npm - unbrowse - Versions diffs - 3.2.1 → 3.2.2-experiments.128ff09 - Mend

unbrowse 3.2.1 → 3.2.2-experiments.128ff09

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/server.js CHANGED Viewed

@@ -4210,7 +4210,7 @@ function extractEndpoints(requests, wsMessages, context) {
           return "";
         }
       })();
-      const isApiUrl = /\/(api|graphql)\b/i.test(urlPath) || /\.(json)(\?|$)/.test(req.url);
+      const isApiUrl = /\/(api|graphql|youtubei|__ssr_data__)\b/i.test(urlPath) || /\.(json)(\?|$)/.test(req.url);
       let graphqlOpName;
       if (/graphql/i.test(req.url)) {
         if (req.request_body) {
@@ -4299,7 +4299,12 @@ function extractEndpoints(requests, wsMessages, context) {
     const sanitizedQParams = isGet ? sanitizeQueryParams(extractQueryParams(req.url)) : undefined;
     let pathTemplate = sanitizeUrlTemplate(normalized);
     const qBindings = sanitizedQParams ? buildQueryBindingMap(Object.keys(sanitizedQParams)) : {};
-    const qTemplateStr = sanitizedQParams && Object.keys(sanitizedQParams).length > 0 ? Object.keys(sanitizedQParams).map((k) => `${encodeURIComponent(k)}={${qBindings[k] ?? k}}`).join("&") : null;
+    const existingQKeys = new Set;
+    try {
+      for (const k of new URL(pathTemplate).searchParams.keys())
+        existingQKeys.add(k.toLowerCase());
+    } catch {}
+    const qTemplateStr = sanitizedQParams && Object.keys(sanitizedQParams).length > 0 ? Object.keys(sanitizedQParams).filter((k) => !existingQKeys.has(k.toLowerCase())).map((k) => `${encodeURIComponent(k)}={${qBindings[k] ?? k}}`).join("&") || null : null;
     const { url: templatizedPath, pathParams, pathBindingCandidates } = templatizePathSegments(pathTemplate, req.url, context);
     pathTemplate = templatizedPath;
     const parsedRequestBody = !isGet && req.request_body ? tryParseBody(req.request_body) : undefined;
@@ -4315,7 +4320,7 @@ function extractEndpoints(requests, wsMessages, context) {
     let endpoint = {
       endpoint_id: nanoid2(),
       method: req.method,
-      url_template: qTemplateStr ? `${pathTemplate}?${qTemplateStr}` : pathTemplate,
+      url_template: qTemplateStr ? `${pathTemplate}${pathTemplate.includes("?") ? "&" : "?"}${qTemplateStr}` : pathTemplate,
       description: buildEndpointDescription(req, sampleRequest, sampleResponse),
       headers_template: sanitizeHeaders(req.request_headers),
       query: sanitizedQParams,
@@ -4946,7 +4951,7 @@ var init_reverse_engineer = __esm(() => {
   SKIP_HOSTS = /(cloudflare\.com|google-analytics\.com|doubleclick\.net|gstatic\.com|accounts\.google\.com|login\.microsoftonline\.com|auth0\.com|cognito-idp\.|appleid\.apple\.com|github\.com\/login|facebook\.com\/login|protechts\.net|demdex\.net|litms|platform-telemetry|datadoghq\.com|fullstory\.com|launchdarkly\.com|intercom\.io|privy\.io|mypinata\.cloud|sentry\.io|segment\.io|amplitude\.com|mixpanel\.com|hotjar\.com|clarity\.ms|googletagmanager\.com|walletconnect\.com|imagedelivery\.net|cloudflareinsights\.com)/i;
   SKIP_TELEMETRY_HOSTS = /(waa-pa\.|signaler-pa\.|appsgrowthpromo-pa\.|ogads-pa\.|peoplestackwebexperiments-pa\.)/i;
   SKIP_TELEMETRY_PATHS = /\/(log|logging|telemetry|analytics|beacon|ping|heartbeat|metrics)(\/|$)/i;
-  RPC_HINTS = /(\/$rpc\/|\/rpc\/|graphql|trending|search|feed|results|batchexecute|\/api\/)/i;
+  RPC_HINTS = /(\/$rpc\/|\/rpc\/|graphql|trending|search|feed|results|batchexecute|\/api\/|youtubei|__ssr_data__)/i;
   ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "PATCH", "DELETE"]);
   STRIP_HEADERS = new Set([
     "cookie",
@@ -5024,7 +5029,180 @@ var init_reverse_engineer = __esm(() => {
     "adsize",
     "lineitemid"
   ]);
-  ON_DOMAIN_NOISE = /\/(recaptcha|captcha|update-recaptcha|csrf|consent|data-protection|badge|drawer|header-action|geolocation|onboarding|wana\/bids|prebid|bids\/request|ads\/|pixel|beacon|collect|impression|click-tracking|heartbeat|webConfig|config\.json|manifest\.json|service-worker|sw\.js|favicon|robots\.txt|sitemap|opensearch|partial\/[a-zA-Z]+\/mod-|logging|csp-report|gen_204|generate_204|sodar|__|devvit-|user-drawer|action-item)/i;
+  ON_DOMAIN_NOISE = /\/(recaptcha|captcha|update-recaptcha|csrf|consent|data-protection|badge|drawer|header-action|geolocation|onboarding|wana\/bids|prebid|bids\/request|ads\/|pixel|beacon|collect|impression|click-tracking|heartbeat|webConfig|config\.json|manifest\.json|service-worker|sw\.js|favicon|robots\.txt|sitemap|opensearch|partial\/[a-zA-Z]+\/mod-|logging|csp-report|gen_204|generate_204|sodar|__webpack|__next|devvit-|user-drawer|action-item)/i;
+});
+// ../../src/vault/index.ts
+var exports_vault = {};
+__export(exports_vault, {
+  storeCredential: () => storeCredential,
+  setKeytarClientForTests: () => setKeytarClientForTests,
+  resetKeytarClientForTests: () => resetKeytarClientForTests,
+  normalizeKeytarModule: () => normalizeKeytarModule,
+  getCredential: () => getCredential,
+  deleteCredential: () => deleteCredential
+});
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync, writeFileSync as writeFileSync2 } from "fs";
+import { join as join2 } from "path";
+import { homedir } from "os";
+function normalizeKeytarModule(mod) {
+  let candidate = mod;
+  for (let depth = 0;depth < 3; depth++) {
+    if (!candidate || typeof candidate !== "object" || !("default" in candidate))
+      break;
+    candidate = candidate.default;
+  }
+  if (!candidate)
+    return null;
+  if (typeof candidate.setPassword === "function" && typeof candidate.getPassword === "function" && typeof candidate.deletePassword === "function") {
+    return candidate;
+  }
+  return null;
+}
+function isKeytarBindingError(error) {
+  const message = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
+  return KEYTAR_BINDING_ERROR_RE.test(message);
+}
+function disableKeytar(error) {
+  keytar = null;
+  if (keytarFallbackLogged)
+    return;
+  const summary = error instanceof Error ? error.message : String(error);
+  log("vault", `keytar runtime unavailable (${summary}); using encrypted file fallback`);
+  keytarFallbackLogged = true;
+}
+async function callKeytar(op) {
+  if (!keytar)
+    return KEYTAR_UNAVAILABLE;
+  try {
+    return await op(keytar);
+  } catch (error) {
+    if (!isKeytarBindingError(error))
+      throw error;
+    disableKeytar(error);
+    return KEYTAR_UNAVAILABLE;
+  }
+}
+function setKeytarClientForTests(client) {
+  keytar = client;
+  keytarFallbackLogged = false;
+}
+function resetKeytarClientForTests() {
+  keytar = importedKeytar;
+  keytarFallbackLogged = false;
+}
+function getOrCreateKey() {
+  if (!existsSync3(VAULT_DIR))
+    mkdirSync3(VAULT_DIR, { recursive: true, mode: 448 });
+  if (existsSync3(KEY_FILE))
+    return readFileSync(KEY_FILE);
+  const key = randomBytes(32);
+  writeFileSync2(KEY_FILE, key, { mode: 384 });
+  return key;
+}
+function withVaultLock(fn) {
+  const prev = vaultLock;
+  let release;
+  vaultLock = new Promise((r) => {
+    release = r;
+  });
+  return prev.then(fn).finally(() => release());
+}
+function readVaultFile() {
+  if (!existsSync3(VAULT_FILE))
+    return {};
+  try {
+    const key = getOrCreateKey();
+    const raw = readFileSync(VAULT_FILE);
+    const iv = raw.subarray(0, 16);
+    const enc = raw.subarray(16);
+    const decipher = createDecipheriv("aes-256-cbc", key, iv);
+    const dec = Buffer.concat([decipher.update(enc), decipher.final()]);
+    return JSON.parse(dec.toString("utf8"));
+  } catch {
+    return {};
+  }
+}
+function writeVaultFile(data) {
+  const key = getOrCreateKey();
+  const iv = randomBytes(16);
+  const cipher = createCipheriv("aes-256-cbc", key, iv);
+  const enc = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
+  writeFileSync2(VAULT_FILE, Buffer.concat([iv, enc]), { mode: 384 });
+}
+async function storeCredential(account, value, opts) {
+  const wrapped = {
+    value,
+    stored_at: new Date().toISOString(),
+    expires_at: opts?.expires_at,
+    max_age_ms: opts?.max_age_ms
+  };
+  const serialized = JSON.stringify(wrapped);
+  const keytarResult = await callKeytar((client) => client.setPassword(SERVICE, account, serialized));
+  if (keytarResult !== KEYTAR_UNAVAILABLE)
+    return;
+  await withVaultLock(() => {
+    const data = readVaultFile();
+    data[account] = serialized;
+    writeVaultFile(data);
+  });
+}
+function isExpired(cred) {
+  if (cred.expires_at) {
+    return new Date(cred.expires_at).getTime() <= Date.now();
+  }
+  if (cred.max_age_ms) {
+    return new Date(cred.stored_at).getTime() + cred.max_age_ms <= Date.now();
+  }
+  return false;
+}
+async function getCredential(account) {
+  let raw;
+  const keytarResult = await callKeytar((client) => client.getPassword(SERVICE, account));
+  if (keytarResult !== KEYTAR_UNAVAILABLE) {
+    raw = keytarResult;
+  } else {
+    const data = readVaultFile();
+    raw = data[account] ?? null;
+  }
+  if (!raw)
+    return null;
+  try {
+    const parsed = JSON.parse(raw);
+    if (parsed.value && parsed.stored_at) {
+      if (isExpired(parsed)) {
+        await deleteCredential(account);
+        return null;
+      }
+      return parsed.value;
+    }
+  } catch {}
+  return raw;
+}
+async function deleteCredential(account) {
+  const keytarResult = await callKeytar((client) => client.deletePassword(SERVICE, account));
+  if (keytarResult !== KEYTAR_UNAVAILABLE)
+    return;
+  await withVaultLock(() => {
+    const data = readVaultFile();
+    delete data[account];
+    writeVaultFile(data);
+  });
+}
+var KEYTAR_UNAVAILABLE, KEYTAR_BINDING_ERROR_RE, keytar = null, importedKeytar, keytarFallbackLogged = false, SERVICE = "unbrowse", VAULT_DIR, VAULT_FILE, KEY_FILE, vaultLock;
+var init_vault = __esm(async () => {
+  init_logger();
+  KEYTAR_UNAVAILABLE = Symbol("KEYTAR_UNAVAILABLE");
+  KEYTAR_BINDING_ERROR_RE = /(keytar(?:\.node)?|native bindings?|bindings file|no native build was found|could not locate the bindings file|module did not self-register|err_dlopen_failed|dlopen\(|compiled against a different node\.js version|cannot find module .*keytar|wasm is not supported on this platform|(set|get|delete)password is not a function)/i;
+  try {
+    keytar = normalizeKeytarModule(await import("keytar"));
+  } catch {}
+  importedKeytar = keytar;
+  VAULT_DIR = join2(homedir(), ".unbrowse", "vault");
+  VAULT_FILE = join2(VAULT_DIR, "credentials.enc");
+  KEY_FILE = join2(VAULT_DIR, ".key");
+  vaultLock = Promise.resolve();
 });
 // ../../src/runtime/browser-access.ts
@@ -5477,7 +5655,12 @@ function normalizeCapturedUrl(url, baseUrl) {
   if (!url)
     return url;
   try {
-    return new URL(url).toString();
+    const parsed = new URL(url);
+    if (baseUrl && (parsed.hostname === "127.0.0.1" || parsed.hostname === "localhost")) {
+      const pageOrigin = new URL(baseUrl).origin;
+      return `${pageOrigin}${parsed.pathname}${parsed.search}`;
+    }
+    return parsed.toString();
   } catch {
     if (!baseUrl)
       return url;
@@ -5878,7 +6061,76 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
         log("capture", "scriptInject unavailable — falling back to evaluate injection");
       }
     }
-    await phase("harStart", () => harStart(tabId));
+    try {
+      await phase("harStart", () => harStart(tabId));
+    } catch {}
+    const cdpNetworkEntries = [];
+    const cdpRequestMap = new Map;
+    const cdpResponseMeta = new Map;
+    const cdpFinishedRequests = new Set;
+    let cdpWs = null;
+    let cdpMsgId = 10;
+    const cdpPendingBodies = new Map;
+    const cdpResolvedBodies = new Map;
+    const API_URL_PATTERN = /\/api\/|\/graphql|voyager|youtubei|\/v\d+\//i;
+    try {
+      const cdpPort = getCdpPort();
+      if (cdpPort) {
+        const tabsResp = await fetch(`http://127.0.0.1:${cdpPort}/json`);
+        const tabs = await tabsResp.json();
+        const cdpTab = tabs.find((t) => t.id === tabId) ?? tabs.find((t) => t.type === "page");
+        if (cdpTab?.webSocketDebuggerUrl) {
+          cdpWs = new WebSocket(cdpTab.webSocketDebuggerUrl);
+          await new Promise((resolve, reject) => {
+            cdpWs.onopen = () => resolve();
+            cdpWs.onerror = () => reject(new Error("CDP WS failed"));
+            setTimeout(() => reject(new Error("CDP WS timeout")), 3000);
+          });
+          cdpWs.onmessage = (ev) => {
+            try {
+              const msg = JSON.parse(String(ev.data));
+              if (msg.method === "Network.requestWillBeSent") {
+                const p = msg.params;
+                const reqHeaders = Object.entries(p.request?.headers ?? {}).map(([name, value]) => ({ name, value: String(value) }));
+                cdpRequestMap.set(p.requestId, {
+                  method: p.request?.method ?? "GET",
+                  url: p.request?.url ?? "",
+                  headers: reqHeaders,
+                  postData: p.request?.postData
+                });
+              } else if (msg.method === "Network.responseReceived") {
+                const p = msg.params;
+                const respHeaders = Object.entries(p.response?.headers ?? {}).map(([name, value]) => ({ name, value: String(value) }));
+                cdpResponseMeta.set(p.requestId, {
+                  status: p.response?.status ?? 0,
+                  headers: respHeaders,
+                  mimeType: p.response?.mimeType ?? ""
+                });
+              } else if (msg.method === "Network.loadingFinished") {
+                const requestId = msg.params?.requestId;
+                cdpFinishedRequests.add(requestId);
+                const req = cdpRequestMap.get(requestId);
+                const resp = cdpResponseMeta.get(requestId);
+                if (req && resp && API_URL_PATTERN.test(req.url) && (resp.mimeType.includes("json") || resp.mimeType.includes("text"))) {
+                  const id = ++cdpMsgId;
+                  cdpPendingBodies.set(id, req.url);
+                  cdpWs.send(JSON.stringify({ id, method: "Network.getResponseBody", params: { requestId } }));
+                }
+              } else if (msg.id && cdpPendingBodies.has(msg.id)) {
+                const reqUrl = cdpPendingBodies.get(msg.id);
+                cdpPendingBodies.delete(msg.id);
+                if (msg.result?.body) {
+                  cdpResolvedBodies.set(reqUrl, msg.result.body);
+                }
+              }
+            } catch {}
+          };
+          cdpWs.send(JSON.stringify({ id: 1, method: "Network.enable", params: {} }));
+          await new Promise((r) => setTimeout(r, 200));
+          log("capture", "CDP network capture enabled (direct websocket)");
+        }
+      }
+    } catch {}
     let pageDomain;
     try {
       pageDomain = getRegistrableDomain(new URL(url).hostname);
@@ -5932,11 +6184,85 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
       const perfEntries = await phase("evaluate:perf", () => collectPerformanceResourceEntries(tabId));
       performanceUrls = await phase("replay-fetch", () => replayPerformanceApiResponses(tabId, perfEntries, responseBodies, url, intent));
     } catch {}
+    if (cdpRequestMap.size > 0) {
+      try {
+        const cdpRawReqs = [...cdpRequestMap.values()].map((r) => ({
+          url: r.url,
+          method: r.method,
+          request_headers: Object.fromEntries(r.headers.map((h) => [h.name.toLowerCase(), h.value])),
+          response_status: 200,
+          response_headers: {},
+          response_body: undefined,
+          timestamp: ""
+        }));
+        const authHeaders2 = extractAuthHeaders(cdpRawReqs);
+        if (Object.keys(authHeaders2).length > 0) {
+          const rawKey = `${domain}-session`;
+          const { getCredential: getCredential2 } = await init_vault().then(() => exports_vault);
+          let existing = {};
+          try {
+            const stored = await getCredential2(rawKey);
+            if (stored)
+              existing = JSON.parse(stored);
+          } catch {}
+          if (!existing.cookies || existing.cookies.length === 0) {
+            try {
+              const loginKey = `auth:${getRegistrableDomain(domain)}`;
+              const loginStored = await getCredential2(loginKey);
+              if (loginStored) {
+                const loginData = JSON.parse(loginStored);
+                if (loginData.cookies?.length)
+                  existing.cookies = loginData.cookies;
+              }
+            } catch {}
+          }
+          await storeCredential(rawKey, JSON.stringify({
+            ...existing,
+            headers: { ...existing.headers ?? {}, ...authHeaders2 }
+          }));
+          log("capture", `early auth store: ${Object.keys(authHeaders2).join(", ")} for ${domain}`);
+        }
+      } catch (e) {
+        log("capture", `early auth store failed: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
     let harEntries = [];
     try {
-      const harResult = await phase("harStop", () => harStop(tabId));
-      harEntries = harResult.entries;
+      const harPromise = harStop(tabId);
+      const timeoutPromise = new Promise((resolve) => setTimeout(() => resolve({ entries: [] }), 5000));
+      const harResult = await Promise.race([harPromise, timeoutPromise]);
+      harEntries = harResult.entries ?? [];
     } catch {}
+    if (cdpPendingBodies.size > 0) {
+      await new Promise((r) => setTimeout(r, 1500));
+    }
+    if (cdpWs) {
+      try {
+        cdpWs.close();
+      } catch {}
+    }
+    const harUrls = new Set(harEntries.map((e) => e.request?.url).filter(Boolean));
+    let cdpAdded = 0;
+    for (const [requestId, req] of cdpRequestMap) {
+      if (harUrls.has(req.url))
+        continue;
+      const resp = cdpResponseMeta.get(requestId);
+      if (!resp)
+        continue;
+      const body = cdpResolvedBodies.get(req.url);
+      harEntries.push({
+        startedDateTime: new Date().toISOString(),
+        request: { method: req.method, url: req.url, headers: req.headers, postData: req.postData ? { text: req.postData } : undefined },
+        response: { status: resp.status, headers: resp.headers, content: body ? { text: body, mimeType: resp.mimeType } : {} }
+      });
+      if (body && body.length > 0 && !responseBodies.has(req.url)) {
+        responseBodies.set(req.url, body);
+      }
+      cdpAdded++;
+    }
+    if (cdpAdded > 0) {
+      log("capture", `CDP direct capture added ${cdpAdded} entries (${cdpResolvedBodies.size} with bodies, ${harEntries.length} total HAR)`);
+    }
     const HAR_REPLAY_CT2 = /application\/json|text\/plain|\+json/i;
     let harReplayCount = 0;
     for (const entry of harEntries) {
@@ -5952,7 +6278,7 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
       if (status < 200 || status >= 400)
         continue;
       const ct = (entry.response?.headers ?? []).find((h) => h.name.toLowerCase() === "content-type")?.value ?? "";
-      if (!HAR_REPLAY_CT2.test(ct) && !harUrl.includes("/api/") && !harUrl.includes("_search") && !harUrl.includes("graphql"))
+      if (!HAR_REPLAY_CT2.test(ct) && !harUrl.includes("/api/") && !harUrl.includes("_search") && !harUrl.includes("graphql") && !harUrl.includes("youtubei"))
         continue;
       if (harReplayCount >= 20)
         break;
@@ -5960,7 +6286,7 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
         const postData = method !== "GET" ? entry.request?.postData?.text : undefined;
         const replayScript = method === "GET" || !postData ? `(function(){var x=new XMLHttpRequest();x.open('GET','${harUrl.replace(/'/g, "\\'")}',false);x.send();return x.status>=200&&x.status<400?x.responseText:''})()` : `(function(){var x=new XMLHttpRequest();x.open('${method}','${harUrl.replace(/'/g, "\\'")}',false);x.setRequestHeader('Content-Type','application/json');x.send(${JSON.stringify(postData)});return x.status>=200&&x.status<400?x.responseText:''})()`;
         const body = await phase("har-replay", () => evaluate(tabId, replayScript));
-        if (typeof body === "string" && body.length > 0 && body.length < 512 * 1024) {
+        if (typeof body === "string" && body.length > 0 && body.length < 524288) {
           responseBodies.set(harUrl, body);
           harReplayCount++;
           log("capture", `har-replay-fetched ${harUrl.substring(0, 80)} (${body.length}B)`);
@@ -5987,6 +6313,77 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
       }
       html = await phase("getPageHtml", () => getPageHtml(tabId));
     } catch {}
+    const SSR_DATA_EXTRACTORS = [
+      { name: "ytmusic", script: `(function(){try{var d=ytcfg.get('YTMUSIC_INITIAL_DATA');if(!d||!d.length)return null;var out={};d.forEach(function(x){if(x.path&&x.data)out[x.path]=x.data});out.__apiKey=ytcfg.get('INNERTUBE_API_KEY')||'';out.__context=ytcfg.get('INNERTUBE_CONTEXT')||null;return JSON.stringify(out)}catch(e){return null}})()` },
+      { name: "youtube", script: `(function(){try{return typeof ytInitialData!=='undefined'?JSON.stringify(ytInitialData):null}catch(e){return null}})()` },
+      { name: "nextjs", script: `(function(){try{return window.__NEXT_DATA__?JSON.stringify(window.__NEXT_DATA__):null}catch(e){return null}})()` },
+      { name: "nuxt", script: `(function(){try{return window.__NUXT__?JSON.stringify(window.__NUXT__):null}catch(e){return null}})()` }
+    ];
+    let embeddedDataCount = 0;
+    for (const extractor of SSR_DATA_EXTRACTORS) {
+      try {
+        const raw = await phase(`ssr:${extractor.name}`, () => evaluate(tabId, extractor.script));
+        if (typeof raw !== "string" || !raw || raw === "null")
+          continue;
+        if (extractor.name === "ytmusic") {
+          const parsed = JSON.parse(raw);
+          const apiKey = parsed.__apiKey || "";
+          const innertubeContext = parsed.__context;
+          delete parsed.__apiKey;
+          delete parsed.__context;
+          for (const [path4, data] of Object.entries(parsed)) {
+            if (!data || typeof data !== "object")
+              continue;
+            const cleaned = { ...data };
+            delete cleaned.responseContext;
+            delete cleaned.trackingParams;
+            delete cleaned.header;
+            delete cleaned.background;
+            let bodyStr = JSON.stringify(cleaned);
+            if (bodyStr.length > 1e4) {
+              bodyStr = bodyStr.substring(0, 1e4) + '"}]}';
+              try {
+                JSON.parse(bodyStr);
+              } catch {
+                bodyStr = JSON.stringify(cleaned).substring(0, 1e4);
+              }
+            }
+            if (bodyStr.length < 100)
+              continue;
+            const origin = new URL(url).origin;
+            const contextParams = new URL(url).searchParams;
+            const keyParam = apiKey ? `key=${apiKey}&` : "";
+            const queryStr = path4.includes("search") && contextParams.toString() ? `?${keyParam}${contextParams.toString()}&prettyPrint=false` : `?${keyParam}prettyPrint=false`;
+            const syntheticUrl = `${origin}/youtubei/v1${path4}${queryStr}`;
+            responseBodies.set(syntheticUrl, bodyStr);
+            const queryValue = contextParams.get("q") ?? "";
+            const postBody = path4.includes("search") && innertubeContext ? JSON.stringify({ context: innertubeContext, query: queryValue }) : path4.includes("browse") && innertubeContext ? JSON.stringify({ context: innertubeContext, browseId: "FEmusic_liked_videos" }) : JSON.stringify({ context: innertubeContext ?? {} });
+            harEntries.push({
+              startedDateTime: new Date().toISOString(),
+              request: { method: "POST", url: syntheticUrl, headers: [{ name: "content-type", value: "application/json" }], postData: { text: postBody } },
+              response: { status: 200, headers: [{ name: "content-type", value: "application/json" }], content: { text: bodyStr, mimeType: "application/json" } }
+            });
+            embeddedDataCount++;
+            log("capture", `ssr:${extractor.name} extracted ${path4} (${bodyStr.length}B)`);
+          }
+        } else {
+          if (raw.length < 100)
+            continue;
+          const syntheticUrl = `${new URL(url).origin}/__ssr_data__/${extractor.name}`;
+          responseBodies.set(syntheticUrl, raw);
+          harEntries.push({
+            startedDateTime: new Date().toISOString(),
+            request: { method: "GET", url: syntheticUrl, headers: [] },
+            response: { status: 200, headers: [{ name: "content-type", value: "application/json" }], content: { text: raw, mimeType: "application/json" } }
+          });
+          embeddedDataCount++;
+          log("capture", `ssr:${extractor.name} extracted (${raw.length}B)`);
+        }
+      } catch {}
+    }
+    if (embeddedDataCount > 0) {
+      log("capture", `embedded SSR data: ${embeddedDataCount} synthetic endpoints injected`);
+    }
     const requests = mergePassiveCaptureData(intercepted, harEntries, extensionEntries, responseBodies, performanceUrls);
     log("capture", `tracked ${harEntries.length} HAR, ${intercepted.length} intercepted, ${extensionEntries.length} extension, ${responseBodies.size} bodies → ${requests.length} merged`);
     const rawCookies = await phase("extractCookies", () => extractCookiesFromPage(tabId, url));
@@ -6385,7 +6782,8 @@ var MAX_CONCURRENT_TABS = 3, activeTabs = 0, waitQueue, activeTabRegistry, inter
       var isData = ct.indexOf('json') !== -1 || ct.indexOf('application/x-protobuf') !== -1 ||
                    ct.indexOf('text/plain') !== -1 ||
                    url.indexOf('batchexecute') !== -1 || url.indexOf('/api/') !== -1 ||
-                   url.indexOf('graphql') !== -1 || url.indexOf('voyager') !== -1;
+                   url.indexOf('graphql') !== -1 || url.indexOf('voyager') !== -1 ||
+                   url.indexOf('youtubei') !== -1;
       if (!isJs && !isData) return response;
       if (/\\.(css|woff2?|png|jpg|svg|ico)(\\?|$)/.test(url)) return response;
       var clone = response.clone();
@@ -6435,7 +6833,8 @@ var MAX_CONCURRENT_TABS = 3, activeTabs = 0, waitQueue, activeTabRegistry, inter
       var isData = ct.indexOf('json') !== -1 || ct.indexOf('application/x-protobuf') !== -1 ||
                    ct.indexOf('text/plain') !== -1 ||
                    url.indexOf('batchexecute') !== -1 || url.indexOf('/api/') !== -1 ||
-                   url.indexOf('graphql') !== -1 || url.indexOf('voyager') !== -1;
+                   url.indexOf('graphql') !== -1 || url.indexOf('voyager') !== -1 ||
+                   url.indexOf('youtubei') !== -1;
       if (!isJs && !isData) return;
       if (/\\.(css|woff2?|png|jpg|svg|ico)(\\?|$)/.test(url)) return;
       var respBody = xhr.responseText || '';
@@ -6457,11 +6856,13 @@ var MAX_CONCURRENT_TABS = 3, activeTabs = 0, waitQueue, activeTabRegistry, inter
     return origSend.apply(this, arguments);
   };
 })()`, REPLAY_SKIP, HAR_REPLAY_CT;
-var init_capture = __esm(() => {
+var init_capture = __esm(async () => {
   init_client();
   init_domain();
   init_logger();
+  init_reverse_engineer();
   init_browser_access();
+  await init_vault();
   waitQueue = [];
   activeTabRegistry = new Set;
   interceptorInjectedTabs = new Set;
@@ -6478,17 +6879,17 @@ var init_capture = __esm(() => {
 });
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.2.1", BUILD_GIT_SHA = "150cce0d751e", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjEiLCJnaXRfc2hhIjoiMTUwY2NlMGQ3NTFlIiwiY29kZV9oYXNoIjoiMTQ4OGZjMWQ5MmI3IiwidHJhY2VfdmVyc2lvbiI6IjE0ODhmYzFkOTJiN0AxNTBjY2UwZDc1MWUiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTA2VDA3OjM0OjU3LjQ1NFoifQ", BUILD_RELEASE_MANIFEST_SIGNATURE = "2iiYVQS4ow2XkpkyCm072lmrjIIGvkAPjkO1s_LI_Do", BUILD_DEFAULT_BACKEND_URL = "https://beta-api.unbrowse.ai";
+var BUILD_RELEASE_VERSION = "3.2.2-experiments.128ff09", BUILD_GIT_SHA = "128ff09f51b3", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjItZXhwZXJpbWVudHMuMTI4ZmYwOSIsImdpdF9zaGEiOiIxMjhmZjA5ZjUxYjMiLCJjb2RlX2hhc2giOiIxNDg4ZmMxZDkyYjciLCJ0cmFjZV92ZXJzaW9uIjoiMTQ4OGZjMWQ5MmI3QDEyOGZmMDlmNTFiMyIsImlzc3VlZF9hdCI6IjIwMjYtMDQtMDZUMTE6NTk6NDYuOTQyWiJ9", BUILD_RELEASE_MANIFEST_SIGNATURE = "M80x5zV9aWn-teZrpEFDyzwSU53Hwfj6rf19dl9m-jM", BUILD_DEFAULT_BACKEND_URL = "https://unbrowse-backend-experiments.lewis-6d8.workers.dev";
 // ../../src/version.ts
 import { createHash } from "crypto";
-import { existsSync as existsSync3, readFileSync, readdirSync } from "fs";
-import { dirname, join as join2, parse } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync2, readdirSync } from "fs";
+import { dirname, join as join3, parse } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function collectTsFiles(dir) {
   const results = [];
   for (const entry of readdirSync(dir, { withFileTypes: true })) {
-    const full = join2(dir, entry.name);
+    const full = join3(dir, entry.name);
     if (entry.isDirectory() && entry.name !== "node_modules") {
       results.push(...collectTsFiles(full));
     } else if (entry.name.endsWith(".ts")) {
@@ -6501,21 +6902,21 @@ function hashFiles(srcDir, files) {
   const hash = createHash("sha256");
   for (const file of files) {
     hash.update(file.slice(srcDir.length));
-    hash.update(readFileSync(file, "utf-8"));
+    hash.update(readFileSync2(file, "utf-8"));
   }
   return hash.digest("hex").slice(0, 12);
 }
 function resolveCodeHashSourceDir(moduleDir) {
   const candidates = [
     moduleDir,
-    join2(moduleDir, "runtime-src"),
-    join2(moduleDir, "..", "runtime-src"),
-    join2(moduleDir, "src"),
-    join2(moduleDir, "..", "src")
+    join3(moduleDir, "runtime-src"),
+    join3(moduleDir, "..", "runtime-src"),
+    join3(moduleDir, "src"),
+    join3(moduleDir, "..", "src")
   ];
   for (const candidate of candidates) {
     try {
-      if (!existsSync3(candidate))
+      if (!existsSync4(candidate))
         continue;
       const files = collectTsFiles(candidate);
       if (files.length > 0)
@@ -6565,7 +6966,7 @@ function getPackageVersionForModuleDir(moduleDir) {
   const root = parse(dir).root;
   while (true) {
     try {
-      const pkg = JSON.parse(readFileSync(join2(dir, "package.json"), "utf-8"));
+      const pkg = JSON.parse(readFileSync2(join3(dir, "package.json"), "utf-8"));
       return typeof pkg.version === "string" ? pkg.version : "unknown";
     } catch {}
     if (dir === root)
@@ -6669,18 +7070,18 @@ async function ensureCascadeSplitForSkill(skill, deps = {}) {
 var init_cascade = () => {};
 // ../../src/payments/wallet.ts
-import { existsSync as existsSync4, readFileSync as readFileSync2 } from "node:fs";
-import { homedir } from "node:os";
-import { join as join3 } from "node:path";
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { join as join4 } from "node:path";
 function asNonEmptyString(value) {
   return typeof value === "string" && value.trim() ? value.trim() : undefined;
 }
 function getLobsterWalletFromLocalConfig() {
-  const agentsPath = join3(process.env.HOME || homedir(), ".lobster", "agents.json");
-  if (!existsSync4(agentsPath))
+  const agentsPath = join4(process.env.HOME || homedir2(), ".lobster", "agents.json");
+  if (!existsSync5(agentsPath))
     return;
   try {
-    const raw = JSON.parse(readFileSync2(agentsPath, "utf8"));
+    const raw = JSON.parse(readFileSync3(agentsPath, "utf8"));
     const activeAgentId = asNonEmptyString(raw.activeAgentId);
     const activeAgent = Array.isArray(raw.agents) ? raw.agents.find((agent) => asNonEmptyString(agent.id) === activeAgentId) : activeAgentId ? raw.agents?.[activeAgentId] : undefined;
     return asNonEmptyString(activeAgent?.authorizedWallets?.solana) ?? asNonEmptyString(activeAgent?.walletAddress) ?? asNonEmptyString(activeAgent?.wallet_address);
@@ -6831,9 +7232,9 @@ __export(exports_lobster_pay, {
   isLobsterAvailable: () => isLobsterAvailable
 });
 import { execFile, execFileSync as execFileSync2 } from "node:child_process";
-import { existsSync as existsSync5 } from "node:fs";
-import { homedir as homedir2 } from "node:os";
-import { join as join4 } from "node:path";
+import { existsSync as existsSync6 } from "node:fs";
+import { homedir as homedir3 } from "node:os";
+import { join as join5 } from "node:path";
 function getLobsterCommand() {
   try {
     execFileSync2("lobstercash", ["--version"], { stdio: "ignore", timeout: 3000 });
@@ -6841,8 +7242,8 @@ function getLobsterCommand() {
   } catch (_e) {}
   try {
     const npmPrefix = execFileSync2("npm", ["config", "get", "prefix"], { encoding: "utf8", timeout: 5000 }).trim();
-    const lobsterPath = join4(npmPrefix, "bin", "lobstercash");
-    if (existsSync5(lobsterPath)) {
+    const lobsterPath = join5(npmPrefix, "bin", "lobstercash");
+    if (existsSync6(lobsterPath)) {
       execFileSync2(lobsterPath, ["--version"], { stdio: "ignore", timeout: 3000 });
       return { cmd: lobsterPath, prefix: [] };
     }
@@ -6855,8 +7256,8 @@ function lobsterCmd() {
   return cachedCommand;
 }
 function isLobsterAvailable() {
-  const agentsPath = join4(process.env.HOME || homedir2(), ".lobster", "agents.json");
-  return existsSync5(agentsPath);
+  const agentsPath = join5(process.env.HOME || homedir3(), ".lobster", "agents.json");
+  return existsSync6(agentsPath);
 }
 function lobsterX402Fetch(url, options) {
   return new Promise((resolve) => {
@@ -6988,10 +7389,10 @@ __export(exports_client2, {
   buildDefaultAgentName: () => buildDefaultAgentName,
   autoFileIssue: () => autoFileIssue
 });
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readdirSync as readdirSync2 } from "fs";
-import { join as join5 } from "path";
-import { homedir as homedir3, hostname, release as osRelease } from "os";
-import { randomBytes, createHash as createHash3 } from "crypto";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readdirSync as readdirSync2 } from "fs";
+import { join as join6 } from "path";
+import { homedir as homedir4, hostname, release as osRelease } from "os";
+import { randomBytes as randomBytes2, createHash as createHash3 } from "crypto";
 import { createInterface } from "readline";
 function buildReleaseAttestationHeaders(manifestBase64, signature) {
   const manifest = manifestBase64.trim();
@@ -7025,18 +7426,18 @@ function scopedSkillKey(skillId, scopeId) {
   return scopeId ? `${scopeId}:${skillId}` : skillId;
 }
 function getSkillCacheDir() {
-  return process.env.UNBROWSE_SKILL_CACHE_DIR || join5(getConfigDir(), "skill-cache");
+  return process.env.UNBROWSE_SKILL_CACHE_DIR || join6(getConfigDir(), "skill-cache");
 }
 function getConfigDir() {
   if (process.env.UNBROWSE_CONFIG_DIR)
     return process.env.UNBROWSE_CONFIG_DIR;
-  return PROFILE_NAME ? join5(homedir3(), ".unbrowse", "profiles", PROFILE_NAME) : join5(homedir3(), ".unbrowse");
+  return PROFILE_NAME ? join6(homedir4(), ".unbrowse", "profiles", PROFILE_NAME) : join6(homedir4(), ".unbrowse");
 }
 function getConfigPath() {
-  return join5(getConfigDir(), "config.json");
+  return join6(getConfigDir(), "config.json");
 }
 function getInstallTelemetryPath() {
-  return join5(getConfigDir(), "install-state.json");
+  return join6(getConfigDir(), "install-state.json");
 }
 function getLandingToken() {
   const token = process.env.UNBROWSE_LANDING_TOKEN?.trim();
@@ -7054,8 +7455,8 @@ function isLocalOnlyMode() {
 function loadConfig() {
   try {
     const configPath = getConfigPath();
-    if (existsSync6(configPath)) {
-      return JSON.parse(readFileSync3(configPath, "utf-8"));
+    if (existsSync7(configPath)) {
+      return JSON.parse(readFileSync4(configPath, "utf-8"));
     }
   } catch {}
   return null;
@@ -7063,15 +7464,15 @@ function loadConfig() {
 function saveConfig(config) {
   const configDir = getConfigDir();
   const configPath = getConfigPath();
-  if (!existsSync6(configDir))
-    mkdirSync3(configDir, { recursive: true });
-  writeFileSync2(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+  if (!existsSync7(configDir))
+    mkdirSync4(configDir, { recursive: true });
+  writeFileSync3(configPath, JSON.stringify(config, null, 2), { mode: 384 });
 }
 function loadInstallTelemetryState() {
   try {
     const statePath = getInstallTelemetryPath();
-    if (existsSync6(statePath)) {
-      return JSON.parse(readFileSync3(statePath, "utf-8"));
+    if (existsSync7(statePath)) {
+      return JSON.parse(readFileSync4(statePath, "utf-8"));
     }
   } catch {}
   return null;
@@ -7079,13 +7480,13 @@ function loadInstallTelemetryState() {
 function saveInstallTelemetryState(state) {
   const configDir = getConfigDir();
   const statePath = getInstallTelemetryPath();
-  if (!existsSync6(configDir))
-    mkdirSync3(configDir, { recursive: true });
-  writeFileSync2(statePath, JSON.stringify(state, null, 2), { mode: 384 });
+  if (!existsSync7(configDir))
+    mkdirSync4(configDir, { recursive: true });
+  writeFileSync3(statePath, JSON.stringify(state, null, 2), { mode: 384 });
 }
 function createInstallTelemetryState() {
   return {
-    install_id: `install_${randomBytes(8).toString("hex")}`,
+    install_id: `install_${randomBytes2(8).toString("hex")}`,
     first_seen_at: new Date().toISOString()
   };
 }
@@ -7225,7 +7626,7 @@ function isValidAgentEmail(value) {
   return EMAIL_RE.test(normalizeAgentEmail(value));
 }
 function buildDefaultAgentName() {
-  return `${hostname()}-${randomBytes(3).toString("hex")}`;
+  return `${hostname()}-${randomBytes2(3).toString("hex")}`;
 }
 function resolveAgentName(preferredEmail, fallbackName) {
   const normalized = normalizeAgentEmail(preferredEmail ?? "");
@@ -7580,11 +7981,11 @@ async function waitForBackgroundRegistration(timeoutMs = 0) {
   ]);
 }
 function skillCachePath(skillId) {
-  return join5(getSkillCacheDir(), `${skillId}.json`);
+  return join6(getSkillCacheDir(), `${skillId}.json`);
 }
 function readSkillCache(skillId) {
   try {
-    const raw = readFileSync3(skillCachePath(skillId), "utf-8");
+    const raw = readFileSync4(skillCachePath(skillId), "utf-8");
     return JSON.parse(raw);
   } catch {
     return null;
@@ -7594,8 +7995,8 @@ function writeSkillCache(skill, scopeId) {
   try {
     recentLocalSkills.set(scopedSkillKey(skill.skill_id, scopeId), skill);
     const skillCacheDir = getSkillCacheDir();
-    if (!existsSync6(skillCacheDir))
-      mkdirSync3(skillCacheDir, { recursive: true });
+    if (!existsSync7(skillCacheDir))
+      mkdirSync4(skillCacheDir, { recursive: true });
     const existing = readSkillCache(skill.skill_id);
     if (existing) {
       for (const ep of skill.endpoints) {
@@ -7611,7 +8012,7 @@ function writeSkillCache(skill, scopeId) {
     const hasStrategy = skill.endpoints.some((e) => e.exec_strategy);
     if (hasStrategy)
       console.log(`[cache] writing skill ${skill.skill_id} with exec_strategy`);
-    writeFileSync2(skillCachePath(skill.skill_id), JSON.stringify(skill), "utf-8");
+    writeFileSync3(skillCachePath(skill.skill_id), JSON.stringify(skill), "utf-8");
   } catch {}
 }
 function cachePublishedSkill(skill, scopeId) {
@@ -7646,7 +8047,7 @@ function isIntentCompatible(lhs, rhs) {
 function findExistingSkillForDomain(domain, intent) {
   try {
     const skillCacheDir = getSkillCacheDir();
-    if (!existsSync6(skillCacheDir))
+    if (!existsSync7(skillCacheDir))
       return null;
     const files = readdirSync2(skillCacheDir);
     let compatible = null;
@@ -7655,7 +8056,7 @@ function findExistingSkillForDomain(domain, intent) {
       if (!f.endsWith(".json") || f === "browser-capture.json")
         continue;
       try {
-        const raw = readFileSync3(join5(skillCacheDir, f), "utf-8");
+        const raw = readFileSync4(join6(skillCacheDir, f), "utf-8");
         const skill = JSON.parse(raw);
         if (skill.domain === domain && skill.execution_type === "http") {
           if (!fallback)
@@ -7705,11 +8106,11 @@ async function getSkillChunk2(skillId, opts) {
 async function listSkills() {
   if (LOCAL_ONLY) {
     try {
-      if (!existsSync6(SKILL_CACHE_DIR))
+      if (!existsSync7(SKILL_CACHE_DIR))
         return [];
       return readdirSync2(SKILL_CACHE_DIR).filter((file) => file.endsWith(".json")).map((file) => {
         try {
-          return JSON.parse(readFileSync3(join5(SKILL_CACHE_DIR, file), "utf-8"));
+          return JSON.parse(readFileSync4(join6(SKILL_CACHE_DIR, file), "utf-8"));
         } catch {
           return null;
         }
@@ -8401,10 +8802,10 @@ var init_publish_admission = __esm(() => {
 // ../../src/telemetry.ts
 import { createHash as createHash4 } from "node:crypto";
-import { existsSync as existsSync7, mkdirSync as mkdirSync4, writeFileSync as writeFileSync3 } from "node:fs";
-import { join as join6 } from "node:path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync5, writeFileSync as writeFileSync4 } from "node:fs";
+import { join as join7 } from "node:path";
 function getTraceDir() {
-  return process.env.UNBROWSE_TRACES_DIR ?? join6(process.env.HOME ?? "/tmp", ".unbrowse", "traces");
+  return process.env.UNBROWSE_TRACES_DIR ?? join7(process.env.HOME ?? "/tmp", ".unbrowse", "traces");
 }
 function isTracingEnabled() {
   return process.env.UNBROWSE_DISABLE_TRACES !== "1";
@@ -8478,11 +8879,11 @@ function emitRouteTrace(params) {
   };
   try {
     const traceDir = getTraceDir();
-    if (!existsSync7(traceDir))
-      mkdirSync4(traceDir, { recursive: true });
+    if (!existsSync8(traceDir))
+      mkdirSync5(traceDir, { recursive: true });
     const stamp = params.started_at.replace(/[:.]/g, "-");
-    const file = join6(traceDir, `${stamp}-${params.outcome}-${params.trace_id}.json`);
-    writeFileSync3(file, JSON.stringify(artifact, null, 2), "utf-8");
+    const file = join7(traceDir, `${stamp}-${params.outcome}-${params.trace_id}.json`);
+    writeFileSync4(file, JSON.stringify(artifact, null, 2), "utf-8");
     return file;
   } catch {
     return null;
@@ -9118,161 +9519,6 @@ var init_token_resolver = __esm(() => {
   init_token_sources();
 });
-// ../../src/vault/index.ts
-import { createCipheriv, createDecipheriv, randomBytes as randomBytes2 } from "crypto";
-import { existsSync as existsSync8, mkdirSync as mkdirSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
-import { join as join7 } from "path";
-import { homedir as homedir4 } from "os";
-function normalizeKeytarModule(mod) {
-  let candidate = mod;
-  for (let depth = 0;depth < 3; depth++) {
-    if (!candidate || typeof candidate !== "object" || !("default" in candidate))
-      break;
-    candidate = candidate.default;
-  }
-  if (!candidate)
-    return null;
-  if (typeof candidate.setPassword === "function" && typeof candidate.getPassword === "function" && typeof candidate.deletePassword === "function") {
-    return candidate;
-  }
-  return null;
-}
-function isKeytarBindingError(error) {
-  const message = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
-  return KEYTAR_BINDING_ERROR_RE.test(message);
-}
-function disableKeytar(error) {
-  keytar = null;
-  if (keytarFallbackLogged)
-    return;
-  const summary = error instanceof Error ? error.message : String(error);
-  log("vault", `keytar runtime unavailable (${summary}); using encrypted file fallback`);
-  keytarFallbackLogged = true;
-}
-async function callKeytar(op) {
-  if (!keytar)
-    return KEYTAR_UNAVAILABLE;
-  try {
-    return await op(keytar);
-  } catch (error) {
-    if (!isKeytarBindingError(error))
-      throw error;
-    disableKeytar(error);
-    return KEYTAR_UNAVAILABLE;
-  }
-}
-function getOrCreateKey() {
-  if (!existsSync8(VAULT_DIR))
-    mkdirSync5(VAULT_DIR, { recursive: true, mode: 448 });
-  if (existsSync8(KEY_FILE))
-    return readFileSync4(KEY_FILE);
-  const key = randomBytes2(32);
-  writeFileSync4(KEY_FILE, key, { mode: 384 });
-  return key;
-}
-function withVaultLock(fn) {
-  const prev = vaultLock;
-  let release;
-  vaultLock = new Promise((r) => {
-    release = r;
-  });
-  return prev.then(fn).finally(() => release());
-}
-function readVaultFile() {
-  if (!existsSync8(VAULT_FILE))
-    return {};
-  try {
-    const key = getOrCreateKey();
-    const raw = readFileSync4(VAULT_FILE);
-    const iv = raw.subarray(0, 16);
-    const enc = raw.subarray(16);
-    const decipher = createDecipheriv("aes-256-cbc", key, iv);
-    const dec = Buffer.concat([decipher.update(enc), decipher.final()]);
-    return JSON.parse(dec.toString("utf8"));
-  } catch {
-    return {};
-  }
-}
-function writeVaultFile(data) {
-  const key = getOrCreateKey();
-  const iv = randomBytes2(16);
-  const cipher = createCipheriv("aes-256-cbc", key, iv);
-  const enc = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
-  writeFileSync4(VAULT_FILE, Buffer.concat([iv, enc]), { mode: 384 });
-}
-async function storeCredential(account, value, opts) {
-  const wrapped = {
-    value,
-    stored_at: new Date().toISOString(),
-    expires_at: opts?.expires_at,
-    max_age_ms: opts?.max_age_ms
-  };
-  const serialized = JSON.stringify(wrapped);
-  const keytarResult = await callKeytar((client) => client.setPassword(SERVICE, account, serialized));
-  if (keytarResult !== KEYTAR_UNAVAILABLE)
-    return;
-  await withVaultLock(() => {
-    const data = readVaultFile();
-    data[account] = serialized;
-    writeVaultFile(data);
-  });
-}
-function isExpired(cred) {
-  if (cred.expires_at) {
-    return new Date(cred.expires_at).getTime() <= Date.now();
-  }
-  if (cred.max_age_ms) {
-    return new Date(cred.stored_at).getTime() + cred.max_age_ms <= Date.now();
-  }
-  return false;
-}
-async function getCredential(account) {
-  let raw;
-  const keytarResult = await callKeytar((client) => client.getPassword(SERVICE, account));
-  if (keytarResult !== KEYTAR_UNAVAILABLE) {
-    raw = keytarResult;
-  } else {
-    const data = readVaultFile();
-    raw = data[account] ?? null;
-  }
-  if (!raw)
-    return null;
-  try {
-    const parsed = JSON.parse(raw);
-    if (parsed.value && parsed.stored_at) {
-      if (isExpired(parsed)) {
-        await deleteCredential(account);
-        return null;
-      }
-      return parsed.value;
-    }
-  } catch {}
-  return raw;
-}
-async function deleteCredential(account) {
-  const keytarResult = await callKeytar((client) => client.deletePassword(SERVICE, account));
-  if (keytarResult !== KEYTAR_UNAVAILABLE)
-    return;
-  await withVaultLock(() => {
-    const data = readVaultFile();
-    delete data[account];
-    writeVaultFile(data);
-  });
-}
-var KEYTAR_UNAVAILABLE, KEYTAR_BINDING_ERROR_RE, keytar = null, keytarFallbackLogged = false, SERVICE = "unbrowse", VAULT_DIR, VAULT_FILE, KEY_FILE, vaultLock;
-var init_vault = __esm(async () => {
-  init_logger();
-  KEYTAR_UNAVAILABLE = Symbol("KEYTAR_UNAVAILABLE");
-  KEYTAR_BINDING_ERROR_RE = /(keytar(?:\.node)?|native bindings?|bindings file|no native build was found|could not locate the bindings file|module did not self-register|err_dlopen_failed|dlopen\(|compiled against a different node\.js version|cannot find module .*keytar|wasm is not supported on this platform|(set|get|delete)password is not a function)/i;
-  try {
-    keytar = normalizeKeytarModule(await import("keytar"));
-  } catch {}
-  VAULT_DIR = join7(homedir4(), ".unbrowse", "vault");
-  VAULT_FILE = join7(VAULT_DIR, "credentials.enc");
-  KEY_FILE = join7(VAULT_DIR, ".key");
-  vaultLock = Promise.resolve();
-});
 // ../../src/runtime/supervisor.ts
 function getDefaultLoginConfig(headless) {
   return {
@@ -13944,6 +14190,10 @@ function validateWorkflowReplayParams(recipe, params) {
       continue;
     const value = valueForSpec(spec, params);
     if (spec.required && (value == null || value === "")) {
+      if (spec.default_value != null && spec.default_value !== "")
+        continue;
+      if (spec.example_value != null && spec.example_value !== "")
+        continue;
       errors.push({ name: spec.name, reason: "required" });
       continue;
     }
@@ -14238,18 +14488,27 @@ async function reloadExecutionAuthState(skill, epDomain, authHeaders, cookies) {
         cookies.push(...resolved);
     } catch {}
   }
-  if (Object.keys(authHeaders).length === 0) {
-    try {
-      const sessionKey = `${getRegistrableDomain(epDomain)}-session`;
-      const sessionData = await getCredential(sessionKey);
-      if (sessionData) {
-        const parsed = JSON.parse(sessionData);
-        if (parsed.headers)
-          Object.assign(authHeaders, parsed.headers);
-        if (parsed.cookies && cookies.length === 0)
-          cookies.push(...parsed.cookies);
-      }
-    } catch {}
+  {
+    for (const sessionKey of [`${epDomain}-session`, `${getRegistrableDomain(epDomain)}-session`]) {
+      try {
+        const sessionData = await getCredential(sessionKey);
+        if (sessionData) {
+          const parsed = JSON.parse(sessionData);
+          if (parsed.headers)
+            Object.assign(authHeaders, parsed.headers);
+          if (parsed.cookies && cookies.length === 0)
+            cookies.push(...parsed.cookies);
+          if (Object.keys(authHeaders).length > 0)
+            break;
+        }
+      } catch {}
+    }
+  }
+  if (cookies.length > 0 && authHeaders["csrf-token"]) {
+    const jsessionId = cookies.find((c) => c.name === "JSESSIONID");
+    if (jsessionId) {
+      authHeaders["csrf-token"] = jsessionId.value.replace(/"/g, "");
+    }
   }
 }
 function persistWorkflowArtifactForCapture(artifactSkill, captured, capturedAuthHeaders) {
@@ -15270,10 +15529,13 @@ async function executeBrowserCapture(skill, params, options) {
     }));
   }
   if (!auth_profile_ref) {
-    const vaultKey = `auth:${targetDomain}`;
-    const hasStoredAuth = await getCredential(vaultKey) != null;
-    if (hasStoredAuth)
-      auth_profile_ref = vaultKey;
+    for (const vaultKey of [`auth:${targetDomain}`, `${domain}-session`, `${targetDomain}-session`]) {
+      const hasStoredAuth = await getCredential(vaultKey) != null;
+      if (hasStoredAuth) {
+        auth_profile_ref = vaultKey;
+        break;
+      }
+    }
   }
   const authBackedCapture = usedStoredAuth || !!auth_profile_ref;
   if (authBackedCapture) {
@@ -15854,7 +16116,7 @@ async function executeEndpoint(skill, endpoint, params = {}, projection, options
           u.searchParams.set(k, String(v));
         }
       }
-      urlTemplate = restoreTemplatePlaceholderEncoding(u.toString());
+      urlTemplate = restoreTemplatePlaceholderEncoding(u.toString()).replace(/%28/gi, "(").replace(/%29/gi, ")").replace(/%2C/gi, ",").replace(/%3A/gi, ":");
     } catch {}
   }
   let url = interpolate(urlTemplate, mergedParams);
@@ -15990,7 +16252,7 @@ async function executeEndpoint(skill, endpoint, params = {}, projection, options
     let last = { data: null, status: 0 };
     for (const replayUrl of replayUrls) {
       const replayHeaders = buildStructuredReplayHeaders(url, replayUrl, headers);
-      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 80)} auth=${(replayHeaders["authorization"] || "none").substring(0, 50)} csrf=${replayHeaders["x-csrf-token"]?.substring(0, 10)}... cookies=${replayHeaders["cookie"]?.length ?? 0}chars`);
+      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 200)} csrf-token=${(replayHeaders["csrf-token"] || "none").substring(0, 20)}... hdrs=${Object.keys(replayHeaders).length} cookies=${replayHeaders["cookie"]?.length ?? 0}chars`);
       const res = await fetch(replayUrl, {
         method: endpoint.method,
         headers: replayHeaders,
@@ -16394,7 +16656,12 @@ function interpolate(template, params) {
   const base = template.substring(0, qIdx);
   const query = template.substring(qIdx + 1);
   const interpolatedBase = base.replace(/\{(\w+)\}/g, (_, k) => params[k] != null ? String(params[k]) : `{${k}}`);
-  const interpolatedQuery = query.replace(/\{(\w+)\}/g, (_, k) => params[k] != null ? encodeURIComponent(String(params[k])) : `{${k}}`);
+  const interpolatedQuery = query.replace(/\{(\w+)\}/g, (_, k) => {
+    if (params[k] == null)
+      return `{${k}}`;
+    const val = String(params[k]);
+    return val.replace(/[#&=\s]/g, (ch) => encodeURIComponent(ch));
+  });
   return `${interpolatedBase}?${interpolatedQuery}`;
 }
 function interpolateObj(obj, params) {
@@ -16709,6 +16976,17 @@ function rankEndpoints(endpoints, intent, skillDomain, contextUrl) {
       }
       score += matches * 100;
     }
+    if (rawTokens.length > 0 && pathname) {
+      const pathLower = pathname.toLowerCase();
+      const pathSegs = pathLower.split("/").filter(Boolean);
+      for (const token of rawTokens) {
+        const stemmed = stem(token);
+        if (pathSegs.some((seg) => seg === stemmed || seg === token || seg.includes(token))) {
+          score += 150;
+          break;
+        }
+      }
+    }
     if (ep.dom_extraction)
       score += 25;
     if (descriptionMeta.needs_review && ep.dom_extraction)
@@ -16943,8 +17221,6 @@ function isSpaShell(html) {
 }
 var DEFAULT_BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36", VALID_VERIFICATION_STATUSES, BM25_K1 = 1.2, BM25_B = 0.75, STOPWORDS, SYNONYMS;
 var init_execution = __esm(async () => {
-  init_capture();
-  init_capture();
   init_reverse_engineer();
   init_bundle_scanner();
   init_token_resolver();
@@ -16968,6 +17244,8 @@ var init_execution = __esm(async () => {
   init_compile();
   init_publish();
   await __promiseAll([
+    init_capture(),
+    init_capture(),
     init_vault(),
     init_auth(),
     init_indexer(),
@@ -18568,6 +18846,13 @@ function isCachedSkillRelevantForIntent(skill, intent, contextUrl) {
     const hasStructuredSearchEndpoint = candidateSkill.endpoints.some((endpoint) => endpointHasSearchBindings(endpoint) && (!!endpoint.dom_extraction || !!endpoint.response_schema) && endpointMatchesContextOrigin(endpoint, contextUrl) && endpointMatchesExplicitSearchContext(endpoint, contextUrl));
     if (hasStructuredSearchEndpoint)
       return true;
+    if (top && top.score >= 0) {
+      try {
+        const topPath = new URL(top.endpoint.url_template).pathname.toLowerCase();
+        if (/\/(search|find|query|browse|explore)\b/.test(topPath))
+          return true;
+      } catch {}
+    }
     if (collectExplicitSearchContextBindingKeys(contextUrl).size > 0)
       return false;
   }
@@ -19610,7 +19895,7 @@ async function resolveAndExecute(intent, params = {}, context, projection, optio
       for (const cookie of cookies)
         await setCookie(handoffTabId, cookie).catch(() => {});
     } catch {}
-    await evaluate(handoffTabId, (await Promise.resolve().then(() => (init_capture(), exports_capture))).INTERCEPTOR_SCRIPT).catch(() => {});
+    await evaluate(handoffTabId, (await init_capture().then(() => exports_capture)).INTERCEPTOR_SCRIPT).catch(() => {});
     await harStart(handoffTabId).catch(() => {});
     try {
       const routesModule = await init_routes().then(() => exports_routes);
@@ -24111,13 +24396,13 @@ function schedulePeriodicVerification() {
   }, VERIFICATION_INTERVAL_MS);
 }
 var VERIFICATION_INTERVAL_MS, VERIFY_ENDPOINT_BATCH_SIZE;
-var init_verification = __esm(() => {
-  init_capture();
+var init_verification = __esm(async () => {
   init_marketplace();
   init_marketplace();
   init_drift();
   init_matrix();
   init_candidates();
+  await init_capture();
   VERIFICATION_INTERVAL_MS = 6 * 60 * 60 * 1000;
   VERIFY_ENDPOINT_BATCH_SIZE = Math.max(1, Number(process.env.UNBROWSE_VERIFY_ENDPOINT_BATCH_SIZE ?? 3));
 });
@@ -24224,9 +24509,11 @@ function schedulePeriodicStaleCleanup() {
 var VERIFY_TIMEOUT_MS, CLEANUP_INTERVAL_MS, CLEANUP_BATCH_SIZE, CLEANUP_VERIFY_ENDPOINT_LIMIT;
 var init_stale_cleanup_runner = __esm(async () => {
   init_marketplace();
-  init_verification();
   init_candidates();
-  await init_orchestrator();
+  await __promiseAll([
+    init_verification(),
+    init_orchestrator()
+  ]);
   VERIFY_TIMEOUT_MS = Math.max(5000, Number(process.env.UNBROWSE_STALE_VERIFY_TIMEOUT_MS ?? 15000));
   CLEANUP_INTERVAL_MS = Math.max(30 * 60 * 1000, Number(process.env.UNBROWSE_STALE_CLEANUP_INTERVAL_MS ?? 6 * 60 * 60 * 1000));
   CLEANUP_BATCH_SIZE = Math.max(1, Number(process.env.UNBROWSE_STALE_CLEANUP_BATCH_SIZE ?? 25));
@@ -25268,7 +25555,7 @@ async function registerRoutes(app) {
     if (!skill)
       return reply.code(404).send({ error: "Skill not found" });
     try {
-      const { verifySkill: verifySkill2 } = await Promise.resolve().then(() => (init_verification(), exports_verification));
+      const { verifySkill: verifySkill2 } = await init_verification().then(() => exports_verification);
       const results = await verifySkill2(skill);
       return reply.send({ skill_id, verification: results });
     } catch (err) {
@@ -25861,7 +26148,6 @@ var BETA_API_URL, TRACES_DIR, BROWSE_BROKER_MAX, BROWSE_BROKER_BASE_PORT, browse
 var init_routes = __esm(async () => {
   init_client();
   init_reverse_engineer();
-  init_capture();
   init_marketplace();
   init_graph();
   init_client2();
@@ -25880,6 +26166,7 @@ var init_routes = __esm(async () => {
   init_schema_review();
   init_artifact();
   await __promiseAll([
+    init_capture(),
     init_indexer(),
     init_vault(),
     init_orchestrator(),
@@ -25902,12 +26189,12 @@ import { config as loadEnv } from "dotenv";
 // ../../src/server.ts
 init_ratelimit();
-init_verification();
 init_client2();
-init_capture();
 init_version();
 await __promiseAll([
   init_routes(),
+  init_verification(),
+  init_capture(),
   init_stale_cleanup_runner()
 ]);
 import { execSync as execSync2 } from "node:child_process";