Interesting project. The hard problem feels like surviving API drift after the first happy-path recording. One thing I'd strongly consider is storing a small request contract per generated tool: which params are real user inputs vs session noise, which headers/cookies are auth, and which response fields are invariants. Then webbridge_update could ignore harmless churn (extra analytics params, reordered JSON, renamed endpoints) and surface real semantic breaks. Do you also have a strategy for avoiding overfitting to one user's logged-in state/permissions?
