Guide a user through capturing and analyzing a HAR file from their own logged-in browser session, extracting the minimum auth material needed, mapping the ex...
--- name: lockpicker description: Guide a user through capturing and analyzing a HAR file from their own logged-in browser session, extracting the minimum auth material needed, mapping the exact request chain behind a website action, and turning that known-good browser workflow into a reusable local script. Use when a user wants to reverse-engineer a legitimate action they are already authorized to perform on a website, such as upload, publish, schedule, or queue operations, especially when browser automation is flaky and a direct authenticated web-request workflow is preferred. --- # Lockpicker Guide the work from a user-owned browser session outward. Do not start by guessing endpoints. ## Core rules - Use this only for services the user is authorized to access and operate. - Use the user's own authenticated browser session. - Reproduce a workflow the user can already perform manually. - Prefer captured evidence over speculation. - Do not brute-force hidden endpoints, fuzz auth, or expand scope beyond the requested action. - If cookies, csrf, or auth headers are stale, refresh them cleanly from the browser session instead of trying bypasses. - Warn the user that replaying private web calls may violate site terms, can break without notice, and may lock or rate-limit the account. - Minimize sensitive retention: store only the auth material actually needed, keep it local, and avoid copying it into chat unless the user explicitly chooses that. ## Workflow 1. Confirm the target action. 2. Capture a clean HAR of one successful manual run. 3. Extract auth material from the same browser session. 4. Isolate the exact request chain. 5. Identify reusable constants vs dynamic fields. 6. Rebuild the workflow as a local script. 7. Test one item first. 8. Only then add queueing, scheduling, or batching. ## Step 1: confirm the target action Write down the exact user goal in one sentence. Examples: - schedule a post with one image - publish a drafted gallery item - upload a file and submit metadata - create a queued post for later release Also record the success condition: - returned id - visible scheduled item - published permalink - draft created ## Step 2: capture a clean HAR Read `references/har-capture-checklist.md` before capture. Capture one clean successful run with as little extra noise as possible. Prefer this sequence: - open a fresh tab - open DevTools Network - Preserve log on - Disable cache on - clear old requests - perform only the target action once - export HAR immediately after success If a site uses chunked upload or several chained calls, make sure the HAR includes the full sequence. ## Step 3: extract auth material Read `references/auth-materials.md`. Collect only what is actually needed for replay, typically: - Cookie header - csrf token - Authorization header if present - key client headers if the request depends on them Save them as local runtime files in `workspace/tmp/` unless the user requests another location. ## Step 4: isolate the request chain Read `references/request-analysis-patterns.md`. Separate the workflow into stages such as: - init - append/upload - finalize - status/poll - mutation/create - confirm/readback For each stage, identify: - method - url - query params - required headers - body shape - values copied from previous responses Ignore decorative noise like analytics, passive feed refreshes, and unrelated GraphQL calls. ## Step 5: identify reusable vs dynamic fields Mark each field as one of: - constant across runs - auth/session-derived - generated per request - user-supplied content - returned from prior step Examples: - query id may be reusable until the site changes it - csrf comes from session - media id comes from upload init/finalize - scheduled timestamp is user-supplied - permalink may be derived from returned rest id ## Step 6: rebuild as a local script Keep the first script narrow. Preferred first-pass shape: - one script that executes one known-good workflow end to end - plain text auth files - one media file - one text payload - one schedule timestamp if relevant - JSON output file preserving step results Use the bundled helpers when useful: - `scripts/extract_har_requests.py` to summarize and filter HAR requests - `scripts/extract_cookie_headers.py` to pull cookie / csrf / authorization material from a matching HAR request - `scripts/diff_request_shapes.py` to compare two request JSON shapes and spot dynamic fields - `scripts/scaffold_direct_client.py` to generate a first-pass replay script from one captured request JSON ## Step 7: test one item first Do not batch first. Validate: - upload succeeds - returned ids look real - final mutation succeeds - user-visible result exists If the first test fails, compare the failing request with the HAR rather than guessing. ## Step 8: add queueing or scheduling Only after a single-item success. Use a queue manifest when the user wants repeated runs. Include fields like: - scheduled_at - text - media_file - status - result ids - permalink - notes Prefer small batches and pauses between groups when operating against production sites. ## Helper scripts ### Summarize matching HAR requests ```powershell python scripts/extract_har_requests.py capture.har --contains graphql --contains upload --out requests.json ``` ### Extract auth materials from a matching request ```powershell python scripts/extract_cookie_headers.py capture.har --contains x.com/i/api/graphql --out-dir runtime-auth ``` ### Compare two request shapes ```powershell python scripts/diff_request_shapes.py request-a.json request-b.json ``` ### Scaffold a first direct client ```powershell python scripts/scaffold_direct_client.py request.json --out first_client.py ``` ## When to read references - Read `references/har-capture-checklist.md` before capture. - Read `references/auth-materials.md` when extracting cookies, csrf, and auth headers. - Read `references/request-analysis-patterns.md` when tracing the chain from HAR. - Read `references/common-web-flows.md` when the workflow involves uploads, polling, GraphQL mutations, or delayed scheduling. - Read `references/safety-boundaries.md` when the task touches terms-of-service, account-risk, or scope concerns.
don't have the plugin yet? install it then click "run inline in claude" again.
formalized intent, inputs with edge cases, explicit 8-step procedure with input/output for each step, decision points covering stale auth/graphql/chunked uploads/polling/encryption/compliance, comprehensive output contract, and outcome signal criteria.
guide the work from a user-owned browser session outward. do not start by guessing endpoints.
reverse-engineer a legitimate website workflow you're already authorized to perform by capturing your own authenticated browser session, extracting only the auth material you actually need, and converting the request chain into a reusable local script. use this when you want to automate a browser action (upload, publish, schedule, queue) and browser automation feels flaky, or when you need direct authenticated web requests instead. only for services you own or have explicit permission to access.
edge cases and constraints:
write down your exact goal in one sentence. include what success looks like.
examples:
input: user describes the action and success condition output: written one-liner describing the goal and expected result
read references/har-capture-checklist.md before starting.
capture one successful run with minimal noise:
if the site uses chunked uploads, polling loops, or chained mutations, ensure the HAR includes the complete sequence from start to finish.
input: browser, devtools, target website, user credentials output: capture.har file on disk
read references/auth-materials.md.
collect only what you actually need for replay:
save these as local plaintext files in workspace/tmp/ (or user-specified location). do not copy into chat unless you explicitly decide to.
input: HAR file, browser session output: plaintext files in workspace/tmp/ containing cookie, csrf, and auth headers
read references/request-analysis-patterns.md.
break the workflow into stages:
for each stage, extract:
ignore decorative noise: analytics pings, passive feed refreshes, unrelated graphql subscriptions, favicon fetches, stylesheet loads.
input: HAR file, list of stages output: request-chain.json documenting each stage with method, url, headers, body, and response fields
classify each field in every request as one of:
input: request-chain.json from step 4 output: annotated request-chain.json with field classifications
keep the first script narrow and single-purpose.
shape:
use bundled helpers if available:
scripts/extract_har_requests.py capture.har --contains keyword --out requests.json to filter and summarize HAR requestsscripts/extract_cookie_headers.py capture.har --contains endpoint --out-dir runtime-auth to pull auth material from a matching requestscripts/diff_request_shapes.py request-a.json request-b.json to spot dynamic fields by comparing two requestsscripts/scaffold_direct_client.py request.json --out first_client.py to generate a first-pass replay scriptinput: request-chain.json, field classifications, auth files output: single-purpose script (python, bash, curl, or other) that replays one full workflow
do not batch yet.
run the script against the live site and validate:
if the test fails, diff the failing request against the corresponding HAR request rather than guessing at fixes.
input: script from step 6, one media file or payload, auth files output: script runs without error, user-visible artifact created (post scheduled, file uploaded, etc.), result ids in output.json
once step 7 passes, you can add batch processing.
use a queue manifest for repeated runs (json or csv):
prefer small batches (5-10 items) and pauses (30 seconds to 5 minutes) between batches when hitting production sites. monitor for rate limits, account locks, or changed response formats.
input: working single-item script, batch manifest output: queue runner that processes manifest, logs results, pauses between batches
if the captured har contains stale auth material (expired cookies, csrf tokens issued hours ago):
if the site requires graphql instead of rest:
if the site uses multi-step upload (init, chunk, finalize):
if the workflow involves polling or delayed status checks:
if the site uses client-side encryption, signing, or challenge-response:
if the user cannot or should not store auth material locally (compliance, security policy):
if the site's terms of service prohibit or restrict automated access:
success means you deliver:
you know it worked when: