npm - unbrowse - Versions diffs - 3.5.4 → 3.6.0-preview.0 - Mend

unbrowse 3.5.4 → 3.6.0-preview.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js CHANGED Viewed

@@ -31,7 +31,7 @@ var __promiseAll = (args) => Promise.all(args);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 // ../../src/build-info.generated.ts
-var BUILD_RELEASE_VERSION = "3.5.4", BUILD_GIT_SHA = "e14c693e42f0", BUILD_CODE_HASH = "5d9ebf619c61", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy41LjQiLCJnaXRfc2hhIjoiZTE0YzY5M2U0MmYwIiwiY29kZV9oYXNoIjoiNWQ5ZWJmNjE5YzYxIiwidHJhY2VfdmVyc2lvbiI6IjVkOWViZjYxOWM2MUBlMTRjNjkzZTQyZjAiLCJpc3N1ZWRfYXQiOiIyMDI2LTA0LTA5VDE4OjEyOjAxLjE4OVoifQ", BUILD_RELEASE_MANIFEST_SIGNATURE = "MQYUcKr6SaFhd8PR79a_yn8ew_74o9mSDnH47V0Jqm0", BUILD_DEFAULT_BACKEND_URL = "https://beta-api.unbrowse.ai";
+var BUILD_RELEASE_VERSION = "3.6.0-preview.0", BUILD_GIT_SHA = "53592d89047b", BUILD_CODE_HASH = "5d9ebf619c61", BUILD_RELEASE_MANIFEST_BASE64 = "eyJzY2hlbWFfdmVyc2lvbiI6MSwicmVsZWFzZV92ZXJzaW9uIjoiMy42LjAtcHJldmlldy4wIiwiZ2l0X3NoYSI6IjUzNTkyZDg5MDQ3YiIsImNvZGVfaGFzaCI6IjVkOWViZjYxOWM2MSIsInRyYWNlX3ZlcnNpb24iOiI1ZDllYmY2MTljNjFANTM1OTJkODkwNDdiIiwiaXNzdWVkX2F0IjoiMjAyNi0wNC0wOVQyMDo0MTozMC4wODJaIn0", BUILD_RELEASE_MANIFEST_SIGNATURE = "HlE5m4HLbj0SjURsLry2pCTQTH-KmnP05XG5sH6-CSk", BUILD_DEFAULT_BACKEND_URL = "https://beta-api.unbrowse.ai";
 // ../../src/version.ts
 import { createHash } from "crypto";
@@ -529,6 +529,11 @@ function getRegistrableDomain(hostname2) {
   }
   return parts.slice(-2).join(".");
 }
+function isDomainMatch(cookieDomain, targetDomain) {
+  const c = cookieDomain.replace(/^\./, "").toLowerCase();
+  const t = targetDomain.replace(/^\./, "").toLowerCase();
+  return t === c || t.endsWith("." + c);
+}
 var CC_TLDS, GEO_TLD_SUFFIXES;
 var init_domain = __esm(() => {
   CC_TLDS = new Set([
@@ -634,6 +639,7 @@ var init_logger = __esm(() => {
 // ../../src/kuri/client.ts
 import { execFileSync as execFileSync2, spawn as spawn2 } from "node:child_process";
 import { existsSync as existsSync9 } from "node:fs";
+import net from "node:net";
 import path5 from "node:path";
 function createBrokerState(port = KURI_DEFAULT_PORT) {
   return {
@@ -646,6 +652,39 @@ function createBrokerState(port = KURI_DEFAULT_PORT) {
     requestedPort: port
   };
 }
+function brokerCacheKey(port) {
+  return port === undefined ? "default" : `port:${port}`;
+}
+function rememberBrokerClient(client, state) {
+  brokerClients.set(brokerCacheKey(state.requestedPort), client);
+  brokerClients.set(brokerCacheKey(state.port), client);
+}
+function forgetBrokerClient(state) {
+  brokerClients.delete(brokerCacheKey(state.requestedPort));
+  brokerClients.delete(brokerCacheKey(state.port));
+}
+function envFlag(value) {
+  return value === "1" || value?.toLowerCase() === "true";
+}
+function falseyEnv(value) {
+  if (!value)
+    return false;
+  const normalized = value.trim().toLowerCase();
+  return normalized === "0" || normalized === "false" || normalized === "no" || normalized === "off";
+}
+function resolveKuriLaunchConfig(env = process.env) {
+  const explicitHeadless = env.KURI_HEADLESS ?? env.HEADLESS;
+  const headless = explicitHeadless !== undefined ? envFlag(explicitHeadless) : process.platform === "linux" && !env.DISPLAY;
+  const cleanRoom = envFlag(env.UNBROWSE_LOCAL_ONLY) || envFlag(env.KURI_CLEAN_ROOM);
+  const browserCookieOptOut = falseyEnv(env.UNBROWSE_IMPORT_BROWSER_COOKIES);
+  const explicitAttach = envFlag(env.KURI_ATTACH_EXISTING_CHROME ?? env.UNBROWSE_ATTACH_EXISTING_CHROME);
+  const disableCdpAttach = envFlag(env.KURI_DISABLE_CDP_ATTACH);
+  const canAttachToExistingChrome = !headless && !disableCdpAttach && !cleanRoom;
+  return {
+    headless,
+    attachToExistingChrome: canAttachToExistingChrome && (explicitAttach || browserCookieOptOut)
+  };
+}
 function kuriBinaryName() {
   return process.platform === "win32" ? "kuri.exe" : "kuri";
 }
@@ -704,13 +743,676 @@ function getKuriBinaryCandidates() {
   addCandidate(candidates, resolveBinaryOnPath("kuri"));
   return candidates;
 }
+async function discoverCdpPort(state) {
+  const portsToTry = [9222, 9223, 9224, 9225];
+  for (const port of portsToTry) {
+    try {
+      const res = await fetch(`http://127.0.0.1:${port}/json/version`, {
+        signal: AbortSignal.timeout(500)
+      });
+      if (res.ok) {
+        state.cdpPort = port;
+        kuriCdpPort = port;
+        log("kuri", `found Chrome CDP on port ${port}`);
+        return;
+      }
+    } catch {}
+  }
+  log("kuri", "could not discover CDP port — tab discovery may fail");
+}
+async function findFreeCdpPort() {
+  for (let port = 9222;port < 9230; port++) {
+    try {
+      await fetch(`http://127.0.0.1:${port}/json/version`, {
+        signal: AbortSignal.timeout(300)
+      });
+    } catch {
+      return port;
+    }
+  }
+  return 9222;
+}
+async function isKuriHealthyOnPort(port) {
+  try {
+    const health = await fetch(`http://127.0.0.1:${port}/health`, {
+      signal: AbortSignal.timeout(1000)
+    });
+    return health.ok;
+  } catch {
+    return false;
+  }
+}
+async function isChromeCdpAvailable(port) {
+  try {
+    const res = await fetch(`http://127.0.0.1:${port}/json/version`, {
+      signal: AbortSignal.timeout(1000)
+    });
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
+async function listRegisteredTabs(state) {
+  try {
+    const tabs = await kuriGet(state, "/tabs");
+    if (!Array.isArray(tabs))
+      return [];
+    return tabs.filter((tab) => typeof tab?.id === "string").map((tab) => ({ id: tab.id, url: tab.url ?? "", title: tab.title }));
+  } catch {
+    return [];
+  }
+}
+async function waitForChromeCdpReady(state, timeoutMs = KURI_CDP_READY_TIMEOUT_MS) {
+  if (typeof state.cdpPort !== "number")
+    return false;
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    if (await isChromeCdpAvailable(state.cdpPort))
+      return true;
+    await new Promise((resolve) => setTimeout(resolve, KURI_CDP_POLL_INTERVAL_MS));
+  }
+  return false;
+}
+function shouldReuseManagedChrome(launchConfig, state, managedChromeAvailable) {
+  return !launchConfig.attachToExistingChrome && state.managedChrome === true && typeof state.cdpPort === "number" && managedChromeAvailable;
+}
+async function isTcpPortOpen(port, timeoutMs = 400) {
+  return await new Promise((resolve) => {
+    const socket = net.createConnection({ host: "127.0.0.1", port });
+    const finish = (open) => {
+      socket.removeAllListeners();
+      socket.destroy();
+      resolve(open);
+    };
+    socket.setTimeout(timeoutMs);
+    socket.once("connect", () => finish(true));
+    socket.once("timeout", () => finish(false));
+    socket.once("error", () => finish(false));
+  });
+}
+async function resolveKuriPort(preferredPort, deps = {}) {
+  const isHealthyPort = deps.isHealthyPort ?? isKuriHealthyOnPort;
+  const isPortOpen = deps.isPortOpen ?? isTcpPortOpen;
+  const searchLimit = deps.searchLimit ?? KURI_PORT_SEARCH_LIMIT;
+  if (await isHealthyPort(preferredPort))
+    return preferredPort;
+  if (!await isPortOpen(preferredPort))
+    return preferredPort;
+  for (let candidate = preferredPort + 1;candidate <= preferredPort + searchLimit; candidate++) {
+    if (await isHealthyPort(candidate))
+      return candidate;
+    if (!await isPortOpen(candidate))
+      return candidate;
+  }
+  return preferredPort;
+}
+async function ensureUserChromeRunning(state) {
+  for (const port2 of [9222, 9223, 9224, 9225]) {
+    try {
+      const res = await fetch(`http://127.0.0.1:${port2}/json/version`, { signal: AbortSignal.timeout(500) });
+      if (res.ok) {
+        state.cdpPort = port2;
+        return;
+      }
+    } catch {}
+  }
+  const chromePaths = {
+    darwin: "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
+    linux: "google-chrome",
+    win32: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
+  };
+  const chromeBin = chromePaths[process.platform];
+  if (!chromeBin)
+    return;
+  const port = await findFreeCdpPort();
+  state.cdpPort = port;
+  log("kuri", `launching user Chrome with CDP on port ${port}`);
+  try {
+    const child = spawn2(chromeBin, [
+      `--remote-debugging-port=${port}`,
+      "--no-first-run",
+      "--no-default-browser-check"
+    ], {
+      stdio: "ignore",
+      detached: true
+    });
+    child.unref();
+    const deadline = Date.now() + 8000;
+    while (Date.now() < deadline) {
+      try {
+        const res = await fetch(`http://127.0.0.1:${port}/json/version`, { signal: AbortSignal.timeout(500) });
+        if (res.ok) {
+          log("kuri", `user Chrome ready with CDP on port ${port}`);
+          return;
+        }
+      } catch {}
+      await new Promise((r) => setTimeout(r, 300));
+    }
+    log("kuri", "user Chrome launched but CDP not responding — Kuri will launch managed Chrome");
+    state.cdpPort = null;
+  } catch (err) {
+    log("kuri", `failed to launch user Chrome: ${err instanceof Error ? err.message : err}`);
+    state.cdpPort = null;
+  }
+}
+async function terminateBrokerOnPort(port) {
+  try {
+    const output = execFileSync2("lsof", ["-tiTCP:" + String(port), "-sTCP:LISTEN"], {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    const pids = output.split(/\r?\n/).map((line) => Number(line.trim())).filter((pid) => Number.isInteger(pid) && pid > 0);
+    for (const pid of pids) {
+      try {
+        process.kill(pid, "SIGTERM");
+      } catch {}
+    }
+    if (pids.length > 0) {
+      await new Promise((resolve) => setTimeout(resolve, 500));
+    }
+  } catch {}
+}
+async function reuseHealthyBrokerIfPossible(state, launchConfig, deps = {}) {
+  const isHealthyPort = deps.isHealthyPort ?? isKuriHealthyOnPort;
+  if (!await isHealthyPort(state.port))
+    return false;
+  log("kuri", `already running on port ${state.port}`);
+  state.ready = true;
+  const cdpAvailable = deps.isChromeCdpAvailable ?? isChromeCdpAvailable;
+  const discover = deps.discoverCdpPort ?? discoverCdpPort;
+  await discover(state);
+  if (!state.cdpPort && launchConfig.attachToExistingChrome) {
+    const ensureChrome = deps.ensureUserChromeRunning ?? ensureUserChromeRunning;
+    await ensureChrome(state);
+  }
+  if (typeof state.cdpPort === "number" && !await cdpAvailable(state.cdpPort)) {
+    state.cdpPort = null;
+  }
+  const syncTabs = deps.ensureTabsDiscovered ?? ensureTabsDiscovered;
+  await syncTabs(state).catch(() => {});
+  const tabs = await (deps.listTabs ?? listRegisteredTabs)(state).catch(() => []);
+  if (state.cdpPort) {
+    return true;
+  }
+  if (tabs.length > 0) {
+    log("kuri", `healthy broker on port ${state.port} has stale registered tabs but no CDP; recycling startup path`);
+  } else {
+    log("kuri", `healthy broker on port ${state.port} has no CDP or tabs; recycling startup path`);
+  }
+  state.ready = false;
+  if (state.process) {
+    state.process.kill("SIGTERM");
+    await waitForChildExit(state.process);
+    state.process = null;
+  } else {
+    const terminate = deps.terminateBrokerOnPort ?? terminateBrokerOnPort;
+    await terminate(state.port);
+  }
+  return false;
+}
+function kuriUrl(state, path6, params) {
+  const base = `http://127.0.0.1:${state.port}${path6}`;
+  if (!params || Object.keys(params).length === 0)
+    return base;
+  const parts = Object.entries(params).map(([k, v]) => `${k}=${v.replace(/#/g, "%23").replace(/&/g, "%26").replace(/\+/g, "%2B")}`);
+  return `${base}?${parts.join("&")}`;
+}
+function shouldRetryKuriTransportError(error) {
+  const message = error instanceof Error ? error.message : String(error ?? "");
+  return /fetch failed|econnrefused|connection refused|socket hang up|other side closed|transport closed/i.test(message);
+}
+async function kuriGet(state, path6, params, retryOnTransportFailure = true) {
+  const url = kuriUrl(state, path6, params);
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), KURI_REQUEST_TIMEOUT_MS);
+  try {
+    const res = await fetch(url, { signal: controller.signal });
+    const text = await res.text();
+    try {
+      return JSON.parse(text);
+    } catch {
+      return text;
+    }
+  } catch (error) {
+    if (retryOnTransportFailure && path6 !== "/health" && shouldRetryKuriTransportError(error)) {
+      log("kuri", `transport failed for ${path6}; restarting Kuri and retrying once on port ${state.port}`);
+      await stopOn(state);
+      await startOn(state, state.requestedPort || state.port);
+      return await kuriGet(state, path6, params, false);
+    }
+    throw error;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
 function findKuriBinary() {
   if (process.env.KURI_BIN)
     return process.env.KURI_BIN;
   const candidates = getKuriBinaryCandidates();
   return candidates.find((candidate) => existsSync9(candidate)) ?? candidates[0] ?? kuriBinaryName();
 }
-var KURI_DEFAULT_PORT = 7700, defaultBrokerState, brokerClients;
+async function waitForChildExit(child, timeoutMs = 2000) {
+  if (!child)
+    return;
+  if (child.exitCode !== null || child.killed)
+    return;
+  await new Promise((resolve) => {
+    const timer = setTimeout(resolve, timeoutMs);
+    child.once("exit", () => {
+      clearTimeout(timer);
+      resolve();
+    });
+  });
+}
+async function startOn(state, port) {
+  const requestedPort = port ?? Number(process.env.KURI_PORT || KURI_DEFAULT_PORT);
+  const externalPort = process.env.KURI_EXTERNAL_PORT;
+  if (externalPort && !state.ready) {
+    const ep = Number(externalPort);
+    if (await isKuriHealthyOnPort(ep)) {
+      state.port = ep;
+      state.requestedPort = ep;
+      state.ready = true;
+      state.managedChrome = false;
+      const cdpUrl = process.env.CDP_URL;
+      if (cdpUrl) {
+        const m = cdpUrl.match(/:(\d+)/);
+        if (m)
+          state.cdpPort = Number(m[1]);
+      }
+      log("kuri", `using external Kuri broker on port ${ep}${state.cdpPort ? ` (CDP port ${state.cdpPort})` : ""}`);
+      return;
+    }
+    log("kuri", `external Kuri on port ${ep} not healthy — falling through to normal start`);
+  }
+  if (state.ready) {
+    const activePort = state.port || requestedPort;
+    if (await isKuriHealthyOnPort(activePort))
+      return;
+    log("kuri", `cached ready state stale on port ${activePort}; restarting`);
+    state.ready = false;
+    state.process = null;
+    state.startPromise = null;
+  }
+  if (state.startPromise)
+    return state.startPromise;
+  const startPromise = (async () => {
+    const launchConfig = resolveKuriLaunchConfig();
+    state.requestedPort = requestedPort;
+    state.port = await resolveKuriPort(requestedPort);
+    const existingClient = brokerClients.get(brokerCacheKey(requestedPort));
+    if (existingClient)
+      rememberBrokerClient(existingClient, state);
+    if (state.port !== requestedPort) {
+      log("kuri", `preferred port ${requestedPort} is occupied but unhealthy; falling back to ${state.port}`);
+    }
+    if (await reuseHealthyBrokerIfPossible(state, launchConfig))
+      return;
+    const binary = findKuriBinary();
+    log("kuri", `starting: ${binary} on port ${state.port}`);
+    if (!existsSync9(binary)) {
+      throw new Error(`Kuri binary not found at ${binary}`);
+    }
+    const reusableManagedChrome = shouldReuseManagedChrome(launchConfig, state, typeof state.cdpPort === "number" && await isChromeCdpAvailable(state.cdpPort));
+    if (launchConfig.attachToExistingChrome) {
+      await discoverCdpPort(state);
+      state.managedChrome = false;
+    } else if (reusableManagedChrome) {
+      log("kuri", `reconnecting to surviving managed Chrome on port ${state.cdpPort}`);
+    } else {
+      state.cdpPort = null;
+      state.managedChrome = false;
+    }
+    const env = {
+      ...process.env,
+      PORT: String(state.port),
+      HOST: "127.0.0.1",
+      HEADLESS: launchConfig.headless ? "true" : "false"
+    };
+    if (state.cdpPort && (launchConfig.attachToExistingChrome || reusableManagedChrome)) {
+      env.CDP_URL = `ws://127.0.0.1:${state.cdpPort}`;
+      log("kuri", reusableManagedChrome ? `connecting to surviving managed Chrome on port ${state.cdpPort}` : `connecting to existing Chrome on port ${state.cdpPort}`);
+    } else if (launchConfig.headless) {
+      log("kuri", "starting in headless mode with managed Chrome");
+    } else {
+      log("kuri", "no existing Chrome found — Kuri will launch managed Chrome");
+    }
+    const maxAttempts = KURI_SPAWN_RETRIES + 1;
+    for (let attempt = 1;attempt <= maxAttempts; attempt++) {
+      if (attempt > 1) {
+        log("kuri", `spawn retry ${attempt}/${maxAttempts} after ${KURI_SPAWN_RETRY_DELAY_MS}ms`);
+        await new Promise((r) => setTimeout(r, KURI_SPAWN_RETRY_DELAY_MS));
+      }
+      let exitedBeforeReady = false;
+      state.process = spawn2(binary, [], {
+        env,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
+      const childPid = state.process.pid;
+      log("kuri", `spawned pid ${childPid ?? "unknown"} on broker port ${state.port}`);
+      state.process.stderr?.on("data", (chunk) => {
+        const line = chunk.toString().trim();
+        if (line)
+          log("kuri", `[stderr] ${line}`);
+        const cdpMatch = line.match(/CDP port:\s*(\d+)/);
+        if (cdpMatch) {
+          state.cdpPort = parseInt(cdpMatch[1], 10);
+          kuriCdpPort = state.cdpPort;
+          log("kuri", `discovered CDP port: ${state.cdpPort}`);
+        }
+        if (/launched Chrome \(pid=\d+\) on CDP port/i.test(line) || /launching managed Chrome instance/i.test(line)) {
+          state.managedChrome = true;
+        }
+      });
+      state.process.on("exit", (code, signal) => {
+        if (!state.ready)
+          exitedBeforeReady = true;
+        log("kuri", `process exited pid=${childPid ?? "unknown"} code=${code === null ? "null" : code} signal=${signal ?? "none"} broker_port=${state.port} cdp_port=${state.cdpPort ?? "unknown"}`);
+        state.ready = false;
+        state.process = null;
+        forgetBrokerClient(state);
+      });
+      const deadline = Date.now() + KURI_STARTUP_TIMEOUT_MS;
+      while (Date.now() < deadline) {
+        if (exitedBeforeReady)
+          break;
+        try {
+          const res = await fetch(`http://127.0.0.1:${state.port}/health`, {
+            signal: AbortSignal.timeout(500)
+          });
+          if (res.ok) {
+            state.ready = true;
+            log("kuri", `ready on port ${state.port}`);
+            await new Promise((r) => setTimeout(r, 300));
+            if (!state.cdpPort)
+              await discoverCdpPort(state);
+            await waitForChromeCdpReady(state).catch(() => false);
+            await ensureTabsDiscovered(state);
+            return;
+          }
+        } catch {}
+        await new Promise((r) => setTimeout(r, 200));
+      }
+      if (state.ready)
+        return;
+      if (state.process) {
+        state.process.kill();
+        await waitForChildExit(state.process);
+      }
+      try {
+        execFileSync2("pkill", ["-f", `remote-debugging-port=${state.cdpPort ?? 9222}`], { stdio: "ignore" });
+        await new Promise((r) => setTimeout(r, 1000));
+      } catch {}
+    }
+    throw new Error(`Kuri failed to start after ${maxAttempts} attempts`);
+  })();
+  state.startPromise = startPromise.finally(() => {
+    if (state.startPromise === startPromise) {
+      state.startPromise = null;
+    }
+  });
+  return state.startPromise;
+}
+async function stopOn(state) {
+  if (state.startPromise) {
+    await state.startPromise.catch(() => {});
+  }
+  if (state.process) {
+    state.process.kill("SIGTERM");
+    state.process = null;
+  }
+  state.ready = false;
+  state.cdpPort = null;
+  kuriCdpPort = null;
+  state.managedChrome = false;
+  state.startPromise = null;
+  forgetBrokerClient(state);
+}
+async function getDefaultTabOn(state) {
+  await ensureTabsDiscovered(state);
+  try {
+    const tabs = await kuriGet(state, "/tabs");
+    if (Array.isArray(tabs) && tabs.length > 0)
+      return tabs[0].id;
+  } catch {}
+  const cdpTabId = await createTabViaChromeCdp("about:blank", state);
+  if (cdpTabId)
+    return cdpTabId;
+  throw new Error("No tabs available and failed to create one");
+}
+async function start(port, state = defaultBrokerState) {
+  return startOn(state, port);
+}
+async function getDefaultTab(state = defaultBrokerState) {
+  return getDefaultTabOn(state);
+}
+async function ensureTabsDiscovered(state) {
+  try {
+    if (state.cdpPort)
+      await waitForChromeCdpReady(state).catch(() => false);
+    const params = {};
+    if (state.cdpPort)
+      params.cdp_url = `ws://127.0.0.1:${state.cdpPort}`;
+    await kuriGet(state, "/discover", params);
+  } catch {}
+}
+async function waitForTabRegistration(state, tabId, timeoutMs = 2000) {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    await ensureTabsDiscovered(state);
+    try {
+      const tabs = await kuriGet(state, "/tabs");
+      if (Array.isArray(tabs) && tabs.some((tab) => tab?.id === tabId))
+        return;
+    } catch {}
+    await new Promise((resolve) => setTimeout(resolve, 100));
+  }
+}
+async function createTabViaChromeCdp(url = "about:blank", state = defaultBrokerState) {
+  if (!state.cdpPort)
+    return "";
+  for (let attempt = 0;attempt < KURI_TAB_CREATE_RETRIES; attempt += 1) {
+    await waitForChromeCdpReady(state).catch(() => false);
+    try {
+      const res = await fetch(`http://127.0.0.1:${state.cdpPort}/json/new?${url}`, {
+        method: "PUT",
+        signal: AbortSignal.timeout(5000)
+      });
+      const target = await res.json();
+      const tabId = target?.id ?? target?.targetId ?? "";
+      if (tabId) {
+        log("kuri", `created new Chrome tab: ${tabId}`);
+        await new Promise((resolve) => setTimeout(resolve, 300));
+        await ensureTabsDiscovered(state).catch(() => {});
+        await waitForTabRegistration(state, tabId).catch(() => {});
+        return tabId;
+      }
+    } catch (err) {
+      if (attempt === KURI_TAB_CREATE_RETRIES - 1) {
+        log("kuri", `Chrome tab creation failed: ${err instanceof Error ? err.message : err}`);
+        return "";
+      }
+    }
+    await new Promise((resolve) => setTimeout(resolve, KURI_CDP_POLL_INTERVAL_MS));
+  }
+  return "";
+}
+async function navigate(tabId, url, state = defaultBrokerState) {
+  await kuriGet(state, "/navigate", { tab_id: tabId, url });
+}
+async function evaluate(tabId, expression, state = defaultBrokerState) {
+  let raw;
+  if (expression.length > 2000) {
+    const url = kuriUrl(state, "/evaluate", { tab_id: tabId, expression });
+    const controller = new AbortController;
+    const timeout = setTimeout(() => controller.abort(), KURI_REQUEST_TIMEOUT_MS);
+    try {
+      const res = await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "text/plain" },
+        body: expression,
+        signal: controller.signal
+      });
+      const text = await res.text();
+      try {
+        raw = JSON.parse(text);
+      } catch {
+        raw = text;
+      }
+    } finally {
+      clearTimeout(timeout);
+    }
+  } else {
+    raw = await kuriGet(state, "/evaluate", { tab_id: tabId, expression });
+  }
+  const inner = raw?.result?.result;
+  if (!inner)
+    return raw;
+  if (inner.type === "undefined")
+    return;
+  if ("value" in inner)
+    return inner.value;
+  return inner.description ?? raw;
+}
+async function getCookies(tabId, state = defaultBrokerState) {
+  const raw = await kuriGet(state, "/cookies", { tab_id: tabId });
+  return raw?.result?.cookies ?? [];
+}
+async function setCookieViaCDP(wsUrl, cookie) {
+  return new Promise((resolve) => {
+    const timer = setTimeout(() => {
+      resolve(false);
+    }, 3000);
+    try {
+      const ws = new (__require("ws"))(wsUrl);
+      ws.on("open", () => {
+        ws.send(JSON.stringify({
+          id: 1,
+          method: "Network.setCookie",
+          params: {
+            ...cookie,
+            url: `https://${cookie.domain.replace(/^\./, "")}/`
+          }
+        }));
+      });
+      ws.on("message", (data) => {
+        clearTimeout(timer);
+        try {
+          const msg = JSON.parse(data.toString());
+          if (msg.id === 1) {
+            ws.close();
+            resolve(msg.result?.success ?? false);
+          }
+        } catch {
+          ws.close();
+          resolve(false);
+        }
+      });
+      ws.on("error", () => {
+        clearTimeout(timer);
+        resolve(false);
+      });
+    } catch {
+      clearTimeout(timer);
+      resolve(false);
+    }
+  });
+}
+async function resolveCdpDebuggerUrlForTab(tabId) {
+  const portsToTry = Array.from(new Set([kuriCdpPort, 9222, 9223, 9224, 9225].filter((port) => typeof port === "number")));
+  for (const port of portsToTry) {
+    try {
+      const res = await fetch(`http://127.0.0.1:${port}/json`, { signal: AbortSignal.timeout(1000) });
+      if (!res.ok)
+        continue;
+      const pages = await res.json();
+      const page = pages.find((candidate) => candidate.id === tabId);
+      if (page?.webSocketDebuggerUrl) {
+        if (kuriCdpPort !== port) {
+          kuriCdpPort = port;
+          log("kuri", `updated CDP port from tab discovery: ${port}`);
+        }
+        return page.webSocketDebuggerUrl;
+      }
+    } catch {}
+  }
+  return null;
+}
+async function setCookie(tabId, cookie, state = defaultBrokerState) {
+  const value = cookie.value.replace(/^"|"$/g, "");
+  if (cookie.secure || cookie.httpOnly) {
+    try {
+      const debuggerUrl = await resolveCdpDebuggerUrlForTab(tabId);
+      if (debuggerUrl) {
+        const success = await setCookieViaCDP(debuggerUrl, {
+          name: cookie.name,
+          value,
+          domain: cookie.domain,
+          path: cookie.path || "/",
+          secure: cookie.secure ?? false,
+          httpOnly: cookie.httpOnly ?? false,
+          sameSite: cookie.sameSite || "Lax",
+          ...cookie.expires && cookie.expires > 0 ? { expires: cookie.expires } : {}
+        });
+        if (success)
+          return;
+        log("kuri", `CDP cookie set failed for ${cookie.name} on ${cookie.domain}; falling back to /cookies`);
+      } else {
+        log("kuri", `no CDP websocket for tab ${tabId}; falling back to /cookies for secure cookie ${cookie.name}`);
+      }
+    } catch {}
+  }
+  await kuriGet(state, "/cookies", {
+    tab_id: tabId,
+    name: cookie.name,
+    value,
+    domain: cookie.domain,
+    ...cookie.path ? { path: cookie.path } : {}
+  });
+}
+async function networkEnable(tabId, state = defaultBrokerState) {
+  await kuriGet(state, "/network", { tab_id: tabId, mode: "enable" });
+}
+async function getCurrentUrl(tabId, state = defaultBrokerState) {
+  const result = await evaluate(tabId, "window.location.href", state);
+  return typeof result === "string" ? result : "";
+}
+async function action(tabId, actionType, ref, value, state = defaultBrokerState) {
+  const params = { tab_id: tabId, action: actionType, ref };
+  if (value !== undefined)
+    params.value = value;
+  return kuriGet(state, "/action", params);
+}
+async function click(tabId, ref, state = defaultBrokerState) {
+  await scrollIntoView(tabId, ref, state);
+  return action(tabId, "click", ref, undefined, state);
+}
+async function fill(tabId, ref, value, state = defaultBrokerState) {
+  await click(tabId, ref, state);
+  const result = await action(tabId, "fill", ref, value, state);
+  const currentValue = await evaluate(tabId, `(() => {
+    const active = document.activeElement;
+    return active && "value" in active ? active.value : undefined;
+  })()`, state);
+  if (currentValue !== value) {
+    return evaluate(tabId, `(function() {
+      const active = document.activeElement;
+      if (!active || !("value" in active)) return false;
+      active.value = ${JSON.stringify(value)};
+      active.dispatchEvent(new Event("input", { bubbles: true }));
+      active.dispatchEvent(new Event("change", { bubbles: true }));
+      return active.value;
+    })()`, state);
+  }
+  return result;
+}
+async function scrollIntoView(tabId, ref, state = defaultBrokerState) {
+  return kuriGet(state, "/scrollintoview", { tab_id: tabId, ref });
+}
+async function authProfileSave(tabId, name, state = defaultBrokerState) {
+  return kuriGet(state, "/auth/profile/save", { tab_id: tabId, name });
+}
+var KURI_DEFAULT_PORT = 7700, KURI_STARTUP_TIMEOUT_MS = 60000, KURI_REQUEST_TIMEOUT_MS = 30000, KURI_SPAWN_RETRIES = 3, KURI_SPAWN_RETRY_DELAY_MS = 1000, KURI_PORT_SEARCH_LIMIT = 10, KURI_CDP_READY_TIMEOUT_MS = 5000, KURI_CDP_POLL_INTERVAL_MS = 200, KURI_TAB_CREATE_RETRIES = 5, kuriCdpPort = null, defaultBrokerState, brokerClients;
 var init_client2 = __esm(() => {
   init_logger();
   init_paths();
@@ -829,6 +1531,8 @@ var init_reverse_engineer = __esm(() => {
 });
 // ../../src/vault/index.ts
+import { createCipheriv, createDecipheriv, randomBytes as randomBytes2 } from "crypto";
+import { existsSync as existsSync10, mkdirSync as mkdirSync5, readFileSync as readFileSync6, writeFileSync as writeFileSync3 } from "fs";
 import { join as join7 } from "path";
 import { homedir as homedir5 } from "os";
 function normalizeKeytarModule(mod) {
@@ -845,10 +1549,133 @@ function normalizeKeytarModule(mod) {
   }
   return null;
 }
-var KEYTAR_UNAVAILABLE, keytar = null, VAULT_DIR, VAULT_FILE, KEY_FILE, vaultLock;
+function isKeytarBindingError(error) {
+  const message = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
+  return KEYTAR_BINDING_ERROR_RE.test(message);
+}
+function disableKeytar(error) {
+  keytar = null;
+  if (keytarFallbackLogged)
+    return;
+  const summary = error instanceof Error ? error.message : String(error);
+  log("vault", `keytar runtime unavailable (${summary}); using encrypted file fallback`);
+  keytarFallbackLogged = true;
+}
+async function callKeytar(op) {
+  if (!keytar)
+    return KEYTAR_UNAVAILABLE;
+  try {
+    return await op(keytar);
+  } catch (error) {
+    if (!isKeytarBindingError(error))
+      throw error;
+    disableKeytar(error);
+    return KEYTAR_UNAVAILABLE;
+  }
+}
+function getOrCreateKey() {
+  if (!existsSync10(VAULT_DIR))
+    mkdirSync5(VAULT_DIR, { recursive: true, mode: 448 });
+  if (existsSync10(KEY_FILE))
+    return readFileSync6(KEY_FILE);
+  const key = randomBytes2(32);
+  writeFileSync3(KEY_FILE, key, { mode: 384 });
+  return key;
+}
+function withVaultLock(fn) {
+  const prev = vaultLock;
+  let release;
+  vaultLock = new Promise((r) => {
+    release = r;
+  });
+  return prev.then(fn).finally(() => release());
+}
+function readVaultFile() {
+  if (!existsSync10(VAULT_FILE))
+    return {};
+  try {
+    const key = getOrCreateKey();
+    const raw = readFileSync6(VAULT_FILE);
+    const iv = raw.subarray(0, 16);
+    const enc = raw.subarray(16);
+    const decipher = createDecipheriv("aes-256-cbc", key, iv);
+    const dec = Buffer.concat([decipher.update(enc), decipher.final()]);
+    return JSON.parse(dec.toString("utf8"));
+  } catch {
+    return {};
+  }
+}
+function writeVaultFile(data) {
+  const key = getOrCreateKey();
+  const iv = randomBytes2(16);
+  const cipher = createCipheriv("aes-256-cbc", key, iv);
+  const enc = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
+  writeFileSync3(VAULT_FILE, Buffer.concat([iv, enc]), { mode: 384 });
+}
+async function storeCredential(account, value, opts) {
+  const wrapped = {
+    value,
+    stored_at: new Date().toISOString(),
+    expires_at: opts?.expires_at,
+    max_age_ms: opts?.max_age_ms
+  };
+  const serialized = JSON.stringify(wrapped);
+  const keytarResult = await callKeytar((client) => client.setPassword(SERVICE, account, serialized));
+  if (keytarResult !== KEYTAR_UNAVAILABLE)
+    return;
+  await withVaultLock(() => {
+    const data = readVaultFile();
+    data[account] = serialized;
+    writeVaultFile(data);
+  });
+}
+function isExpired(cred) {
+  if (cred.expires_at) {
+    return new Date(cred.expires_at).getTime() <= Date.now();
+  }
+  if (cred.max_age_ms) {
+    return new Date(cred.stored_at).getTime() + cred.max_age_ms <= Date.now();
+  }
+  return false;
+}
+async function getCredential(account) {
+  let raw;
+  const keytarResult = await callKeytar((client) => client.getPassword(SERVICE, account));
+  if (keytarResult !== KEYTAR_UNAVAILABLE) {
+    raw = keytarResult;
+  } else {
+    const data = readVaultFile();
+    raw = data[account] ?? null;
+  }
+  if (!raw)
+    return null;
+  try {
+    const parsed = JSON.parse(raw);
+    if (parsed.value && parsed.stored_at) {
+      if (isExpired(parsed)) {
+        await deleteCredential(account);
+        return null;
+      }
+      return parsed.value;
+    }
+  } catch {}
+  return raw;
+}
+async function deleteCredential(account) {
+  const keytarResult = await callKeytar((client) => client.deletePassword(SERVICE, account));
+  if (keytarResult !== KEYTAR_UNAVAILABLE)
+    return;
+  await withVaultLock(() => {
+    const data = readVaultFile();
+    delete data[account];
+    writeVaultFile(data);
+  });
+}
+var KEYTAR_UNAVAILABLE, KEYTAR_BINDING_ERROR_RE, keytar = null, keytarFallbackLogged = false, SERVICE = "unbrowse", VAULT_DIR, VAULT_FILE, KEY_FILE, vaultLock;
 var init_vault = __esm(async () => {
   init_logger();
   KEYTAR_UNAVAILABLE = Symbol("KEYTAR_UNAVAILABLE");
+  KEYTAR_BINDING_ERROR_RE = /(keytar(?:\.node)?|native bindings?|bindings file|no native build was found|could not locate the bindings file|module did not self-register|err_dlopen_failed|dlopen\(|compiled against a different node\.js version|cannot find module .*keytar|wasm is not supported on this platform|(set|get|delete)password is not a function)/i;
   try {
     keytar = normalizeKeytarModule(await import("keytar"));
   } catch {}
@@ -866,37 +1693,1061 @@ import { nanoid as nanoid4 } from "nanoid";
 var activeTabRegistry, interceptorInjectedTabs, cdpDocStartTabs, cdpCapturedHeaders;
 var init_capture = __esm(async () => {
   init_client2();
-  init_domain();
-  init_logger();
-  init_reverse_engineer();
-  init_browser_access();
-  await init_vault();
-  activeTabRegistry = new Set;
-  interceptorInjectedTabs = new Set;
-  cdpDocStartTabs = new Set;
-  cdpCapturedHeaders = new Map;
-});
-// ../../src/reverse-engineer/bundle-scanner.ts
-var init_bundle_scanner = __esm(() => {
+  init_domain();
+  init_logger();
+  init_reverse_engineer();
+  init_browser_access();
+  await init_vault();
+  activeTabRegistry = new Set;
+  interceptorInjectedTabs = new Set;
+  cdpDocStartTabs = new Set;
+  cdpCapturedHeaders = new Map;
+});
+// ../../src/reverse-engineer/bundle-scanner.ts
+var init_bundle_scanner = __esm(() => {
+  init_logger();
+});
+// ../../src/reverse-engineer/token-sources.ts
+var init_token_sources = () => {};
+// ../../src/execution/token-resolver.ts
+var init_token_resolver = __esm(() => {
+  init_token_sources();
+});
+// ../../src/auth/agent-mail.ts
+var exports_agent_mail = {};
+__export(exports_agent_mail, {
+  waitForVerificationEmail: () => waitForVerificationEmail,
+  tryAgentMailAuth: () => tryAgentMailAuth,
+  isAgentMailAvailable: () => isAgentMailAvailable,
+  getOrCreateSiteInbox: () => getOrCreateSiteInbox,
+  extractVerificationLink: () => extractVerificationLink,
+  extractOtpFromEmail: () => extractOtpFromEmail,
+  autonomousEmailLogin: () => autonomousEmailLogin
+});
+import { AgentMailClient } from "agentmail";
+function getClient() {
+  if (_client)
+    return _client;
+  const apiKey = process.env.AGENTMAIL_API_KEY;
+  if (!apiKey)
+    throw new Error("AGENTMAIL_API_KEY not set — cannot use agent mail");
+  _client = new AgentMailClient({ apiKey });
+  return _client;
+}
+async function getStoredInbox(domain) {
+  const key = `${VAULT_PREFIX}${getRegistrableDomain(domain)}`;
+  const raw = await getCredential(key);
+  if (!raw)
+    return null;
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function storeInbox(domain, inbox) {
+  const key = `${VAULT_PREFIX}${getRegistrableDomain(domain)}`;
+  await storeCredential(key, JSON.stringify(inbox));
+  log("agent-mail", `stored inbox ${inbox.email} for ${domain}`);
+}
+async function getOrCreateSiteInbox(domain) {
+  const stored = await getStoredInbox(domain);
+  if (stored) {
+    log("agent-mail", `reusing stored inbox ${stored.email} for ${domain}`);
+    return { inboxId: stored.inboxId, email: stored.email };
+  }
+  const client = getClient();
+  const safeDomain = getRegistrableDomain(domain).replace(/[^a-z0-9-]/gi, "-").toLowerCase();
+  const username = `unbrowse-${safeDomain}`;
+  const clientId = `unbrowse-login-${safeDomain}`;
+  try {
+    const inbox = await client.inboxes.create({
+      username,
+      domain: "agentmail.to",
+      displayName: `Unbrowse Agent - ${domain}`,
+      clientId
+    });
+    const result = { inboxId: inbox.inboxId, email: inbox.email };
+    await storeInbox(domain, { ...result, domain, createdAt: new Date().toISOString() });
+    log("agent-mail", `created inbox ${inbox.email} for ${domain}`);
+    return result;
+  } catch (err) {
+    log("agent-mail", `create failed (likely exists), listing to find match: ${err instanceof Error ? err.message : err}`);
+    try {
+      const list = await client.inboxes.list({ limit: 100 });
+      const match = list.inboxes.find((i) => i.clientId === clientId || i.email === `${username}@agentmail.to`);
+      if (match) {
+        const result = { inboxId: match.inboxId, email: match.email };
+        await storeInbox(domain, { ...result, domain, createdAt: new Date().toISOString() });
+        return result;
+      }
+    } catch {}
+    throw new Error(`Failed to create or find AgentMail inbox for ${domain}`);
+  }
+}
+async function waitForVerificationEmail(inboxId, fromDomain, timeoutMs = DEFAULT_TIMEOUT_MS) {
+  const client = getClient();
+  const start2 = Date.now();
+  const normalizedDomain = fromDomain.toLowerCase();
+  log("agent-mail", `polling inbox ${inboxId} for email from *@${normalizedDomain} (timeout: ${timeoutMs}ms)`);
+  while (Date.now() - start2 < timeoutMs) {
+    try {
+      const response = await client.inboxes.messages.list(inboxId, {
+        limit: 10,
+        labels: ["received"]
+      });
+      for (const item of response.messages ?? []) {
+        const msg = await client.inboxes.messages.get(inboxId, item.messageId);
+        const from = typeof msg.from === "string" ? msg.from : (msg.from ?? []).join(", ");
+        if (from.toLowerCase().includes(normalizedDomain)) {
+          log("agent-mail", `found verification email from ${from}: "${msg.subject}"`);
+          return {
+            messageId: msg.messageId,
+            threadId: msg.threadId,
+            subject: msg.subject ?? "",
+            from,
+            text: msg.extractedText ?? msg.text ?? "",
+            html: msg.extractedHtml ?? msg.html ?? "",
+            receivedAt: msg.createdAt
+          };
+        }
+      }
+    } catch (err) {
+      log("agent-mail", `poll error: ${err instanceof Error ? err.message : err}`);
+    }
+    await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
+  }
+  log("agent-mail", `timeout waiting for email from ${normalizedDomain}`);
+  return null;
+}
+function extractOtpFromEmail(text) {
+  const codePhrase = text.match(/(?:verification|confirm|security|login|one[- ]time|otp)\s*(?:code|pin|number)[:\s]+(\w{4,8})/i);
+  if (codePhrase)
+    return codePhrase[1];
+  const codeIs = text.match(/(?:code|otp|pin)[:\s]+(\w{4,8})/i);
+  if (codeIs)
+    return codeIs[1];
+  const six = text.match(/\b(\d{6})\b/);
+  if (six)
+    return six[1];
+  const four = text.match(/\b(\d{4})\b/);
+  if (four)
+    return four[1];
+  return null;
+}
+function extractVerificationLink(text, html) {
+  const htmlLink = html.match(/href="(https?:\/\/[^"]*(?:verify|confirm|activate|magic|token|auth|callback|validate|approve|email)[^"]*)"/i);
+  if (htmlLink)
+    return htmlLink[1];
+  const textLink = text.match(/(https?:\/\/\S*(?:verify|confirm|activate|magic|token|auth|callback|validate|approve|email)\S*)/i);
+  if (textLink)
+    return textLink[1];
+  const anyHtmlLink = html.match(/href="(https?:\/\/[^"]+)"/);
+  if (anyHtmlLink)
+    return anyHtmlLink[1];
+  const anyTextLink = text.match(/(https?:\/\/\S+)/);
+  if (anyTextLink)
+    return anyTextLink[1];
+  return null;
+}
+async function autonomousEmailLogin(domain) {
+  const inbox = await getOrCreateSiteInbox(domain);
+  const client = getClient();
+  log("agent-mail", `session ready for ${domain} — email: ${inbox.email}`);
+  return {
+    email: inbox.email,
+    inboxId: inbox.inboxId,
+    domain,
+    waitForOtp: async (timeoutMs = DEFAULT_TIMEOUT_MS) => {
+      const email = await waitForVerificationEmail(inbox.inboxId, domain, timeoutMs);
+      if (!email)
+        return null;
+      const otp = extractOtpFromEmail(email.text);
+      if (otp)
+        log("agent-mail", `extracted OTP: ${otp} from ${email.subject}`);
+      return otp;
+    },
+    waitForLink: async (timeoutMs = DEFAULT_TIMEOUT_MS) => {
+      const email = await waitForVerificationEmail(inbox.inboxId, domain, timeoutMs);
+      if (!email)
+        return null;
+      const link = extractVerificationLink(email.text, email.html);
+      if (link)
+        log("agent-mail", `extracted verification link from ${email.subject}`);
+      return link;
+    },
+    waitForEmail: (timeoutMs = DEFAULT_TIMEOUT_MS) => waitForVerificationEmail(inbox.inboxId, domain, timeoutMs),
+    sendEmail: async (to, subject, body) => {
+      const result = await client.inboxes.messages.send(inbox.inboxId, {
+        to: [to],
+        subject,
+        text: body
+      });
+      log("agent-mail", `sent email to ${to}: "${subject}" (${result.messageId})`);
+      return { messageId: result.messageId, threadId: result.threadId };
+    },
+    replyTo: async (messageId, body) => {
+      const result = await client.inboxes.messages.reply(inbox.inboxId, messageId, {
+        text: body
+      });
+      log("agent-mail", `replied to ${messageId} (${result.messageId})`);
+      return { messageId: result.messageId, threadId: result.threadId };
+    }
+  };
+}
+function isAgentMailAvailable() {
+  return Boolean(process.env.AGENTMAIL_API_KEY);
+}
+async function tryAgentMailAuth(domain) {
+  if (!isAgentMailAvailable()) {
+    log("agent-mail", `skipping — AGENTMAIL_API_KEY not set`);
+    return null;
+  }
+  try {
+    return await autonomousEmailLogin(domain);
+  } catch (err) {
+    log("agent-mail", `auth failed for ${domain}: ${err instanceof Error ? err.message : err}`);
+    return null;
+  }
+}
+var POLL_INTERVAL_MS = 3000, DEFAULT_TIMEOUT_MS = 90000, _client = null, VAULT_PREFIX = "agentmail:";
+var init_agent_mail = __esm(async () => {
+  init_logger();
+  init_domain();
+  await init_vault();
+});
+// ../../src/auth/browser-cookies.ts
+var exports_browser_cookies = {};
+__export(exports_browser_cookies, {
+  scanAllBrowserSessions: () => scanAllBrowserSessions,
+  resolveChromiumCookiesPath: () => resolveChromiumCookiesPath,
+  findBestBrowserSession: () => findBestBrowserSession,
+  extractFromFirefox: () => extractFromFirefox,
+  extractFromChromium: () => extractFromChromium,
+  extractFromChrome: () => extractFromChrome,
+  extractBrowserCookies: () => extractBrowserCookies,
+  decodeChromiumCookieValue: () => decodeChromiumCookieValue
+});
+import { execFileSync as execFileSync3 } from "node:child_process";
+import { createDecipheriv as createDecipheriv2, pbkdf2Sync } from "node:crypto";
+import { copyFileSync, existsSync as existsSync11, mkdtempSync, readdirSync as readdirSync3, rmSync } from "node:fs";
+import { tmpdir, homedir as homedir6, platform } from "node:os";
+import { join as join8 } from "node:path";
+function getChromeUserDataDir() {
+  const home = homedir6();
+  if (platform() === "darwin") {
+    return join8(home, "Library", "Application Support", "Google", "Chrome");
+  }
+  if (platform() === "win32") {
+    const appData = process.env.LOCALAPPDATA ?? join8(home, "AppData", "Local");
+    return join8(appData, "Google", "Chrome", "User Data");
+  }
+  return join8(home, ".config", "google-chrome");
+}
+function resolveChromiumCookiesPath(opts) {
+  if (opts?.cookieDbPath) {
+    return opts.cookieDbPath.replace(/^~\//, homedir6() + "/");
+  }
+  const profileDir = opts?.profile || "Default";
+  const userDataDir = (opts?.userDataDir || getChromeUserDataDir()).replace(/^~\//, homedir6() + "/");
+  const candidates = [
+    join8(userDataDir, profileDir, "Network", "Cookies"),
+    join8(userDataDir, profileDir, "Cookies"),
+    join8(userDataDir, "Network", "Cookies"),
+    join8(userDataDir, "Cookies")
+  ];
+  return candidates.find((candidate) => existsSync11(candidate)) ?? candidates[0] ?? null;
+}
+function getFirefoxProfilesRoot() {
+  const home = homedir6();
+  if (platform() === "darwin") {
+    return join8(home, "Library", "Application Support", "Firefox", "Profiles");
+  }
+  if (platform() === "linux") {
+    return join8(home, ".mozilla", "firefox");
+  }
+  if (platform() === "win32") {
+    const appData = process.env.APPDATA;
+    if (!appData)
+      return null;
+    return join8(appData, "Mozilla", "Firefox", "Profiles");
+  }
+  return null;
+}
+function pickFirefoxProfile(profilesRoot, profile) {
+  if (profile) {
+    const candidate2 = join8(profilesRoot, profile, "cookies.sqlite");
+    return existsSync11(candidate2) ? candidate2 : null;
+  }
+  const entries = readdirSync3(profilesRoot, { withFileTypes: true });
+  const defaultRelease = entries.find((e) => e.isDirectory() && e.name.includes("default-release"));
+  const targetDir = defaultRelease?.name ?? entries.find((e) => e.isDirectory())?.name;
+  if (!targetDir)
+    return null;
+  const candidate = join8(profilesRoot, targetDir, "cookies.sqlite");
+  return existsSync11(candidate) ? candidate : null;
+}
+function getFirefoxCookiesPath(profile) {
+  const profilesRoot = getFirefoxProfilesRoot();
+  if (!profilesRoot || !existsSync11(profilesRoot))
+    return null;
+  return pickFirefoxProfile(profilesRoot, profile);
+}
+function getChromiumKeychainServiceName(opts) {
+  if (opts?.safeStorageService)
+    return opts.safeStorageService;
+  return `${opts?.browserName || "Chrome"} Safe Storage`;
+}
+function getChromiumDecryptionKey(opts) {
+  const service = getChromiumKeychainServiceName(opts);
+  const cached = _chromiumKeyCache.get(service);
+  if (cached)
+    return cached;
+  if (platform() !== "darwin")
+    return null;
+  try {
+    const keyOutput = execFileSync3("security", ["find-generic-password", "-s", service, "-w"], { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+    if (!keyOutput)
+      return null;
+    const derived = pbkdf2Sync(keyOutput, "saltysalt", 1003, 16, "sha1");
+    _chromiumKeyCache.set(service, derived);
+    return derived;
+  } catch {
+    return null;
+  }
+}
+function decryptChromiumValue(encryptedHex, opts) {
+  try {
+    const buf = Buffer.from(encryptedHex, "hex");
+    if (buf.length < 4)
+      return null;
+    const version = buf.subarray(0, 3).toString("utf8");
+    if (version !== "v10" && version !== "v11") {
+      return buf.toString("utf8");
+    }
+    const key = getChromiumDecryptionKey(opts);
+    if (!key)
+      return null;
+    const payload = buf.subarray(3);
+    if (payload.length >= 48) {
+      try {
+        const iv2 = payload.subarray(16, 32);
+        const encrypted = payload.subarray(32);
+        const decipher2 = createDecipheriv2("aes-128-cbc", key, iv2);
+        decipher2.setAutoPadding(true);
+        const decrypted2 = Buffer.concat([decipher2.update(encrypted), decipher2.final()]);
+        const val = decrypted2.toString("utf8").replace(/[^\x20-\x7E]/g, "");
+        if (val.length > 0)
+          return val;
+      } catch {}
+    }
+    const iv = Buffer.alloc(16, 32);
+    const decipher = createDecipheriv2("aes-128-cbc", key, iv);
+    decipher.setAutoPadding(true);
+    const decrypted = Buffer.concat([decipher.update(payload), decipher.final()]);
+    return decrypted.toString("utf8").replace(/[^\x20-\x7E]/g, "");
+  } catch {
+    return null;
+  }
+}
+function decodeChromiumCookieValue(rawValue, encryptedHex, opts) {
+  if (rawValue)
+    return rawValue;
+  if (!encryptedHex)
+    return null;
+  return decryptChromiumValue(encryptedHex, opts);
+}
+function withTempCopy(dbPath, fn) {
+  const tempDir = mkdtempSync(join8(tmpdir(), "unbrowse-cookies-"));
+  const tempDb = join8(tempDir, "cookies.db");
+  try {
+    copyFileSync(dbPath, tempDb);
+    for (const ext of ["-wal", "-shm"]) {
+      const src = dbPath + ext;
+      if (existsSync11(src))
+        copyFileSync(src, tempDb + ext);
+    }
+    return fn(tempDb);
+  } finally {
+    try {
+      rmSync(tempDir, { recursive: true, force: true });
+    } catch {}
+  }
+}
+function sqliteQuery(dbPath, sql) {
+  return execFileSync3("sqlite3", ["-separator", "|", dbPath, sql], {
+    encoding: "utf8",
+    maxBuffer: 4 * 1024 * 1024
+  }).trim();
+}
+function buildDomainWhereClause(domain, column) {
+  const reg = getRegistrableDomain(domain);
+  const variants = new Set([
+    reg,
+    `.${reg}`,
+    domain,
+    `.${domain}`,
+    `www.${reg}`,
+    `.www.${reg}`
+  ]);
+  for (const d of variants) {
+    if (d.includes("'"))
+      throw new Error(`Invalid domain for cookie query: ${d}`);
+  }
+  const escaped = [...variants].map((d) => `'${d}'`);
+  const likeReg = reg.includes("'") ? reg : reg;
+  const likePattern = `'%.${likeReg}'`;
+  return `(${column} IN (${escaped.join(", ")}) OR ${column} LIKE ${likePattern})`;
+}
+function extractFromChrome(domain, opts) {
+  return extractFromChromium(domain, {
+    profile: opts?.profile,
+    browserName: "Chrome"
+  });
+}
+function extractFromChromium(domain, opts) {
+  const warnings = [];
+  const dbPath = resolveChromiumCookiesPath(opts);
+  const sourceLabel = opts?.browserName || "Chromium";
+  if (!dbPath || !existsSync11(dbPath)) {
+    warnings.push(`${sourceLabel} cookies DB not found${dbPath ? ` at ${dbPath}` : ""}`);
+    return { cookies: [], source: null, warnings };
+  }
+  try {
+    const cookies = withTempCopy(dbPath, (tempDb) => {
+      const where = buildDomainWhereClause(domain, "host_key");
+      const sql = `SELECT name, value, hex(encrypted_value) as ev, host_key, path, is_secure, is_httponly, samesite, expires_utc FROM cookies WHERE ${where};`;
+      const rows = sqliteQuery(tempDb, sql);
+      if (!rows)
+        return [];
+      const results = [];
+      for (const line of rows.split(`
+`)) {
+        const parts = line.split("|");
+        if (parts.length < 9)
+          continue;
+        const [name, rawValue, encHex, host, cookiePath, secure, httpOnly, sameSite, expiresUtc] = parts;
+        const value = decodeChromiumCookieValue(rawValue, encHex, opts);
+        if (!value)
+          continue;
+        results.push({
+          name,
+          value,
+          domain: host,
+          path: cookiePath || "/",
+          secure: secure === "1",
+          httpOnly: httpOnly === "1",
+          sameSite: sameSite === "0" ? "None" : sameSite === "1" ? "Lax" : "Strict",
+          expires: expiresUtc === "0" ? -1 : Math.floor((Number(expiresUtc) - 11644473600000000) / 1e6)
+        });
+      }
+      return results;
+    });
+    const source = opts?.cookieDbPath ? `${sourceLabel} cookie DB "${dbPath}"` : opts?.userDataDir ? `${sourceLabel} user data "${opts.userDataDir}"${opts.profile ? ` profile "${opts.profile}"` : ""}` : opts?.profile ? `${sourceLabel} profile "${opts.profile}"` : `${sourceLabel} default profile`;
+    if (cookies.length === 0) {
+      warnings.push(`No cookies for ${domain} found in ${source}`);
+    }
+    log("auth", `extracted ${cookies.length} cookies for ${domain} from ${source}`);
+    return { cookies, source: cookies.length > 0 ? source : null, warnings };
+  } catch (err) {
+    warnings.push(`${sourceLabel} extraction failed: ${err instanceof Error ? err.message : err}`);
+    return { cookies: [], source: null, warnings };
+  }
+}
+function extractFromFirefox(domain, opts) {
+  const warnings = [];
+  const dbPath = getFirefoxCookiesPath(opts?.profile);
+  if (!dbPath) {
+    warnings.push("Firefox cookies DB not found");
+    return { cookies: [], source: null, warnings };
+  }
+  try {
+    const cookies = withTempCopy(dbPath, (tempDb) => {
+      const where = buildDomainWhereClause(domain, "host");
+      const sql = `SELECT name, value, host, path, isSecure, isHttpOnly, sameSite, expiry FROM moz_cookies WHERE ${where};`;
+      const rows = sqliteQuery(tempDb, sql);
+      if (!rows)
+        return [];
+      const results = [];
+      for (const line of rows.split(`
+`)) {
+        const parts = line.split("|");
+        if (parts.length < 8)
+          continue;
+        const [name, value, host, cookiePath, secure, httpOnly, sameSite, expiry] = parts;
+        if (!name || !value)
+          continue;
+        results.push({
+          name,
+          value,
+          domain: host,
+          path: cookiePath || "/",
+          secure: secure === "1",
+          httpOnly: httpOnly === "1",
+          sameSite: sameSite === "0" ? "None" : sameSite === "1" ? "Lax" : "Strict",
+          expires: Number(expiry) || -1
+        });
+      }
+      return results;
+    });
+    const source = opts?.profile ? `Firefox profile "${opts.profile}"` : "Firefox default profile";
+    if (cookies.length === 0) {
+      warnings.push(`No cookies for ${domain} found in ${source}`);
+    }
+    log("auth", `extracted ${cookies.length} cookies for ${domain} from ${source}`);
+    return { cookies, source: cookies.length > 0 ? source : null, warnings };
+  } catch (err) {
+    warnings.push(`Firefox extraction failed: ${err instanceof Error ? err.message : err}`);
+    return { cookies: [], source: null, warnings };
+  }
+}
+function extractBrowserCookies(domain, opts) {
+  if (opts?.browser === "firefox") {
+    return extractFromFirefox(domain, { profile: opts.firefoxProfile });
+  }
+  if (opts?.browser === "chrome") {
+    return extractFromChrome(domain, { profile: opts.chromeProfile });
+  }
+  if (opts?.browser === "chromium") {
+    return extractFromChromium(domain, opts.chromium);
+  }
+  const ff = extractFromFirefox(domain, { profile: opts?.firefoxProfile });
+  if (ff.cookies.length > 0)
+    return ff;
+  if (opts?.chromium?.cookieDbPath || opts?.chromium?.userDataDir) {
+    const chromium = extractFromChromium(domain, opts.chromium);
+    chromium.warnings.push(...ff.warnings);
+    return chromium;
+  }
+  const chrome = extractFromChrome(domain, { profile: opts?.chromeProfile });
+  chrome.warnings.push(...ff.warnings);
+  return chrome;
+}
+function scanAllBrowserSessions(domain) {
+  const results = [];
+  const home = homedir6();
+  for (const browser of CHROMIUM_BROWSERS) {
+    const userDataDir = platform() === "darwin" ? join8(home, "Library", "Application Support", browser.macPath) : platform() === "win32" ? join8(process.env.LOCALAPPDATA ?? join8(home, "AppData", "Local"), browser.macPath, "User Data") : join8(home, ".config", browser.macPath.toLowerCase());
+    if (!existsSync11(userDataDir))
+      continue;
+    try {
+      const result = extractFromChromium(domain, {
+        userDataDir,
+        browserName: browser.name
+      });
+      if (result.cookies.length > 0) {
+        const sessionCookies = result.cookies.filter((c) => c.httpOnly || c.secure).length;
+        results.push({
+          browser: browser.name,
+          cookies: result.cookies,
+          sessionCookies,
+          source: result.source
+        });
+      }
+    } catch {}
+  }
+  try {
+    const ff = extractFromFirefox(domain);
+    if (ff.cookies.length > 0) {
+      const sessionCookies = ff.cookies.filter((c) => c.httpOnly || c.secure).length;
+      results.push({
+        browser: "Firefox",
+        cookies: ff.cookies,
+        sessionCookies,
+        source: ff.source
+      });
+    }
+  } catch {}
+  results.sort((a, b) => b.sessionCookies - a.sessionCookies);
+  return results;
+}
+function findBestBrowserSession(domain) {
+  const sessions = scanAllBrowserSessions(domain);
+  return sessions[0] ?? null;
+}
+var _chromiumKeyCache, CHROMIUM_BROWSERS;
+var init_browser_cookies = __esm(() => {
+  init_logger();
+  init_domain();
+  _chromiumKeyCache = new Map;
+  CHROMIUM_BROWSERS = [
+    { name: "Chrome", macPath: "Google/Chrome" },
+    { name: "Arc", macPath: "Arc/User Data" },
+    { name: "Brave", macPath: "BraveSoftware/Brave-Browser" },
+    { name: "Edge", macPath: "Microsoft Edge" },
+    { name: "Vivaldi", macPath: "Vivaldi" },
+    { name: "Opera", macPath: "com.operasoftware.Opera" },
+    { name: "Dia", macPath: "Dia/User Data" },
+    { name: "Chromium", macPath: "Chromium" }
+  ];
+});
+// ../../src/auth/index.ts
+function formatAuthError(error) {
+  if (error instanceof Error && error.message)
+    return error.message;
+  if (typeof error === "string")
+    return error;
+  try {
+    return JSON.stringify(error);
+  } catch {
+    return String(error);
+  }
+}
+function normalizeAuthDomain(domain) {
+  return domain.toLowerCase().replace(/^www\./, "");
+}
+function shouldImportBrowserCookies() {
+  const raw = process.env.UNBROWSE_IMPORT_BROWSER_COOKIES?.trim();
+  if (!raw)
+    return true;
+  return !DISABLE_BROWSER_COOKIE_IMPORT.test(raw);
+}
+function isLikelyAuthenticatedCookie(targetDomain, cookie) {
+  const cookieName = cookie.name.toLowerCase();
+  const registrableDomain = getRegistrableDomain(normalizeAuthDomain(targetDomain));
+  const requiredCookieNames = DOMAIN_AUTH_COOKIE_NAMES[registrableDomain];
+  if (requiredCookieNames)
+    return requiredCookieNames.includes(cookieName);
+  return GENERIC_AUTH_COOKIE_NAMES.test(cookieName);
+}
+function getAuthenticatedCookiesForDomain(targetDomain, cookies) {
+  return cookies.filter((cookie) => isDomainMatch(cookie.domain, targetDomain) && isLikelyAuthenticatedCookie(targetDomain, cookie));
+}
+async function importBrowserCookiesIntoTab(tabId, domain) {
+  if (!shouldImportBrowserCookies())
+    return 0;
+  try {
+    const { extractBrowserCookies: extractBrowserCookies2, findBestBrowserSession: findBestBrowserSession2 } = await Promise.resolve().then(() => (init_browser_cookies(), exports_browser_cookies));
+    const bestSession = findBestBrowserSession2(domain);
+    const cookies = bestSession ? bestSession.cookies : extractBrowserCookies2(domain).cookies;
+    let imported = 0;
+    for (const cookie of cookies) {
+      try {
+        await setCookie(tabId, cookie);
+        imported += 1;
+      } catch (error) {
+        log("auth", `browser_cookie_import_failed domain=${normalizeAuthDomain(domain)} tab_id=${tabId} cookie=${cookie.name} error=${formatAuthError(error)}`);
+      }
+    }
+    if (imported > 0) {
+      log("auth", `browser_cookie_imported domain=${normalizeAuthDomain(domain)} tab_id=${tabId} count=${imported}`);
+    }
+    return imported;
+  } catch (error) {
+    log("auth", `browser_cookie_extract_failed domain=${normalizeAuthDomain(domain)} tab_id=${tabId} error=${formatAuthError(error)}`);
+    return 0;
+  }
+}
+async function saveAuthProfileBestEffort(tabId, domain, context = "auth") {
+  const profileName = normalizeAuthDomain(domain);
+  if (!profileName || profileName === "unknown")
+    return false;
+  try {
+    await authProfileSave(tabId, profileName);
+    return true;
+  } catch (error) {
+    log("auth", `${context} auth_profile_failed op=save domain=${profileName} tab_id=${tabId} error=${formatAuthError(error)}`);
+    return false;
+  }
+}
+async function extractBrowserAuth(domain, opts) {
+  const { extractBrowserCookies: extractBrowserCookies2 } = await Promise.resolve().then(() => (init_browser_cookies(), exports_browser_cookies));
+  const result = extractBrowserCookies2(domain, opts);
+  if (result.cookies.length === 0) {
+    return {
+      success: false,
+      domain,
+      cookies_stored: 0,
+      error: result.warnings.join("; ") || "No cookies found in any browser"
+    };
+  }
+  const storableCookies = result.cookies.map((c) => ({
+    name: c.name,
+    value: c.value,
+    domain: c.domain,
+    path: c.path,
+    secure: c.secure,
+    httpOnly: c.httpOnly,
+    sameSite: c.sameSite,
+    expires: c.expires
+  }));
+  const vaultKey = `auth:${getRegistrableDomain(domain)}`;
+  await storeCredential(vaultKey, JSON.stringify({ cookies: storableCookies }));
+  log("auth", `stored ${storableCookies.length} cookies for ${domain} (key: ${vaultKey}) from ${result.source}`);
+  return { success: true, domain, cookies_stored: storableCookies.length };
+}
+function filterExpired(cookies) {
+  const now = Math.floor(Date.now() / 1000);
+  return cookies.filter((c) => {
+    if (c.expires == null || c.expires <= 0)
+      return true;
+    return c.expires > now;
+  });
+}
+async function getStoredAuth(domain) {
+  const bundle = await getStoredAuthBundle(domain);
+  return bundle?.cookies?.length ? bundle.cookies : null;
+}
+async function getStoredAuthBundle(domain) {
+  const regDomain = getRegistrableDomain(domain);
+  const keysToTry = [`auth:${regDomain}`];
+  if (domain !== regDomain)
+    keysToTry.push(`auth:${domain}`);
+  for (const key of keysToTry) {
+    const stored = await getCredential(key);
+    if (!stored)
+      continue;
+    try {
+      const parsed = JSON.parse(stored);
+      const cookies = parsed.cookies ?? [];
+      const valid = filterExpired(cookies);
+      if (cookies.length > 0 && valid.length === 0 && Object.keys(parsed.headers ?? {}).length === 0) {
+        log("auth", `all ${cookies.length} cookies for ${domain} (key: ${key}) are expired — deleting`);
+        await deleteCredential(key);
+        continue;
+      }
+      if (valid.length < cookies.length) {
+        log("auth", `filtered ${cookies.length - valid.length} expired cookies for ${domain}`);
+      }
+      return {
+        cookies: valid,
+        headers: parsed.headers ?? {},
+        source_keys: parsed.source_keys ?? [],
+        source_meta: parsed.source_meta ?? null
+      };
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+async function getAuthCookies(domain) {
+  const vaultCookies = await getStoredAuth(domain);
+  if (vaultCookies && vaultCookies.length > 0)
+    return vaultCookies;
+  log("auth", `no vault cookies for ${domain} — auto-extracting from browser`);
+  try {
+    const result = await extractBrowserAuth(domain);
+    if (result.success && result.cookies_stored > 0) {
+      return getStoredAuth(domain);
+    }
+  } catch (err) {
+    log("auth", `browser auto-extract failed for ${domain}: ${err instanceof Error ? err.message : err}`);
+  }
+  return null;
+}
+var DISABLE_BROWSER_COOKIE_IMPORT, GENERIC_AUTH_COOKIE_NAMES, DOMAIN_AUTH_COOKIE_NAMES;
+var init_auth = __esm(async () => {
+  init_client2();
+  init_domain();
+  init_logger();
+  init_supervisor();
+  await __promiseAll([
+    init_vault(),
+    init_agent_mail()
+  ]);
+  DISABLE_BROWSER_COOKIE_IMPORT = /^(0|false|no|off)$/i;
+  GENERIC_AUTH_COOKIE_NAMES = /(^|[_\-.])(sess(?:ion)?(?:id)?|auth|token|csrf|xsrf|jwt|sid|sso|remember|logged[_-]?in|connect\.sid)([_\-.]|$)/i;
+  DOMAIN_AUTH_COOKIE_NAMES = {
+    "linkedin.com": ["li_at"]
+  };
+});
+// ../../src/auth/email-provider.ts
+class AgentMailProvider {
+  name = "agentmail";
+  get configured() {
+    return Boolean(process.env.AGENTMAIL_API_KEY);
+  }
+  async getAddress(domain) {
+    const { getOrCreateSiteInbox: getOrCreateSiteInbox2 } = await init_agent_mail().then(() => exports_agent_mail);
+    const inbox = await getOrCreateSiteInbox2(domain);
+    return inbox.email;
+  }
+  async send(to, subject, body) {
+    const { autonomousEmailLogin: autonomousEmailLogin2 } = await init_agent_mail().then(() => exports_agent_mail);
+    const session = await autonomousEmailLogin2("general");
+    const result = await session.sendEmail(to, subject, body);
+    return { messageId: result.messageId };
+  }
+  async waitForMessage(fromDomain, timeoutMs = 90000) {
+    const { autonomousEmailLogin: autonomousEmailLogin2, waitForVerificationEmail: waitForVerificationEmail2 } = await init_agent_mail().then(() => exports_agent_mail);
+    const session = await autonomousEmailLogin2(fromDomain);
+    const email = await waitForVerificationEmail2(session.inboxId, fromDomain, timeoutMs);
+    return email;
+  }
+}
+class GmailProvider {
+  name = "gmail";
+  get configured() {
+    try {
+      const { existsSync: existsSync12 } = __require("fs");
+      const { homedir: homedir7 } = __require("os");
+      const { join: join9 } = __require("path");
+      return existsSync12(join9(homedir7(), ".config", "gcloud", "application_default_credentials.json"));
+    } catch {
+      return false;
+    }
+  }
+  async getAddress(_domain) {
+    const { execSync: execSync3 } = __require("child_process");
+    try {
+      const email = execSync3("gcloud config get-value account 2>/dev/null", { encoding: "utf-8" }).trim();
+      if (email && email.includes("@"))
+        return email;
+    } catch {}
+    throw new Error("Gmail not configured — run: gcloud auth login");
+  }
+  async send(_to, _subject, _body) {
+    throw new Error("Gmail send not yet wired — use AgentMail or the gws-gmail-send skill directly");
+  }
+  async waitForMessage(_fromDomain, _timeoutMs = 90000) {
+    throw new Error("Gmail inbox polling not yet wired — use AgentMail or the gws-gmail skill directly");
+  }
+}
+function getEmailProvider(purpose = "general") {
+  if (purpose === "register") {
+    const agentmail = providers.find((p) => p.name === "agentmail" && p.configured);
+    if (agentmail)
+      return agentmail;
+  }
+  if (purpose === "login") {
+    const gmail = providers.find((p) => p.name === "gmail" && p.configured);
+    if (gmail)
+      return gmail;
+  }
+  return providers.find((p) => p.configured) ?? null;
+}
+var providers;
+var init_email_provider = __esm(() => {
+  providers = [
+    new GmailProvider,
+    new AgentMailProvider
+  ];
+});
+// ../../src/auth/autonomous-login.ts
+async function detectEmailInput(tabId) {
+  const ref = await evaluate(tabId, `(() => {
+    // Priority order: type=email, name/id containing email, placeholder containing email
+    const byType = document.querySelector('input[type="email"]');
+    if (byType) return byType.getAttribute("data-ref") || "input[type=email]";
+    const byName = document.querySelector('input[name*="email" i], input[id*="email" i]');
+    if (byName) return byName.getAttribute("data-ref") || 'input[name*="email" i]';
+    const byPlaceholder = document.querySelector('input[placeholder*="email" i]');
+    if (byPlaceholder) return byPlaceholder.getAttribute("data-ref") || 'input[placeholder*="email" i]';
+    // Generic text input on a login page (single input + submit button pattern)
+    const inputs = document.querySelectorAll('input[type="text"], input:not([type])');
+    const submit = document.querySelector('button[type="submit"], input[type="submit"], button:not([type])');
+    if (inputs.length === 1 && submit) {
+      return inputs[0].getAttribute("data-ref") || 'input[type="text"]';
+    }
+    return null;
+  })()`);
+  return typeof ref === "string" ? ref : null;
+}
+async function detectOtpInput(tabId) {
+  const ref = await evaluate(tabId, `(() => {
+    // OTP-specific inputs
+    const byAutocomplete = document.querySelector('input[autocomplete="one-time-code"]');
+    if (byAutocomplete) return byAutocomplete.getAttribute("data-ref") || 'input[autocomplete="one-time-code"]';
+    // Name/id/placeholder containing otp, code, verification, pin
+    const byName = document.querySelector(
+      'input[name*="otp" i], input[name*="code" i], input[name*="verification" i], input[name*="pin" i], ' +
+      'input[id*="otp" i], input[id*="code" i], input[id*="verification" i], ' +
+      'input[placeholder*="code" i], input[placeholder*="verification" i], input[placeholder*="otp" i]'
+    );
+    if (byName) return byName.getAttribute("data-ref") || 'input[name*="code" i]';
+    // Numeric input with maxlength 4-8 (common OTP pattern)
+    const numericInputs = document.querySelectorAll('input[type="number"], input[type="tel"], input[inputmode="numeric"]');
+    for (const el of numericInputs) {
+      const ml = parseInt(el.getAttribute("maxlength") || "0");
+      if (ml >= 4 && ml <= 8) return el.getAttribute("data-ref") || 'input[inputmode="numeric"]';
+    }
+    // Single short text input that appeared after email submit
+    const textInputs = document.querySelectorAll('input[type="text"], input:not([type])');
+    for (const el of textInputs) {
+      const ml = parseInt(el.getAttribute("maxlength") || "0");
+      if (ml >= 4 && ml <= 8) return el.getAttribute("data-ref") || 'input[type="text"]';
+    }
+    return null;
+  })()`);
+  return typeof ref === "string" ? ref : null;
+}
+async function detectSubmitButton(tabId) {
+  const ref = await evaluate(tabId, `(() => {
+    const submit = document.querySelector(
+      'button[type="submit"], input[type="submit"], ' +
+      'button:not([type]):not([aria-label*="close" i]):not([aria-label*="cancel" i])'
+    );
+    if (submit) return submit.getAttribute("data-ref") || 'button[type="submit"]';
+    // Look for buttons with login/register/continue/verify text
+    const buttons = document.querySelectorAll('button, a[role="button"]');
+    for (const btn of buttons) {
+      const text = btn.textContent?.toLowerCase() || "";
+      if (/logs*in|signs*in|register|signs*up|continue|submit|verify|next/i.test(text)) {
+        return btn.getAttribute("data-ref") || null;
+      }
+    }
+    return null;
+  })()`);
+  return typeof ref === "string" ? ref : null;
+}
+async function checkLoginSuccess(tabId, domain) {
+  const cookies = await getCookies(tabId);
+  const domainCookies = cookies.filter((c) => isDomainMatch(c.domain, domain));
+  const authCookies = getAuthenticatedCookiesForDomain(domain, domainCookies);
+  return authCookies.length > 0;
+}
+async function autonomousLogin(loginUrl, domain) {
+  const start2 = Date.now();
+  const targetDomain = domain ?? (() => {
+    try {
+      return new URL(loginUrl).hostname.replace(/^www\./, "");
+    } catch {
+      return loginUrl;
+    }
+  })();
+  const elapsed = () => Date.now() - start2;
+  const emailProvider = getEmailProvider("register");
+  if (!emailProvider) {
+    return { success: false, method: "failed", domain: targetDomain, cookies_stored: 0, error: "No email provider configured (set AGENTMAIL_API_KEY or configure Gmail via gcloud)", duration_ms: elapsed() };
+  }
+  log("autonomous-login", `starting for ${targetDomain} — url: ${loginUrl}`);
+  const prevHeadless = process.env.HEADLESS;
+  process.env.HEADLESS = "false";
+  let tabId;
+  try {
+    await start();
+    tabId = await getDefaultTab();
+    await networkEnable(tabId);
+  } catch (err) {
+    if (prevHeadless !== undefined)
+      process.env.HEADLESS = prevHeadless;
+    else
+      delete process.env.HEADLESS;
+    return { success: false, method: "failed", domain: targetDomain, cookies_stored: 0, error: `Kuri start failed: ${err}`, duration_ms: elapsed() };
+  }
+  try {
+    await navigate(tabId, loginUrl);
+    await new Promise((r) => setTimeout(r, 2000));
+    let emailRef = await detectEmailInput(tabId);
+    if (!emailRef) {
+      const regUrl = loginUrl.replace(/login|signin|sign-in/i, "register").replace(/register/i, "signup");
+      if (regUrl !== loginUrl) {
+        await navigate(tabId, regUrl);
+        await new Promise((r) => setTimeout(r, 2000));
+        emailRef = await detectEmailInput(tabId);
+      }
+    }
+    if (!emailRef) {
+      log("autonomous-login", `no email input found on ${loginUrl}`);
+      return { success: false, method: "failed", domain: targetDomain, cookies_stored: 0, error: "no email input field detected", duration_ms: elapsed() };
+    }
+    let agentEmail;
+    try {
+      agentEmail = await emailProvider.getAddress(targetDomain);
+    } catch (err) {
+      return { success: false, method: "failed", domain: targetDomain, cookies_stored: 0, error: `Email provider (${emailProvider.name}) failed: ${err}`, duration_ms: elapsed() };
+    }
+    log("autonomous-login", `filling email: ${agentEmail} (via ${emailProvider.name}) into ${emailRef}`);
+    await fill(tabId, emailRef, agentEmail);
+    const submitRef = await detectSubmitButton(tabId);
+    if (submitRef) {
+      await click(tabId, submitRef);
+    } else {
+      await evaluate(tabId, `document.querySelector('${emailRef}')?.dispatchEvent(new KeyboardEvent('keydown', { key: 'Enter', bubbles: true }))`);
+    }
+    await new Promise((r) => setTimeout(r, POST_SUBMIT_SETTLE_MS));
+    const otpRef = await detectOtpInput(tabId);
+    if (otpRef) {
+      log("autonomous-login", `OTP input detected (${otpRef}), waiting for verification email via ${emailProvider.name}...`);
+      const verificationEmail = await emailProvider.waitForMessage(targetDomain, OTP_FILL_TIMEOUT_MS);
+      const otp = verificationEmail ? extractOtpFromEmail(verificationEmail.text) : null;
+      if (!otp) {
+        return { success: false, method: "failed", domain: targetDomain, email: agentEmail, cookies_stored: 0, error: "OTP email not received within timeout", duration_ms: elapsed() };
+      }
+      log("autonomous-login", `filling OTP: ${otp}`);
+      await fill(tabId, otpRef, otp);
+      const otpSubmitRef = await detectSubmitButton(tabId);
+      if (otpSubmitRef) {
+        await click(tabId, otpSubmitRef);
+      }
+      await new Promise((r) => setTimeout(r, POST_SUBMIT_SETTLE_MS));
+    } else {
+      log("autonomous-login", `no OTP input, trying magic link flow via ${emailProvider.name}...`);
+      const verificationEmail = await emailProvider.waitForMessage(targetDomain, OTP_FILL_TIMEOUT_MS);
+      const link = verificationEmail ? extractVerificationLink(verificationEmail.text, verificationEmail.html) : null;
+      if (link) {
+        log("autonomous-login", `navigating to magic link`);
+        await navigate(tabId, link);
+        await new Promise((r) => setTimeout(r, POST_SUBMIT_SETTLE_MS));
+      } else {
+        log("autonomous-login", `no magic link received, checking if already authenticated...`);
+      }
+    }
+    const success = await checkLoginSuccess(tabId, targetDomain);
+    if (success) {
+      const cookies = await getCookies(tabId);
+      const domainCookies = cookies.filter((c) => isDomainMatch(c.domain, targetDomain));
+      const storableCookies = domainCookies.map((c) => ({
+        name: c.name,
+        value: c.value,
+        domain: c.domain,
+        path: c.path,
+        secure: c.secure,
+        httpOnly: c.httpOnly,
+        sameSite: c.sameSite,
+        expires: c.expires
+      }));
+      const vaultKey = `auth:${getRegistrableDomain(targetDomain)}`;
+      await storeCredential(vaultKey, JSON.stringify({ cookies: storableCookies }));
+      await saveAuthProfileBestEffort(tabId, targetDomain, "autonomous_login");
+      log("autonomous-login", `login succeeded for ${targetDomain} — stored ${storableCookies.length} cookies (${elapsed()}ms)`);
+      return {
+        success: true,
+        method: otpRef ? "agent-mail-otp" : "agent-mail-link",
+        domain: targetDomain,
+        email: agentEmail,
+        cookies_stored: storableCookies.length,
+        duration_ms: elapsed()
+      };
+    }
+    return { success: false, method: "failed", domain: targetDomain, email: agentEmail, cookies_stored: 0, error: "login flow completed but no auth cookies detected", duration_ms: elapsed() };
+  } finally {
+    if (prevHeadless !== undefined)
+      process.env.HEADLESS = prevHeadless;
+    else
+      delete process.env.HEADLESS;
+  }
+}
+var OTP_FILL_TIMEOUT_MS = 120000, POST_SUBMIT_SETTLE_MS = 3000;
+var init_autonomous_login = __esm(async () => {
+  init_client2();
   init_logger();
-});
-// ../../src/reverse-engineer/token-sources.ts
-var init_token_sources = () => {};
-// ../../src/execution/token-resolver.ts
-var init_token_resolver = __esm(() => {
-  init_token_sources();
-});
-// ../../src/auth/index.ts
-var init_auth = __esm(async () => {
-  init_client2();
+  init_email_provider();
   init_domain();
-  init_logger();
-  init_supervisor();
-  await init_vault();
+  await __promiseAll([
+    init_agent_mail(),
+    init_auth(),
+    init_vault()
+  ]);
 });
 // ../../src/auth/runtime.ts
@@ -904,16 +2755,32 @@ class LocalAuthRuntime {
   sessions = new Map;
   async resolveAuth(dep) {
     if (dep.strategy === "none")
-      return { authenticated: true };
+      return { authenticated: true, method: "cached" };
     const session = this.sessions.get(dep.domain);
     if (session && session.expires > Date.now()) {
-      return { authenticated: true, session_token: session.token };
+      return { authenticated: true, session_token: session.token, method: "cached" };
     }
+    try {
+      const cookies = await getStoredAuth(dep.domain);
+      if (cookies && cookies.length > 0) {
+        log("auth-runtime", `found ${cookies.length} stored cookies for ${dep.domain}`);
+        this.setSession(dep.domain, "vault-cookies", 3600000);
+        return { authenticated: true, method: "cookies" };
+      }
+    } catch {}
+    try {
+      const result = await extractBrowserAuth(dep.domain);
+      if (result.success && result.cookies_stored > 0) {
+        log("auth-runtime", `extracted ${result.cookies_stored} browser cookies for ${dep.domain}`);
+        this.setSession(dep.domain, "browser-cookies", 3600000);
+        return { authenticated: true, method: "cookies" };
+      }
+    } catch {}
     if (dep.strategy === "refresh_session" && session) {
       const refreshed = await this.refreshSession(dep.domain);
       if (refreshed) {
         const updated = this.sessions.get(dep.domain);
-        return { authenticated: true, session_token: updated?.token };
+        return { authenticated: true, session_token: updated?.token, method: "cached" };
       }
     }
     return { authenticated: false };
@@ -930,10 +2797,30 @@ class LocalAuthRuntime {
     }
     return false;
   }
-  async loginIfNeeded(domain, _loginUrl) {
+  async loginIfNeeded(domain, loginUrl) {
     const refreshed = await this.refreshSession(domain);
     if (refreshed)
       return true;
+    try {
+      const cookies = await getAuthCookies(domain);
+      if (cookies && cookies.length > 0) {
+        this.setSession(domain, "auto-cookies", 3600000);
+        log("auth-runtime", `loginIfNeeded resolved via cookies for ${domain}`);
+        return true;
+      }
+    } catch {}
+    const url = loginUrl ?? `https://${domain}/login`;
+    try {
+      const result = await autonomousLogin(url, domain);
+      if (result.success) {
+        this.setSession(domain, "autonomous-login", 3600000);
+        log("auth-runtime", `loginIfNeeded resolved via autonomous login for ${domain} (${result.method}, ${result.duration_ms}ms)`);
+        return true;
+      }
+      log("auth-runtime", `autonomous login failed for ${domain}: ${result.error}`);
+    } catch (err) {
+      log("auth-runtime", `autonomous login error for ${domain}: ${err instanceof Error ? err.message : err}`);
+    }
     return false;
   }
   setSession(domain, token, ttlMs = 3600000) {
@@ -941,7 +2828,12 @@ class LocalAuthRuntime {
   }
 }
 var authRuntime;
-var init_runtime = __esm(() => {
+var init_runtime = __esm(async () => {
+  init_logger();
+  await __promiseAll([
+    init_auth(),
+    init_autonomous_login()
+  ]);
   authRuntime = new LocalAuthRuntime;
 });
@@ -1025,7 +2917,7 @@ var init_schema_review = __esm(() => {
 });
 // ../../src/indexer/index.ts
-import { join as join8 } from "node:path";
+import { join as join9 } from "node:path";
 var SKILL_SNAPSHOT_DIR, indexInFlight, pendingIndexJobs;
 var init_indexer = __esm(async () => {
   init_graph();
@@ -1040,7 +2932,7 @@ var init_indexer = __esm(async () => {
   init_graph();
   init_schema_review();
   await init_orchestrator();
-  SKILL_SNAPSHOT_DIR = process.env.UNBROWSE_SKILL_SNAPSHOT_DIR ?? join8(process.env.HOME ?? "/tmp", ".unbrowse", "skill-snapshots");
+  SKILL_SNAPSHOT_DIR = process.env.UNBROWSE_SKILL_SNAPSHOT_DIR ?? join9(process.env.HOME ?? "/tmp", ".unbrowse", "skill-snapshots");
   indexInFlight = new Map;
   pendingIndexJobs = new Map;
 });
@@ -1123,7 +3015,6 @@ var init_execution = __esm(async () => {
   init_bundle_scanner();
   init_token_resolver();
   init_marketplace();
-  init_runtime();
   init_transform();
   init_drift();
   init_client();
@@ -1146,6 +3037,8 @@ var init_execution = __esm(async () => {
     init_capture(),
     init_vault(),
     init_auth(),
+    init_runtime(),
+    init_autonomous_login(),
     init_indexer(),
     init_orchestrator()
   ]);
@@ -1186,9 +3079,9 @@ var init_execution = __esm(async () => {
 // ../../src/graph/planner.ts
 var MUTABLE_METHODS, sessionNegatives, sessionTraces;
-var init_planner = __esm(() => {
+var init_planner = __esm(async () => {
   init_graph();
-  init_runtime();
+  await init_runtime();
   MUTABLE_METHODS = new Set(["POST", "PUT", "DELETE", "PATCH"]);
   sessionNegatives = new Map;
   sessionTraces = new Map;
@@ -1204,9 +3097,9 @@ var init_graph_client = __esm(() => {
 });
 // ../../src/orchestrator/dag-advisor.ts
-var init_dag_advisor = __esm(() => {
-  init_planner();
+var init_dag_advisor = __esm(async () => {
   init_graph_client();
+  await init_planner();
 });
 // ../../src/orchestrator/dag-feedback.ts
@@ -1262,15 +3155,15 @@ var init_routing_telemetry = __esm(() => {
 });
 // ../../src/orchestrator/index.ts
 import { nanoid as nanoid9 } from "nanoid";
-import { existsSync as existsSync10, writeFileSync as writeFileSync3, readFileSync as readFileSync6, mkdirSync as mkdirSync5, readdirSync as readdirSync3 } from "node:fs";
-import { dirname as dirname3, join as join9 } from "node:path";
+import { existsSync as existsSync12, writeFileSync as writeFileSync4, readFileSync as readFileSync7, mkdirSync as mkdirSync6, readdirSync as readdirSync4 } from "node:fs";
+import { dirname as dirname3, join as join10 } from "node:path";
 function _writeRouteCacheToDisk() {
   try {
     const dir = dirname3(ROUTE_CACHE_FILE);
-    if (!existsSync10(dir))
-      mkdirSync5(dir, { recursive: true });
+    if (!existsSync12(dir))
+      mkdirSync6(dir, { recursive: true });
     const entries = Object.fromEntries(skillRouteCache);
-    writeFileSync3(ROUTE_CACHE_FILE, JSON.stringify(entries), "utf-8");
+    writeFileSync4(ROUTE_CACHE_FILE, JSON.stringify(entries), "utf-8");
   } catch {}
   _routeCacheDirty = false;
 }
@@ -1281,7 +3174,6 @@ var init_orchestrator = __esm(async () => {
   init_telemetry();
   init_marketplace();
   init_graph();
-  init_dag_advisor();
   init_domain();
   init_debug_trace();
   init_dag_feedback();
@@ -1292,24 +3184,25 @@ var init_orchestrator = __esm(async () => {
   init_payments();
   init_wallet();
   init_version();
-  init_runtime();
   init_routing_telemetry();
   await __promiseAll([
     init_execution(),
-    init_prefetch()
+    init_dag_advisor(),
+    init_prefetch(),
+    init_runtime()
   ]);
   LIVE_CAPTURE_TIMEOUT_MS = Number(process.env.UNBROWSE_LIVE_CAPTURE_TIMEOUT_MS ?? "120000");
   capturedDomainCache = new Map;
   captureInFlight = new Map;
   captureDomainLocks = new Map;
   skillRouteCache = new Map;
-  ROUTE_CACHE_FILE = join9(process.env.HOME ?? "/tmp", ".unbrowse", "route-cache.json");
-  SKILL_SNAPSHOT_DIR2 = process.env.UNBROWSE_SKILL_SNAPSHOT_DIR ?? join9(process.env.HOME ?? "/tmp", ".unbrowse", "skill-snapshots");
+  ROUTE_CACHE_FILE = join10(process.env.HOME ?? "/tmp", ".unbrowse", "route-cache.json");
+  SKILL_SNAPSHOT_DIR2 = process.env.UNBROWSE_SKILL_SNAPSHOT_DIR ?? join10(process.env.HOME ?? "/tmp", ".unbrowse", "skill-snapshots");
   domainSkillCache = new Map;
-  DOMAIN_CACHE_FILE = join9(process.env.HOME ?? "/tmp", ".unbrowse", "domain-skill-cache.json");
+  DOMAIN_CACHE_FILE = join10(process.env.HOME ?? "/tmp", ".unbrowse", "domain-skill-cache.json");
   try {
-    if (existsSync10(DOMAIN_CACHE_FILE)) {
-      const data = JSON.parse(readFileSync6(DOMAIN_CACHE_FILE, "utf-8"));
+    if (existsSync12(DOMAIN_CACHE_FILE)) {
+      const data = JSON.parse(readFileSync7(DOMAIN_CACHE_FILE, "utf-8"));
       for (const [k, v] of Object.entries(data)) {
         const entry = v;
         if (Date.now() - entry.ts < 7 * 24 * 60 * 60000) {
@@ -1326,8 +3219,8 @@ var init_orchestrator = __esm(async () => {
   }, 5000);
   routeCacheFlushTimer.unref?.();
   try {
-    if (existsSync10(ROUTE_CACHE_FILE)) {
-      const data = JSON.parse(readFileSync6(ROUTE_CACHE_FILE, "utf-8"));
+    if (existsSync12(ROUTE_CACHE_FILE)) {
+      const data = JSON.parse(readFileSync7(ROUTE_CACHE_FILE, "utf-8"));
       for (const [k, v] of Object.entries(data)) {
         const entry = v;
         if (Date.now() - entry.ts < 24 * 60 * 60000) {
@@ -1423,18 +3316,18 @@ __export(exports_wallet, {
   getWalletContext: () => getWalletContext2,
   checkWalletConfigured: () => checkWalletConfigured2
 });
-import { existsSync as existsSync14, readFileSync as readFileSync9 } from "node:fs";
-import { homedir as homedir6 } from "node:os";
-import { join as join11 } from "node:path";
+import { existsSync as existsSync16, readFileSync as readFileSync10 } from "node:fs";
+import { homedir as homedir7 } from "node:os";
+import { join as join12 } from "node:path";
 function asNonEmptyString2(value) {
   return typeof value === "string" && value.trim() ? value.trim() : undefined;
 }
 function getLobsterWalletFromLocalConfig2() {
-  const agentsPath = join11(process.env.HOME || homedir6(), ".lobster", "agents.json");
-  if (!existsSync14(agentsPath))
+  const agentsPath = join12(process.env.HOME || homedir7(), ".lobster", "agents.json");
+  if (!existsSync16(agentsPath))
     return;
   try {
-    const raw = JSON.parse(readFileSync9(agentsPath, "utf8"));
+    const raw = JSON.parse(readFileSync10(agentsPath, "utf8"));
     const activeAgentId = asNonEmptyString2(raw.activeAgentId);
     const activeAgent = Array.isArray(raw.agents) ? raw.agents.find((agent) => asNonEmptyString2(agent.id) === activeAgentId) : activeAgentId ? raw.agents?.[activeAgentId] : undefined;
     return asNonEmptyString2(activeAgent?.authorizedWallets?.solana) ?? asNonEmptyString2(activeAgent?.walletAddress) ?? asNonEmptyString2(activeAgent?.wallet_address);
@@ -1471,6 +3364,173 @@ function checkWalletConfigured2() {
 }
 var init_wallet2 = () => {};
+// ../../src/auth/bootstrap-agentmail.ts
+var exports_bootstrap_agentmail = {};
+__export(exports_bootstrap_agentmail, {
+  bootstrapAgentMailKey: () => bootstrapAgentMailKey
+});
+import os6 from "node:os";
+import fs2 from "node:fs";
+import path9 from "node:path";
+async function bootstrapAgentMailKey() {
+  log("bootstrap-agentmail", "starting — opening console.agentmail.to");
+  const prevHeadless = process.env.HEADLESS;
+  process.env.HEADLESS = "false";
+  try {
+    await start();
+    const tabId = await getDefaultTab();
+    await networkEnable(tabId);
+    await importBrowserCookiesIntoTab(tabId, "agentmail.to");
+    await importBrowserCookiesIntoTab(tabId, "clerk.agentmail.to");
+    await importBrowserCookiesIntoTab(tabId, "github.com");
+    await navigate(tabId, CONSOLE_URL);
+    await new Promise((r) => setTimeout(r, SETTLE_MS));
+    let currentUrl = await getCurrentUrl(tabId);
+    let onDashboard = typeof currentUrl === "string" && currentUrl.includes("/dashboard");
+    if (!onDashboard) {
+      log("bootstrap-agentmail", "not logged in — looking for GitHub OAuth");
+      const githubBtn = await evaluate(tabId, `(() => {
+        // Clerk renders OAuth buttons — look for GitHub
+        const btns = document.querySelectorAll('button, a');
+        for (const btn of btns) {
+          const text = (btn.textContent || '').toLowerCase();
+          const ariaLabel = (btn.getAttribute('aria-label') || '').toLowerCase();
+          if (text.includes('github') || ariaLabel.includes('github') ||
+              btn.querySelector('img[alt*="github" i], svg[aria-label*="github" i]')) {
+            btn.click();
+            return 'clicked';
+          }
+        }
+        // Also check for social login containers
+        const social = document.querySelector('.cl-socialButtonsBlockButton__github, [data-provider="github"]');
+        if (social) { social.click(); return 'clicked'; }
+        return 'not_found';
+      })()`);
+      if (githubBtn === "clicked") {
+        log("bootstrap-agentmail", "clicked GitHub OAuth — waiting for redirect");
+        const start2 = Date.now();
+        while (Date.now() - start2 < AUTH_TIMEOUT_MS) {
+          await new Promise((r) => setTimeout(r, 2000));
+          currentUrl = await getCurrentUrl(tabId);
+          if (typeof currentUrl === "string" && currentUrl.includes("/dashboard")) {
+            onDashboard = true;
+            log("bootstrap-agentmail", "GitHub OAuth completed — on dashboard");
+            break;
+          }
+        }
+      }
+      if (!onDashboard) {
+        log("bootstrap-agentmail", "could not auto-login — manual setup needed");
+        return {
+          success: false,
+          method: "manual",
+          error: "Could not auto-login to AgentMail console. Sign up at https://console.agentmail.to and create an API key manually."
+        };
+      }
+    }
+    log("bootstrap-agentmail", "on dashboard — navigating to API keys");
+    await navigate(tabId, `${DASHBOARD_URL}/api-keys`);
+    await new Promise((r) => setTimeout(r, SETTLE_MS));
+    const createResult = await evaluate(tabId, `(() => {
+      const btns = document.querySelectorAll('button, a');
+      for (const btn of btns) {
+        const text = (btn.textContent || '').toLowerCase();
+        if (text.includes('create') && (text.includes('key') || text.includes('api'))) {
+          btn.click();
+          return 'clicked';
+        }
+      }
+      return 'not_found';
+    })()`);
+    if (createResult === "clicked") {
+      await new Promise((r) => setTimeout(r, 2000));
+      await evaluate(tabId, `(() => {
+        const input = document.querySelector('input[placeholder*="name" i], input[name*="name" i], input[type="text"]');
+        if (input) {
+          input.value = 'unbrowse-agent';
+          input.dispatchEvent(new Event('input', { bubbles: true }));
+          input.dispatchEvent(new Event('change', { bubbles: true }));
+        }
+      })()`);
+      await evaluate(tabId, `(() => {
+        const btns = document.querySelectorAll('button');
+        for (const btn of btns) {
+          const text = (btn.textContent || '').toLowerCase();
+          if (text.includes('create') || text.includes('confirm') || text.includes('generate')) {
+            btn.click();
+            return 'clicked';
+          }
+        }
+      })()`);
+      await new Promise((r) => setTimeout(r, 2000));
+    }
+    const apiKey = await evaluate(tabId, `(() => {
+      // Look for the key in common patterns
+      // 1. Input/textarea with the key value
+      const inputs = document.querySelectorAll('input[readonly], input[type="text"], textarea, code, pre');
+      for (const el of inputs) {
+        const val = el.value || el.textContent || '';
+        // AgentMail keys typically start with 'am_' or are long alphanumeric strings
+        if (/^(am_|sk_|key_)/.test(val) || (val.length > 30 && /^[a-zA-Z0-9_-]+$/.test(val))) {
+          return val.trim();
+        }
+      }
+      // 2. Look in the page text for key patterns
+      const text = document.body.innerText;
+      const match = text.match(/(am_[a-zA-Z0-9_-]{20,}|sk_[a-zA-Z0-9_-]{20,})/);
+      if (match) return match[1];
+      return null;
+    })()`);
+    if (apiKey && typeof apiKey === "string" && apiKey.length > 10) {
+      log("bootstrap-agentmail", `extracted API key: ${apiKey.substring(0, 8)}...`);
+      await storeCredential("agentmail:api_key", apiKey);
+      persistApiKeyToShell(apiKey);
+      process.env.AGENTMAIL_API_KEY = apiKey;
+      return {
+        success: true,
+        api_key: apiKey,
+        method: onDashboard ? "existing-session" : "github-oauth"
+      };
+    }
+    return {
+      success: false,
+      error: "Reached dashboard but could not extract API key. Create one manually at https://console.agentmail.to/dashboard/api-keys"
+    };
+  } finally {
+    if (prevHeadless !== undefined)
+      process.env.HEADLESS = prevHeadless;
+    else
+      delete process.env.HEADLESS;
+  }
+}
+function persistApiKeyToShell(apiKey) {
+  const shell = process.env.SHELL ?? "/bin/zsh";
+  const rcFile = shell.includes("zsh") ? path9.join(os6.homedir(), ".zshrc") : path9.join(os6.homedir(), ".bashrc");
+  try {
+    const content = fs2.existsSync(rcFile) ? fs2.readFileSync(rcFile, "utf-8") : "";
+    if (content.includes("AGENTMAIL_API_KEY")) {
+      log("bootstrap-agentmail", `${rcFile} already has AGENTMAIL_API_KEY — not overwriting`);
+      return;
+    }
+    fs2.appendFileSync(rcFile, `
+# AgentMail API key (added by unbrowse setup)
+export AGENTMAIL_API_KEY="${apiKey}"
+`);
+    log("bootstrap-agentmail", `wrote AGENTMAIL_API_KEY to ${rcFile}`);
+  } catch (err) {
+    log("bootstrap-agentmail", `failed to write to ${rcFile}: ${err}`);
+  }
+}
+var CONSOLE_URL = "https://console.agentmail.to", DASHBOARD_URL = "https://console.agentmail.to/dashboard", SETTLE_MS = 3000, AUTH_TIMEOUT_MS = 120000;
+var init_bootstrap_agentmail = __esm(async () => {
+  init_client2();
+  init_logger();
+  await __promiseAll([
+    init_vault(),
+    init_auth()
+  ]);
+});
 // ../../src/version.ts
 var exports_version = {};
 __export(exports_version, {
@@ -1487,13 +3547,13 @@ __export(exports_version, {
   CODE_HASH: () => CODE_HASH2
 });
 import { createHash as createHash3 } from "crypto";
-import { existsSync as existsSync15, readFileSync as readFileSync10, readdirSync as readdirSync4 } from "fs";
-import { dirname as dirname4, join as join12, parse as parse2 } from "path";
+import { existsSync as existsSync17, readFileSync as readFileSync11, readdirSync as readdirSync5 } from "fs";
+import { dirname as dirname4, join as join13, parse as parse2 } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
 function collectTsFiles2(dir) {
   const results = [];
-  for (const entry of readdirSync4(dir, { withFileTypes: true })) {
-    const full = join12(dir, entry.name);
+  for (const entry of readdirSync5(dir, { withFileTypes: true })) {
+    const full = join13(dir, entry.name);
     if (entry.isDirectory() && entry.name !== "node_modules") {
       results.push(...collectTsFiles2(full));
     } else if (entry.name.endsWith(".ts")) {
@@ -1506,21 +3566,21 @@ function hashFiles2(srcDir, files) {
   const hash = createHash3("sha256");
   for (const file of files) {
     hash.update(file.slice(srcDir.length));
-    hash.update(readFileSync10(file, "utf-8"));
+    hash.update(readFileSync11(file, "utf-8"));
   }
   return hash.digest("hex").slice(0, 12);
 }
 function resolveCodeHashSourceDir2(moduleDir) {
   const candidates = [
     moduleDir,
-    join12(moduleDir, "runtime-src"),
-    join12(moduleDir, "..", "runtime-src"),
-    join12(moduleDir, "src"),
-    join12(moduleDir, "..", "src")
+    join13(moduleDir, "runtime-src"),
+    join13(moduleDir, "..", "runtime-src"),
+    join13(moduleDir, "src"),
+    join13(moduleDir, "..", "src")
   ];
   for (const candidate of candidates) {
     try {
-      if (!existsSync15(candidate))
+      if (!existsSync17(candidate))
         continue;
       const files = collectTsFiles2(candidate);
       if (files.length > 0)
@@ -1570,7 +3630,7 @@ function getPackageVersionForModuleDir2(moduleDir) {
   const root = parse2(dir).root;
   while (true) {
     try {
-      const pkg = JSON.parse(readFileSync10(join12(dir, "package.json"), "utf-8"));
+      const pkg = JSON.parse(readFileSync11(join13(dir, "package.json"), "utf-8"));
       return typeof pkg.version === "string" ? pkg.version : "unknown";
     } catch {}
     if (dir === root)
@@ -1597,218 +3657,310 @@ var init_version2 = __esm(() => {
 });
 // ../../src/auth/agent-mail.ts
-var exports_agent_mail = {};
-__export(exports_agent_mail, {
-  waitForVerificationEmail: () => waitForVerificationEmail,
-  getOrCreateSiteInbox: () => getOrCreateSiteInbox,
-  extractVerificationLink: () => extractVerificationLink,
-  extractOtpFromEmail: () => extractOtpFromEmail,
-  autonomousEmailLogin: () => autonomousEmailLogin
+var exports_agent_mail2 = {};
+__export(exports_agent_mail2, {
+  waitForVerificationEmail: () => waitForVerificationEmail2,
+  tryAgentMailAuth: () => tryAgentMailAuth2,
+  isAgentMailAvailable: () => isAgentMailAvailable2,
+  getOrCreateSiteInbox: () => getOrCreateSiteInbox2,
+  extractVerificationLink: () => extractVerificationLink2,
+  extractOtpFromEmail: () => extractOtpFromEmail2,
+  autonomousEmailLogin: () => autonomousEmailLogin2
 });
-async function amFetch(method, path9, body) {
-  const res = await fetch(`${AGENTMAIL_API}${path9}`, {
-    method,
-    headers: {
-      Authorization: `Bearer ${AGENTMAIL_KEY}`,
-      "Content-Type": "application/json"
-    },
-    ...body ? { body: JSON.stringify(body) } : {}
-  });
-  if (!res.ok) {
-    const text = await res.text().catch(() => "");
-    throw new Error(`AgentMail ${method} ${path9}: ${res.status} ${text}`);
+import { AgentMailClient as AgentMailClient2 } from "agentmail";
+function getClient2() {
+  if (_client2)
+    return _client2;
+  const apiKey = process.env.AGENTMAIL_API_KEY;
+  if (!apiKey)
+    throw new Error("AGENTMAIL_API_KEY not set — cannot use agent mail");
+  _client2 = new AgentMailClient2({ apiKey });
+  return _client2;
+}
+async function getStoredInbox2(domain) {
+  const key = `${VAULT_PREFIX2}${getRegistrableDomain(domain)}`;
+  const raw = await getCredential(key);
+  if (!raw)
+    return null;
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
   }
-  return res.json();
 }
-async function getOrCreateSiteInbox(domain) {
-  const safeDomain = domain.replace(/[^a-z0-9-]/gi, "-").toLowerCase();
+async function storeInbox2(domain, inbox) {
+  const key = `${VAULT_PREFIX2}${getRegistrableDomain(domain)}`;
+  await storeCredential(key, JSON.stringify(inbox));
+  log("agent-mail", `stored inbox ${inbox.email} for ${domain}`);
+}
+async function getOrCreateSiteInbox2(domain) {
+  const stored = await getStoredInbox2(domain);
+  if (stored) {
+    log("agent-mail", `reusing stored inbox ${stored.email} for ${domain}`);
+    return { inboxId: stored.inboxId, email: stored.email };
+  }
+  const client = getClient2();
+  const safeDomain = getRegistrableDomain(domain).replace(/[^a-z0-9-]/gi, "-").toLowerCase();
   const username = `unbrowse-${safeDomain}`;
   const clientId = `unbrowse-login-${safeDomain}`;
   try {
-    const inbox = await amFetch("POST", "/inboxes", {
+    const inbox = await client.inboxes.create({
       username,
       domain: "agentmail.to",
-      display_name: `Unbrowse Agent - ${domain}`,
-      client_id: clientId
+      displayName: `Unbrowse Agent - ${domain}`,
+      clientId
     });
-    return inbox;
-  } catch {
-    const email = `${username}@agentmail.to`;
+    const result = { inboxId: inbox.inboxId, email: inbox.email };
+    await storeInbox2(domain, { ...result, domain, createdAt: new Date().toISOString() });
+    log("agent-mail", `created inbox ${inbox.email} for ${domain}`);
+    return result;
+  } catch (err) {
+    log("agent-mail", `create failed (likely exists), listing to find match: ${err instanceof Error ? err.message : err}`);
     try {
-      const inbox = await amFetch("GET", `/inboxes/${encodeURIComponent(email)}`);
-      return inbox;
-    } catch {
-      return { inbox_id: "unbrowse-agent@agentmail.to", email: "unbrowse-agent@agentmail.to" };
-    }
+      const list = await client.inboxes.list({ limit: 100 });
+      const match = list.inboxes.find((i) => i.clientId === clientId || i.email === `${username}@agentmail.to`);
+      if (match) {
+        const result = { inboxId: match.inboxId, email: match.email };
+        await storeInbox2(domain, { ...result, domain, createdAt: new Date().toISOString() });
+        return result;
+      }
+    } catch {}
+    throw new Error(`Failed to create or find AgentMail inbox for ${domain}`);
   }
 }
-async function waitForVerificationEmail(inboxId, fromDomain, timeoutMs = 60000) {
+async function waitForVerificationEmail2(inboxId, fromDomain, timeoutMs = DEFAULT_TIMEOUT_MS2) {
+  const client = getClient2();
   const start2 = Date.now();
-  const pollInterval = 3000;
+  const normalizedDomain = fromDomain.toLowerCase();
+  log("agent-mail", `polling inbox ${inboxId} for email from *@${normalizedDomain} (timeout: ${timeoutMs}ms)`);
   while (Date.now() - start2 < timeoutMs) {
-    const data = await amFetch("GET", `/inboxes/${encodeURIComponent(inboxId)}/messages?limit=5&labels=unread`);
-    for (const msg of data.messages ?? []) {
-      if (msg.from?.toLowerCase().includes(fromDomain.toLowerCase())) {
-        return {
-          subject: msg.subject ?? "",
-          text: msg.extractedText ?? msg.text ?? "",
-          html: msg.extractedHtml ?? msg.html ?? ""
-        };
+    try {
+      const response = await client.inboxes.messages.list(inboxId, {
+        limit: 10,
+        labels: ["received"]
+      });
+      for (const item of response.messages ?? []) {
+        const msg = await client.inboxes.messages.get(inboxId, item.messageId);
+        const from = typeof msg.from === "string" ? msg.from : (msg.from ?? []).join(", ");
+        if (from.toLowerCase().includes(normalizedDomain)) {
+          log("agent-mail", `found verification email from ${from}: "${msg.subject}"`);
+          return {
+            messageId: msg.messageId,
+            threadId: msg.threadId,
+            subject: msg.subject ?? "",
+            from,
+            text: msg.extractedText ?? msg.text ?? "",
+            html: msg.extractedHtml ?? msg.html ?? "",
+            receivedAt: msg.createdAt
+          };
+        }
       }
+    } catch (err) {
+      log("agent-mail", `poll error: ${err instanceof Error ? err.message : err}`);
     }
-    await new Promise((r) => setTimeout(r, pollInterval));
+    await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS2));
   }
+  log("agent-mail", `timeout waiting for email from ${normalizedDomain}`);
   return null;
 }
-function extractOtpFromEmail(text) {
+function extractOtpFromEmail2(text) {
+  const codePhrase = text.match(/(?:verification|confirm|security|login|one[- ]time|otp)\s*(?:code|pin|number)[:\s]+(\w{4,8})/i);
+  if (codePhrase)
+    return codePhrase[1];
+  const codeIs = text.match(/(?:code|otp|pin)[:\s]+(\w{4,8})/i);
+  if (codeIs)
+    return codeIs[1];
   const six = text.match(/\b(\d{6})\b/);
   if (six)
     return six[1];
   const four = text.match(/\b(\d{4})\b/);
   if (four)
     return four[1];
-  const codeIs = text.match(/code[:\s]+(\w{4,8})/i);
-  if (codeIs)
-    return codeIs[1];
   return null;
 }
-function extractVerificationLink(text, html) {
-  const htmlLink = html.match(/href="(https?:\/\/[^"]*(?:verify|confirm|activate|magic|token|auth)[^"]*)"/i);
+function extractVerificationLink2(text, html) {
+  const htmlLink = html.match(/href="(https?:\/\/[^"]*(?:verify|confirm|activate|magic|token|auth|callback|validate|approve|email)[^"]*)"/i);
   if (htmlLink)
     return htmlLink[1];
-  const textLink = text.match(/(https?:\/\/\S*(?:verify|confirm|activate|magic|token|auth)\S*)/i);
+  const textLink = text.match(/(https?:\/\/\S*(?:verify|confirm|activate|magic|token|auth|callback|validate|approve|email)\S*)/i);
   if (textLink)
     return textLink[1];
-  const anyLink = text.match(/(https?:\/\/\S+)/);
-  if (anyLink)
-    return anyLink[1];
+  const anyHtmlLink = html.match(/href="(https?:\/\/[^"]+)"/);
+  if (anyHtmlLink)
+    return anyHtmlLink[1];
+  const anyTextLink = text.match(/(https?:\/\/\S+)/);
+  if (anyTextLink)
+    return anyTextLink[1];
   return null;
 }
-async function autonomousEmailLogin(domain) {
-  const inbox = await getOrCreateSiteInbox(domain);
+async function autonomousEmailLogin2(domain) {
+  const inbox = await getOrCreateSiteInbox2(domain);
+  const client = getClient2();
+  log("agent-mail", `session ready for ${domain} — email: ${inbox.email}`);
   return {
     email: inbox.email,
-    inboxId: inbox.inbox_id,
-    waitForOtp: async () => {
-      const email = await waitForVerificationEmail(inbox.inbox_id, domain, 90000);
+    inboxId: inbox.inboxId,
+    domain,
+    waitForOtp: async (timeoutMs = DEFAULT_TIMEOUT_MS2) => {
+      const email = await waitForVerificationEmail2(inbox.inboxId, domain, timeoutMs);
       if (!email)
         return null;
-      return extractOtpFromEmail(email.text);
+      const otp = extractOtpFromEmail2(email.text);
+      if (otp)
+        log("agent-mail", `extracted OTP: ${otp} from ${email.subject}`);
+      return otp;
     },
-    waitForLink: async () => {
-      const email = await waitForVerificationEmail(inbox.inbox_id, domain, 90000);
+    waitForLink: async (timeoutMs = DEFAULT_TIMEOUT_MS2) => {
+      const email = await waitForVerificationEmail2(inbox.inboxId, domain, timeoutMs);
       if (!email)
         return null;
-      return extractVerificationLink(email.text, email.html);
+      const link = extractVerificationLink2(email.text, email.html);
+      if (link)
+        log("agent-mail", `extracted verification link from ${email.subject}`);
+      return link;
+    },
+    waitForEmail: (timeoutMs = DEFAULT_TIMEOUT_MS2) => waitForVerificationEmail2(inbox.inboxId, domain, timeoutMs),
+    sendEmail: async (to, subject, body) => {
+      const result = await client.inboxes.messages.send(inbox.inboxId, {
+        to: [to],
+        subject,
+        text: body
+      });
+      log("agent-mail", `sent email to ${to}: "${subject}" (${result.messageId})`);
+      return { messageId: result.messageId, threadId: result.threadId };
+    },
+    replyTo: async (messageId, body) => {
+      const result = await client.inboxes.messages.reply(inbox.inboxId, messageId, {
+        text: body
+      });
+      log("agent-mail", `replied to ${messageId} (${result.messageId})`);
+      return { messageId: result.messageId, threadId: result.threadId };
     }
   };
 }
-var AGENTMAIL_API = "https://api.agentmail.to", AGENTMAIL_KEY;
-var init_agent_mail = __esm(() => {
-  AGENTMAIL_KEY = process.env.AGENTMAIL_API_KEY ?? "";
+function isAgentMailAvailable2() {
+  return Boolean(process.env.AGENTMAIL_API_KEY);
+}
+async function tryAgentMailAuth2(domain) {
+  if (!isAgentMailAvailable2()) {
+    log("agent-mail", `skipping — AGENTMAIL_API_KEY not set`);
+    return null;
+  }
+  try {
+    return await autonomousEmailLogin2(domain);
+  } catch (err) {
+    log("agent-mail", `auth failed for ${domain}: ${err instanceof Error ? err.message : err}`);
+    return null;
+  }
+}
+var POLL_INTERVAL_MS2 = 3000, DEFAULT_TIMEOUT_MS2 = 90000, _client2 = null, VAULT_PREFIX2 = "agentmail:";
+var init_agent_mail2 = __esm(async () => {
+  init_logger();
+  init_domain();
+  await init_vault();
 });
 // ../../src/auth/browser-cookies.ts
-var exports_browser_cookies = {};
-__export(exports_browser_cookies, {
-  scanAllBrowserSessions: () => scanAllBrowserSessions,
-  resolveChromiumCookiesPath: () => resolveChromiumCookiesPath,
-  findBestBrowserSession: () => findBestBrowserSession,
-  extractFromFirefox: () => extractFromFirefox,
-  extractFromChromium: () => extractFromChromium,
-  extractFromChrome: () => extractFromChrome,
-  extractBrowserCookies: () => extractBrowserCookies,
-  decodeChromiumCookieValue: () => decodeChromiumCookieValue
+var exports_browser_cookies2 = {};
+__export(exports_browser_cookies2, {
+  scanAllBrowserSessions: () => scanAllBrowserSessions2,
+  resolveChromiumCookiesPath: () => resolveChromiumCookiesPath2,
+  findBestBrowserSession: () => findBestBrowserSession2,
+  extractFromFirefox: () => extractFromFirefox2,
+  extractFromChromium: () => extractFromChromium2,
+  extractFromChrome: () => extractFromChrome2,
+  extractBrowserCookies: () => extractBrowserCookies2,
+  decodeChromiumCookieValue: () => decodeChromiumCookieValue2
 });
-import { execFileSync as execFileSync4 } from "node:child_process";
-import { createDecipheriv, pbkdf2Sync } from "node:crypto";
-import { copyFileSync, existsSync as existsSync16, mkdtempSync, readdirSync as readdirSync5, rmSync } from "node:fs";
-import { tmpdir, homedir as homedir7, platform } from "node:os";
-import { join as join13 } from "node:path";
-function getChromeUserDataDir() {
-  const home = homedir7();
-  if (platform() === "darwin") {
-    return join13(home, "Library", "Application Support", "Google", "Chrome");
-  }
-  if (platform() === "win32") {
-    const appData = process.env.LOCALAPPDATA ?? join13(home, "AppData", "Local");
-    return join13(appData, "Google", "Chrome", "User Data");
-  }
-  return join13(home, ".config", "google-chrome");
-}
-function resolveChromiumCookiesPath(opts) {
+import { execFileSync as execFileSync5 } from "node:child_process";
+import { createDecipheriv as createDecipheriv3, pbkdf2Sync as pbkdf2Sync2 } from "node:crypto";
+import { copyFileSync as copyFileSync2, existsSync as existsSync18, mkdtempSync as mkdtempSync2, readdirSync as readdirSync6, rmSync as rmSync2 } from "node:fs";
+import { tmpdir as tmpdir2, homedir as homedir8, platform as platform2 } from "node:os";
+import { join as join14 } from "node:path";
+function getChromeUserDataDir2() {
+  const home = homedir8();
+  if (platform2() === "darwin") {
+    return join14(home, "Library", "Application Support", "Google", "Chrome");
+  }
+  if (platform2() === "win32") {
+    const appData = process.env.LOCALAPPDATA ?? join14(home, "AppData", "Local");
+    return join14(appData, "Google", "Chrome", "User Data");
+  }
+  return join14(home, ".config", "google-chrome");
+}
+function resolveChromiumCookiesPath2(opts) {
   if (opts?.cookieDbPath) {
-    return opts.cookieDbPath.replace(/^~\//, homedir7() + "/");
+    return opts.cookieDbPath.replace(/^~\//, homedir8() + "/");
   }
   const profileDir = opts?.profile || "Default";
-  const userDataDir = (opts?.userDataDir || getChromeUserDataDir()).replace(/^~\//, homedir7() + "/");
+  const userDataDir = (opts?.userDataDir || getChromeUserDataDir2()).replace(/^~\//, homedir8() + "/");
   const candidates = [
-    join13(userDataDir, profileDir, "Network", "Cookies"),
-    join13(userDataDir, profileDir, "Cookies"),
-    join13(userDataDir, "Network", "Cookies"),
-    join13(userDataDir, "Cookies")
+    join14(userDataDir, profileDir, "Network", "Cookies"),
+    join14(userDataDir, profileDir, "Cookies"),
+    join14(userDataDir, "Network", "Cookies"),
+    join14(userDataDir, "Cookies")
   ];
-  return candidates.find((candidate) => existsSync16(candidate)) ?? candidates[0] ?? null;
+  return candidates.find((candidate) => existsSync18(candidate)) ?? candidates[0] ?? null;
 }
-function getFirefoxProfilesRoot() {
-  const home = homedir7();
-  if (platform() === "darwin") {
-    return join13(home, "Library", "Application Support", "Firefox", "Profiles");
+function getFirefoxProfilesRoot2() {
+  const home = homedir8();
+  if (platform2() === "darwin") {
+    return join14(home, "Library", "Application Support", "Firefox", "Profiles");
   }
-  if (platform() === "linux") {
-    return join13(home, ".mozilla", "firefox");
+  if (platform2() === "linux") {
+    return join14(home, ".mozilla", "firefox");
   }
-  if (platform() === "win32") {
+  if (platform2() === "win32") {
     const appData = process.env.APPDATA;
     if (!appData)
       return null;
-    return join13(appData, "Mozilla", "Firefox", "Profiles");
+    return join14(appData, "Mozilla", "Firefox", "Profiles");
   }
   return null;
 }
-function pickFirefoxProfile(profilesRoot, profile) {
+function pickFirefoxProfile2(profilesRoot, profile) {
   if (profile) {
-    const candidate2 = join13(profilesRoot, profile, "cookies.sqlite");
-    return existsSync16(candidate2) ? candidate2 : null;
+    const candidate2 = join14(profilesRoot, profile, "cookies.sqlite");
+    return existsSync18(candidate2) ? candidate2 : null;
   }
-  const entries = readdirSync5(profilesRoot, { withFileTypes: true });
+  const entries = readdirSync6(profilesRoot, { withFileTypes: true });
   const defaultRelease = entries.find((e) => e.isDirectory() && e.name.includes("default-release"));
   const targetDir = defaultRelease?.name ?? entries.find((e) => e.isDirectory())?.name;
   if (!targetDir)
     return null;
-  const candidate = join13(profilesRoot, targetDir, "cookies.sqlite");
-  return existsSync16(candidate) ? candidate : null;
+  const candidate = join14(profilesRoot, targetDir, "cookies.sqlite");
+  return existsSync18(candidate) ? candidate : null;
 }
-function getFirefoxCookiesPath(profile) {
-  const profilesRoot = getFirefoxProfilesRoot();
-  if (!profilesRoot || !existsSync16(profilesRoot))
+function getFirefoxCookiesPath2(profile) {
+  const profilesRoot = getFirefoxProfilesRoot2();
+  if (!profilesRoot || !existsSync18(profilesRoot))
     return null;
-  return pickFirefoxProfile(profilesRoot, profile);
+  return pickFirefoxProfile2(profilesRoot, profile);
 }
-function getChromiumKeychainServiceName(opts) {
+function getChromiumKeychainServiceName2(opts) {
   if (opts?.safeStorageService)
     return opts.safeStorageService;
   return `${opts?.browserName || "Chrome"} Safe Storage`;
 }
-function getChromiumDecryptionKey(opts) {
-  const service = getChromiumKeychainServiceName(opts);
-  const cached = _chromiumKeyCache.get(service);
+function getChromiumDecryptionKey2(opts) {
+  const service = getChromiumKeychainServiceName2(opts);
+  const cached = _chromiumKeyCache2.get(service);
   if (cached)
     return cached;
-  if (platform() !== "darwin")
+  if (platform2() !== "darwin")
     return null;
   try {
-    const keyOutput = execFileSync4("security", ["find-generic-password", "-s", service, "-w"], { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] }).trim();
+    const keyOutput = execFileSync5("security", ["find-generic-password", "-s", service, "-w"], { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] }).trim();
     if (!keyOutput)
       return null;
-    const derived = pbkdf2Sync(keyOutput, "saltysalt", 1003, 16, "sha1");
-    _chromiumKeyCache.set(service, derived);
+    const derived = pbkdf2Sync2(keyOutput, "saltysalt", 1003, 16, "sha1");
+    _chromiumKeyCache2.set(service, derived);
     return derived;
   } catch {
     return null;
   }
 }
-function decryptChromiumValue(encryptedHex, opts) {
+function decryptChromiumValue2(encryptedHex, opts) {
   try {
     const buf = Buffer.from(encryptedHex, "hex");
     if (buf.length < 4)
@@ -1817,7 +3969,7 @@ function decryptChromiumValue(encryptedHex, opts) {
     if (version !== "v10" && version !== "v11") {
       return buf.toString("utf8");
     }
-    const key = getChromiumDecryptionKey(opts);
+    const key = getChromiumDecryptionKey2(opts);
     if (!key)
       return null;
     const payload = buf.subarray(3);
@@ -1825,7 +3977,7 @@ function decryptChromiumValue(encryptedHex, opts) {
       try {
         const iv2 = payload.subarray(16, 32);
         const encrypted = payload.subarray(32);
-        const decipher2 = createDecipheriv("aes-128-cbc", key, iv2);
+        const decipher2 = createDecipheriv3("aes-128-cbc", key, iv2);
         decipher2.setAutoPadding(true);
         const decrypted2 = Buffer.concat([decipher2.update(encrypted), decipher2.final()]);
         const val = decrypted2.toString("utf8").replace(/[^\x20-\x7E]/g, "");
@@ -1834,7 +3986,7 @@ function decryptChromiumValue(encryptedHex, opts) {
       } catch {}
     }
     const iv = Buffer.alloc(16, 32);
-    const decipher = createDecipheriv("aes-128-cbc", key, iv);
+    const decipher = createDecipheriv3("aes-128-cbc", key, iv);
     decipher.setAutoPadding(true);
     const decrypted = Buffer.concat([decipher.update(payload), decipher.final()]);
     return decrypted.toString("utf8").replace(/[^\x20-\x7E]/g, "");
@@ -1842,37 +3994,37 @@ function decryptChromiumValue(encryptedHex, opts) {
     return null;
   }
 }
-function decodeChromiumCookieValue(rawValue, encryptedHex, opts) {
+function decodeChromiumCookieValue2(rawValue, encryptedHex, opts) {
   if (rawValue)
     return rawValue;
   if (!encryptedHex)
     return null;
-  return decryptChromiumValue(encryptedHex, opts);
+  return decryptChromiumValue2(encryptedHex, opts);
 }
-function withTempCopy(dbPath, fn) {
-  const tempDir = mkdtempSync(join13(tmpdir(), "unbrowse-cookies-"));
-  const tempDb = join13(tempDir, "cookies.db");
+function withTempCopy2(dbPath, fn) {
+  const tempDir = mkdtempSync2(join14(tmpdir2(), "unbrowse-cookies-"));
+  const tempDb = join14(tempDir, "cookies.db");
   try {
-    copyFileSync(dbPath, tempDb);
+    copyFileSync2(dbPath, tempDb);
     for (const ext of ["-wal", "-shm"]) {
       const src = dbPath + ext;
-      if (existsSync16(src))
-        copyFileSync(src, tempDb + ext);
+      if (existsSync18(src))
+        copyFileSync2(src, tempDb + ext);
     }
     return fn(tempDb);
   } finally {
     try {
-      rmSync(tempDir, { recursive: true, force: true });
+      rmSync2(tempDir, { recursive: true, force: true });
     } catch {}
   }
 }
-function sqliteQuery(dbPath, sql) {
-  return execFileSync4("sqlite3", ["-separator", "|", dbPath, sql], {
+function sqliteQuery2(dbPath, sql) {
+  return execFileSync5("sqlite3", ["-separator", "|", dbPath, sql], {
     encoding: "utf8",
     maxBuffer: 4 * 1024 * 1024
   }).trim();
 }
-function buildDomainWhereClause(domain, column) {
+function buildDomainWhereClause2(domain, column) {
   const reg = getRegistrableDomain(domain);
   const variants = new Set([
     reg,
@@ -1891,25 +4043,25 @@ function buildDomainWhereClause(domain, column) {
   const likePattern = `'%.${likeReg}'`;
   return `(${column} IN (${escaped.join(", ")}) OR ${column} LIKE ${likePattern})`;
 }
-function extractFromChrome(domain, opts) {
-  return extractFromChromium(domain, {
+function extractFromChrome2(domain, opts) {
+  return extractFromChromium2(domain, {
     profile: opts?.profile,
     browserName: "Chrome"
   });
 }
-function extractFromChromium(domain, opts) {
+function extractFromChromium2(domain, opts) {
   const warnings = [];
-  const dbPath = resolveChromiumCookiesPath(opts);
+  const dbPath = resolveChromiumCookiesPath2(opts);
   const sourceLabel = opts?.browserName || "Chromium";
-  if (!dbPath || !existsSync16(dbPath)) {
+  if (!dbPath || !existsSync18(dbPath)) {
     warnings.push(`${sourceLabel} cookies DB not found${dbPath ? ` at ${dbPath}` : ""}`);
     return { cookies: [], source: null, warnings };
   }
   try {
-    const cookies = withTempCopy(dbPath, (tempDb) => {
-      const where = buildDomainWhereClause(domain, "host_key");
+    const cookies = withTempCopy2(dbPath, (tempDb) => {
+      const where = buildDomainWhereClause2(domain, "host_key");
       const sql = `SELECT name, value, hex(encrypted_value) as ev, host_key, path, is_secure, is_httponly, samesite, expires_utc FROM cookies WHERE ${where};`;
-      const rows = sqliteQuery(tempDb, sql);
+      const rows = sqliteQuery2(tempDb, sql);
       if (!rows)
         return [];
       const results = [];
@@ -1919,7 +4071,7 @@ function extractFromChromium(domain, opts) {
         if (parts.length < 9)
           continue;
         const [name, rawValue, encHex, host, cookiePath, secure, httpOnly, sameSite, expiresUtc] = parts;
-        const value = decodeChromiumCookieValue(rawValue, encHex, opts);
+        const value = decodeChromiumCookieValue2(rawValue, encHex, opts);
         if (!value)
           continue;
         results.push({
@@ -1946,18 +4098,18 @@ function extractFromChromium(domain, opts) {
     return { cookies: [], source: null, warnings };
   }
 }
-function extractFromFirefox(domain, opts) {
+function extractFromFirefox2(domain, opts) {
   const warnings = [];
-  const dbPath = getFirefoxCookiesPath(opts?.profile);
+  const dbPath = getFirefoxCookiesPath2(opts?.profile);
   if (!dbPath) {
     warnings.push("Firefox cookies DB not found");
     return { cookies: [], source: null, warnings };
   }
   try {
-    const cookies = withTempCopy(dbPath, (tempDb) => {
-      const where = buildDomainWhereClause(domain, "host");
+    const cookies = withTempCopy2(dbPath, (tempDb) => {
+      const where = buildDomainWhereClause2(domain, "host");
       const sql = `SELECT name, value, host, path, isSecure, isHttpOnly, sameSite, expiry FROM moz_cookies WHERE ${where};`;
-      const rows = sqliteQuery(tempDb, sql);
+      const rows = sqliteQuery2(tempDb, sql);
       if (!rows)
         return [];
       const results = [];
@@ -1993,37 +4145,37 @@ function extractFromFirefox(domain, opts) {
     return { cookies: [], source: null, warnings };
   }
 }
-function extractBrowserCookies(domain, opts) {
+function extractBrowserCookies2(domain, opts) {
   if (opts?.browser === "firefox") {
-    return extractFromFirefox(domain, { profile: opts.firefoxProfile });
+    return extractFromFirefox2(domain, { profile: opts.firefoxProfile });
   }
   if (opts?.browser === "chrome") {
-    return extractFromChrome(domain, { profile: opts.chromeProfile });
+    return extractFromChrome2(domain, { profile: opts.chromeProfile });
   }
   if (opts?.browser === "chromium") {
-    return extractFromChromium(domain, opts.chromium);
+    return extractFromChromium2(domain, opts.chromium);
   }
-  const ff = extractFromFirefox(domain, { profile: opts?.firefoxProfile });
+  const ff = extractFromFirefox2(domain, { profile: opts?.firefoxProfile });
   if (ff.cookies.length > 0)
     return ff;
   if (opts?.chromium?.cookieDbPath || opts?.chromium?.userDataDir) {
-    const chromium = extractFromChromium(domain, opts.chromium);
+    const chromium = extractFromChromium2(domain, opts.chromium);
     chromium.warnings.push(...ff.warnings);
     return chromium;
   }
-  const chrome = extractFromChrome(domain, { profile: opts?.chromeProfile });
+  const chrome = extractFromChrome2(domain, { profile: opts?.chromeProfile });
   chrome.warnings.push(...ff.warnings);
   return chrome;
 }
-function scanAllBrowserSessions(domain) {
+function scanAllBrowserSessions2(domain) {
   const results = [];
-  const home = homedir7();
-  for (const browser of CHROMIUM_BROWSERS) {
-    const userDataDir = platform() === "darwin" ? join13(home, "Library", "Application Support", browser.macPath) : platform() === "win32" ? join13(process.env.LOCALAPPDATA ?? join13(home, "AppData", "Local"), browser.macPath, "User Data") : join13(home, ".config", browser.macPath.toLowerCase());
-    if (!existsSync16(userDataDir))
+  const home = homedir8();
+  for (const browser of CHROMIUM_BROWSERS2) {
+    const userDataDir = platform2() === "darwin" ? join14(home, "Library", "Application Support", browser.macPath) : platform2() === "win32" ? join14(process.env.LOCALAPPDATA ?? join14(home, "AppData", "Local"), browser.macPath, "User Data") : join14(home, ".config", browser.macPath.toLowerCase());
+    if (!existsSync18(userDataDir))
       continue;
     try {
-      const result = extractFromChromium(domain, {
+      const result = extractFromChromium2(domain, {
         userDataDir,
         browserName: browser.name
       });
@@ -2039,7 +4191,7 @@ function scanAllBrowserSessions(domain) {
     } catch {}
   }
   try {
-    const ff = extractFromFirefox(domain);
+    const ff = extractFromFirefox2(domain);
     if (ff.cookies.length > 0) {
       const sessionCookies = ff.cookies.filter((c) => c.httpOnly || c.secure).length;
       results.push({
@@ -2053,16 +4205,16 @@ function scanAllBrowserSessions(domain) {
   results.sort((a, b) => b.sessionCookies - a.sessionCookies);
   return results;
 }
-function findBestBrowserSession(domain) {
-  const sessions = scanAllBrowserSessions(domain);
+function findBestBrowserSession2(domain) {
+  const sessions = scanAllBrowserSessions2(domain);
   return sessions[0] ?? null;
 }
-var _chromiumKeyCache, CHROMIUM_BROWSERS;
-var init_browser_cookies = __esm(() => {
+var _chromiumKeyCache2, CHROMIUM_BROWSERS2;
+var init_browser_cookies2 = __esm(() => {
   init_logger();
   init_domain();
-  _chromiumKeyCache = new Map;
-  CHROMIUM_BROWSERS = [
+  _chromiumKeyCache2 = new Map;
+  CHROMIUM_BROWSERS2 = [
     { name: "Chrome", macPath: "Google/Chrome" },
     { name: "Arc", macPath: "Arc/User Data" },
     { name: "Brave", macPath: "BraveSoftware/Brave-Browser" },
@@ -3328,8 +5480,8 @@ init_publish();
 init_settings();
 init_graph();
 init_schema_review();
-import { join as join10 } from "node:path";
-var SKILL_SNAPSHOT_DIR3 = process.env.UNBROWSE_SKILL_SNAPSHOT_DIR ?? join10(process.env.HOME ?? "/tmp", ".unbrowse", "skill-snapshots");
+import { join as join11 } from "node:path";
+var SKILL_SNAPSHOT_DIR3 = process.env.UNBROWSE_SKILL_SNAPSHOT_DIR ?? join11(process.env.HOME ?? "/tmp", ".unbrowse", "skill-snapshots");
 var indexInFlight2 = new Map;
 var pendingIndexJobs2 = new Map;
 async function drainPendingIndexJobs() {
@@ -3366,14 +5518,14 @@ init_paths();
 init_client2();
 init_logger();
 init_wallet();
-import { execFileSync as execFileSync3 } from "node:child_process";
-import { existsSync as existsSync12, mkdirSync as mkdirSync7, writeFileSync as writeFileSync5 } from "node:fs";
+import { execFileSync as execFileSync4 } from "node:child_process";
+import { existsSync as existsSync14, mkdirSync as mkdirSync8, writeFileSync as writeFileSync6 } from "node:fs";
 import os4 from "node:os";
 import path7 from "node:path";
 // ../../src/runtime/update-hints.ts
 init_paths();
-import { existsSync as existsSync11, mkdirSync as mkdirSync6, readFileSync as readFileSync7, writeFileSync as writeFileSync4 } from "node:fs";
+import { existsSync as existsSync13, mkdirSync as mkdirSync7, readFileSync as readFileSync8, writeFileSync as writeFileSync5 } from "node:fs";
 import os3 from "node:os";
 import path6 from "node:path";
 var DEFAULT_INTERVAL_MS = 12 * 60 * 60 * 1000;
@@ -3387,20 +5539,20 @@ function getConfigDir2() {
   return path6.join(getHomeDir(), ".unbrowse");
 }
 function ensureDir3(dir) {
-  if (!existsSync11(dir))
-    mkdirSync6(dir, { recursive: true });
+  if (!existsSync13(dir))
+    mkdirSync7(dir, { recursive: true });
   return dir;
 }
 function readJsonFile(file) {
   try {
-    return JSON.parse(readFileSync7(file, "utf8"));
+    return JSON.parse(readFileSync8(file, "utf8"));
   } catch {
     return null;
   }
 }
 function writeJsonFile(file, value) {
   ensureDir3(path6.dirname(file));
-  writeFileSync4(file, `${JSON.stringify(value, null, 2)}
+  writeFileSync5(file, `${JSON.stringify(value, null, 2)}
 `);
 }
 function getInstallSourcePath() {
@@ -3410,7 +5562,7 @@ function detectRepoRoot(start2) {
   let dir = path6.resolve(start2);
   const root = path6.parse(dir).root;
   while (dir !== root) {
-    if (existsSync11(path6.join(dir, ".git")))
+    if (existsSync13(path6.join(dir, ".git")))
       return dir;
     dir = path6.dirname(dir);
   }
@@ -3489,13 +5641,13 @@ codex_hooks = true
 }
 function writeCodexHook(metaUrl) {
   const configPath = getCodexConfigPath();
-  if (!existsSync11(path6.dirname(configPath))) {
+  if (!existsSync13(path6.dirname(configPath))) {
     return { host: "codex", action: "not-detected", config_file: configPath };
   }
   try {
     const hookScript = getHookScriptPath(metaUrl).replace(/\\/g, "/");
-    const fileExistsBefore = existsSync11(configPath);
-    let content = fileExistsBefore ? readFileSync7(configPath, "utf8") : "";
+    const fileExistsBefore = existsSync13(configPath);
+    let content = fileExistsBefore ? readFileSync8(configPath, "utf8") : "";
     const previous = content;
     content = ensureCodexHooksFeature(content);
     if (!content.includes("unbrowse-update-hint.mjs")) {
@@ -3510,7 +5662,7 @@ command = ${JSON.stringify(command)}
 `;
     }
     if (content !== previous) {
-      writeFileSync4(configPath, content, "utf8");
+      writeFileSync5(configPath, content, "utf8");
       return {
         host: "codex",
         action: fileExistsBefore ? "updated" : "installed",
@@ -3529,13 +5681,13 @@ command = ${JSON.stringify(command)}
 }
 function writeClaudeHook(metaUrl) {
   const settingsPath = getClaudeSettingsPath();
-  if (!existsSync11(path6.dirname(settingsPath))) {
+  if (!existsSync13(path6.dirname(settingsPath))) {
     return { host: "claude", action: "not-detected", config_file: settingsPath };
   }
   try {
     const hookScript = getHookScriptPath(metaUrl).replace(/\\/g, "/");
     const command = `node "${hookScript}"`;
-    const fileExistsBefore = existsSync11(settingsPath);
+    const fileExistsBefore = existsSync13(settingsPath);
     const settings = readJsonFile(settingsPath) ?? {};
     settings.hooks ??= {};
     settings.hooks.SessionStart ??= [];
@@ -3573,7 +5725,7 @@ function configureUpdateHintHooks(metaUrl, install) {
 function hasBinary(name) {
   const checker = process.platform === "win32" ? "where" : "which";
   try {
-    execFileSync3(checker, [name], { stdio: "ignore" });
+    execFileSync4(checker, [name], { stdio: "ignore" });
     return true;
   } catch {
     return false;
@@ -3600,7 +5752,7 @@ function getOpenCodeProjectCommandsDir(cwd) {
   return path7.join(cwd, ".opencode", "commands");
 }
 function detectOpenCode(cwd) {
-  return hasBinary("opencode") || existsSync12(path7.join(resolveConfigHome(), "opencode")) || existsSync12(path7.join(cwd, ".opencode"));
+  return hasBinary("opencode") || existsSync14(path7.join(resolveConfigHome(), "opencode")) || existsSync14(path7.join(cwd, ".opencode"));
 }
 function renderOpenCodeCommand() {
   return `---
@@ -3628,13 +5780,13 @@ function writeOpenCodeCommand(scope, cwd) {
   if (scope === "auto" && !detected) {
     return { detected: false, action: "not-detected", scope: "off" };
   }
-  const resolvedScope = scope === "project" ? "project" : scope === "global" ? "global" : existsSync12(path7.join(cwd, ".opencode")) ? "project" : "global";
+  const resolvedScope = scope === "project" ? "project" : scope === "global" ? "global" : existsSync14(path7.join(cwd, ".opencode")) ? "project" : "global";
   const commandsDir = resolvedScope === "project" ? getOpenCodeProjectCommandsDir(cwd) : getOpenCodeGlobalCommandsDir();
   const commandFile = path7.join(ensureDir2(commandsDir), "unbrowse.md");
   const content = renderOpenCodeCommand();
-  const action2 = existsSync12(commandFile) ? "updated" : "installed";
-  mkdirSync7(path7.dirname(commandFile), { recursive: true });
-  writeFileSync5(commandFile, content);
+  const action2 = existsSync14(commandFile) ? "updated" : "installed";
+  mkdirSync8(path7.dirname(commandFile), { recursive: true });
+  writeFileSync6(commandFile, content);
   return {
     detected: detected || scope !== "auto",
     action: action2,
@@ -3644,10 +5796,10 @@ function writeOpenCodeCommand(scope, cwd) {
 }
 async function ensureBrowserEngineInstalled() {
   const binary = findKuriBinary();
-  if (existsSync12(binary)) {
+  if (existsSync14(binary)) {
     return { installed: true, action: "already-installed" };
   }
-  const sourceDir = getKuriSourceCandidates().find((candidate) => existsSync12(path7.join(candidate, "build.zig")));
+  const sourceDir = getKuriSourceCandidates().find((candidate) => existsSync14(path7.join(candidate, "build.zig")));
   if (!sourceDir) {
     return {
       installed: false,
@@ -3663,13 +5815,13 @@ async function ensureBrowserEngineInstalled() {
     };
   }
   try {
-    execFileSync3("zig", ["build", "-Doptimize=ReleaseFast"], {
+    execFileSync4("zig", ["build", "-Doptimize=ReleaseFast"], {
       cwd: sourceDir,
       stdio: "inherit",
       timeout: 300000
     });
     const builtBinary = findKuriBinary();
-    if (existsSync12(builtBinary)) {
+    if (existsSync14(builtBinary)) {
       return {
         installed: true,
         action: "installed",
@@ -3694,12 +5846,12 @@ async function runSetup(options) {
   const browser = options?.installBrowser === false ? { installed: false, action: "skipped" } : await ensureBrowserEngineInstalled();
   const walletCheck = checkWalletConfigured();
   const skipWalletSetup = process.env.UNBROWSE_SKIP_WALLET_SETUP === "1";
-  let lobsterInstalled = hasBinary("lobstercash") || existsSync12(path7.join(os4.homedir(), ".agents", "skills", "lobstercash", "SKILL.md"));
+  let lobsterInstalled = hasBinary("lobstercash") || existsSync14(path7.join(os4.homedir(), ".agents", "skills", "lobstercash", "SKILL.md"));
   if (!skipWalletSetup && !walletCheck.configured) {
     if (!lobsterInstalled) {
       console.log("[unbrowse] Setting up Crossmint wallet (required for earning + payments)...");
       try {
-        execFileSync3("npx", ["@crossmint/lobster-cli", "setup"], {
+        execFileSync4("npx", ["@crossmint/lobster-cli", "setup"], {
           stdio: "inherit",
           timeout: 120000
         });
@@ -3711,7 +5863,7 @@ async function runSetup(options) {
     } else {
       console.log("[unbrowse] Crossmint lobster.cash detected but wallet not configured — running wallet setup...");
       try {
-        execFileSync3("npx", ["@crossmint/lobster-cli", "setup"], {
+        execFileSync4("npx", ["@crossmint/lobster-cli", "setup"], {
           stdio: "inherit",
           timeout: 60000
         });
@@ -3742,13 +5894,17 @@ async function runSetup(options) {
     browser_engine: browser,
     opencode: writeOpenCodeCommand(options?.opencode ?? "auto", cwd),
     update_hints: configureUpdateHintHooks(import.meta.url, installSource),
-    wallet
+    wallet,
+    agent_mail: {
+      configured: Boolean(process.env.AGENTMAIL_API_KEY),
+      message: process.env.AGENTMAIL_API_KEY ? "AgentMail configured — autonomous email login enabled." : "AgentMail not configured. Set AGENTMAIL_API_KEY to enable autonomous email login/registration. Get a key at https://agentmail.to"
+    }
   };
 }
 // ../../src/runtime/update-hints.ts
 init_paths();
-import { existsSync as existsSync13, mkdirSync as mkdirSync8, readFileSync as readFileSync8, writeFileSync as writeFileSync6 } from "node:fs";
+import { existsSync as existsSync15, mkdirSync as mkdirSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "node:fs";
 import os5 from "node:os";
 import path8 from "node:path";
 var INSTALL_SCRIPT_URL = "https://unbrowse.ai/install.sh";
@@ -3762,20 +5918,20 @@ function getConfigDir3() {
   return path8.join(getHomeDir2(), ".unbrowse");
 }
 function ensureDir4(dir) {
-  if (!existsSync13(dir))
-    mkdirSync8(dir, { recursive: true });
+  if (!existsSync15(dir))
+    mkdirSync9(dir, { recursive: true });
   return dir;
 }
 function readJsonFile2(file) {
   try {
-    return JSON.parse(readFileSync8(file, "utf8"));
+    return JSON.parse(readFileSync9(file, "utf8"));
   } catch {
     return null;
   }
 }
 function writeJsonFile2(file, value) {
   ensureDir4(path8.dirname(file));
-  writeFileSync6(file, `${JSON.stringify(value, null, 2)}
+  writeFileSync7(file, `${JSON.stringify(value, null, 2)}
 `);
 }
 function getInstallSourcePath2() {
@@ -3788,7 +5944,7 @@ function detectRepoRoot2(start2) {
   let dir = path8.resolve(start2);
   const root = path8.parse(dir).root;
   while (dir !== root) {
-    if (existsSync13(path8.join(dir, ".git")))
+    if (existsSync15(path8.join(dir, ".git")))
       return dir;
     dir = path8.dirname(dir);
   }
@@ -3821,7 +5977,7 @@ function detectInstallHost2(repoRoot) {
 function getInstalledVersion(metaUrl) {
   const packageRoot = getPackageRoot(metaUrl);
   try {
-    const pkg = JSON.parse(readFileSync8(path8.join(packageRoot, "package.json"), "utf8"));
+    const pkg = JSON.parse(readFileSync9(path8.join(packageRoot, "package.json"), "utf8"));
     return pkg.version ?? "unknown";
   } catch {
     return "unknown";
@@ -3946,8 +6102,8 @@ function parseArgs(argv) {
   }
   return { command, args: positional, flags };
 }
-async function api2(method, path9, body) {
-  let target = `${BASE_URL}${path9}`;
+async function api2(method, path10, body) {
+  let target = `${BASE_URL}${path10}`;
   let requestBody = body;
   if (method === "GET" && body && typeof body === "object") {
     const params = new URLSearchParams;
@@ -4251,7 +6407,7 @@ async function cmdResolve(flags) {
         const { checkWalletConfigured: checkWalletConfigured3 } = await Promise.resolve().then(() => (init_wallet2(), exports_wallet));
         const wallet = checkWalletConfigured3();
         if (!wallet.configured) {
-          info("You're indexing routes but have no payout wallet. Run: npx @crossmint/lobster-cli setup");
+          info("No payout wallet \u2014 you won't earn when others reuse your routes. Run: npx @crossmint/lobster-cli setup");
           walletNudgeShown = true;
         }
       } catch (_e) {}
@@ -4277,8 +6433,8 @@ async function cmdResolve(flags) {
     throw error;
   }
 }
-function drillPath(data, path9) {
-  const segments = path9.split(/\./).flatMap((s) => {
+function drillPath(data, path10) {
+  const segments = path10.split(/\./).flatMap((s) => {
     const m = s.match(/^(.+)\[\]$/);
     return m ? [m[1], "[]"] : [s];
   });
@@ -4305,9 +6461,9 @@ function drillPath(data, path9) {
   }
   return values;
 }
-function resolveDotPath(obj, path9) {
+function resolveDotPath(obj, path10) {
   let cur = obj;
-  for (const key of path9.split(".")) {
+  for (const key of path10.split(".")) {
     if (cur == null || typeof cur !== "object")
       return;
     cur = cur[key];
@@ -4324,8 +6480,8 @@ function applyExtract(items, extractSpec) {
   return items.map((item) => {
     const row = {};
     let hasValue = false;
-    for (const { alias, path: path9 } of fields) {
-      const val = resolveDotPath(item, path9);
+    for (const { alias, path: path10 } of fields) {
+      const val = resolveDotPath(item, path10);
       row[alias] = val ?? null;
       if (val != null)
         hasValue = true;
@@ -4675,13 +6831,49 @@ async function cmdSetup(flags) {
   if (report.wallet.configured) {
     info(`Wallet configured (${report.wallet.provider}): ${report.wallet.wallet_address ?? "linked"}`);
   } else if (report.wallet.lobster_installed) {
-    info("Wallet not paired \u2014 your indexed routes won't earn payouts.");
+    info("Wallet not paired \u2014 you won't earn when other agents use routes you discovered.");
     info("Run: npx @crossmint/lobster-cli setup");
   } else {
-    info("No wallet configured \u2014 you're indexing routes for free.");
-    info("Set up a wallet so you earn when agents use your routes:");
+    info("No wallet configured \u2014 you earn when other agents reuse routes you discovered.");
+    info("Set up a wallet to start earning:");
     info("  npx @crossmint/lobster-cli setup");
   }
+  if (!report.agent_mail.configured) {
+    info("AgentMail not configured \u2014 attempting to bootstrap via console.agentmail.to...");
+    try {
+      const { bootstrapAgentMailKey: bootstrapAgentMailKey2 } = await init_bootstrap_agentmail().then(() => exports_bootstrap_agentmail);
+      const result = await bootstrapAgentMailKey2();
+      if (result.success) {
+        info(`AgentMail API key obtained (${result.method}) \u2014 autonomous email login enabled`);
+        report.agent_mail.configured = true;
+      } else {
+        info(`AgentMail bootstrap: ${result.error}`);
+      }
+    } catch (err) {
+      info(`AgentMail bootstrap failed: ${err instanceof Error ? err.message : err}`);
+    }
+  }
+  const hasGcloud = (() => {
+    try {
+      const { existsSync: existsSync19 } = __require("fs");
+      const { homedir: homedir9 } = __require("os");
+      const { join: join15 } = __require("path");
+      return existsSync19(join15(homedir9(), ".config", "gcloud", "application_default_credentials.json"));
+    } catch {
+      return false;
+    }
+  })();
+  const emailProviders = [];
+  if (hasGcloud)
+    emailProviders.push("Gmail (via GWS)");
+  if (report.agent_mail.configured)
+    emailProviders.push("AgentMail");
+  if (emailProviders.length > 0) {
+    info(`Email providers: ${emailProviders.join(", ")} \u2014 autonomous login enabled`);
+  } else {
+    info("No email provider configured \u2014 agents can't auto-register on gated sites.");
+    info("Options: export AGENTMAIL_API_KEY=<key> (https://agentmail.to) or gcloud auth login (Gmail)");
+  }
   await recordInstallTelemetryEvent("setup", {
     hostType,
     status: report.browser_engine.action === "failed" ? "failed" : "installed",
@@ -5062,7 +7254,7 @@ async function cmdEarnings(flags) {
       lines.push(`  Progress: ${pct}% to self-sustaining`);
     }
     lines.push("");
-    lines.push("Keep resolving to index more routes and earn from other agents!");
+    lines.push("Every resolve discovers routes \u2014 you earn when other agents reuse them.");
     info(lines.join(`
 `));
   } catch (err) {
@@ -5417,56 +7609,69 @@ async function cmdSync(flags) {
 async function cmdClose(flags) {
   output(await api2("POST", "/v1/browse/close", typeof flags.session === "string" ? { session_id: flags.session } : undefined), false);
 }
-async function cmdLoginAuto(flags) {
-  const url = flags.url;
-  if (!url)
-    return die("--url is required");
+async function cmdLoginAuto(args, flags) {
+  const urlOrDomain = args[0] ?? flags.url ?? flags.domain;
+  if (!urlOrDomain)
+    return die("usage: unbrowse login-auto <domain-or-url> [--wait-otp | --wait-link | --send-to <email>]");
   const domain = (() => {
     try {
-      return new URL(url).hostname.replace(/^www\./, "");
+      return new URL(urlOrDomain.startsWith("http") ? urlOrDomain : `https://${urlOrDomain}`).hostname.replace(/^www\./, "");
     } catch {
-      return url;
+      return urlOrDomain;
     }
   })();
+  const { autonomousEmailLogin: autonomousEmailLogin3, isAgentMailAvailable: isAgentMailAvailable3 } = await init_agent_mail2().then(() => exports_agent_mail2);
+  if (!isAgentMailAvailable3())
+    return die("AGENTMAIL_API_KEY not set \u2014 run: export AGENTMAIL_API_KEY=<key>");
   info(`[login-auto] creating agent email for ${domain}...`);
-  const { autonomousEmailLogin: autonomousEmailLogin2 } = await Promise.resolve().then(() => (init_agent_mail(), exports_agent_mail));
-  const session = await autonomousEmailLogin2(domain);
-  info(`[login-auto] agent email: ${session.email}`);
-  info(`[login-auto] use this email to register/login on ${domain}`);
-  info(`[login-auto] then run: unbrowse login-auto --url ${url} --wait-otp`);
-  info(`[login-auto]    or:    unbrowse login-auto --url ${url} --wait-link`);
+  const session = await autonomousEmailLogin3(domain);
+  info(`[login-auto] email: ${session.email}`);
+  const sendTo = flags["send-to"];
+  if (sendTo) {
+    const subject = flags.subject ?? `Verify ${domain}`;
+    const body = flags.body ?? `This is an automated verification email from Unbrowse agent for ${domain}.`;
+    info(`[login-auto] sending email to ${sendTo}...`);
+    const result = await session.sendEmail(sendTo, subject, body);
+    output({ email: session.email, sent_to: sendTo, message_id: result.messageId, domain });
+    return;
+  }
   if (flags["wait-otp"]) {
-    info(`[login-auto] waiting for OTP email from ${domain}...`);
-    const otp = await session.waitForOtp();
+    const timeout = Number(flags.timeout) || 90000;
+    info(`[login-auto] waiting for OTP from ${domain} (${Math.round(timeout / 1000)}s timeout)...`);
+    const otp = await session.waitForOtp(timeout);
     if (otp) {
-      info(`[login-auto] OTP received: ${otp}`);
+      info(`[login-auto] OTP: ${otp}`);
       output({ email: session.email, otp, domain });
     } else {
-      info(`[login-auto] no OTP received within 90 seconds`);
+      info(`[login-auto] no OTP received`);
       output({ email: session.email, otp: null, domain, error: "timeout" });
     }
     return;
   }
   if (flags["wait-link"]) {
-    info(`[login-auto] waiting for verification link from ${domain}...`);
-    const link = await session.waitForLink();
+    const timeout = Number(flags.timeout) || 90000;
+    info(`[login-auto] waiting for verification link from ${domain} (${Math.round(timeout / 1000)}s timeout)...`);
+    const link = await session.waitForLink(timeout);
     if (link) {
-      info(`[login-auto] verification link: ${link}`);
+      info(`[login-auto] link: ${link}`);
       output({ email: session.email, link, domain });
     } else {
-      info(`[login-auto] no verification email within 90 seconds`);
+      info(`[login-auto] no verification link received`);
       output({ email: session.email, link: null, domain, error: "timeout" });
     }
     return;
   }
+  info(`[login-auto] use this email to register/login on ${domain}`);
+  info(`[login-auto] then: unbrowse login-auto ${domain} --wait-otp`);
+  info(`[login-auto]   or: unbrowse login-auto ${domain} --wait-link`);
   output({ email: session.email, inbox_id: session.inboxId, domain });
 }
 async function cmdSessionsScan(flags) {
   const domain = flags.domain;
-  const { scanAllBrowserSessions: scanAllBrowserSessions2, findBestBrowserSession: findBestBrowserSession2 } = await Promise.resolve().then(() => (init_browser_cookies(), exports_browser_cookies));
-  const { execFileSync: execFileSync5, existsSync: existsSync17 } = await import("./cli-imports.js").catch(() => ({ execFileSync: __require("child_process").execFileSync, existsSync: __require("fs").existsSync }));
+  const { scanAllBrowserSessions: scanAllBrowserSessions3, findBestBrowserSession: findBestBrowserSession3 } = await Promise.resolve().then(() => (init_browser_cookies2(), exports_browser_cookies2));
+  const { execFileSync: execFileSync6, existsSync: existsSync19 } = await import("./cli-imports.js").catch(() => ({ execFileSync: __require("child_process").execFileSync, existsSync: __require("fs").existsSync }));
   if (domain) {
-    const sessions = scanAllBrowserSessions2(domain);
+    const sessions = scanAllBrowserSessions3(domain);
     if (sessions.length === 0) {
       info(`No browser has a session for ${domain}`);
       output({ domain, sessions: [], best: null });
@@ -5486,13 +7691,13 @@ async function cmdSessionsScan(flags) {
     return;
   }
   const home = __require("os").homedir();
-  const { join: join14 } = __require("path");
+  const { join: join15 } = __require("path");
   const browsers = [
-    { name: "Chrome", path: join14(home, "Library/Application Support/Google/Chrome/Default/Cookies") },
-    { name: "Dia", path: join14(home, "Library/Application Support/Dia/User Data/Default/Cookies") },
-    { name: "Arc", path: join14(home, "Library/Application Support/Arc/User Data/Default/Cookies") },
-    { name: "Brave", path: join14(home, "Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") },
-    { name: "Edge", path: join14(home, "Library/Application Support/Microsoft Edge/Default/Cookies") }
+    { name: "Chrome", path: join15(home, "Library/Application Support/Google/Chrome/Default/Cookies") },
+    { name: "Dia", path: join15(home, "Library/Application Support/Dia/User Data/Default/Cookies") },
+    { name: "Arc", path: join15(home, "Library/Application Support/Arc/User Data/Default/Cookies") },
+    { name: "Brave", path: join15(home, "Library/Application Support/BraveSoftware/Brave-Browser/Default/Cookies") },
+    { name: "Edge", path: join15(home, "Library/Application Support/Microsoft Edge/Default/Cookies") }
   ];
   const allSessions = [];
   for (const b of browsers) {
@@ -5603,8 +7808,8 @@ async function cmdCorpusRun(flags) {
   }
   let gitSha = "unknown";
   try {
-    const { execSync: execSync3 } = __require("child_process");
-    gitSha = execSync3("git rev-parse --short HEAD", { encoding: "utf-8" }).trim();
+    const { execSync: execSync4 } = __require("child_process");
+    gitSha = execSync4("git rev-parse --short HEAD", { encoding: "utf-8" }).trim();
   } catch {}
   const startTime = Date.now();
   const results = [];
@@ -5680,7 +7885,7 @@ async function cmdCorpusRun(flags) {
   output(snapshot2, !!flags.pretty);
 }
 async function cmdConnectChrome() {
-  const { execSync: execSync3, spawn: spawnProc } = __require("child_process");
+  const { execSync: execSync4, spawn: spawnProc } = __require("child_process");
   try {
     const res = await fetch("http://127.0.0.1:9222/json/version", { signal: AbortSignal.timeout(1000) });
     if (res.ok) {
@@ -5693,16 +7898,16 @@ async function cmdConnectChrome() {
     }
   } catch {}
   try {
-    execSync3("pkill -f kuri/chrome-profile", { stdio: "ignore" });
+    execSync4("pkill -f kuri/chrome-profile", { stdio: "ignore" });
   } catch {}
   console.log("Quitting Chrome to relaunch with remote debugging...");
   if (process.platform === "darwin") {
     try {
-      execSync3('osascript -e "quit app \\"Google Chrome\\""', { stdio: "ignore", timeout: 5000 });
+      execSync4('osascript -e "quit app \\"Google Chrome\\""', { stdio: "ignore", timeout: 5000 });
     } catch {}
   } else {
     try {
-      execSync3("pkill -f chrome", { stdio: "ignore" });
+      execSync4("pkill -f chrome", { stdio: "ignore" });
     } catch {}
   }
   await new Promise((r) => setTimeout(r, 2000));
@@ -5761,7 +7966,7 @@ async function main() {
   if (command === "sessions-scan")
     return cmdSessionsScan(flags);
   if (command === "login-auto")
-    return cmdLoginAuto(flags);
+    return cmdLoginAuto(args, flags);
   const KNOWN_COMMANDS = new Set([
     "health",
     "mcp",
@@ -5925,7 +8130,7 @@ async function main() {
     case "sessions-scan":
       return cmdSessionsScan(flags);
     case "login-auto":
-      return cmdLoginAuto(flags);
+      return cmdLoginAuto(args, flags);
     default:
       info(`Unknown command: ${command}`);
       printHelp();