigPath();
-    if (existsSync6(configPath)) {
-      return JSON.parse(readFileSync3(configPath, "utf-8"));
+    if (existsSync7(configPath)) {
+      return JSON.parse(readFileSync4(configPath, "utf-8"));
     }
   } catch {}
   return null;
@@ -6965,15 +7464,15 @@ function loadConfig() {
 function saveConfig(config) {
   const configDir = getConfigDir();
   const configPath = getConfigPath();
-  if (!existsSync6(configDir))
-    mkdirSync3(configDir, { recursive: true });
-  writeFileSync2(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+  if (!existsSync7(configDir))
+    mkdirSync4(configDir, { recursive: true });
+  writeFileSync3(configPath, JSON.stringify(config, null, 2), { mode: 384 });
 }
 function loadInstallTelemetryState() {
   try {
     const statePath = getInstallTelemetryPath();
-    if (existsSync6(statePath)) {
-      return JSON.parse(readFileSync3(statePath, "utf-8"));
+    if (existsSync7(statePath)) {
+      return JSON.parse(readFileSync4(statePath, "utf-8"));
     }
   } catch {}
   return null;
@@ -6981,13 +7480,13 @@ function loadInstallTelemetryState() {
 function saveInstallTelemetryState(state) {
   const configDir = getConfigDir();
   const statePath = getInstallTelemetryPath();
-  if (!existsSync6(configDir))
-    mkdirSync3(configDir, { recursive: true });
-  writeFileSync2(statePath, JSON.stringify(state, null, 2), { mode: 384 });
+  if (!existsSync7(configDir))
+    mkdirSync4(configDir, { recursive: true });
+  writeFileSync3(statePath, JSON.stringify(state, null, 2), { mode: 384 });
 }
 function createInstallTelemetryState() {
   return {
-    install_id: `install_${randomBytes(8).toString("hex")}`,
+    install_id: `install_${randomBytes2(8).toString("hex")}`,
     first_seen_at: new Date().toISOString()
   };
 }
@@ -7127,7 +7626,7 @@ function isValidAgentEmail(value) {
   return EMAIL_RE.test(normalizeAgentEmail(value));
 }
 function buildDefaultAgentName() {
-  return `${hostname()}-${randomBytes(3).toString("hex")}`;
+  return `${hostname()}-${randomBytes2(3).toString("hex")}`;
 }
 function resolveAgentName(preferredEmail, fallbackName) {
   const normalized = normalizeAgentEmail(preferredEmail ?? "");
@@ -7482,11 +7981,11 @@ async function waitForBackgroundRegistration(timeoutMs = 0) {
   ]);
 }
 function skillCachePath(skillId) {
-  return join5(getSkillCacheDir(), `${skillId}.json`);
+  return join6(getSkillCacheDir(), `${skillId}.json`);
 }
 function readSkillCache(skillId) {
   try {
-    const raw = readFileSync3(skillCachePath(skillId), "utf-8");
+    const raw = readFileSync4(skillCachePath(skillId), "utf-8");
     return JSON.parse(raw);
   } catch {
     return null;
@@ -7496,8 +7995,8 @@ function writeSkillCache(skill, scopeId) {
   try {
     recentLocalSkills.set(scopedSkillKey(skill.skill_id, scopeId), skill);
     const skillCacheDir = getSkillCacheDir();
-    if (!existsSync6(skillCacheDir))
-      mkdirSync3(skillCacheDir, { recursive: true });
+    if (!existsSync7(skillCacheDir))
+      mkdirSync4(skillCacheDir, { recursive: true });
     const existing = readSkillCache(skill.skill_id);
     if (existing) {
       for (const ep of skill.endpoints) {
@@ -7513,7 +8012,7 @@ function writeSkillCache(skill, scopeId) {
     const hasStrategy = skill.endpoints.some((e) => e.exec_strategy);
     if (hasStrategy)
       console.log(`[cache] writing skill ${skill.skill_id} with exec_strategy`);
-    writeFileSync2(skillCachePath(skill.skill_id), JSON.stringify(skill), "utf-8");
+    writeFileSync3(skillCachePath(skill.skill_id), JSON.stringify(skill), "utf-8");
   } catch {}
 }
 function cachePublishedSkill(skill, scopeId) {
@@ -7548,7 +8047,7 @@ function isIntentCompatible(lhs, rhs) {
 function findExistingSkillForDomain(domain, intent) {
   try {
     const skillCacheDir = getSkillCacheDir();
-    if (!existsSync6(skillCacheDir))
+    if (!existsSync7(skillCacheDir))
       return null;
     const files = readdirSync2(skillCacheDir);
     let compatible = null;
@@ -7557,7 +8056,7 @@ function findExistingSkillForDomain(domain, intent) {
       if (!f.endsWith(".json") || f === "browser-capture.json")
         continue;
       try {
-        const raw = readFileSync3(join5(skillCacheDir, f), "utf-8");
+        const raw = readFileSync4(join6(skillCacheDir, f), "utf-8");
         const skill = JSON.parse(raw);
         if (skill.domain === domain && skill.execution_type === "http") {
           if (!fallback)
@@ -7607,11 +8106,11 @@ async function getSkillChunk2(skillId, opts) {
 async function listSkills() {
   if (LOCAL_ONLY) {
     try {
-      if (!existsSync6(SKILL_CACHE_DIR))
+      if (!existsSync7(SKILL_CACHE_DIR))
         return [];
       return readdirSync2(SKILL_CACHE_DIR).filter((file) => file.endsWith(".json")).map((file) => {
         try {
-          return JSON.parse(readFileSync3(join5(SKILL_CACHE_DIR, file), "utf-8"));
+          return JSON.parse(readFileSync4(join6(SKILL_CACHE_DIR, file), "utf-8"));
         } catch {
           return null;
         }
@@ -8303,10 +8802,10 @@ var init_publish_admission = __esm(() => {
 
 // ../../src/telemetry.ts
 import { createHash as createHash4 } from "node:crypto";
-import { existsSync as existsSync7, mkdirSync as mkdirSync4, writeFileSync as writeFileSync3 } from "node:fs";
-import { join as join6 } from "node:path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync5, writeFileSync as writeFileSync4 } from "node:fs";
+import { join as join7 } from "node:path";
 function getTraceDir() {
-  return process.env.UNBROWSE_TRACES_DIR ?? join6(process.env.HOME ?? "/tmp", ".unbrowse", "traces");
+  return process.env.UNBROWSE_TRACES_DIR ?? join7(process.env.HOME ?? "/tmp", ".unbrowse", "traces");
 }
 function isTracingEnabled() {
   return process.env.UNBROWSE_DISABLE_TRACES !== "1";
@@ -8380,11 +8879,11 @@ function emitRouteTrace(params) {
   };
   try {
     const traceDir = getTraceDir();
-    if (!existsSync7(traceDir))
-      mkdirSync4(traceDir, { recursive: true });
+    if (!existsSync8(traceDir))
+      mkdirSync5(traceDir, { recursive: true });
     const stamp = params.started_at.replace(/[:.]/g, "-");
-    const file = join6(traceDir, `${stamp}-${params.outcome}-${params.trace_id}.json`);
-    writeFileSync3(file, JSON.stringify(artifact, null, 2), "utf-8");
+    const file = join7(traceDir, `${stamp}-${params.outcome}-${params.trace_id}.json`);
+    writeFileSync4(file, JSON.stringify(artifact, null, 2), "utf-8");
     return file;
   } catch {
     return null;
@@ -8818,276 +9317,206 @@ async function resolveAuthTokens(endpoint, cookies, existingAuthHeaders) {
   const triggerUrl = endpoint.trigger_url;
   if (!triggerUrl)
     return {};
-  const headerBindings = bindings.filter((b) => b.param_location === "header");
+  const headerBindings = bindings.filter((b) => b.param_location === "header" && !existingAuthHeaders[b.param_name]);
   if (headerBindings.length === 0)
     return {};
   const resolved = {};
-  try {
-    const tabId = await openResolverTab(triggerUrl, cookies);
-    if (!tabId)
-      return {};
-    try {
-      await waitForLoad2(tabId);
-      const html = await getPageHtml(tabId).catch(() => "");
-      if (typeof html !== "string" || !html.startsWith("<")) {
-        return {};
-      }
-      for (const binding of headerBindings) {
-        let value = await resolveBinding(binding, html, cookies);
-        if (!value && binding.sources.some((s) => s.kind === "js-bundle")) {
-          value = await scanAllScriptResources(tabId, binding);
-        }
-        if (value) {
-          resolved[binding.param_name] = binding.param_name.toLowerCase() === "authorization" ? value.startsWith("Bearer ") ? value : `Bearer ${value}` : value;
-        }
-      }
-    } finally {
-      await closeTab(tabId).catch(() => {});
-    }
-  } catch {}
-  return resolved;
-}
-async function resolveBinding(binding, html, cookies) {
-  for (const source of binding.sources) {
-    let value;
-    if (source.kind === "cookie" && source.cookie_names?.length) {
-      for (const name of source.cookie_names) {
+  for (const binding of headerBindings) {
+    const cookieSources = binding.sources.filter((s) => s.kind === "cookie");
+    if (cookieSources.length === 0)
+      continue;
+    for (const source of cookieSources) {
+      const names = source.cookie_names ?? [];
+      for (const name of names) {
         const cookie = cookies.find((c) => c.name === name);
-        if (cookie?.value) {
-          value = cookie.value;
+        if (cookie?.value && cookie.value.length >= 8) {
+          resolved[binding.param_name] = cookie.value;
           break;
         }
       }
-    } else if (source.kind === "html-meta" || source.kind === "html-inline-script") {
-      value = extractTokenFromHtml(source, html);
-    } else if (source.kind === "js-bundle" && source.bundle_url_pattern) {
-      try {
-        const resp = await fetch(source.bundle_url_pattern);
-        if (resp.ok) {
-          const body = await resp.text();
-          value = extractTokenFromBundle(source, body);
-        }
-      } catch {}
+      if (resolved[binding.param_name])
+        break;
     }
-    if (value && value.length >= 8)
-      return value;
   }
-  return;
-}
-async function openResolverTab(url, cookies) {
-  try {
-    const tab = await newTab(url);
-    const tabId = typeof tab === "string" ? tab : tab?.tab_id;
-    if (!tabId)
-      return;
-    if (cookies.length > 0) {
-      for (const c of cookies) {
-        await setCookie(tabId, c.name, c.value, c.domain).catch(() => {});
+  const remaining = headerBindings.filter((b) => !resolved[b.param_name]);
+  if (remaining.length === 0)
+    return formatHeaders(resolved);
+  if (!hasResolvableSources(remaining))
+    return formatHeaders(resolved);
+  const html = await fetchHtml(triggerUrl, cookies);
+  if (html) {
+    const fromHtml = await resolveFromHtml(remaining, html);
+    Object.assign(resolved, fromHtml);
+    const stillMissing = remaining.filter((b) => !resolved[b.param_name]);
+    if (stillMissing.length === 0)
+      return formatHeaders(resolved);
+    if (Object.keys(fromHtml).length > 0 && hasHtmlResolvableSources(stillMissing)) {
+      const browserHtml = await fetchHtmlViaBrowser(triggerUrl, cookies);
+      if (browserHtml) {
+        Object.assign(resolved, await resolveFromHtml(stillMissing, browserHtml));
       }
-      await navigate(tabId, url).catch(() => {});
     }
-    return tabId;
-  } catch {
-    return;
+    return formatHeaders(resolved);
   }
-}
-async function waitForLoad2(tabId) {
-  const start2 = Date.now();
-  while (Date.now() - start2 < RESOLVE_TIMEOUT_MS) {
-    try {
-      const state = await evaluate(tabId, "document.readyState");
-      if (state === "complete" || state === "interactive")
-        return;
-    } catch {}
-    await new Promise((r) => setTimeout(r, 500));
+  if (hasHtmlResolvableSources(remaining)) {
+    const browserHtml = await fetchHtmlViaBrowser(triggerUrl, cookies);
+    if (browserHtml) {
+      Object.assign(resolved, await resolveFromHtml(remaining, browserHtml));
+    }
   }
+  return formatHeaders(resolved);
 }
-async function scanAllScriptResources(tabId, binding) {
-  try {
-    const raw = await evaluate(tabId, `
-      JSON.stringify(
-        performance.getEntriesByType('resource')
-          .filter(function(e) { return e.initiatorType === 'script'; })
-          .map(function(e) { return e.name; })
-      )
-    `);
-    if (typeof raw !== "string" || !raw.startsWith("["))
-      return;
-    const urls = JSON.parse(raw);
-    const tokenPattern = /AAAAAAAAAAAAAAAAAAA[A-Za-z0-9+/=_%-]{20,}/;
-    for (const url of urls) {
-      try {
-        const resp = await fetch(url);
-        if (!resp.ok)
-          continue;
-        const body = await resp.text();
-        const m = body.match(tokenPattern);
-        if (m && m[0].length >= 20)
-          return m[0];
-      } catch {}
+function hasResolvableSources(bindings) {
+  for (const b of bindings) {
+    for (const s of b.sources) {
+      if (s.kind === "html-meta" || s.kind === "html-inline-script")
+        return true;
+      if (s.kind === "js-bundle" && s.bundle_url_pattern && s.bundle_regex)
+        return true;
     }
-  } catch {}
-  return;
-}
-var RESOLVE_TIMEOUT_MS = 12000;
-var init_token_resolver = __esm(() => {
-  init_token_sources();
-  init_client();
-});
-
-// ../../src/vault/index.ts
-import { createCipheriv, createDecipheriv, randomBytes as randomBytes2 } from "crypto";
-import { existsSync as existsSync8, mkdirSync as mkdirSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
-import { join as join7 } from "path";
-import { homedir as homedir4 } from "os";
-function normalizeKeytarModule(mod) {
-  let candidate = mod;
-  for (let depth = 0;depth < 3; depth++) {
-    if (!candidate || typeof candidate !== "object" || !("default" in candidate))
-      break;
-    candidate = candidate.default;
   }
-  if (!candidate)
-    return null;
-  if (typeof candidate.setPassword === "function" && typeof candidate.getPassword === "function" && typeof candidate.deletePassword === "function") {
-    return candidate;
-  }
-  return null;
+  return false;
 }
-function isKeytarBindingError(error) {
-  const message = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
-  return KEYTAR_BINDING_ERROR_RE.test(message);
+function hasHtmlResolvableSources(bindings) {
+  for (const b of bindings) {
+    for (const s of b.sources) {
+      if (s.kind === "html-meta" || s.kind === "html-inline-script")
+        return true;
+    }
+  }
+  return false;
 }
-function disableKeytar(error) {
-  keytar = null;
-  if (keytarFallbackLogged)
-    return;
-  const summary = error instanceof Error ? error.message : String(error);
-  log("vault", `keytar runtime unavailable (${summary}); using encrypted file fallback`);
-  keytarFallbackLogged = true;
+function formatHeaders(raw) {
+  const out = {};
+  for (const [k, v] of Object.entries(raw)) {
+    if (k.toLowerCase() === "authorization" && !v.startsWith("Bearer ")) {
+      out[k] = `Bearer ${v}`;
+    } else {
+      out[k] = v;
+    }
+  }
+  return out;
 }
-async function callKeytar(op) {
-  if (!keytar)
-    return KEYTAR_UNAVAILABLE;
-  try {
-    return await op(keytar);
-  } catch (error) {
-    if (!isKeytarBindingError(error))
-      throw error;
-    disableKeytar(error);
-    return KEYTAR_UNAVAILABLE;
+async function resolveFromHtml(bindings, html) {
+  const resolved = {};
+  for (const binding of bindings) {
+    const value = await resolveBinding(binding, html);
+    if (value)
+      resolved[binding.param_name] = value;
   }
+  return resolved;
 }
-function getOrCreateKey() {
-  if (!existsSync8(VAULT_DIR))
-    mkdirSync5(VAULT_DIR, { recursive: true, mode: 448 });
-  if (existsSync8(KEY_FILE))
-    return readFileSync4(KEY_FILE);
-  const key = randomBytes2(32);
-  writeFileSync4(KEY_FILE, key, { mode: 384 });
-  return key;
+async function resolveBinding(binding, html) {
+  for (const source of binding.sources) {
+    let value;
+    if (source.kind === "html-meta" || source.kind === "html-inline-script") {
+      value = extractTokenFromHtml(source, html);
+    } else if (source.kind === "js-bundle" && source.bundle_url_pattern && source.bundle_regex) {
+      value = await resolveJsBundle(source, html);
+    }
+    if (value && value.length >= 8)
+      return value;
+  }
+  return;
 }
-function withVaultLock(fn) {
-  const prev = vaultLock;
-  let release;
-  vaultLock = new Promise((r) => {
-    release = r;
-  });
-  return prev.then(fn).finally(() => release());
+async function resolveJsBundle(source, html) {
+  const pattern = source.bundle_url_pattern;
+  const scriptSrcRe = /<script[^>]+src=["']([^"']+)["']/gi;
+  let match;
+  while ((match = scriptSrcRe.exec(html)) !== null) {
+    const src = match[1];
+    if (!src.includes(pattern))
+      continue;
+    try {
+      const url = src.startsWith("http") ? src : `https:${src}`;
+      const controller = new AbortController;
+      const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+      const res = await fetch(url, {
+        headers: { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" },
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+      if (!res.ok)
+        continue;
+      const bundleContent = await res.text();
+      const extracted = extractTokenFromBundle(source, bundleContent);
+      if (extracted && extracted.length >= 8)
+        return extracted;
+    } catch {}
+  }
+  return;
 }
-function readVaultFile() {
-  if (!existsSync8(VAULT_FILE))
-    return {};
+async function fetchHtml(url, cookies) {
   try {
-    const key = getOrCreateKey();
-    const raw = readFileSync4(VAULT_FILE);
-    const iv = raw.subarray(0, 16);
-    const enc = raw.subarray(16);
-    const decipher = createDecipheriv("aes-256-cbc", key, iv);
-    const dec = Buffer.concat([decipher.update(enc), decipher.final()]);
-    return JSON.parse(dec.toString("utf8"));
+    const cookieHeader = cookies.map((c) => `${c.name}=${c.value}`).join("; ");
+    const controller = new AbortController;
+    const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+    const res = await fetch(url, {
+      headers: {
+        Cookie: cookieHeader,
+        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
+        Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+        "Accept-Language": "en-US,en;q=0.9"
+      },
+      redirect: "follow",
+      signal: controller.signal
+    });
+    clearTimeout(timeout);
+    if (!res.ok)
+      return null;
+    const ct = res.headers.get("content-type") ?? "";
+    if (!ct.includes("text/html") && !ct.includes("text/plain") && !ct.includes("application/xhtml"))
+      return null;
+    const html = await res.text();
+    if (!html || html.length < 200 || !html.includes("<"))
+      return null;
+    return html;
   } catch {
-    return {};
-  }
-}
-function writeVaultFile(data) {
-  const key = getOrCreateKey();
-  const iv = randomBytes2(16);
-  const cipher = createCipheriv("aes-256-cbc", key, iv);
-  const enc = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
-  writeFileSync4(VAULT_FILE, Buffer.concat([iv, enc]), { mode: 384 });
-}
-async function storeCredential(account, value, opts) {
-  const wrapped = {
-    value,
-    stored_at: new Date().toISOString(),
-    expires_at: opts?.expires_at,
-    max_age_ms: opts?.max_age_ms
-  };
-  const serialized = JSON.stringify(wrapped);
-  const keytarResult = await callKeytar((client) => client.setPassword(SERVICE, account, serialized));
-  if (keytarResult !== KEYTAR_UNAVAILABLE)
-    return;
-  await withVaultLock(() => {
-    const data = readVaultFile();
-    data[account] = serialized;
-    writeVaultFile(data);
-  });
-}
-function isExpired(cred) {
-  if (cred.expires_at) {
-    return new Date(cred.expires_at).getTime() <= Date.now();
-  }
-  if (cred.max_age_ms) {
-    return new Date(cred.stored_at).getTime() + cred.max_age_ms <= Date.now();
+    return null;
   }
-  return false;
 }
-async function getCredential(account) {
-  let raw;
-  const keytarResult = await callKeytar((client) => client.getPassword(SERVICE, account));
-  if (keytarResult !== KEYTAR_UNAVAILABLE) {
-    raw = keytarResult;
-  } else {
-    const data = readVaultFile();
-    raw = data[account] ?? null;
-  }
-  if (!raw)
+async function fetchHtmlViaBrowser(url, cookies) {
+  let kuri;
+  try {
+    kuri = await Promise.resolve().then(() => (init_client(), exports_client));
+  } catch {
     return null;
+  }
+  let tabId;
   try {
-    const parsed = JSON.parse(raw);
-    if (parsed.value && parsed.stored_at) {
-      if (isExpired(parsed)) {
-        await deleteCredential(account);
-        return null;
+    const tab = await kuri.newTab(url);
+    tabId = typeof tab === "string" ? tab : tab?.tab_id;
+    if (!tabId)
+      return null;
+    if (cookies.length > 0) {
+      for (const c of cookies) {
+        await kuri.setCookie(tabId, c.name, c.value, c.domain).catch(() => {});
       }
-      return parsed.value;
+      await kuri.navigate(tabId, url).catch(() => {});
     }
-  } catch {}
-  return raw;
-}
-async function deleteCredential(account) {
-  const keytarResult = await callKeytar((client) => client.deletePassword(SERVICE, account));
-  if (keytarResult !== KEYTAR_UNAVAILABLE)
-    return;
-  await withVaultLock(() => {
-    const data = readVaultFile();
-    delete data[account];
-    writeVaultFile(data);
-  });
+    const start2 = Date.now();
+    while (Date.now() - start2 < 12000) {
+      try {
+        const state = await kuri.evaluate(tabId, "document.readyState");
+        if (state === "complete" || state === "interactive")
+          break;
+      } catch {}
+      await new Promise((r) => setTimeout(r, 500));
+    }
+    const html = await kuri.getPageHtml(tabId).catch(() => "");
+    if (typeof html !== "string" || !html.startsWith("<"))
+      return null;
+    return html;
+  } catch {
+    return null;
+  } finally {
+    if (tabId)
+      await kuri.closeTab(tabId).catch(() => {});
+  }
 }
-var KEYTAR_UNAVAILABLE, KEYTAR_BINDING_ERROR_RE, keytar = null, keytarFallbackLogged = false, SERVICE = "unbrowse", VAULT_DIR, VAULT_FILE, KEY_FILE, vaultLock;
-var init_vault = __esm(async () => {
-  init_logger();
-  KEYTAR_UNAVAILABLE = Symbol("KEYTAR_UNAVAILABLE");
-  KEYTAR_BINDING_ERROR_RE = /(keytar(?:\.node)?|native bindings?|bindings file|no native build was found|could not locate the bindings file|module did not self-register|err_dlopen_failed|dlopen\(|compiled against a different node\.js version|cannot find module .*keytar|wasm is not supported on this platform|(set|get|delete)password is not a function)/i;
-  try {
-    keytar = normalizeKeytarModule(await import("keytar"));
-  } catch {}
-  VAULT_DIR = join7(homedir4(), ".unbrowse", "vault");
-  VAULT_FILE = join7(VAULT_DIR, "credentials.enc");
-  KEY_FILE = join7(VAULT_DIR, ".key");
-  vaultLock = Promise.resolve();
+var FETCH_TIMEOUT_MS = 8000;
+var init_token_resolver = __esm(() => {
+  init_token_sources();
 });
 
 // ../../src/runtime/supervisor.ts
@@ -13761,6 +14190,10 @@ function validateWorkflowReplayParams(recipe, params) {
       continue;
     const value = valueForSpec(spec, params);
     if (spec.required && (value == null || value === "")) {
+      if (spec.default_value != null && spec.default_value !== "")
+        continue;
+      if (spec.example_value != null && spec.example_value !== "")
+        continue;
       errors.push({ name: spec.name, reason: "required" });
       continue;
     }
@@ -14055,18 +14488,27 @@ async function reloadExecutionAuthState(skill, epDomain, authHeaders, cookies) {
         cookies.push(...resolved);
     } catch {}
   }
-  if (Object.keys(authHeaders).length === 0) {
-    try {
-      const sessionKey = `${getRegistrableDomain(epDomain)}-session`;
-      const sessionData = await getCredential(sessionKey);
-      if (sessionData) {
-        const parsed = JSON.parse(sessionData);
-        if (parsed.headers)
-          Object.assign(authHeaders, parsed.headers);
-        if (parsed.cookies && cookies.length === 0)
-          cookies.push(...parsed.cookies);
-      }
-    } catch {}
+  {
+    for (const sessionKey of [`${epDomain}-session`, `${getRegistrableDomain(epDomain)}-session`]) {
+      try {
+        const sessionData = await getCredential(sessionKey);
+        if (sessionData) {
+          const parsed = JSON.parse(sessionData);
+          if (parsed.headers)
+            Object.assign(authHeaders, parsed.headers);
+          if (parsed.cookies && cookies.length === 0)
+            cookies.push(...parsed.cookies);
+          if (Object.keys(authHeaders).length > 0)
+            break;
+        }
+      } catch {}
+    }
+  }
+  if (cookies.length > 0 && authHeaders["csrf-token"]) {
+    const jsessionId = cookies.find((c) => c.name === "JSESSIONID");
+    if (jsessionId) {
+      authHeaders["csrf-token"] = jsessionId.value.replace(/"/g, "");
+    }
   }
 }
 function persistWorkflowArtifactForCapture(artifactSkill, captured, capturedAuthHeaders) {
@@ -15087,10 +15529,13 @@ async function executeBrowserCapture(skill, params, options) {
     }));
   }
   if (!auth_profile_ref) {
-    const vaultKey = `auth:${targetDomain}`;
-    const hasStoredAuth = await getCredential(vaultKey) != null;
-    if (hasStoredAuth)
-      auth_profile_ref = vaultKey;
+    for (const vaultKey of [`auth:${targetDomain}`, `${domain}-session`, `${targetDomain}-session`]) {
+      const hasStoredAuth = await getCredential(vaultKey) != null;
+      if (hasStoredAuth) {
+        auth_profile_ref = vaultKey;
+        break;
+      }
+    }
   }
   const authBackedCapture = usedStoredAuth || !!auth_profile_ref;
   if (authBackedCapture) {
@@ -15671,7 +16116,7 @@ async function executeEndpoint(skill, endpoint, params = {}, projection, options
           u.searchParams.set(k, String(v));
         }
       }
-      urlTemplate = restoreTemplatePlaceholderEncoding(u.toString());
+      urlTemplate = restoreTemplatePlaceholderEncoding(u.toString()).replace(/%28/gi, "(").replace(/%29/gi, ")").replace(/%2C/gi, ",").replace(/%3A/gi, ":");
     } catch {}
   }
   let url = interpolate(urlTemplate, mergedParams);
@@ -15807,7 +16252,7 @@ async function executeEndpoint(skill, endpoint, params = {}, projection, options
     let last = { data: null, status: 0 };
     for (const replayUrl of replayUrls) {
       const replayHeaders = buildStructuredReplayHeaders(url, replayUrl, headers);
-      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 80)} auth=${(replayHeaders["authorization"] || "none").substring(0, 50)} csrf=${replayHeaders["x-csrf-token"]?.substring(0, 10)}... cookies=${replayHeaders["cookie"]?.length ?? 0}chars`);
+      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 200)} csrf-token=${(replayHeaders["csrf-token"] || "none").substring(0, 20)}... hdrs=${Object.keys(replayHeaders).length} cookies=${replayHeaders["cookie"]?.length ?? 0}chars`);
       const res = await fetch(replayUrl, {
         method: endpoint.method,
         headers: replayHeaders,
@@ -16211,7 +16656,12 @@ function interpolate(template, params) {
   const base = template.substring(0, qIdx);
   const query = template.substring(qIdx + 1);
   const interpolatedBase = base.replace(/\{(\w+)\}/g, (_, k) => params[k] != null ? String(params[k]) : `{${k}}`);
-  const interpolatedQuery = query.replace(/\{(\w+)\}/g, (_, k) => params[k] != null ? encodeURIComponent(String(params[k])) : `{${k}}`);
+  const interpolatedQuery = query.replace(/\{(\w+)\}/g, (_, k) => {
+    if (params[k] == null)
+      return `{${k}}`;
+    const val = String(params[k]);
+    return val.replace(/[#&=\s]/g, (ch) => encodeURIComponent(ch));
+  });
   return `${interpolatedBase}?${interpolatedQuery}`;
 }
 function interpolateObj(obj, params) {
@@ -16526,6 +16976,17 @@ function rankEndpoints(endpoints, intent, skillDomain, contextUrl) {
       }
       score += matches * 100;
     }
+    if (rawTokens.length > 0 && pathname) {
+      const pathLower = pathname.toLowerCase();
+      const pathSegs = pathLower.split("/").filter(Boolean);
+      for (const token of rawTokens) {
+        const stemmed = stem(token);
+        if (pathSegs.some((seg) => seg === stemmed || seg === token || seg.includes(token))) {
+          score += 150;
+          break;
+        }
+      }
+    }
     if (ep.dom_extraction)
       score += 25;
     if (descriptionMeta.needs_review && ep.dom_extraction)
@@ -16760,8 +17221,6 @@ function isSpaShell(html) {
 }
 var DEFAULT_BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36", VALID_VERIFICATION_STATUSES, BM25_K1 = 1.2, BM25_B = 0.75, STOPWORDS, SYNONYMS;
 var init_execution = __esm(async () => {
-  init_capture();
-  init_capture();
   init_reverse_engineer();
   init_bundle_scanner();
   init_token_resolver();
@@ -16785,6 +17244,8 @@ var init_execution = __esm(async () => {
   init_compile();
   init_publish();
   await __promiseAll([
+    init_capture(),
+    init_capture(),
     init_vault(),
     init_auth(),
     init_indexer(),
@@ -18385,6 +18846,13 @@ function isCachedSkillRelevantForIntent(skill, intent, contextUrl) {
     const hasStructuredSearchEndpoint = candidateSkill.endpoints.some((endpoint) => endpointHasSearchBindings(endpoint) && (!!endpoint.dom_extraction || !!endpoint.response_schema) && endpointMatchesContextOrigin(endpoint, contextUrl) && endpointMatchesExplicitSearchContext(endpoint, contextUrl));
     if (hasStructuredSearchEndpoint)
       return true;
+    if (top && top.score >= 0) {
+      try {
+        const topPath = new URL(top.endpoint.url_template).pathname.toLowerCase();
+        if (/\/(search|find|query|browse|explore)\b/.test(topPath))
+          return true;
+      } catch {}
+    }
     if (collectExplicitSearchContextBindingKeys(contextUrl).size > 0)
       return false;
   }
@@ -19427,7 +19895,7 @@ async function resolveAndExecute(intent, params = {}, context, projection, optio
       for (const cookie of cookies)
         await setCookie(handoffTabId, cookie).catch(() => {});
     } catch {}
-    await evaluate(handoffTabId, (await Promise.resolve().then(() => (init_capture(), exports_capture))).INTERCEPTOR_SCRIPT).catch(() => {});
+    await evaluate(handoffTabId, (await init_capture().then(() => exports_capture)).INTERCEPTOR_SCRIPT).catch(() => {});
     await harStart(handoffTabId).catch(() => {});
     try {
       const routesModule = await init_routes().then(() => exports_routes);
@@ -20592,7 +21060,7 @@ async function resolveAndExecute(intent, params = {}, context, projection, optio
       }
     } catch {}
   }
-  if (context?.url && !forceCapture) {
+  if (process.env.UNBROWSE_LOCAL_ONLY === "1" && !forceCapture) {
     return buildNoCachedMatch();
   }
   if (!context?.url) {
@@ -23928,13 +24396,13 @@ function schedulePeriodicVerification() {
   }, VERIFICATION_INTERVAL_MS);
 }
 var VERIFICATION_INTERVAL_MS, VERIFY_ENDPOINT_BATCH_SIZE;
-var init_verification = __esm(() => {
-  init_capture();
+var init_verification = __esm(async () => {
   init_marketplace();
   init_marketplace();
   init_drift();
   init_matrix();
   init_candidates();
+  await init_capture();
   VERIFICATION_INTERVAL_MS = 6 * 60 * 60 * 1000;
   VERIFY_ENDPOINT_BATCH_SIZE = Math.max(1, Number(process.env.UNBROWSE_VERIFY_ENDPOINT_BATCH_SIZE ?? 3));
 });
@@ -24041,9 +24509,11 @@ function schedulePeriodicStaleCleanup() {
 var VERIFY_TIMEOUT_MS, CLEANUP_INTERVAL_MS, CLEANUP_BATCH_SIZE, CLEANUP_VERIFY_ENDPOINT_LIMIT;
 var init_stale_cleanup_runner = __esm(async () => {
   init_marketplace();
-  init_verification();
   init_candidates();
-  await init_orchestrator();
+  await __promiseAll([
+    init_verification(),
+    init_orchestrator()
+  ]);
   VERIFY_TIMEOUT_MS = Math.max(5000, Number(process.env.UNBROWSE_STALE_VERIFY_TIMEOUT_MS ?? 15000));
   CLEANUP_INTERVAL_MS = Math.max(30 * 60 * 1000, Number(process.env.UNBROWSE_STALE_CLEANUP_INTERVAL_MS ?? 6 * 60 * 60 * 1000));
   CLEANUP_BATCH_SIZE = Math.max(1, Number(process.env.UNBROWSE_STALE_CLEANUP_BATCH_SIZE ?? 25));
@@ -25085,7 +25555,7 @@ async function registerRoutes(app) {
     if (!skill)
       return reply.code(404).send({ error: "Skill not found" });
     try {
-      const { verifySkill: verifySkill2 } = await Promise.resolve().then(() => (init_verification(), exports_verification));
+      const { verifySkill: verifySkill2 } = await init_verification().then(() => exports_verification);
       const results = await verifySkill2(skill);
       return reply.send({ skill_id, verification: results });
     } catch (err) {
@@ -25678,7 +26148,6 @@ var BETA_API_URL, TRACES_DIR, BROWSE_BROKER_MAX, BROWSE_BROKER_BASE_PORT, browse
 var init_routes = __esm(async () => {
   init_client();
   init_reverse_engineer();
-  init_capture();
   init_marketplace();
   init_graph();
   init_client2();
@@ -25697,6 +26166,7 @@ var init_routes = __esm(async () => {
   init_schema_review();
   init_artifact();
   await __promiseAll([
+    init_capture(),
     init_indexer(),
     init_vault(),
     init_orchestrator(),
@@ -25719,12 +26189,12 @@ import { config as loadEnv } from "dotenv";
 
 // ../../src/server.ts
 init_ratelimit();
-init_verification();
 init_client2();
-init_capture();
 init_version();
 await __promiseAll([
   init_routes(),
+  init_verification(),
+  init_capture(),
   init_stale_cleanup_runner()
 ]);
 import { execSync as execSync2 } from "node:child_process";