unbrowse 3.2.2 → 3.2.3

package/dist/cli.js

@@ -31,7 +31,7 @@ var __promiseAll = (args) => Promise.all(args);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.2.2", BUILD_GIT_SHA = "150cce0d751e", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjIiLCJnaXRfc2hhIjoiMTUwY2NlMGQ3NTFlIiwiY29kZV9oYXNoIjoiMTQ4OGZjMWQ5MmI3IiwidHJhY2VfdmVyc2lvbiI6IjE0ODhmYzFkOTJiN0AxNTBjY2UwZDc1MWUiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTA2VDA4OjQ2OjM5LjIwNVoifQ", BUILD_RELEASE_MANIFEST_SIGNATURE = "ZS7C10DGuwyn1m02shMHyz6cN5UbTHfa8yqnkELg_L8", BUILD_DEFAULT_BACKEND_URL = "https://beta-api.unbrowse.ai";
+var BUILD_RELEASE_VERSION = "3.2.2", BUILD_GIT_SHA = "150cce0d751e", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjIiLCJnaXRfc2hhIjoiMTUwY2NlMGQ3NTFlIiwiY29kZV9oYXNoIjoiMTQ4OGZjMWQ5MmI3IiwidHJhY2VfdmVyc2lvbiI6IjE0ODhmYzFkOTJiN0AxNTBjY2UwZDc1MWUiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTA2VDExOjU4OjM1LjkxNFoifQ", BUILD_RELEASE_MANIFEST_SIGNATURE = "Lfph_KbGZrv74O5Pnop_b_0GcSTspB27fOgkCMZK6tk", BUILD_DEFAULT_BACKEND_URL = "https://beta-api.unbrowse.ai";
 
 // ../../src/version.ts
 import { createHash } from "crypto";
@@ -679,23 +679,6 @@ var init_telemetry = __esm(() => {
   autoFiledKeys = new Set;
 });
 
-// ../../src/runtime/browser-access.ts
-var init_browser_access = () => {};
-
-// ../../src/capture/index.ts
-import { nanoid as nanoid2 } from "nanoid";
-var activeTabRegistry, interceptorInjectedTabs, cdpDocStartTabs, cdpCapturedHeaders;
-var init_capture = __esm(() => {
-  init_client2();
-  init_domain();
-  init_logger();
-  init_browser_access();
-  activeTabRegistry = new Set;
-  interceptorInjectedTabs = new Set;
-  cdpDocStartTabs = new Set;
-  cdpCapturedHeaders = new Map;
-});
-
 // ../../src/transform/index.ts
 var EPHEMERAL_KEYS;
 var init_transform = __esm(() => {
@@ -704,7 +687,7 @@ var init_transform = __esm(() => {
 
 // ../../src/debug-trace.ts
 import { join as join6 } from "node:path";
-import { nanoid as nanoid3 } from "nanoid";
+import { nanoid as nanoid2 } from "nanoid";
 var TRACE_DIR;
 var init_debug_trace = __esm(() => {
   TRACE_DIR = process.env.TRACES_DIR ?? join6(process.cwd(), "traces");
@@ -719,7 +702,7 @@ var init_description_prompt = __esm(() => {
   init_sanitize();
 });
 // ../../src/reverse-engineer/index.ts
-import { nanoid as nanoid4 } from "nanoid";
+import { nanoid as nanoid3 } from "nanoid";
 var ALLOWED_METHODS, STRIP_HEADERS, REPLAY_HEADER_EXACT, SAFE_HEADERS, AD_SCHEMA_KEYS;
 var init_reverse_engineer = __esm(() => {
   init_transform();
@@ -791,19 +774,6 @@ var init_reverse_engineer = __esm(() => {
   ]);
 });
 
-// ../../src/reverse-engineer/bundle-scanner.ts
-var init_bundle_scanner = __esm(() => {
-  init_logger();
-});
-
-// ../../src/reverse-engineer/token-sources.ts
-var init_token_sources = () => {};
-
-// ../../src/execution/token-resolver.ts
-var init_token_resolver = __esm(() => {
-  init_token_sources();
-});
-
 // ../../src/vault/index.ts
 import { join as join7 } from "path";
 import { homedir as homedir5 } from "os";
@@ -834,6 +804,38 @@ var init_vault = __esm(async () => {
   vaultLock = Promise.resolve();
 });
 
+// ../../src/runtime/browser-access.ts
+var init_browser_access = () => {};
+
+// ../../src/capture/index.ts
+import { nanoid as nanoid4 } from "nanoid";
+var activeTabRegistry, interceptorInjectedTabs, cdpDocStartTabs, cdpCapturedHeaders;
+var init_capture = __esm(async () => {
+  init_client2();
+  init_domain();
+  init_logger();
+  init_reverse_engineer();
+  init_browser_access();
+  await init_vault();
+  activeTabRegistry = new Set;
+  interceptorInjectedTabs = new Set;
+  cdpDocStartTabs = new Set;
+  cdpCapturedHeaders = new Map;
+});
+
+// ../../src/reverse-engineer/bundle-scanner.ts
+var init_bundle_scanner = __esm(() => {
+  init_logger();
+});
+
+// ../../src/reverse-engineer/token-sources.ts
+var init_token_sources = () => {};
+
+// ../../src/execution/token-resolver.ts
+var init_token_resolver = __esm(() => {
+  init_token_sources();
+});
+
 // ../../src/auth/index.ts
 var init_auth = __esm(async () => {
   init_client2();
@@ -1018,8 +1020,6 @@ var init_compile = () => {};
 import { nanoid as nanoid6 } from "nanoid";
 var VALID_VERIFICATION_STATUSES, STOPWORDS;
 var init_execution = __esm(async () => {
-  init_capture();
-  init_capture();
   init_reverse_engineer();
   init_bundle_scanner();
   init_token_resolver();
@@ -1043,6 +1043,8 @@ var init_execution = __esm(async () => {
   init_compile();
   init_publish();
   await __promiseAll([
+    init_capture(),
+    init_capture(),
     init_vault(),
     init_auth(),
     init_indexer(),

package/dist/mcp.js

@@ -228,8 +228,8 @@ import { fileURLToPath as fileURLToPath2 } from "url";
 var BUILD_RELEASE_VERSION = "3.2.2";
 var BUILD_GIT_SHA = "150cce0d751e";
 var BUILD_CODE_HASH = "1488fc1d92b7";
-var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjIiLCJnaXRfc2hhIjoiMTUwY2NlMGQ3NTFlIiwiY29kZV9oYXNoIjoiMTQ4OGZjMWQ5MmI3IiwidHJhY2VfdmVyc2lvbiI6IjE0ODhmYzFkOTJiN0AxNTBjY2UwZDc1MWUiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTA2VDA4OjQ2OjM5LjIwNVoifQ";
-var BUILD_RELEASE_MANIFEST_SIGNATURE = "ZS7C10DGuwyn1m02shMHyz6cN5UbTHfa8yqnkELg_L8";
+var BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjIiLCJnaXRfc2hhIjoiMTUwY2NlMGQ3NTFlIiwiY29kZV9oYXNoIjoiMTQ4OGZjMWQ5MmI3IiwidHJhY2VfdmVyc2lvbiI6IjE0ODhmYzFkOTJiN0AxNTBjY2UwZDc1MWUiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTA2VDExOjU4OjM1LjkxNFoifQ";
+var BUILD_RELEASE_MANIFEST_SIGNATURE = "Lfph_KbGZrv74O5Pnop_b_0GcSTspB27fOgkCMZK6tk";
 var BUILD_DEFAULT_BACKEND_URL = "https://beta-api.unbrowse.ai";
 
 // ../../src/version.ts

package/dist/server.js

@@ -4299,7 +4299,12 @@ function extractEndpoints(requests, wsMessages, context) {
     const sanitizedQParams = isGet ? sanitizeQueryParams(extractQueryParams(req.url)) : undefined;
     let pathTemplate = sanitizeUrlTemplate(normalized);
     const qBindings = sanitizedQParams ? buildQueryBindingMap(Object.keys(sanitizedQParams)) : {};
-    const qTemplateStr = sanitizedQParams && Object.keys(sanitizedQParams).length > 0 ? Object.keys(sanitizedQParams).map((k) => `${encodeURIComponent(k)}={${qBindings[k] ?? k}}`).join("&") : null;
+    const existingQKeys = new Set;
+    try {
+      for (const k of new URL(pathTemplate).searchParams.keys())
+        existingQKeys.add(k.toLowerCase());
+    } catch {}
+    const qTemplateStr = sanitizedQParams && Object.keys(sanitizedQParams).length > 0 ? Object.keys(sanitizedQParams).filter((k) => !existingQKeys.has(k.toLowerCase())).map((k) => `${encodeURIComponent(k)}={${qBindings[k] ?? k}}`).join("&") || null : null;
     const { url: templatizedPath, pathParams, pathBindingCandidates } = templatizePathSegments(pathTemplate, req.url, context);
     pathTemplate = templatizedPath;
     const parsedRequestBody = !isGet && req.request_body ? tryParseBody(req.request_body) : undefined;
@@ -4315,7 +4320,7 @@ function extractEndpoints(requests, wsMessages, context) {
     let endpoint = {
       endpoint_id: nanoid2(),
       method: req.method,
-      url_template: qTemplateStr ? `${pathTemplate}?${qTemplateStr}` : pathTemplate,
+      url_template: qTemplateStr ? `${pathTemplate}${pathTemplate.includes("?") ? "&" : "?"}${qTemplateStr}` : pathTemplate,
       description: buildEndpointDescription(req, sampleRequest, sampleResponse),
       headers_template: sanitizeHeaders(req.request_headers),
       query: sanitizedQParams,
@@ -5027,6 +5032,179 @@ var init_reverse_engineer = __esm(() => {
   ON_DOMAIN_NOISE = /\/(recaptcha|captcha|update-recaptcha|csrf|consent|data-protection|badge|drawer|header-action|geolocation|onboarding|wana\/bids|prebid|bids\/request|ads\/|pixel|beacon|collect|impression|click-tracking|heartbeat|webConfig|config\.json|manifest\.json|service-worker|sw\.js|favicon|robots\.txt|sitemap|opensearch|partial\/[a-zA-Z]+\/mod-|logging|csp-report|gen_204|generate_204|sodar|__webpack|__next|devvit-|user-drawer|action-item)/i;
 });
 
+// ../../src/vault/index.ts
+var exports_vault = {};
+__export(exports_vault, {
+  storeCredential: () => storeCredential,
+  setKeytarClientForTests: () => setKeytarClientForTests,
+  resetKeytarClientForTests: () => resetKeytarClientForTests,
+  normalizeKeytarModule: () => normalizeKeytarModule,
+  getCredential: () => getCredential,
+  deleteCredential: () => deleteCredential
+});
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+import { existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync, writeFileSync as writeFileSync2 } from "fs";
+import { join as join2 } from "path";
+import { homedir } from "os";
+function normalizeKeytarModule(mod) {
+  let candidate = mod;
+  for (let depth = 0;depth < 3; depth++) {
+    if (!candidate || typeof candidate !== "object" || !("default" in candidate))
+      break;
+    candidate = candidate.default;
+  }
+  if (!candidate)
+    return null;
+  if (typeof candidate.setPassword === "function" && typeof candidate.getPassword === "function" && typeof candidate.deletePassword === "function") {
+    return candidate;
+  }
+  return null;
+}
+function isKeytarBindingError(error) {
+  const message = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
+  return KEYTAR_BINDING_ERROR_RE.test(message);
+}
+function disableKeytar(error) {
+  keytar = null;
+  if (keytarFallbackLogged)
+    return;
+  const summary = error instanceof Error ? error.message : String(error);
+  log("vault", `keytar runtime unavailable (${summary}); using encrypted file fallback`);
+  keytarFallbackLogged = true;
+}
+async function callKeytar(op) {
+  if (!keytar)
+    return KEYTAR_UNAVAILABLE;
+  try {
+    return await op(keytar);
+  } catch (error) {
+    if (!isKeytarBindingError(error))
+      throw error;
+    disableKeytar(error);
+    return KEYTAR_UNAVAILABLE;
+  }
+}
+function setKeytarClientForTests(client) {
+  keytar = client;
+  keytarFallbackLogged = false;
+}
+function resetKeytarClientForTests() {
+  keytar = importedKeytar;
+  keytarFallbackLogged = false;
+}
+function getOrCreateKey() {
+  if (!existsSync3(VAULT_DIR))
+    mkdirSync3(VAULT_DIR, { recursive: true, mode: 448 });
+  if (existsSync3(KEY_FILE))
+    return readFileSync(KEY_FILE);
+  const key = randomBytes(32);
+  writeFileSync2(KEY_FILE, key, { mode: 384 });
+  return key;
+}
+function withVaultLock(fn) {
+  const prev = vaultLock;
+  let release;
+  vaultLock = new Promise((r) => {
+    release = r;
+  });
+  return prev.then(fn).finally(() => release());
+}
+function readVaultFile() {
+  if (!existsSync3(VAULT_FILE))
+    return {};
+  try {
+    const key = getOrCreateKey();
+    const raw = readFileSync(VAULT_FILE);
+    const iv = raw.subarray(0, 16);
+    const enc = raw.subarray(16);
+    const decipher = createDecipheriv("aes-256-cbc", key, iv);
+    const dec = Buffer.concat([decipher.update(enc), decipher.final()]);
+    return JSON.parse(dec.toString("utf8"));
+  } catch {
+    return {};
+  }
+}
+function writeVaultFile(data) {
+  const key = getOrCreateKey();
+  const iv = randomBytes(16);
+  const cipher = createCipheriv("aes-256-cbc", key, iv);
+  const enc = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
+  writeFileSync2(VAULT_FILE, Buffer.concat([iv, enc]), { mode: 384 });
+}
+async function storeCredential(account, value, opts) {
+  const wrapped = {
+    value,
+    stored_at: new Date().toISOString(),
+    expires_at: opts?.expires_at,
+    max_age_ms: opts?.max_age_ms
+  };
+  const serialized = JSON.stringify(wrapped);
+  const keytarResult = await callKeytar((client) => client.setPassword(SERVICE, account, serialized));
+  if (keytarResult !== KEYTAR_UNAVAILABLE)
+    return;
+  await withVaultLock(() => {
+    const data = readVaultFile();
+    data[account] = serialized;
+    writeVaultFile(data);
+  });
+}
+function isExpired(cred) {
+  if (cred.expires_at) {
+    return new Date(cred.expires_at).getTime() <= Date.now();
+  }
+  if (cred.max_age_ms) {
+    return new Date(cred.stored_at).getTime() + cred.max_age_ms <= Date.now();
+  }
+  return false;
+}
+async function getCredential(account) {
+  let raw;
+  const keytarResult = await callKeytar((client) => client.getPassword(SERVICE, account));
+  if (keytarResult !== KEYTAR_UNAVAILABLE) {
+    raw = keytarResult;
+  } else {
+    const data = readVaultFile();
+    raw = data[account] ?? null;
+  }
+  if (!raw)
+    return null;
+  try {
+    const parsed = JSON.parse(raw);
+    if (parsed.value && parsed.stored_at) {
+      if (isExpired(parsed)) {
+        await deleteCredential(account);
+        return null;
+      }
+      return parsed.value;
+    }
+  } catch {}
+  return raw;
+}
+async function deleteCredential(account) {
+  const keytarResult = await callKeytar((client) => client.deletePassword(SERVICE, account));
+  if (keytarResult !== KEYTAR_UNAVAILABLE)
+    return;
+  await withVaultLock(() => {
+    const data = readVaultFile();
+    delete data[account];
+    writeVaultFile(data);
+  });
+}
+var KEYTAR_UNAVAILABLE, KEYTAR_BINDING_ERROR_RE, keytar = null, importedKeytar, keytarFallbackLogged = false, SERVICE = "unbrowse", VAULT_DIR, VAULT_FILE, KEY_FILE, vaultLock;
+var init_vault = __esm(async () => {
+  init_logger();
+  KEYTAR_UNAVAILABLE = Symbol("KEYTAR_UNAVAILABLE");
+  KEYTAR_BINDING_ERROR_RE = /(keytar(?:\.node)?|native bindings?|bindings file|no native build was found|could not locate the bindings file|module did not self-register|err_dlopen_failed|dlopen\(|compiled against a different node\.js version|cannot find module .*keytar|wasm is not supported on this platform|(set|get|delete)password is not a function)/i;
+  try {
+    keytar = normalizeKeytarModule(await import("keytar"));
+  } catch {}
+  importedKeytar = keytar;
+  VAULT_DIR = join2(homedir(), ".unbrowse", "vault");
+  VAULT_FILE = join2(VAULT_DIR, "credentials.enc");
+  KEY_FILE = join2(VAULT_DIR, ".key");
+  vaultLock = Promise.resolve();
+});
+
 // ../../src/runtime/browser-access.ts
 var DEFAULT_BROWSER_ACCESS;
 var init_browser_access = __esm(() => {
@@ -5477,7 +5655,12 @@ function normalizeCapturedUrl(url, baseUrl) {
   if (!url)
     return url;
   try {
-    return new URL(url).toString();
+    const parsed = new URL(url);
+    if (baseUrl && (parsed.hostname === "127.0.0.1" || parsed.hostname === "localhost")) {
+      const pageOrigin = new URL(baseUrl).origin;
+      return `${pageOrigin}${parsed.pathname}${parsed.search}`;
+    }
+    return parsed.toString();
   } catch {
     if (!baseUrl)
       return url;
@@ -5878,7 +6061,76 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
         log("capture", "scriptInject unavailable — falling back to evaluate injection");
       }
     }
-    await phase("harStart", () => harStart(tabId));
+    try {
+      await phase("harStart", () => harStart(tabId));
+    } catch {}
+    const cdpNetworkEntries = [];
+    const cdpRequestMap = new Map;
+    const cdpResponseMeta = new Map;
+    const cdpFinishedRequests = new Set;
+    let cdpWs = null;
+    let cdpMsgId = 10;
+    const cdpPendingBodies = new Map;
+    const cdpResolvedBodies = new Map;
+    const API_URL_PATTERN = /\/api\/|\/graphql|voyager|youtubei|\/v\d+\//i;
+    try {
+      const cdpPort = getCdpPort();
+      if (cdpPort) {
+        const tabsResp = await fetch(`http://127.0.0.1:${cdpPort}/json`);
+        const tabs = await tabsResp.json();
+        const cdpTab = tabs.find((t) => t.id === tabId) ?? tabs.find((t) => t.type === "page");
+        if (cdpTab?.webSocketDebuggerUrl) {
+          cdpWs = new WebSocket(cdpTab.webSocketDebuggerUrl);
+          await new Promise((resolve, reject) => {
+            cdpWs.onopen = () => resolve();
+            cdpWs.onerror = () => reject(new Error("CDP WS failed"));
+            setTimeout(() => reject(new Error("CDP WS timeout")), 3000);
+          });
+          cdpWs.onmessage = (ev) => {
+            try {
+              const msg = JSON.parse(String(ev.data));
+              if (msg.method === "Network.requestWillBeSent") {
+                const p = msg.params;
+                const reqHeaders = Object.entries(p.request?.headers ?? {}).map(([name, value]) => ({ name, value: String(value) }));
+                cdpRequestMap.set(p.requestId, {
+                  method: p.request?.method ?? "GET",
+                  url: p.request?.url ?? "",
+                  headers: reqHeaders,
+                  postData: p.request?.postData
+                });
+              } else if (msg.method === "Network.responseReceived") {
+                const p = msg.params;
+                const respHeaders = Object.entries(p.response?.headers ?? {}).map(([name, value]) => ({ name, value: String(value) }));
+                cdpResponseMeta.set(p.requestId, {
+                  status: p.response?.status ?? 0,
+                  headers: respHeaders,
+                  mimeType: p.response?.mimeType ?? ""
+                });
+              } else if (msg.method === "Network.loadingFinished") {
+                const requestId = msg.params?.requestId;
+                cdpFinishedRequests.add(requestId);
+                const req = cdpRequestMap.get(requestId);
+                const resp = cdpResponseMeta.get(requestId);
+                if (req && resp && API_URL_PATTERN.test(req.url) && (resp.mimeType.includes("json") || resp.mimeType.includes("text"))) {
+                  const id = ++cdpMsgId;
+                  cdpPendingBodies.set(id, req.url);
+                  cdpWs.send(JSON.stringify({ id, method: "Network.getResponseBody", params: { requestId } }));
+                }
+              } else if (msg.id && cdpPendingBodies.has(msg.id)) {
+                const reqUrl = cdpPendingBodies.get(msg.id);
+                cdpPendingBodies.delete(msg.id);
+                if (msg.result?.body) {
+                  cdpResolvedBodies.set(reqUrl, msg.result.body);
+                }
+              }
+            } catch {}
+          };
+          cdpWs.send(JSON.stringify({ id: 1, method: "Network.enable", params: {} }));
+          await new Promise((r) => setTimeout(r, 200));
+          log("capture", "CDP network capture enabled (direct websocket)");
+        }
+      }
+    } catch {}
     let pageDomain;
     try {
       pageDomain = getRegistrableDomain(new URL(url).hostname);
@@ -5932,11 +6184,85 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
       const perfEntries = await phase("evaluate:perf", () => collectPerformanceResourceEntries(tabId));
       performanceUrls = await phase("replay-fetch", () => replayPerformanceApiResponses(tabId, perfEntries, responseBodies, url, intent));
     } catch {}
+    if (cdpRequestMap.size > 0) {
+      try {
+        const cdpRawReqs = [...cdpRequestMap.values()].map((r) => ({
+          url: r.url,
+          method: r.method,
+          request_headers: Object.fromEntries(r.headers.map((h) => [h.name.toLowerCase(), h.value])),
+          response_status: 200,
+          response_headers: {},
+          response_body: undefined,
+          timestamp: ""
+        }));
+        const authHeaders2 = extractAuthHeaders(cdpRawReqs);
+        if (Object.keys(authHeaders2).length > 0) {
+          const rawKey = `${domain}-session`;
+          const { getCredential: getCredential2 } = await init_vault().then(() => exports_vault);
+          let existing = {};
+          try {
+            const stored = await getCredential2(rawKey);
+            if (stored)
+              existing = JSON.parse(stored);
+          } catch {}
+          if (!existing.cookies || existing.cookies.length === 0) {
+            try {
+              const loginKey = `auth:${getRegistrableDomain(domain)}`;
+              const loginStored = await getCredential2(loginKey);
+              if (loginStored) {
+                const loginData = JSON.parse(loginStored);
+                if (loginData.cookies?.length)
+                  existing.cookies = loginData.cookies;
+              }
+            } catch {}
+          }
+          await storeCredential(rawKey, JSON.stringify({
+            ...existing,
+            headers: { ...existing.headers ?? {}, ...authHeaders2 }
+          }));
+          log("capture", `early auth store: ${Object.keys(authHeaders2).join(", ")} for ${domain}`);
+        }
+      } catch (e) {
+        log("capture", `early auth store failed: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
     let harEntries = [];
     try {
-      const harResult = await phase("harStop", () => harStop(tabId));
-      harEntries = harResult.entries;
+      const harPromise = harStop(tabId);
+      const timeoutPromise = new Promise((resolve) => setTimeout(() => resolve({ entries: [] }), 5000));
+      const harResult = await Promise.race([harPromise, timeoutPromise]);
+      harEntries = harResult.entries ?? [];
     } catch {}
+    if (cdpPendingBodies.size > 0) {
+      await new Promise((r) => setTimeout(r, 1500));
+    }
+    if (cdpWs) {
+      try {
+        cdpWs.close();
+      } catch {}
+    }
+    const harUrls = new Set(harEntries.map((e) => e.request?.url).filter(Boolean));
+    let cdpAdded = 0;
+    for (const [requestId, req] of cdpRequestMap) {
+      if (harUrls.has(req.url))
+        continue;
+      const resp = cdpResponseMeta.get(requestId);
+      if (!resp)
+        continue;
+      const body = cdpResolvedBodies.get(req.url);
+      harEntries.push({
+        startedDateTime: new Date().toISOString(),
+        request: { method: req.method, url: req.url, headers: req.headers, postData: req.postData ? { text: req.postData } : undefined },
+        response: { status: resp.status, headers: resp.headers, content: body ? { text: body, mimeType: resp.mimeType } : {} }
+      });
+      if (body && body.length > 0 && !responseBodies.has(req.url)) {
+        responseBodies.set(req.url, body);
+      }
+      cdpAdded++;
+    }
+    if (cdpAdded > 0) {
+      log("capture", `CDP direct capture added ${cdpAdded} entries (${cdpResolvedBodies.size} with bodies, ${harEntries.length} total HAR)`);
+    }
     const HAR_REPLAY_CT2 = /application\/json|text\/plain|\+json/i;
     let harReplayCount = 0;
     for (const entry of harEntries) {
@@ -5960,7 +6286,7 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
         const postData = method !== "GET" ? entry.request?.postData?.text : undefined;
         const replayScript = method === "GET" || !postData ? `(function(){var x=new XMLHttpRequest();x.open('GET','${harUrl.replace(/'/g, "\\'")}',false);x.send();return x.status>=200&&x.status<400?x.responseText:''})()` : `(function(){var x=new XMLHttpRequest();x.open('${method}','${harUrl.replace(/'/g, "\\'")}',false);x.setRequestHeader('Content-Type','application/json');x.send(${JSON.stringify(postData)});return x.status>=200&&x.status<400?x.responseText:''})()`;
         const body = await phase("har-replay", () => evaluate(tabId, replayScript));
-        if (typeof body === "string" && body.length > 0 && body.length < 512 * 1024) {
+        if (typeof body === "string" && body.length > 0 && body.length < 524288) {
           responseBodies.set(harUrl, body);
           harReplayCount++;
           log("capture", `har-replay-fetched ${harUrl.substring(0, 80)} (${body.length}B)`);
@@ -5988,7 +6314,7 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
       html = await phase("getPageHtml", () => getPageHtml(tabId));
     } catch {}
     const SSR_DATA_EXTRACTORS = [
-      { name: "ytmusic", script: `(function(){try{var d=ytcfg.get('YTMUSIC_INITIAL_DATA');if(!d||!d.length)return null;var out={};d.forEach(function(x){if(x.path&&x.data)out[x.path]=x.data});return JSON.stringify(out)}catch(e){return null}})()` },
+      { name: "ytmusic", script: `(function(){try{var d=ytcfg.get('YTMUSIC_INITIAL_DATA');if(!d||!d.length)return null;var out={};d.forEach(function(x){if(x.path&&x.data)out[x.path]=x.data});out.__apiKey=ytcfg.get('INNERTUBE_API_KEY')||'';out.__context=ytcfg.get('INNERTUBE_CONTEXT')||null;return JSON.stringify(out)}catch(e){return null}})()` },
       { name: "youtube", script: `(function(){try{return typeof ytInitialData!=='undefined'?JSON.stringify(ytInitialData):null}catch(e){return null}})()` },
       { name: "nextjs", script: `(function(){try{return window.__NEXT_DATA__?JSON.stringify(window.__NEXT_DATA__):null}catch(e){return null}})()` },
       { name: "nuxt", script: `(function(){try{return window.__NUXT__?JSON.stringify(window.__NUXT__):null}catch(e){return null}})()` }
@@ -6000,8 +6326,12 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
         if (typeof raw !== "string" || !raw || raw === "null")
           continue;
         if (extractor.name === "ytmusic") {
-          const paths = JSON.parse(raw);
-          for (const [path4, data] of Object.entries(paths)) {
+          const parsed = JSON.parse(raw);
+          const apiKey = parsed.__apiKey || "";
+          const innertubeContext = parsed.__context;
+          delete parsed.__apiKey;
+          delete parsed.__context;
+          for (const [path4, data] of Object.entries(parsed)) {
             if (!data || typeof data !== "object")
               continue;
             const cleaned = { ...data };
@@ -6022,12 +6352,15 @@ async function captureSession(url, authHeaders, cookies, intent, options) {
               continue;
             const origin = new URL(url).origin;
             const contextParams = new URL(url).searchParams;
-            const queryStr = path4.includes("search") && contextParams.toString() ? `?${contextParams.toString()}&prettyPrint=false` : "?prettyPrint=false";
+            const keyParam = apiKey ? `key=${apiKey}&` : "";
+            const queryStr = path4.includes("search") && contextParams.toString() ? `?${keyParam}${contextParams.toString()}&prettyPrint=false` : `?${keyParam}prettyPrint=false`;
             const syntheticUrl = `${origin}/youtubei/v1${path4}${queryStr}`;
             responseBodies.set(syntheticUrl, bodyStr);
+            const queryValue = contextParams.get("q") ?? "";
+            const postBody = path4.includes("search") && innertubeContext ? JSON.stringify({ context: innertubeContext, query: queryValue }) : path4.includes("browse") && innertubeContext ? JSON.stringify({ context: innertubeContext, browseId: "FEmusic_liked_videos" }) : JSON.stringify({ context: innertubeContext ?? {} });
             harEntries.push({
               startedDateTime: new Date().toISOString(),
-              request: { method: "POST", url: syntheticUrl, headers: [{ name: "content-type", value: "application/json" }], postData: { text: "{}" } },
+              request: { method: "POST", url: syntheticUrl, headers: [{ name: "content-type", value: "application/json" }], postData: { text: postBody } },
               response: { status: 200, headers: [{ name: "content-type", value: "application/json" }], content: { text: bodyStr, mimeType: "application/json" } }
             });
             embeddedDataCount++;
@@ -6523,11 +6856,13 @@ var MAX_CONCURRENT_TABS = 3, activeTabs = 0, waitQueue, activeTabRegistry, inter
     return origSend.apply(this, arguments);
   };
 })()`, REPLAY_SKIP, HAR_REPLAY_CT;
-var init_capture = __esm(() => {
+var init_capture = __esm(async () => {
   init_client();
   init_domain();
   init_logger();
+  init_reverse_engineer();
   init_browser_access();
+  await init_vault();
   waitQueue = [];
   activeTabRegistry = new Set;
   interceptorInjectedTabs = new Set;
@@ -6544,17 +6879,17 @@ var init_capture = __esm(() => {
 });
 
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.2.2", BUILD_GIT_SHA = "150cce0d751e", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjIiLCJnaXRfc2hhIjoiMTUwY2NlMGQ3NTFlIiwiY29kZV9oYXNoIjoiMTQ4OGZjMWQ5MmI3IiwidHJhY2VfdmVyc2lvbiI6IjE0ODhmYzFkOTJiN0AxNTBjY2UwZDc1MWUiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTA2VDA4OjQ2OjM5LjIwNVoifQ", BUILD_RELEASE_MANIFEST_SIGNATURE = "ZS7C10DGuwyn1m02shMHyz6cN5UbTHfa8yqnkELg_L8", BUILD_DEFAULT_BACKEND_URL = "https://beta-api.unbrowse.ai";
+var BUILD_RELEASE_VERSION = "3.2.2", BUILD_GIT_SHA = "150cce0d751e", BUILD_CODE_HASH = "1488fc1d92b7", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy4yLjIiLCJnaXRfc2hhIjoiMTUwY2NlMGQ3NTFlIiwiY29kZV9oYXNoIjoiMTQ4OGZjMWQ5MmI3IiwidHJhY2VfdmVyc2lvbiI6IjE0ODhmYzFkOTJiN0AxNTBjY2UwZDc1MWUiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTA2VDExOjU4OjM1LjkxNFoifQ", BUILD_RELEASE_MANIFEST_SIGNATURE = "Lfph_KbGZrv74O5Pnop_b_0GcSTspB27fOgkCMZK6tk", BUILD_DEFAULT_BACKEND_URL = "https://beta-api.unbrowse.ai";
 
 // ../../src/version.ts
 import { createHash } from "crypto";
-import { existsSync as existsSync3, readFileSync, readdirSync } from "fs";
-import { dirname, join as join2, parse } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync2, readdirSync } from "fs";
+import { dirname, join as join3, parse } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function collectTsFiles(dir) {
   const results = [];
   for (const entry of readdirSync(dir, { withFileTypes: true })) {
-    const full = join2(dir, entry.name);
+    const full = join3(dir, entry.name);
     if (entry.isDirectory() && entry.name !== "node_modules") {
       results.push(...collectTsFiles(full));
     } else if (entry.name.endsWith(".ts")) {
@@ -6567,21 +6902,21 @@ function hashFiles(srcDir, files) {
   const hash = createHash("sha256");
   for (const file of files) {
     hash.update(file.slice(srcDir.length));
-    hash.update(readFileSync(file, "utf-8"));
+    hash.update(readFileSync2(file, "utf-8"));
   }
   return hash.digest("hex").slice(0, 12);
 }
 function resolveCodeHashSourceDir(moduleDir) {
   const candidates = [
     moduleDir,
-    join2(moduleDir, "runtime-src"),
-    join2(moduleDir, "..", "runtime-src"),
-    join2(moduleDir, "src"),
-    join2(moduleDir, "..", "src")
+    join3(moduleDir, "runtime-src"),
+    join3(moduleDir, "..", "runtime-src"),
+    join3(moduleDir, "src"),
+    join3(moduleDir, "..", "src")
   ];
   for (const candidate of candidates) {
     try {
-      if (!existsSync3(candidate))
+      if (!existsSync4(candidate))
         continue;
       const files = collectTsFiles(candidate);
       if (files.length > 0)
@@ -6631,7 +6966,7 @@ function getPackageVersionForModuleDir(moduleDir) {
   const root = parse(dir).root;
   while (true) {
     try {
-      const pkg = JSON.parse(readFileSync(join2(dir, "package.json"), "utf-8"));
+      const pkg = JSON.parse(readFileSync2(join3(dir, "package.json"), "utf-8"));
       return typeof pkg.version === "string" ? pkg.version : "unknown";
     } catch {}
     if (dir === root)
@@ -6735,18 +7070,18 @@ async function ensureCascadeSplitForSkill(skill, deps = {}) {
 var init_cascade = () => {};
 
 // ../../src/payments/wallet.ts
-import { existsSync as existsSync4, readFileSync as readFileSync2 } from "node:fs";
-import { homedir } from "node:os";
-import { join as join3 } from "node:path";
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { join as join4 } from "node:path";
 function asNonEmptyString(value) {
   return typeof value === "string" && value.trim() ? value.trim() : undefined;
 }
 function getLobsterWalletFromLocalConfig() {
-  const agentsPath = join3(process.env.HOME || homedir(), ".lobster", "agents.json");
-  if (!existsSync4(agentsPath))
+  const agentsPath = join4(process.env.HOME || homedir2(), ".lobster", "agents.json");
+  if (!existsSync5(agentsPath))
     return;
   try {
-    const raw = JSON.parse(readFileSync2(agentsPath, "utf8"));
+    const raw = JSON.parse(readFileSync3(agentsPath, "utf8"));
     const activeAgentId = asNonEmptyString(raw.activeAgentId);
     const activeAgent = Array.isArray(raw.agents) ? raw.agents.find((agent) => asNonEmptyString(agent.id) === activeAgentId) : activeAgentId ? raw.agents?.[activeAgentId] : undefined;
     return asNonEmptyString(activeAgent?.authorizedWallets?.solana) ?? asNonEmptyString(activeAgent?.walletAddress) ?? asNonEmptyString(activeAgent?.wallet_address);
@@ -6897,9 +7232,9 @@ __export(exports_lobster_pay, {
   isLobsterAvailable: () => isLobsterAvailable
 });
 import { execFile, execFileSync as execFileSync2 } from "node:child_process";
-import { existsSync as existsSync5 } from "node:fs";
-import { homedir as homedir2 } from "node:os";
-import { join as join4 } from "node:path";
+import { existsSync as existsSync6 } from "node:fs";
+import { homedir as homedir3 } from "node:os";
+import { join as join5 } from "node:path";
 function getLobsterCommand() {
   try {
     execFileSync2("lobstercash", ["--version"], { stdio: "ignore", timeout: 3000 });
@@ -6907,8 +7242,8 @@ function getLobsterCommand() {
   } catch (_e) {}
   try {
     const npmPrefix = execFileSync2("npm", ["config", "get", "prefix"], { encoding: "utf8", timeout: 5000 }).trim();
-    const lobsterPath = join4(npmPrefix, "bin", "lobstercash");
-    if (existsSync5(lobsterPath)) {
+    const lobsterPath = join5(npmPrefix, "bin", "lobstercash");
+    if (existsSync6(lobsterPath)) {
       execFileSync2(lobsterPath, ["--version"], { stdio: "ignore", timeout: 3000 });
       return { cmd: lobsterPath, prefix: [] };
     }
@@ -6921,8 +7256,8 @@ function lobsterCmd() {
   return cachedCommand;
 }
 function isLobsterAvailable() {
-  const agentsPath = join4(process.env.HOME || homedir2(), ".lobster", "agents.json");
-  return existsSync5(agentsPath);
+  const agentsPath = join5(process.env.HOME || homedir3(), ".lobster", "agents.json");
+  return existsSync6(agentsPath);
 }
 function lobsterX402Fetch(url, options) {
   return new Promise((resolve) => {
@@ -7054,10 +7389,10 @@ __export(exports_client2, {
   buildDefaultAgentName: () => buildDefaultAgentName,
   autoFileIssue: () => autoFileIssue
 });
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync2, existsSync as existsSync6, mkdirSync as mkdirSync3, readdirSync as readdirSync2 } from "fs";
-import { join as join5 } from "path";
-import { homedir as homedir3, hostname, release as osRelease } from "os";
-import { randomBytes, createHash as createHash3 } from "crypto";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync7, mkdirSync as mkdirSync4, readdirSync as readdirSync2 } from "fs";
+import { join as join6 } from "path";
+import { homedir as homedir4, hostname, release as osRelease } from "os";
+import { randomBytes as randomBytes2, createHash as createHash3 } from "crypto";
 import { createInterface } from "readline";
 function buildReleaseAttestationHeaders(manifestBase64, signature) {
   const manifest = manifestBase64.trim();
@@ -7091,18 +7426,18 @@ function scopedSkillKey(skillId, scopeId) {
   return scopeId ? `${scopeId}:${skillId}` : skillId;
 }
 function getSkillCacheDir() {
-  return process.env.UNBROWSE_SKILL_CACHE_DIR || join5(getConfigDir(), "skill-cache");
+  return process.env.UNBROWSE_SKILL_CACHE_DIR || join6(getConfigDir(), "skill-cache");
 }
 function getConfigDir() {
   if (process.env.UNBROWSE_CONFIG_DIR)
     return process.env.UNBROWSE_CONFIG_DIR;
-  return PROFILE_NAME ? join5(homedir3(), ".unbrowse", "profiles", PROFILE_NAME) : join5(homedir3(), ".unbrowse");
+  return PROFILE_NAME ? join6(homedir4(), ".unbrowse", "profiles", PROFILE_NAME) : join6(homedir4(), ".unbrowse");
 }
 function getConfigPath() {
-  return join5(getConfigDir(), "config.json");
+  return join6(getConfigDir(), "config.json");
 }
 function getInstallTelemetryPath() {
-  return join5(getConfigDir(), "install-state.json");
+  return join6(getConfigDir(), "install-state.json");
 }
 function getLandingToken() {
   const token = process.env.UNBROWSE_LANDING_TOKEN?.trim();
@@ -7120,8 +7455,8 @@ function isLocalOnlyMode() {
 function loadConfig() {
   try {
     const configPath = getConfigPath();
-    if (existsSync6(configPath)) {
-      return JSON.parse(readFileSync3(configPath, "utf-8"));
+    if (existsSync7(configPath)) {
+      return JSON.parse(readFileSync4(configPath, "utf-8"));
     }
   } catch {}
   return null;
@@ -7129,15 +7464,15 @@ function loadConfig() {
 function saveConfig(config) {
   const configDir = getConfigDir();
   const configPath = getConfigPath();
-  if (!existsSync6(configDir))
-    mkdirSync3(configDir, { recursive: true });
-  writeFileSync2(configPath, JSON.stringify(config, null, 2), { mode: 384 });
+  if (!existsSync7(configDir))
+    mkdirSync4(configDir, { recursive: true });
+  writeFileSync3(configPath, JSON.stringify(config, null, 2), { mode: 384 });
 }
 function loadInstallTelemetryState() {
   try {
     const statePath = getInstallTelemetryPath();
-    if (existsSync6(statePath)) {
-      return JSON.parse(readFileSync3(statePath, "utf-8"));
+    if (existsSync7(statePath)) {
+      return JSON.parse(readFileSync4(statePath, "utf-8"));
     }
   } catch {}
   return null;
@@ -7145,13 +7480,13 @@ function loadInstallTelemetryState() {
 function saveInstallTelemetryState(state) {
   const configDir = getConfigDir();
   const statePath = getInstallTelemetryPath();
-  if (!existsSync6(configDir))
-    mkdirSync3(configDir, { recursive: true });
-  writeFileSync2(statePath, JSON.stringify(state, null, 2), { mode: 384 });
+  if (!existsSync7(configDir))
+    mkdirSync4(configDir, { recursive: true });
+  writeFileSync3(statePath, JSON.stringify(state, null, 2), { mode: 384 });
 }
 function createInstallTelemetryState() {
   return {
-    install_id: `install_${randomBytes(8).toString("hex")}`,
+    install_id: `install_${randomBytes2(8).toString("hex")}`,
     first_seen_at: new Date().toISOString()
   };
 }
@@ -7291,7 +7626,7 @@ function isValidAgentEmail(value) {
   return EMAIL_RE.test(normalizeAgentEmail(value));
 }
 function buildDefaultAgentName() {
-  return `${hostname()}-${randomBytes(3).toString("hex")}`;
+  return `${hostname()}-${randomBytes2(3).toString("hex")}`;
 }
 function resolveAgentName(preferredEmail, fallbackName) {
   const normalized = normalizeAgentEmail(preferredEmail ?? "");
@@ -7646,11 +7981,11 @@ async function waitForBackgroundRegistration(timeoutMs = 0) {
   ]);
 }
 function skillCachePath(skillId) {
-  return join5(getSkillCacheDir(), `${skillId}.json`);
+  return join6(getSkillCacheDir(), `${skillId}.json`);
 }
 function readSkillCache(skillId) {
   try {
-    const raw = readFileSync3(skillCachePath(skillId), "utf-8");
+    const raw = readFileSync4(skillCachePath(skillId), "utf-8");
     return JSON.parse(raw);
   } catch {
     return null;
@@ -7660,8 +7995,8 @@ function writeSkillCache(skill, scopeId) {
   try {
     recentLocalSkills.set(scopedSkillKey(skill.skill_id, scopeId), skill);
     const skillCacheDir = getSkillCacheDir();
-    if (!existsSync6(skillCacheDir))
-      mkdirSync3(skillCacheDir, { recursive: true });
+    if (!existsSync7(skillCacheDir))
+      mkdirSync4(skillCacheDir, { recursive: true });
     const existing = readSkillCache(skill.skill_id);
     if (existing) {
       for (const ep of skill.endpoints) {
@@ -7677,7 +8012,7 @@ function writeSkillCache(skill, scopeId) {
     const hasStrategy = skill.endpoints.some((e) => e.exec_strategy);
     if (hasStrategy)
       console.log(`[cache] writing skill ${skill.skill_id} with exec_strategy`);
-    writeFileSync2(skillCachePath(skill.skill_id), JSON.stringify(skill), "utf-8");
+    writeFileSync3(skillCachePath(skill.skill_id), JSON.stringify(skill), "utf-8");
   } catch {}
 }
 function cachePublishedSkill(skill, scopeId) {
@@ -7712,7 +8047,7 @@ function isIntentCompatible(lhs, rhs) {
 function findExistingSkillForDomain(domain, intent) {
   try {
     const skillCacheDir = getSkillCacheDir();
-    if (!existsSync6(skillCacheDir))
+    if (!existsSync7(skillCacheDir))
       return null;
     const files = readdirSync2(skillCacheDir);
     let compatible = null;
@@ -7721,7 +8056,7 @@ function findExistingSkillForDomain(domain, intent) {
       if (!f.endsWith(".json") || f === "browser-capture.json")
         continue;
       try {
-        const raw = readFileSync3(join5(skillCacheDir, f), "utf-8");
+        const raw = readFileSync4(join6(skillCacheDir, f), "utf-8");
         const skill = JSON.parse(raw);
         if (skill.domain === domain && skill.execution_type === "http") {
           if (!fallback)
@@ -7771,11 +8106,11 @@ async function getSkillChunk2(skillId, opts) {
 async function listSkills() {
   if (LOCAL_ONLY) {
     try {
-      if (!existsSync6(SKILL_CACHE_DIR))
+      if (!existsSync7(SKILL_CACHE_DIR))
         return [];
       return readdirSync2(SKILL_CACHE_DIR).filter((file) => file.endsWith(".json")).map((file) => {
         try {
-          return JSON.parse(readFileSync3(join5(SKILL_CACHE_DIR, file), "utf-8"));
+          return JSON.parse(readFileSync4(join6(SKILL_CACHE_DIR, file), "utf-8"));
         } catch {
           return null;
         }
@@ -8467,10 +8802,10 @@ var init_publish_admission = __esm(() => {
 
 // ../../src/telemetry.ts
 import { createHash as createHash4 } from "node:crypto";
-import { existsSync as existsSync7, mkdirSync as mkdirSync4, writeFileSync as writeFileSync3 } from "node:fs";
-import { join as join6 } from "node:path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync5, writeFileSync as writeFileSync4 } from "node:fs";
+import { join as join7 } from "node:path";
 function getTraceDir() {
-  return process.env.UNBROWSE_TRACES_DIR ?? join6(process.env.HOME ?? "/tmp", ".unbrowse", "traces");
+  return process.env.UNBROWSE_TRACES_DIR ?? join7(process.env.HOME ?? "/tmp", ".unbrowse", "traces");
 }
 function isTracingEnabled() {
   return process.env.UNBROWSE_DISABLE_TRACES !== "1";
@@ -8544,11 +8879,11 @@ function emitRouteTrace(params) {
   };
   try {
     const traceDir = getTraceDir();
-    if (!existsSync7(traceDir))
-      mkdirSync4(traceDir, { recursive: true });
+    if (!existsSync8(traceDir))
+      mkdirSync5(traceDir, { recursive: true });
     const stamp = params.started_at.replace(/[:.]/g, "-");
-    const file = join6(traceDir, `${stamp}-${params.outcome}-${params.trace_id}.json`);
-    writeFileSync3(file, JSON.stringify(artifact, null, 2), "utf-8");
+    const file = join7(traceDir, `${stamp}-${params.outcome}-${params.trace_id}.json`);
+    writeFileSync4(file, JSON.stringify(artifact, null, 2), "utf-8");
     return file;
   } catch {
     return null;
@@ -9184,161 +9519,6 @@ var init_token_resolver = __esm(() => {
   init_token_sources();
 });
 
-// ../../src/vault/index.ts
-import { createCipheriv, createDecipheriv, randomBytes as randomBytes2 } from "crypto";
-import { existsSync as existsSync8, mkdirSync as mkdirSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
-import { join as join7 } from "path";
-import { homedir as homedir4 } from "os";
-function normalizeKeytarModule(mod) {
-  let candidate = mod;
-  for (let depth = 0;depth < 3; depth++) {
-    if (!candidate || typeof candidate !== "object" || !("default" in candidate))
-      break;
-    candidate = candidate.default;
-  }
-  if (!candidate)
-    return null;
-  if (typeof candidate.setPassword === "function" && typeof candidate.getPassword === "function" && typeof candidate.deletePassword === "function") {
-    return candidate;
-  }
-  return null;
-}
-function isKeytarBindingError(error) {
-  const message = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
-  return KEYTAR_BINDING_ERROR_RE.test(message);
-}
-function disableKeytar(error) {
-  keytar = null;
-  if (keytarFallbackLogged)
-    return;
-  const summary = error instanceof Error ? error.message : String(error);
-  log("vault", `keytar runtime unavailable (${summary}); using encrypted file fallback`);
-  keytarFallbackLogged = true;
-}
-async function callKeytar(op) {
-  if (!keytar)
-    return KEYTAR_UNAVAILABLE;
-  try {
-    return await op(keytar);
-  } catch (error) {
-    if (!isKeytarBindingError(error))
-      throw error;
-    disableKeytar(error);
-    return KEYTAR_UNAVAILABLE;
-  }
-}
-function getOrCreateKey() {
-  if (!existsSync8(VAULT_DIR))
-    mkdirSync5(VAULT_DIR, { recursive: true, mode: 448 });
-  if (existsSync8(KEY_FILE))
-    return readFileSync4(KEY_FILE);
-  const key = randomBytes2(32);
-  writeFileSync4(KEY_FILE, key, { mode: 384 });
-  return key;
-}
-function withVaultLock(fn) {
-  const prev = vaultLock;
-  let release;
-  vaultLock = new Promise((r) => {
-    release = r;
-  });
-  return prev.then(fn).finally(() => release());
-}
-function readVaultFile() {
-  if (!existsSync8(VAULT_FILE))
-    return {};
-  try {
-    const key = getOrCreateKey();
-    const raw = readFileSync4(VAULT_FILE);
-    const iv = raw.subarray(0, 16);
-    const enc = raw.subarray(16);
-    const decipher = createDecipheriv("aes-256-cbc", key, iv);
-    const dec = Buffer.concat([decipher.update(enc), decipher.final()]);
-    return JSON.parse(dec.toString("utf8"));
-  } catch {
-    return {};
-  }
-}
-function writeVaultFile(data) {
-  const key = getOrCreateKey();
-  const iv = randomBytes2(16);
-  const cipher = createCipheriv("aes-256-cbc", key, iv);
-  const enc = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
-  writeFileSync4(VAULT_FILE, Buffer.concat([iv, enc]), { mode: 384 });
-}
-async function storeCredential(account, value, opts) {
-  const wrapped = {
-    value,
-    stored_at: new Date().toISOString(),
-    expires_at: opts?.expires_at,
-    max_age_ms: opts?.max_age_ms
-  };
-  const serialized = JSON.stringify(wrapped);
-  const keytarResult = await callKeytar((client) => client.setPassword(SERVICE, account, serialized));
-  if (keytarResult !== KEYTAR_UNAVAILABLE)
-    return;
-  await withVaultLock(() => {
-    const data = readVaultFile();
-    data[account] = serialized;
-    writeVaultFile(data);
-  });
-}
-function isExpired(cred) {
-  if (cred.expires_at) {
-    return new Date(cred.expires_at).getTime() <= Date.now();
-  }
-  if (cred.max_age_ms) {
-    return new Date(cred.stored_at).getTime() + cred.max_age_ms <= Date.now();
-  }
-  return false;
-}
-async function getCredential(account) {
-  let raw;
-  const keytarResult = await callKeytar((client) => client.getPassword(SERVICE, account));
-  if (keytarResult !== KEYTAR_UNAVAILABLE) {
-    raw = keytarResult;
-  } else {
-    const data = readVaultFile();
-    raw = data[account] ?? null;
-  }
-  if (!raw)
-    return null;
-  try {
-    const parsed = JSON.parse(raw);
-    if (parsed.value && parsed.stored_at) {
-      if (isExpired(parsed)) {
-        await deleteCredential(account);
-        return null;
-      }
-      return parsed.value;
-    }
-  } catch {}
-  return raw;
-}
-async function deleteCredential(account) {
-  const keytarResult = await callKeytar((client) => client.deletePassword(SERVICE, account));
-  if (keytarResult !== KEYTAR_UNAVAILABLE)
-    return;
-  await withVaultLock(() => {
-    const data = readVaultFile();
-    delete data[account];
-    writeVaultFile(data);
-  });
-}
-var KEYTAR_UNAVAILABLE, KEYTAR_BINDING_ERROR_RE, keytar = null, keytarFallbackLogged = false, SERVICE = "unbrowse", VAULT_DIR, VAULT_FILE, KEY_FILE, vaultLock;
-var init_vault = __esm(async () => {
-  init_logger();
-  KEYTAR_UNAVAILABLE = Symbol("KEYTAR_UNAVAILABLE");
-  KEYTAR_BINDING_ERROR_RE = /(keytar(?:\.node)?|native bindings?|bindings file|no native build was found|could not locate the bindings file|module did not self-register|err_dlopen_failed|dlopen\(|compiled against a different node\.js version|cannot find module .*keytar|wasm is not supported on this platform|(set|get|delete)password is not a function)/i;
-  try {
-    keytar = normalizeKeytarModule(await import("keytar"));
-  } catch {}
-  VAULT_DIR = join7(homedir4(), ".unbrowse", "vault");
-  VAULT_FILE = join7(VAULT_DIR, "credentials.enc");
-  KEY_FILE = join7(VAULT_DIR, ".key");
-  vaultLock = Promise.resolve();
-});
-
 // ../../src/runtime/supervisor.ts
 function getDefaultLoginConfig(headless) {
   return {
@@ -14010,6 +14190,10 @@ function validateWorkflowReplayParams(recipe, params) {
       continue;
     const value = valueForSpec(spec, params);
     if (spec.required && (value == null || value === "")) {
+      if (spec.default_value != null && spec.default_value !== "")
+        continue;
+      if (spec.example_value != null && spec.example_value !== "")
+        continue;
       errors.push({ name: spec.name, reason: "required" });
       continue;
     }
@@ -14304,18 +14488,27 @@ async function reloadExecutionAuthState(skill, epDomain, authHeaders, cookies) {
         cookies.push(...resolved);
     } catch {}
   }
-  if (Object.keys(authHeaders).length === 0) {
-    try {
-      const sessionKey = `${getRegistrableDomain(epDomain)}-session`;
-      const sessionData = await getCredential(sessionKey);
-      if (sessionData) {
-        const parsed = JSON.parse(sessionData);
-        if (parsed.headers)
-          Object.assign(authHeaders, parsed.headers);
-        if (parsed.cookies && cookies.length === 0)
-          cookies.push(...parsed.cookies);
-      }
-    } catch {}
+  {
+    for (const sessionKey of [`${epDomain}-session`, `${getRegistrableDomain(epDomain)}-session`]) {
+      try {
+        const sessionData = await getCredential(sessionKey);
+        if (sessionData) {
+          const parsed = JSON.parse(sessionData);
+          if (parsed.headers)
+            Object.assign(authHeaders, parsed.headers);
+          if (parsed.cookies && cookies.length === 0)
+            cookies.push(...parsed.cookies);
+          if (Object.keys(authHeaders).length > 0)
+            break;
+        }
+      } catch {}
+    }
+  }
+  if (cookies.length > 0 && authHeaders["csrf-token"]) {
+    const jsessionId = cookies.find((c) => c.name === "JSESSIONID");
+    if (jsessionId) {
+      authHeaders["csrf-token"] = jsessionId.value.replace(/"/g, "");
+    }
   }
 }
 function persistWorkflowArtifactForCapture(artifactSkill, captured, capturedAuthHeaders) {
@@ -15336,10 +15529,13 @@ async function executeBrowserCapture(skill, params, options) {
     }));
   }
   if (!auth_profile_ref) {
-    const vaultKey = `auth:${targetDomain}`;
-    const hasStoredAuth = await getCredential(vaultKey) != null;
-    if (hasStoredAuth)
-      auth_profile_ref = vaultKey;
+    for (const vaultKey of [`auth:${targetDomain}`, `${domain}-session`, `${targetDomain}-session`]) {
+      const hasStoredAuth = await getCredential(vaultKey) != null;
+      if (hasStoredAuth) {
+        auth_profile_ref = vaultKey;
+        break;
+      }
+    }
   }
   const authBackedCapture = usedStoredAuth || !!auth_profile_ref;
   if (authBackedCapture) {
@@ -15920,7 +16116,7 @@ async function executeEndpoint(skill, endpoint, params = {}, projection, options
           u.searchParams.set(k, String(v));
         }
       }
-      urlTemplate = restoreTemplatePlaceholderEncoding(u.toString());
+      urlTemplate = restoreTemplatePlaceholderEncoding(u.toString()).replace(/%28/gi, "(").replace(/%29/gi, ")").replace(/%2C/gi, ",").replace(/%3A/gi, ":");
     } catch {}
   }
   let url = interpolate(urlTemplate, mergedParams);
@@ -16056,7 +16252,7 @@ async function executeEndpoint(skill, endpoint, params = {}, projection, options
     let last = { data: null, status: 0 };
     for (const replayUrl of replayUrls) {
       const replayHeaders = buildStructuredReplayHeaders(url, replayUrl, headers);
-      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 80)} auth=${(replayHeaders["authorization"] || "none").substring(0, 50)} csrf=${replayHeaders["x-csrf-token"]?.substring(0, 10)}... cookies=${replayHeaders["cookie"]?.length ?? 0}chars`);
+      log("exec", `server-fetch: ${endpoint.method} ${replayUrl.substring(0, 200)} csrf-token=${(replayHeaders["csrf-token"] || "none").substring(0, 20)}... hdrs=${Object.keys(replayHeaders).length} cookies=${replayHeaders["cookie"]?.length ?? 0}chars`);
       const res = await fetch(replayUrl, {
         method: endpoint.method,
         headers: replayHeaders,
@@ -16460,7 +16656,12 @@ function interpolate(template, params) {
   const base = template.substring(0, qIdx);
   const query = template.substring(qIdx + 1);
   const interpolatedBase = base.replace(/\{(\w+)\}/g, (_, k) => params[k] != null ? String(params[k]) : `{${k}}`);
-  const interpolatedQuery = query.replace(/\{(\w+)\}/g, (_, k) => params[k] != null ? encodeURIComponent(String(params[k])) : `{${k}}`);
+  const interpolatedQuery = query.replace(/\{(\w+)\}/g, (_, k) => {
+    if (params[k] == null)
+      return `{${k}}`;
+    const val = String(params[k]);
+    return val.replace(/[#&=\s]/g, (ch) => encodeURIComponent(ch));
+  });
   return `${interpolatedBase}?${interpolatedQuery}`;
 }
 function interpolateObj(obj, params) {
@@ -17020,8 +17221,6 @@ function isSpaShell(html) {
 }
 var DEFAULT_BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36", VALID_VERIFICATION_STATUSES, BM25_K1 = 1.2, BM25_B = 0.75, STOPWORDS, SYNONYMS;
 var init_execution = __esm(async () => {
-  init_capture();
-  init_capture();
   init_reverse_engineer();
   init_bundle_scanner();
   init_token_resolver();
@@ -17045,6 +17244,8 @@ var init_execution = __esm(async () => {
   init_compile();
   init_publish();
   await __promiseAll([
+    init_capture(),
+    init_capture(),
     init_vault(),
     init_auth(),
     init_indexer(),
@@ -19694,7 +19895,7 @@ async function resolveAndExecute(intent, params = {}, context, projection, optio
       for (const cookie of cookies)
         await setCookie(handoffTabId, cookie).catch(() => {});
     } catch {}
-    await evaluate(handoffTabId, (await Promise.resolve().then(() => (init_capture(), exports_capture))).INTERCEPTOR_SCRIPT).catch(() => {});
+    await evaluate(handoffTabId, (await init_capture().then(() => exports_capture)).INTERCEPTOR_SCRIPT).catch(() => {});
     await harStart(handoffTabId).catch(() => {});
     try {
       const routesModule = await init_routes().then(() => exports_routes);
@@ -24195,13 +24396,13 @@ function schedulePeriodicVerification() {
   }, VERIFICATION_INTERVAL_MS);
 }
 var VERIFICATION_INTERVAL_MS, VERIFY_ENDPOINT_BATCH_SIZE;
-var init_verification = __esm(() => {
-  init_capture();
+var init_verification = __esm(async () => {
   init_marketplace();
   init_marketplace();
   init_drift();
   init_matrix();
   init_candidates();
+  await init_capture();
   VERIFICATION_INTERVAL_MS = 6 * 60 * 60 * 1000;
   VERIFY_ENDPOINT_BATCH_SIZE = Math.max(1, Number(process.env.UNBROWSE_VERIFY_ENDPOINT_BATCH_SIZE ?? 3));
 });
@@ -24308,9 +24509,11 @@ function schedulePeriodicStaleCleanup() {
 var VERIFY_TIMEOUT_MS, CLEANUP_INTERVAL_MS, CLEANUP_BATCH_SIZE, CLEANUP_VERIFY_ENDPOINT_LIMIT;
 var init_stale_cleanup_runner = __esm(async () => {
   init_marketplace();
-  init_verification();
   init_candidates();
-  await init_orchestrator();
+  await __promiseAll([
+    init_verification(),
+    init_orchestrator()
+  ]);
   VERIFY_TIMEOUT_MS = Math.max(5000, Number(process.env.UNBROWSE_STALE_VERIFY_TIMEOUT_MS ?? 15000));
   CLEANUP_INTERVAL_MS = Math.max(30 * 60 * 1000, Number(process.env.UNBROWSE_STALE_CLEANUP_INTERVAL_MS ?? 6 * 60 * 60 * 1000));
   CLEANUP_BATCH_SIZE = Math.max(1, Number(process.env.UNBROWSE_STALE_CLEANUP_BATCH_SIZE ?? 25));
@@ -25352,7 +25555,7 @@ async function registerRoutes(app) {
     if (!skill)
       return reply.code(404).send({ error: "Skill not found" });
     try {
-      const { verifySkill: verifySkill2 } = await Promise.resolve().then(() => (init_verification(), exports_verification));
+      const { verifySkill: verifySkill2 } = await init_verification().then(() => exports_verification);
       const results = await verifySkill2(skill);
       return reply.send({ skill_id, verification: results });
     } catch (err) {
@@ -25945,7 +26148,6 @@ var BETA_API_URL, TRACES_DIR, BROWSE_BROKER_MAX, BROWSE_BROKER_BASE_PORT, browse
 var init_routes = __esm(async () => {
   init_client();
   init_reverse_engineer();
-  init_capture();
   init_marketplace();
   init_graph();
   init_client2();
@@ -25964,6 +26166,7 @@ var init_routes = __esm(async () => {
   init_schema_review();
   init_artifact();
   await __promiseAll([
+    init_capture(),
     init_indexer(),
     init_vault(),
     init_orchestrator(),
@@ -25986,12 +26189,12 @@ import { config as loadEnv } from "dotenv";
 
 // ../../src/server.ts
 init_ratelimit();
-init_verification();
 init_client2();
-init_capture();
 init_version();
 await __promiseAll([
   init_routes(),
+  init_verification(),
+  init_capture(),
   init_stale_cleanup_runner()
 ]);
 import { execSync as execSync2 } from "node:child_process";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbrowse",
-  "version": "3.2.2",
+  "version": "3.2.3",
   "description": "Reverse-engineer any website into reusable API skills. Zero-dep single binary with embedded browser engine.",
   "type": "module",
   "bin": {