Forensic analyzer for bot-detection / fingerprinting JavaScript. Given a script (curl dump, Puppeteer/Playwright capture, etc.) it reports which JS builtins and browser APIs are touched so you can reverse-engineer the surfaces a detector probes.
Shared API catalog for the script2builtins family: ALL_APIS, the watched-root index, the endpoint classifier, and the catalog-shape types (ApiDefinition, Severity, SokLayer). Consumed by both script2builtins (static analyzer) and script2builtins-runtime (
Runtime instrumentation companion to script2builtins. Drives a real browser, traps every catalog API + sink + dynamic-execution point, and emits findings in the same shape the static analyzer produces.