npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@mushi-mushi/inventory-auth-runner

v0.1.1

Published

Runs the inventory.yaml auth.scripted block via Playwright and seeds the resulting cookies into project_settings so the Mushi crawler + synthetic monitor can hit auth-gated routes.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

kensauruskensaurus

Keywords

mushi-mushiinventoryauthplaywrightqacookie-refresh

Readme

@mushi-mushi/inventory-auth-runner

Refresh the cookie that lets the Mushi Mushi v2.1 crawler + synthetic monitor + observed-route diffing reach auth-gated routes in your app.

Part of the Mushi Mushi v2 bidirectional inventory pipeline. Pairs with @mushi-mushi/inventory-schema (the auth.scripted block in inventory.yaml) and the inventory-crawler / synthetic-monitor Edge Functions in @mushi-mushi/server.

What it does

  1. Reads the project's currently-ingested inventory.yaml from GET /v1/admin/inventory/:projectId.
  2. Finds the auth.scripted block and runs its script against app.base_url + auth.config.login_path in a headless Chromium instance via Playwright.
  3. Picks the resulting session cookie (prefers *session* / *auth* / sb-* / next-auth* names, then HttpOnly + Secure).
  4. PATCHes that cookie into project_settings.crawler_auth_config via PATCH /v1/admin/inventory/:projectId/settings.

After a successful refresh, the crawler and synthetic monitor can authenticate to gated routes without ever seeing your test credentials — they only ever see the cookie.

What it deliberately does NOT do

  • It does not run user-supplied JS in a privileged context. The script field executes inside Playwright's page.* API only — i.e. anything the host app could already do via the browser.
  • It does not store credentials on the Mushi server. Creds are read from the local environment (TEST_USER_EMAIL, TEST_USER_PASSWORD, or whatever variables your script references) and only the cookie is shipped to the server.
  • It does not persist the browser context between runs. Every invocation starts a clean Chromium profile.

Install

# As a one-shot via npx (no install needed):
npx --yes @mushi-mushi/inventory-auth-runner refresh

# Or as a dev dependency in your repo:
pnpm add -D @mushi-mushi/inventory-auth-runner

The mushi-mushi-auth bin is exposed by the package; npx mushi-mushi-auth refresh works once it's installed.

Use

Set the four required env vars and run refresh:

MUSHI_API_KEY=mushi_xxx \
MUSHI_PROJECT=00000000-0000-0000-0000-000000000000 \
[email protected] \
TEST_USER_PASSWORD=… \
npx --yes @mushi-mushi/inventory-auth-runner refresh

| Var | Required | Description | | -------------------- | -------- | ---------------------------------------------------------------------------------------------------------- | | MUSHI_API_KEY | yes | Project-scoped API key with the inventory:write scope. Mint one in /settings/keys in the admin console. | | MUSHI_PROJECT | yes | Mushi project UUID. | | MUSHI_API_ENDPOINT | no | API base URL. Defaults to the hosted Supabase functions endpoint. | | TEST_USER_EMAIL / TEST_USER_PASSWORD | usually | Picked up by your auth.scripted.script; the runner itself doesn't read them. Add whatever your script needs. |

--debug prints the captured cookie name + a 6-char prefix of the value to stdout. Never use --debug in CI — anything in stdout ends up in your build logs.

Inventory snippet

Your inventory.yaml declares the script the runner will execute:

app:
  id: glot-it
  base_url: https://app.example.com

auth:
  type: scripted
  config:
    login_path: /login
    script: |
      await page.fill('[data-testid=email]', env.TEST_USER_EMAIL)
      await page.fill('[data-testid=password]', env.TEST_USER_PASSWORD)
      await page.click('[data-testid=submit]')
      await page.waitForURL('**/dashboard')

Two script shapes are accepted:

  1. Inline (above) — function body that receives page, env, context. Runs via new Function(...) so it has no access to the runner's local closure.
  2. File referencescript: 'js:./scripts/login.js'. The runner import()s the path relative to CWD; the module must default-export an (page, env, context) => Promise<void> function. Use this when you'd rather commit the script to your repo without inline-escaping it into YAML.

CI integration

The mushi-mushi-gates GitHub Action exposes an auth-bootstrap command that shells out to this runner:

- uses: mushi-mushi/mushi-mushi/packages/mcp-ci@v1
  with:
    api-key: ${{ secrets.MUSHI_API_KEY }}
    project-id: ${{ secrets.MUSHI_PROJECT_ID }}
    command: auth-bootstrap
  env:
    TEST_USER_EMAIL: ${{ secrets.MUSHI_TEST_USER_EMAIL }}
    TEST_USER_PASSWORD: ${{ secrets.MUSHI_TEST_USER_PASSWORD }}

Run this before any gates step that triggers a crawl, and on a nightly schedule so the cookie stays fresh.

Security model

  • Cookies land in project_settings.crawler_auth_config.value, which RLS-gates on project membership.
  • The runner refuses to run if MUSHI_API_KEY is missing the inventory:write scope.
  • Cookies have a soft TTL via last_refreshed_at; re-run on a daily cron or after every CI deploy.
  • The runner shells out to a fresh headless Chromium per invocation — no persisted browser profile, no shared cookies between runs.

Scripts

pnpm auth         # tsx src/run.ts (local dev)
pnpm typecheck    # tsc --noEmit

There is no build step — the package ships TypeScript directly and runs via tsx.

License

See root LICENSE.