diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json
new file mode 100644
index 000000000..ddde0dbcc
--- /dev/null
+++ b/.claude-plugin/marketplace.json
@@ -0,0 +1,9 @@
+{
+  "plugins": [
+    {
+      "name": "js-asset-auditor",
+      "description": "Audit publisher pages for third-party JS assets and generate js-assets.toml entries using Playwright",
+      "path": "packages/js-asset-auditor"
+    }
+  ]
+}
diff --git a/.claude/settings.json b/.claude/settings.json
index 02b602d4f..8a63480bf 100644
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -23,9 +23,13 @@
       "Bash(git diff:*)",
       "Bash(git log:*)",
       "Bash(git status:*)",
+      "Bash(node scripts/js-asset-slug.mjs:*)",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__new_page",
-      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__performance_stop_trace",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__navigate_page",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__list_network_requests",
       "mcp__plugin_chrome-devtools-mcp_chrome-devtools__evaluate_script",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__close_page",
+      "mcp__plugin_chrome-devtools-mcp_chrome-devtools__performance_stop_trace"
     ]
   },
   "enabledPlugins": {
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5eea36a74..688520c24 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -66,7 +66,7 @@ jobs:
         with:
           node-version: ${{ steps.node-version.outputs.node-version }}
           cache: "npm"
-          cache-dependency-path: crates/js/lib/package.json
+          cache-dependency-path: crates/js/lib/package-lock.json
 
       - name: Install dependencies
         run: npm ci
@@ -76,3 +76,31 @@ jobs:
 
       - name: Run unit tests
         run: npm test -- --run
+
+  test-js-asset-auditor:
+    name: js-asset-auditor tests
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: packages/js-asset-auditor
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Retrieve Node.js version
+        id: node-version
+        working-directory: .
+        run: echo "node-version=$(grep '^nodejs ' .tool-versions | awk '{print $2}')" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ steps.node-version.outputs.node-version }}
+          cache: "npm"
+          cache-dependency-path: packages/js-asset-auditor/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run unit tests
+        run: npm test
diff --git a/.gitignore b/.gitignore
index af70c452a..f9bc0ef27 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,6 +31,9 @@ src/*.html
 /guest-profiles
 /benchmark-results/**
 
+# JS Asset Auditor plugin
+/packages/js-asset-auditor/node_modules/
+
 # Playwright browser tests
 /crates/integration-tests/browser/node_modules/
 /crates/integration-tests/browser/test-results/
diff --git a/docs/.vitepress/config.mts b/docs/.vitepress/config.mts
index 6b7e9396d..accca115c 100644
--- a/docs/.vitepress/config.mts
+++ b/docs/.vitepress/config.mts
@@ -106,6 +106,7 @@ export default withMermaid(
             { text: 'Configuration', link: '/guide/configuration' },
             { text: 'Testing', link: '/guide/testing' },
             { text: 'Integration Guide', link: '/guide/integration-guide' },
+            { text: 'JS Asset Auditor', link: '/guide/js-asset-auditor' },
           ],
         },
         {
diff --git a/docs/guide/js-asset-auditor.md b/docs/guide/js-asset-auditor.md
new file mode 100644
index 000000000..53a00cee2
--- /dev/null
+++ b/docs/guide/js-asset-auditor.md
@@ -0,0 +1,242 @@
+# JS Asset Auditor
+
+Use the JS Asset Auditor to sweep a publisher page, capture third-party script requests, and generate candidate `js-assets.toml` and integration config entries for review.
+
+The auditor is a Claude Code plugin and a standalone Node.js CLI. Use it during onboarding to create the first asset list, then run it in diff mode when the publisher page changes.
+
+## What it generates
+
+The auditor can produce two outputs:
+
+- `js-assets.toml`, candidate `[[js_assets]]` entries for the page sweep
+- `trusted-server.generated.toml`, a generated integration config skeleton when `--config` is used
+
+Review both files before committing or deploying them.
+
+## Setup
+
+Install the plugin dependencies and browser once:
+
+```bash
+cd packages/js-asset-auditor
+npm install
+npx playwright install chromium
+```
+
+## Basic usage
+
+Run the auditor against a publisher URL from the repository root:
+
+```bash
+audit-js-assets https://www.publisher.com
+```
+
+This writes `js-assets.toml` in the current directory and prints a JSON summary to stdout. Progress messages print to stderr.
+
+You can also run the package directly:
+
+```bash
+node packages/js-asset-auditor/lib/audit.mjs https://www.publisher.com
+```
+
+## How it works
+
+The auditor launches Chromium through Playwright, loads the target page, and records script network responses. It also reads the final set of `<script src>` elements present in `<head>` after the settle window.
+
+Each captured script URL is normalized before the auditor creates an asset entry. Normalization removes fragments, removes query parameters, and strips a trailing slash from the path. The normalized URL is stored as `origin_url` and is used for slug generation.
+
+The generated `inject_in_head` value is based on the final DOM snapshot. If a loader briefly inserts a script into `<head>` and removes it before the page settles, the generated entry uses `inject_in_head = false`.
+
+## Sequence
+
+A sweep follows this sequence:
+
+1. Resolve the publisher domain from `--domain`, then `[publisher].domain` in `trusted-server.toml`, then the target URL hostname.
+2. Launch Chromium. The browser is headed by default. Use `--headless` for CI or automation.
+3. Register a response listener for script resources.
+4. Navigate to the target URL and wait for the configured settle window.
+5. Read `<head>` script URLs from the page DOM.
+6. Normalize URLs and remove first-party scripts.
+7. Apply heuristic filtering unless `--no-filter` is set.
+8. Detect wildcardable path segments, generate slugs, and format TOML.
+9. Write `js-assets.toml` or append commented suggestions in diff mode.
+10. Print the JSON summary.
+
+## Domain precedence
+
+The publisher domain used for slug generation is resolved in this order:
+
+1. `--domain <domain>`
+2. `[publisher].domain` from `trusted-server.toml`
+3. The target URL hostname when `trusted-server.toml` is missing
+
+That means the auditor may show a configured domain such as `test.publisher.com` even when you sweep a different URL. Pass `--domain` when you want the slugs to reflect a different publisher domain than the one in `trusted-server.toml`.
+
+Example:
+
+```bash
+audit-js-assets https://preview.publisher.com --domain publisher.com
+```
+
+The target URL hostname is also treated as first party. This prevents a sweep of `https://golf.com` from surfacing `golf.com` scripts when `trusted-server.toml` contains a different publisher domain. Publisher-owned CDN subdomains are not excluded by default. Add them with `--first-party` when they should be treated as first party.
+
+```bash
+audit-js-assets https://www.publisher.com --first-party cdn.publisher.com
+```
+
+## Asset entry format
+
+Each surfaced script produces a `[[js_assets]]` entry:
+
+```toml
+[[js_assets]]
+# https://web.prebidwrapper.com/golf-WnLmpLyEjL/default-v2/prebid-load.js
+slug = "aB3kR7mN:prebid-load"
+path = "/js-assets/aB3kR7mN/prebid-load.js"
+origin_url = "https://web.prebidwrapper.com/golf-WnLmpLyEjL/default-v2/prebid-load.js"
+inject_in_head = true
+```
+
+| Field            | Description                                                            |
+| ---------------- | ---------------------------------------------------------------------- |
+| `slug`           | Hash-derived identifier in the form `{publisher_prefix}:{asset_stem}`. |
+| `path`           | First-party path where the asset proxy serves the script.              |
+| `origin_url`     | Normalized vendor URL.                                                 |
+| `inject_in_head` | `true` when the script appears in `<head>` after the page settles.     |
+
+The auditor omits `ttl_sec` and `stale_ttl_sec`. The asset proxy applies its defaults when those fields are absent.
+
+## Slugs and wildcard paths
+
+The auditor generates slugs from the publisher domain and normalized origin URL:
+
+```text
+publisher_prefix = first_8_chars(base62(sha256(publisher.domain + "|" + origin_url)))
+asset_stem = filename_without_extension(origin_url)
+slug = "{publisher_prefix}:{asset_stem}"
+```
+
+The canonical implementation is in `packages/js-asset-auditor/lib/process.mjs`. The standalone slug utilities import that implementation so the generated values stay aligned.
+
+When a path contains a version or hash segment, the auditor replaces that segment with `*` and writes a wildcard path:
+
+```toml
+[[js_assets]]
+# https://raven-static.vendor.io/prod/1.19.8-hcskhn/raven.js (wildcard detected)
+slug = "xQ9pL2wY:raven"
+path = "/js-assets/xQ9pL2wY/*"
+origin_url = "https://raven-static.vendor.io/prod/*/raven.js"
+inject_in_head = false
+```
+
+Review wildcard entries before committing them. Confirm that the wildcard segment is a version or hash, not a stable path component.
+
+## Filtering
+
+The auditor always removes first-party scripts. It also filters common framework, font, social, ad rendering, ad verification, fraud detection, and reCAPTCHA origins so the output focuses on scripts a publisher is likely to proxy.
+
+`googletagmanager.com` is not filtered. `securepubads.g.doubleclick.net` is not filtered because it serves the GPT ad server SDK.
+
+Use `--no-filter` to surface all non-first-party scripts:
+
+```bash
+audit-js-assets https://www.publisher.com --no-filter
+```
+
+## Diff mode
+
+Use `--diff` to compare a fresh sweep with an existing `js-assets.toml`:
+
+```bash
+audit-js-assets https://www.publisher.com --diff
+```
+
+Diff mode:
+
+- confirms assets still present on the page
+- appends newly detected assets as commented suggestions
+- reports missing assets that were not seen in the latest sweep
+
+New entries are appended as comments so the file stays valid and nothing is activated until you uncomment the entry.
+
+```toml
+# --- NEW (detected by /audit-js-assets --diff on 2026-04-01, uncomment to activate) ---
+# [[js_assets]]
+# # https://googletagmanager.com/gtm.js
+# slug = "zM4nK8vP:gtm"
+# path = "/js-assets/zM4nK8vP/gtm.js"
+# origin_url = "https://googletagmanager.com/gtm.js"
+# inject_in_head = true
+```
+
+Repeated diff runs against unchanged input are designed to stay idempotent and not keep re-appending the same commented suggestions.
+
+## Generating integration config
+
+Use `--config` to generate a separate Trusted Server config skeleton:
+
+```bash
+audit-js-assets https://www.publisher.com --config
+```
+
+By default this writes:
+
+```text
+trusted-server.generated.toml
+```
+
+You can also provide an explicit path:
+
+```bash
+audit-js-assets https://www.publisher.com --config ./tmp/publisher-audit.toml
+```
+
+If the target config file already exists, the command fails unless you pass `--force`.
+
+The auditor detects known integrations from the raw swept URLs, before URL normalization. It can generate sections for GPT, Google Tag Manager, Didomi, Datadome, Lockr, Permutive, Prebid, and APS.
+
+Generated sections are enabled only when all required fields are present or have defaults. Sections that need manual values include `# TODO:` comments and are generated with `enabled = false`.
+
+```toml
+[publisher]
+domain = "publisher.com"
+# cookie_domain = ".publisher.com"
+# origin_url = "https://origin.publisher.com"
+# proxy_secret = "change-me"
+
+[integrations.gpt]
+enabled = true
+script_url = "https://securepubads.g.doubleclick.net/tag/js/gpt.js"  # auto-detected
+# cache_ttl_seconds = 3600
+
+[integrations.google_tag_manager]
+enabled = true
+container_id = "GTM-TRCJMD6"  # auto-detected
+```
+
+## Recommended review workflow
+
+1. Run the sweep against the target page.
+2. Review `js-assets.toml` for false positives, wildcarded assets, and `inject_in_head` values.
+3. If using `--config`, review generated integration blocks and fill in all TODO fields before enabling incomplete integrations.
+4. Re-run with `--diff` after site changes to confirm additions and removals.
+5. Commit only the reviewed files.
+
+## Common options
+
+| Option                 | Description                                                                  |
+| ---------------------- | ---------------------------------------------------------------------------- |
+| `--diff`               | Compare against existing `js-assets.toml`.                                   |
+| `--domain <domain>`    | Override publisher domain used for slug generation.                          |
+| `--settle <ms>`        | Settle window after page load. The default is 6000 ms.                       |
+| `--first-party <host>` | Additional first-party host. Pass a comma-separated list for multiple hosts. |
+| `--no-filter`          | Bypass heuristic filtering.                                                  |
+| `--headless`           | Run browser headlessly.                                                      |
+| `--output <path>`      | Output `js-assets.toml` path.                                                |
+| `--config [path]`      | Generate Trusted Server config skeleton.                                     |
+| `--force`              | Overwrite an existing output or `--config` target.                           |
+
+## Related docs
+
+- [Configuration](/guide/configuration)
+- [Integration Guide](/guide/integration-guide)
diff --git a/docs/superpowers/specs/implemented/2026-04-01-js-asset-auditor-design.md b/docs/superpowers/specs/implemented/2026-04-01-js-asset-auditor-design.md
new file mode 100644
index 000000000..c3ce60e6f
--- /dev/null
+++ b/docs/superpowers/specs/implemented/2026-04-01-js-asset-auditor-design.md
@@ -0,0 +1,372 @@
+---
+status: implemented
+implemented_in: feature/js-asset-auditor
+last_reviewed: 2026-05-04
+---
+
+# JS Asset Auditor Engineering Spec
+
+**Date:** 2026-04-01
+**Status:** Implemented
+**Related:** [JS Asset Proxy spec](../2026-04-01-js-asset-proxy-design.md) (on `js-asset-proxy-spec` branch until merged)
+
+---
+
+## Context
+
+The JS Asset Proxy requires a `js-assets.toml` file declaring which third-party JS assets to proxy. Without tooling, populating this file requires manually inspecting network requests in browser DevTools, extracting URLs, generating opaque slugs, and writing TOML, a tedious error-prone process that is a barrier to publisher onboarding.
+
+The Auditor eliminates this friction. It sweeps a publisher's page using Playwright (headless Chromium), detects third-party JS assets, auto-generates `js-assets.toml` entries, and auto-detects `inject_in_head` from the page DOM. The operator's only remaining decision is reviewing the output before committing.
+
+It also runs as a monitoring tool, `--diff` mode compares a new sweep against the existing config and surfaces new or removed assets, giving publishers ongoing visibility into their third-party JS footprint.
+
+**Implementation:** Claude Code plugin at `packages/js-asset-auditor/` containing a standalone Playwright CLI, a processing library, and a skill definition. No Rust, no compiled code. Can also be run directly without Claude Code.
+
+---
+
+## Command Interface
+
+```bash
+# Via Claude Code plugin skill
+/js-asset-auditor:audit-js-assets https://www.publisher.com                # init, generate js-assets.toml
+/js-asset-auditor:audit-js-assets https://www.publisher.com --diff         # diff, compare against existing file
+/js-asset-auditor:audit-js-assets https://www.publisher.com --settle 15000 # longer settle for ad-tech-heavy pages
+/js-asset-auditor:audit-js-assets https://www.publisher.com --no-filter    # bypass heuristic filtering
+/js-asset-auditor:audit-js-assets https://www.publisher.com --headless       # headless mode for CI/automation
+/js-asset-auditor:audit-js-assets https://www.publisher.com --config       # also generate trusted-server.toml
+
+# Direct CLI invocation (no Claude Code required)
+node packages/js-asset-auditor/lib/audit.mjs https://www.publisher.com
+node packages/js-asset-auditor/lib/audit.mjs https://www.publisher.com --domain publisher.com
+node packages/js-asset-auditor/lib/audit.mjs https://www.publisher.com --diff --output js-assets.toml
+node packages/js-asset-auditor/lib/audit.mjs https://www.publisher.com --config my-config.toml
+```
+
+---
+
+## Sweep Protocol
+
+The CLI (`packages/js-asset-auditor/lib/audit.mjs`) performs the full sweep:
+
+1. Resolve publisher domain: `--domain` flag then `trusted-server.toml` then infer from target URL
+2. Launch Chromium via Playwright (headed by default to avoid bot detection; `--headless` for CI)
+3. Register a response listener for `resourceType() === 'script'` to capture all script network requests
+4. Navigate to target URL (`page.goto`, 30s timeout, follows redirects transparently)
+5. Wait for page load settle: `page.waitForTimeout(SETTLE_MS)` where `SETTLE_MS` defaults to 6000 (configurable via `--settle <ms>`)
+6. Evaluate `document.head.querySelectorAll('script[src]')` to collect head-loaded script URLs
+7. Close browser
+8. Pass collected URLs to `processAssets()` from `lib/process.mjs`, applies URL normalization, first-party filtering, heuristic filtering, wildcard detection, slug generation
+9. Write `js-assets.toml` output (init or diff mode)
+10. Print JSON summary to stdout (progress lines go to stderr)
+
+**`inject_in_head` semantics:** The DOM snapshot in step 6 captures the final state of `<head>` after the settle window. Scripts that were briefly inserted and then removed by a loader will not appear. This is intentional, `inject_in_head = true` means "the script is present in `<head>` at page-stable state." If a loader removes it before the snapshot, the proxy should not re-inject it.
+
+---
+
+## URL Processing
+
+### First-party boundary
+
+A network request is **first-party** if the request URL's host, after stripping a leading `www.`, matches the publisher domain after the same stripping. Matching is exact on the resulting strings.
+
+**Domain resolution order:** `--domain <host>` flag then `publisher.domain` from `trusted-server.toml` then inferred from the target URL's hostname. This makes the tool usable in any project, `trusted-server.toml` is not required.
+
+**Auto-detection:** The target URL's hostname is automatically included as first-party, in addition to the resolved publisher domain. This ensures that auditing `https://golf.com` when `publisher.domain = "test-publisher.com"` correctly excludes `golf.com` scripts without requiring `--first-party golf.com`.
+
+Publisher-owned CDN subdomains (e.g., `cdn.publisher.com`, `static.publisher.com`) are treated as third-party by default. If the publisher wants to exclude them, they can be added via `--first-party cdn.publisher.com`.
+
+### URL normalization
+
+Applied to every captured script URL before slug generation and before persisting `origin_url`:
+
+1. Strip fragment (`#...`)
+2. Strip all query parameters, cache-busters (`?v=123`, `?cb=timestamp`), consent params, and session tokens all live in query strings. JS asset versioning uses path segments, not query params.
+3. Strip trailing slash from the path
+
+The normalized URL is what gets stored in `origin_url` and fed into the slug hash.
+
+---
+
+## Heuristic Filter
+
+The following origin categories are excluded silently. The terminal summary reports what was filtered and why so operators can manually add entries if needed.
+
+**Matching:** Filter entries match if the request URL's host ends with the filter entry, with a dot-boundary check. For example, `googletagmanager.com` in the filter matches `www.googletagmanager.com` but not `evil-googletagmanager.com`.
+
+| Category            | Excluded origins                                                               |
+| ------------------- | ------------------------------------------------------------------------------ |
+| Framework CDNs      | `cdnjs.cloudflare.com`, `ajax.googleapis.com`, `cdn.jsdelivr.net`, `unpkg.com` |
+| Error tracking      | `sentry.io`, `bugsnag.com`, `rollbar.com`                                      |
+| Font services       | `fonts.googleapis.com`, `fonts.gstatic.com`                                    |
+| Social embeds       | `platform.twitter.com`, `platform.x.com`, `connect.facebook.net`               |
+| Google ad rendering | `pagead2.googlesyndication.com`, `tpc.googlesyndication.com`, `s0.2mdn.net`,   |
+|                     | `googleads.g.doubleclick.net`, `www.googleadservices.com`                      |
+| Ad fraud detection  | `adtrafficquality.google`                                                      |
+| Ad verification     | `adsafeprotected.com`, `moatads.com`, `doubleverify.com`                       |
+| reCAPTCHA           | `recaptcha.net`, `www.google.com/recaptcha/*`, `www.gstatic.com/recaptcha/*`   |
+
+**Path-prefix matching:** Some hosts (e.g., `www.google.com`) serve both filterable and non-filterable resources. Entries with a path suffix (e.g., `www.google.com/recaptcha/*`) match only when the URL's path begins with the specified prefix. Plain host entries use dot-boundary suffix matching as before.
+
+**`googletagmanager.com` is not filtered**, GTM is ad tech and should be proxied.
+
+**`securepubads.g.doubleclick.net` is not filtered**, this is the GPT ad server SDK. Publishers deliberately place this tag. Its sub-resources (e.g., `pubads_impl.js`) are also intentional. The filter targets ad-rendering infrastructure (iframes, creatives, verification), not ad-serving SDKs.
+
+**`--no-filter`** bypasses heuristic filtering entirely, surfacing all non-first-party scripts. First-party filtering always applies.
+
+Everything else surfaces for operator review.
+
+---
+
+## Asset Entry Generation
+
+| Field            | Derivation                                                                                          |
+| ---------------- | --------------------------------------------------------------------------------------------------- |
+| `slug`           | `{publisher_prefix}:{asset_stem}`, see slug algorithm below                                         |
+| `path`           | Fixed: `/js-assets/{publisher_prefix}/{asset_stem}.js`. Wildcard: `/js-assets/{publisher_prefix}/*` |
+| `origin_url`     | Normalized URL (see URL Processing), with wildcard substitution applied if versioned                |
+| `ttl_sec`        | Omitted, proxy defaults to 1800 (wildcard) or 3600 (fixed)                                          |
+| `stale_ttl_sec`  | Omitted, proxy defaults to 86400 (24h)                                                              |
+| `inject_in_head` | `true` if URL appeared in head script list from DOM evaluation, else `false`                        |
+
+### Slug algorithm
+
+```
+publisher_prefix = first_8_chars(base62(sha256(publisher.domain + "|" + origin_url)))
+asset_stem       = filename_without_extension(origin_url)
+slug             = "{publisher_prefix}:{asset_stem}"
+```
+
+The pipe (`|`) separator is required, it cannot appear in domain names or at the start of a URL, so the hash input is unambiguous. The `origin_url` fed into the hash must be the normalized URL (see URL Processing).
+
+**base62 charset:** `0-9A-Za-z` (digits first, then uppercase, then lowercase). This matches the `base62` crate convention.
+
+**Rationale:** Fully opaque and hash-derived, no human naming required, no ambiguity for cryptic vendor filenames. The KV metadata (`origin_url`, `content_type`, `asset_slug`) serves as the lookup table. Operators can query `js-asset:{slug}` in the KV store to retrieve full provenance. The terminal summary also prints slug then origin_url at generation time.
+
+**Important:** This algorithm must produce identical output to the Proxy's KV key derivation. The canonical implementation lives in `packages/js-asset-auditor/lib/process.mjs`. The standalone CLIs in `packages/js-asset-auditor/lib/slug.mjs` and `scripts/js-asset-slug.mjs` import from that shared implementation to avoid drift. Any proxy-side implementation must stay aligned with this logic.
+
+### Wildcard detection
+
+Path segments matching any of these patterns are replaced with `*`:
+
+- Semver: `\d+\.\d+[\.\d\w-]*` (e.g., `1.19.8-hcskhn`)
+- Hex hash: `[a-f0-9]{8,}` between path separators (lowercase hex, minimum 8 characters)
+- Mixed alphanumeric hash: `[A-Za-z0-9]{8,}` between path separators, **must contain at least one digit and at least one letter**, this excludes pure-alpha dictionary words like `analytics` or `bootstrap`
+
+The original URL is preserved as a comment above the generated entry so operators can verify the wildcard substitution is correct.
+
+---
+
+## Init Mode Output
+
+### `js-assets.toml` (written to repo root)
+
+```toml
+# Generated by /audit-js-assets on 2026-04-01
+# Publisher: publisher.com
+# Source URL: https://www.publisher.com
+
+[[js_assets]]
+# https://web.prebidwrapper.com/golf-WnLmpLyEjL/default-v2/prebid-load.js
+slug = "aB3kR7mN:prebid-load"
+path = "/js-assets/aB3kR7mN/prebid-load.js"
+origin_url = "https://web.prebidwrapper.com/golf-WnLmpLyEjL/default-v2/prebid-load.js"
+inject_in_head = true
+
+[[js_assets]]
+# https://raven-static.vendor.io/prod/1.19.8-hcskhn/raven.js (wildcard detected)
+slug = "xQ9pL2wY:raven"
+path = "/js-assets/xQ9pL2wY/*"
+origin_url = "https://raven-static.vendor.io/prod/*/raven.js"
+inject_in_head = false
+```
+
+### Terminal summary
+
+```
+JS Asset Audit, publisher.com
+--------------------------------
+Detected:  8 third-party JS requests
+Filtered:  3 (cdnjs.cloudflare.com ×2, sentry.io ×1)
+Surfaced:  5 assets then js-assets.toml
+
+  aB3kR7mN  inject_in_head=true   web.prebidwrapper.com/.../prebid-load.js
+  xQ9pL2wY  inject_in_head=false  raven-static.vendor.io/prod/*/raven.js  [wildcard]
+  zM4nK8vP  inject_in_head=true   googletagmanager.com/gtm.js
+  ...
+
+Review inject_in_head values and commit js-assets.toml when ready.
+Diff mode: /audit-js-assets <url> --diff
+```
+
+---
+
+## Diff Mode Output
+
+Compares sweep results against the existing `js-assets.toml`.
+
+| Condition                   | Behavior                                                                       |
+| --------------------------- | ------------------------------------------------------------------------------ |
+| Asset in sweep, not in file | **New**, appended to `js-assets.toml` as a commented-out block                 |
+| Asset in file, not in sweep | **Missing**, flagged in terminal summary with `(warning)`. Never auto-removed. |
+| Asset in both               | **Confirmed**, listed as present                                               |
+
+New entries are appended as TOML comments so the file stays valid and nothing is activated without the operator explicitly uncommenting.
+
+### `js-assets.toml` (new entry appended as comment)
+
+```toml
+# --- NEW (detected by /audit-js-assets --diff on 2026-04-01, uncomment to activate) ---
+# [[js_assets]]
+# # https://googletagmanager.com/gtm.js
+# slug = "zM4nK8vP:gtm"
+# path = "/js-assets/zM4nK8vP/gtm.js"
+# origin_url = "https://googletagmanager.com/gtm.js"
+# inject_in_head = true
+```
+
+### Terminal summary (diff mode)
+
+```
+JS Asset Audit (diff), publisher.com
+--------------------------------
+Confirmed:  4 assets still present on page
+New:        1 asset detected (appended as comment to js-assets.toml)
+Missing:    1 asset no longer seen on page (warning)
+
+  NEW      zM4nK8vP  googletagmanager.com/gtm.js  then review in js-assets.toml
+  MISSING  xQ9pL2wY  raven-static.vendor.io/...   then may have been removed or renamed
+```
+
+---
+
+## Integration Detection & Config Generation
+
+When invoked with `--config [path]`, the CLI also detects known integrations from the swept URLs and generates a `trusted-server.toml` with appropriate `[integrations.*]` sections.
+
+### Detection patterns
+
+Integration detection runs on raw URLs (before normalization) to preserve query parameters needed for field extraction.
+
+| URL Pattern                                      | Integration          | Extracted Fields                           |
+| ------------------------------------------------ | -------------------- | ------------------------------------------ |
+| `securepubads.g.doubleclick.net/tag/js/gpt*`     | `gpt`                | `script_url`                               |
+| `www.googletagmanager.com/gtm.js?id=GTM-XXX`     | `google_tag_manager` | `container_id` from `?id=`                 |
+| `sdk.privacy-center.org`                         | `didomi`             | (defaults)                                 |
+| `js.datadome.co`                                 | `datadome`           | (defaults)                                 |
+| `aim.loc.kr/*identity-lockr*.js`                 | `lockr`              | `sdk_url`                                  |
+| `*.edge.permutive.app/*-web.js`                  | `permutive`          | `organization_id`, `workspace_id` from URL |
+| `*/prebid.js`, `*/prebidjs.js` (+ .min variants) | `prebid`             | (detect only)                              |
+| `c.amazon-adsystem.com/aax2/apstag*`             | `aps`                | (detect only)                              |
+
+### Field categories
+
+- **Full**, all config fields have defaults or are auto-extracted. Config section is ready to use.
+- **Partial**, some fields auto-extracted, others need manual input (marked with `# TODO:`).
+- **Detect only**, integration detected but key fields (e.g., `server_url`, `pub_id`) require manual input.
+
+### Config output
+
+```toml
+# Generated by js-asset-auditor on 2026-04-13
+# Source URL: https://www.publisher.com
+
+[publisher]
+domain = "publisher.com"
+# cookie_domain = ".publisher.com"
+# origin_url = "https://origin.publisher.com"
+# proxy_secret = "change-me"
+
+[integrations.gpt]
+enabled = true
+script_url = "https://securepubads.g.doubleclick.net/tag/js/gpt.js"  # auto-detected
+# cache_ttl_seconds = 3600
+# rewrite_script = true
+
+[integrations.google_tag_manager]
+enabled = true
+container_id = "GTM-TRCJMD6"  # auto-detected
+
+[integrations.lockr]
+enabled = false
+sdk_url = "https://aim.loc.kr/identity-lockr-trust-server.js"  # auto-detected
+# app_id = ""  # TODO: set your Lockr Identity app_id
+# api_endpoint = "https://identity.loc.kr"
+```
+
+If the target file already exists, the CLI errors unless `--force` is passed.
+
+---
+
+## Implementation
+
+The Auditor is packaged as a Claude Code plugin at `packages/js-asset-auditor/` with three components:
+
+```
+packages/js-asset-auditor/
+- .claude-plugin/plugin.json       # Plugin manifest
+- skills/audit-js-assets/SKILL.md  # Skill definition
+- bin/audit-js-assets              # Executable (added to PATH by Claude Code)
+- lib/
+  - audit.mjs                      # Playwright CLI, browser automation + orchestration
+  - detect.mjs                     # Integration detection engine + config generation
+  - process.mjs                    # Processing library, normalization, filtering, slugs, TOML
+  - slug.mjs                       # Standalone slug generator
+- package.json                     # playwright dependency
+- settings.json                    # Auto-grants Bash(audit-js-assets:*) permission
+```
+
+1. **Playwright CLI** (`lib/audit.mjs`), Launches Chromium (headed by default), navigates to the target URL, collects script network requests and head script DOM state, then calls `processAssets()`. Outputs TOML file + JSON summary. Can be run directly without Claude Code.
+2. **Processing library** (`lib/process.mjs`), Pure Node.js module (no external dependencies) that exports `processAssets()` and individual utility functions. Handles URL normalization, first-party filtering, heuristic filtering, wildcard detection, slug generation, and TOML formatting.
+3. **Claude Code skill** (`skills/audit-js-assets/SKILL.md`), Thin wrapper that invokes the CLI via the `bin/audit-js-assets` executable and formats the JSON summary.
+
+**Plugin installation:**
+
+```bash
+# Local testing (loads for one session)
+claude --plugin-dir packages/js-asset-auditor
+
+# Via marketplace (permanent installation)
+/plugin marketplace add <org>/<repo>
+/plugin install js-asset-auditor
+```
+
+**Setup (one-time after install):**
+
+```bash
+cd packages/js-asset-auditor && npm install && npx playwright install chromium
+```
+
+**Standalone utilities:**
+
+- `scripts/js-asset-slug.mjs`, Standalone slug generator for individual URLs (kept outside the plugin for backward compatibility)
+
+---
+
+## Delivery Order
+
+The Auditor should be delivered **after Proxy Phase 1** (so `js-assets.toml` schema is defined) and **before Proxy Phase 2** (so engineering has real populated entries to test the cache pipeline against actual vendor origins).
+
+See [delivery order in the Proxy spec](2026-04-01-js-asset-proxy-design.md) (on `js-asset-proxy-spec` branch until merged).
+
+---
+
+## Verification
+
+- Run `node packages/js-asset-auditor/lib/audit.mjs https://www.publisher.com` against a known test publisher page
+- Verify generated entries match actual third-party JS observed on the page (cross-check in browser DevTools)
+- Verify `inject_in_head = true` only for scripts that appear in `<head>` (not `<body>`)
+- Verify wildcard detection fires for versioned path segments (e.g., `1.19.13-0fnlww`) and not for stable paths
+- Verify GTM (`googletagmanager.com`) is captured and not filtered
+- Verify Google ad rendering infra (`pagead2.googlesyndication.com`, `s0.2mdn.net` etc.) is filtered with reason in summary
+- Verify `securepubads.g.doubleclick.net` (GPT) is **not** filtered
+- Verify first-party auto-detection: auditing `golf.com` with `publisher.domain = "test-publisher.com"` excludes `golf.com` scripts
+- Run `--diff` against an unchanged page then all entries confirmed, no new/missing
+- Run `--diff` after adding a new vendor script to the page then appears as `NEW` in summary
+- Run `--diff` after removing a script then appears as `MISSING (warning)` in summary, file unchanged
+- Run `/js-asset-auditor:audit-js-assets <url>` via Claude Code plugin then identical results to direct CLI invocation
+- Run CLI without `trusted-server.toml` (using `--domain` or domain inference) then works in any project
+- Run with `--config` then generates `trusted-server.toml` with detected integrations
+- Verify GTM `container_id` is auto-extracted from `?id=GTM-XXXXX` query param
+- Verify integrations with TODO fields are marked with `# TODO:` comments
+- Verify `--config` without `--force` errors when target file exists
+- Verify JSON summary includes `integrations` array when `--config` is used
diff --git a/packages/js-asset-auditor/.claude-plugin/plugin.json b/packages/js-asset-auditor/.claude-plugin/plugin.json
new file mode 100644
index 000000000..b6be8d858
--- /dev/null
+++ b/packages/js-asset-auditor/.claude-plugin/plugin.json
@@ -0,0 +1,10 @@
+{
+  "name": "js-asset-auditor",
+  "version": "1.0.0",
+  "description": "Audit publisher pages for third-party JS assets and generate js-assets.toml entries using Playwright",
+  "author": {
+    "name": "StackPop"
+  },
+  "license": "MIT",
+  "keywords": ["js-assets", "audit", "playwright", "ad-tech", "proxy"]
+}
diff --git a/packages/js-asset-auditor/bin/audit-js-assets b/packages/js-asset-auditor/bin/audit-js-assets
new file mode 100755
index 000000000..cdff67ef9
--- /dev/null
+++ b/packages/js-asset-auditor/bin/audit-js-assets
@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+
+// Plugin bin/ wrapper — resolves lib/audit.mjs relative to plugin root,
+// not the user's working directory.
+
+import { fileURLToPath } from "node:url";
+import { dirname, resolve } from "node:path";
+
+const pluginRoot = resolve(dirname(fileURLToPath(import.meta.url)), "..");
+const { main } = await import(resolve(pluginRoot, "lib/audit.mjs"));
+main();
diff --git a/packages/js-asset-auditor/lib/audit.mjs b/packages/js-asset-auditor/lib/audit.mjs
new file mode 100644
index 000000000..232c68905
--- /dev/null
+++ b/packages/js-asset-auditor/lib/audit.mjs
@@ -0,0 +1,364 @@
+#!/usr/bin/env node
+
+// JS Asset Auditor CLI
+//
+// Standalone Playwright-based tool that sweeps a publisher page for third-party
+// JS assets and generates js-assets.toml entries.
+//
+// Usage:
+//   node packages/js-asset-auditor/lib/audit.mjs https://www.publisher.com [options]
+//   audit-js-assets https://www.publisher.com [options]  (when plugin bin/ is in PATH)
+//
+// Options:
+//   --diff              Compare against existing js-assets.toml
+//   --domain <domain>   Override publisher domain used for slug generation
+//   --settle <ms>       Settle window after page load (default: 6000)
+//   --first-party <h>   Additional first-party hosts (comma-separated)
+//   --no-filter         Bypass heuristic filtering
+//   --headless          Run browser headlessly
+//   --output <path>     Output file path (default: js-assets.toml)
+//   --config [path]     Generate trusted-server.toml (default path: trusted-server.generated.toml)
+//   --force             Overwrite existing output/config files
+//
+// Prerequisites:
+//   cd packages/js-asset-auditor && npm install && npx playwright install chromium
+
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { processAssets } from "./process.mjs";
+
+const DEFAULT_GENERATED_CONFIG_PATH = "trusted-server.generated.toml";
+
+const USAGE =
+  "Usage: audit-js-assets <url> [--diff] [--domain <domain>] [--settle <ms>] [--first-party <hosts>] [--no-filter] [--headless] [--output <path>] [--config [path]] [--force]";
+
+// ---------------------------------------------------------------------------
+// Config reading
+// ---------------------------------------------------------------------------
+
+export function readPublisherDomain(repoRoot, configPath = "trusted-server.toml") {
+  const resolvedPath = resolve(repoRoot, configPath);
+  const content = readFileSync(resolvedPath, "utf-8");
+  const lines = content.split("\n");
+  let inPublisher = false;
+
+  for (const line of lines) {
+    if (/^\[publisher\]/.test(line)) {
+      inPublisher = true;
+      continue;
+    }
+    if (/^\[/.test(line)) {
+      inPublisher = false;
+      continue;
+    }
+    if (inPublisher) {
+      const match = line.match(/^domain\s*=\s*"([^"]+)"/);
+      if (match) return match[1];
+    }
+  }
+
+  throw new Error(
+    `Could not find [publisher].domain in ${configPath}`,
+  );
+}
+
+function inferDomainFromTarget(target) {
+  try {
+    const host = new URL(target).hostname;
+    return host.startsWith("www.") ? host.slice(4) : host;
+  } catch {
+    return target;
+  }
+}
+
+function exitWithUsage(message) {
+  console.error(message);
+  console.error(USAGE);
+  process.exit(1);
+}
+
+function requireFlagValue(argv, index, flag) {
+  const value = argv[index + 1];
+  if (!value || value.startsWith("--")) {
+    exitWithUsage(`${flag} requires a value`);
+  }
+  return value;
+}
+
+function normalizeFirstPartyHost(value) {
+  const trimmed = value.trim();
+  if (!trimmed) return null;
+
+  try {
+    const parsed = new URL(trimmed.includes("://") ? trimmed : `https://${trimmed}`);
+    if (!parsed.hostname) {
+      exitWithUsage(`--first-party value is not a valid host: ${value}`);
+    }
+    return parsed.hostname;
+  } catch {
+    exitWithUsage(`--first-party value is not a valid host: ${value}`);
+  }
+}
+
+export function fail(message) {
+  console.error(message);
+  process.exit(1);
+}
+
+export function resolvePublisherDomain(args, repoRoot) {
+  if (args.domain) {
+    console.error(
+      `Using publisher domain from --domain: ${args.domain}`,
+    );
+    return args.domain;
+  }
+
+  try {
+    const domain = readPublisherDomain(repoRoot);
+    console.error(
+      `Using publisher domain from trusted-server.toml: ${domain}`,
+    );
+    return domain;
+  } catch (error) {
+    if (error?.code === "ENOENT") {
+      const domain = inferDomainFromTarget(args.url);
+      console.error(
+        `No trusted-server.toml found, inferring publisher domain from target URL: ${domain}`,
+      );
+      return domain;
+    }
+
+    fail(
+      `Failed to read publisher domain from trusted-server.toml: ${error.message}`,
+    );
+  }
+}
+
+export function ensurePathWritable(path, force) {
+  if (existsSync(path) && !force) {
+    fail(`${path} already exists. Use --force to overwrite.`);
+  }
+}
+
+export const ensureConfigPathWritable = ensurePathWritable;
+
+// ---------------------------------------------------------------------------
+// CLI argument parsing
+// ---------------------------------------------------------------------------
+
+export function parseArgs(argv) {
+  const args = {
+    url: null,
+    domain: null,
+    diff: false,
+    settle: 6000,
+    firstParty: [],
+    noFilter: false,
+    headless: false,
+    output: "js-assets.toml",
+    config: null,
+    force: false,
+  };
+
+  for (let i = 2; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === "--domain") {
+      args.domain = requireFlagValue(argv, i, "--domain");
+      i += 1;
+    } else if (arg === "--diff") {
+      args.diff = true;
+    } else if (arg === "--settle") {
+      const settleValue = requireFlagValue(argv, i, "--settle");
+      const parsedSettle = Number.parseInt(settleValue, 10);
+      if (!Number.isFinite(parsedSettle) || parsedSettle < 0) {
+        exitWithUsage("--settle requires a non-negative integer value");
+      }
+      args.settle = parsedSettle;
+      i += 1;
+    } else if (arg === "--first-party") {
+      const firstPartyValue = requireFlagValue(argv, i, "--first-party");
+      args.firstParty = firstPartyValue
+        .split(",")
+        .map(normalizeFirstPartyHost)
+        .filter(Boolean);
+      i += 1;
+    } else if (arg === "--no-filter") {
+      args.noFilter = true;
+    } else if (arg === "--headless") {
+      args.headless = true;
+    } else if (arg === "--output") {
+      args.output = requireFlagValue(argv, i, "--output");
+      i += 1;
+    } else if (arg === "--config") {
+      const next = argv[i + 1];
+      if (next && !next.startsWith("--")) {
+        args.config = next;
+        i += 1;
+      } else {
+        args.config = DEFAULT_GENERATED_CONFIG_PATH;
+      }
+    } else if (arg === "--force") {
+      args.force = true;
+    } else if (!arg.startsWith("--") && !args.url) {
+      args.url = arg.startsWith("http") ? arg : `https://${arg}`;
+    } else {
+      exitWithUsage(`Unknown argument: ${arg}`);
+    }
+  }
+
+  if (!args.url) {
+    exitWithUsage("Missing required <url> argument");
+  }
+
+  return args;
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+export async function main() {
+  const args = parseArgs(process.argv);
+  const repoRoot = process.cwd();
+
+  const domain = resolvePublisherDomain(args, repoRoot);
+
+  let chromium;
+  try {
+    ({ chromium } = await import("playwright"));
+  } catch {
+    console.error(
+      "Playwright not installed. Run:\n  cd packages/js-asset-auditor && npm install",
+    );
+    process.exit(1);
+  }
+
+  console.error("Launching browser...");
+  let browser;
+  try {
+    browser = await chromium.launch({ headless: args.headless });
+  } catch (error) {
+    if (error.message.includes("Executable doesn't exist")) {
+      console.error(
+        "Chromium not installed. Run:\n  cd packages/js-asset-auditor && npx playwright install chromium",
+      );
+      process.exit(1);
+    }
+    throw error;
+  }
+
+  try {
+    const context = await browser.newContext();
+    const page = await context.newPage();
+
+    const scriptUrls = [];
+    page.on("response", (response) => {
+      const request = response.request();
+      if (request.resourceType() === "script") {
+        scriptUrls.push(request.url());
+      }
+    });
+
+    console.error(`Navigating to ${args.url}...`);
+    await page.goto(args.url, { waitUntil: "load", timeout: 30000 });
+
+    console.error(`Waiting ${args.settle}ms for page to settle...`);
+    await page.waitForTimeout(args.settle);
+
+    const headScriptUrls = await page.evaluate(() =>
+      Array.from(document.head.querySelectorAll("script[src]")).map(
+        (script) => script.src,
+      ),
+    );
+
+    const runtimeSignals = await page.evaluate(() => {
+      const prebidBidders = new Set();
+      for (const adUnit of window.pbjs?.adUnits ?? []) {
+        for (const bid of adUnit.bids ?? []) {
+          if (typeof bid.bidder === "string" && bid.bidder.length > 0) {
+            prebidBidders.add(bid.bidder);
+          }
+        }
+      }
+
+      return {
+        prebidBidders: Array.from(prebidBidders).sort(),
+      };
+    });
+
+    console.error(
+      `Found ${scriptUrls.length} network scripts, ${headScriptUrls.length} head scripts`,
+    );
+    if (runtimeSignals.prebidBidders.length > 0) {
+      console.error(
+        `Detected Prebid bidders: ${runtimeSignals.prebidBidders.join(", ")}`,
+      );
+    }
+
+    console.error("Processing assets...");
+    const result = processAssets(
+      { networkUrls: scriptUrls, headUrls: headScriptUrls },
+      {
+        domain,
+        target: args.url,
+        output: args.output,
+        diff: args.diff,
+        firstParty: args.firstParty,
+        noFilter: args.noFilter,
+      },
+    );
+
+    if (result.error) {
+      console.error(result.error);
+      process.exit(1);
+    }
+
+    if (!args.diff) {
+      ensurePathWritable(args.output, args.force);
+    }
+    writeFileSync(args.output, result.toml);
+    const count =
+      result.summary.mode === "init"
+        ? result.summary.surfaced
+        : result.summary.new.length;
+    console.error(`Wrote ${args.output} (${count} entries)`);
+
+    if (args.config) {
+      const { detectIntegrations, generateConfig } = await import("./detect.mjs");
+      const detection = detectIntegrations(scriptUrls, runtimeSignals);
+
+      if (detection.integrations.length > 0) {
+        ensurePathWritable(args.config, args.force);
+        const configToml = generateConfig(domain, args.url, detection);
+        writeFileSync(args.config, configToml);
+        console.error(
+          `Wrote ${args.config} (${detection.integrations.length} integrations detected)`,
+        );
+      } else {
+        console.error("No integrations detected — skipping config generation");
+      }
+
+      result.summary.integrations = detection.integrations.map((integration) => ({
+        id: integration.id,
+        label: integration.label,
+        category: integration.category,
+        extracted: integration.extracted,
+        todos: integration.todos,
+      }));
+    }
+
+    console.log(JSON.stringify(result.summary));
+  } finally {
+    if (browser?.isConnected()) {
+      await browser.close();
+    }
+  }
+}
+
+const isDirectExecution =
+  process.argv[1] &&
+  new URL(process.argv[1], "file://").href === import.meta.url;
+
+if (isDirectExecution) {
+  main();
+}
diff --git a/packages/js-asset-auditor/lib/detect.mjs b/packages/js-asset-auditor/lib/detect.mjs
new file mode 100644
index 000000000..106764b98
--- /dev/null
+++ b/packages/js-asset-auditor/lib/detect.mjs
@@ -0,0 +1,305 @@
+// JS Asset Auditor — Integration Detection & Config Generation
+//
+// Detects known integrations from raw script URLs captured during a page sweep,
+// then generates a trusted-server.toml with appropriate [integrations.*] sections.
+//
+// Integration patterns are derived from the Rust source in
+// crates/trusted-server-core/src/integrations/.
+
+// ---------------------------------------------------------------------------
+// Integration pattern registry
+// ---------------------------------------------------------------------------
+
+const PREBID_SUFFIXES = [
+  "/prebid.js",
+  "/prebid.min.js",
+  "/prebid-loader.js",
+  "/prebid-load.js",
+  "/prebid-wrapper.js",
+  "/prebidjs.js",
+  "/prebidjs.min.js",
+];
+
+function matchesHostOrSubdomain(hostname, baseHost) {
+  return hostname === baseHost || hostname.endsWith(`.${baseHost}`);
+}
+
+const INTEGRATION_PATTERNS = [
+  {
+    id: "gpt",
+    label: "Google Publisher Tags",
+    match: (url) =>
+      url.hostname === "securepubads.g.doubleclick.net" &&
+      url.pathname.startsWith("/tag/js/gpt"),
+    extract: (url) => ({
+      script_url: `${url.origin}${url.pathname}`,
+    }),
+    defaults: {
+      cache_ttl_seconds: 3600,
+      rewrite_script: true,
+    },
+    todos: [],
+    category: "full",
+  },
+  {
+    id: "google_tag_manager",
+    label: "Google Tag Manager",
+    match: (url) =>
+      url.hostname === "www.googletagmanager.com" &&
+      url.pathname.endsWith("/gtm.js"),
+    extract: (url) => {
+      const containerId = url.searchParams.get("id");
+      return containerId ? { container_id: containerId } : {};
+    },
+    defaults: {},
+    todos: (extracted) => (extracted.container_id ? [] : ["container_id"]),
+    category: "partial",
+  },
+  {
+    id: "didomi",
+    label: "Didomi Consent",
+    match: (url) =>
+      url.hostname === "sdk.privacy-center.org" ||
+      url.hostname === "api.privacy-center.org",
+    extract: () => ({}),
+    defaults: {
+      sdk_origin: "https://sdk.privacy-center.org",
+      api_origin: "https://api.privacy-center.org",
+    },
+    todos: [],
+    category: "full",
+  },
+  {
+    id: "datadome",
+    label: "DataDome Bot Protection",
+    match: (url) =>
+      url.hostname === "js.datadome.co" ||
+      url.hostname === "api-js.datadome.co",
+    extract: () => ({}),
+    defaults: {
+      sdk_origin: "https://js.datadome.co",
+      api_origin: "https://api-js.datadome.co",
+      cache_ttl_seconds: 3600,
+      rewrite_sdk: true,
+    },
+    todos: [],
+    category: "full",
+  },
+  {
+    id: "lockr",
+    label: "Lockr Identity",
+    match: (url) => {
+      const hostMatch =
+        matchesHostOrSubdomain(url.hostname, "aim.loc.kr") ||
+        matchesHostOrSubdomain(url.hostname, "identity.loc.kr");
+      if (!hostMatch) return false;
+      const href = url.href.toLowerCase();
+      return href.includes("identity-lockr") && href.endsWith(".js");
+    },
+    extract: (url) => ({
+      sdk_url: url.href,
+    }),
+    defaults: {
+      api_endpoint: "https://identity.loc.kr",
+      cache_ttl_seconds: 3600,
+      rewrite_sdk: true,
+    },
+    todos: ["app_id"],
+    category: "partial",
+  },
+  {
+    id: "permutive",
+    label: "Permutive DMP",
+    match: (url) =>
+      (url.hostname.endsWith(".edge.permutive.app") ||
+        url.hostname === "cdn.permutive.com") &&
+      url.pathname.endsWith("-web.js"),
+    extract: (url) => {
+      const result = {};
+      if (url.hostname.endsWith(".edge.permutive.app")) {
+        result.organization_id = url.hostname.replace(".edge.permutive.app", "");
+      }
+      const filename = url.pathname.split("/").pop() || "";
+      const workspaceMatch = filename.match(/^(.+)-web\.js$/);
+      if (workspaceMatch) {
+        result.workspace_id = workspaceMatch[1];
+      }
+      return result;
+    },
+    defaults: {
+      api_endpoint: "https://api.permutive.com",
+      secure_signals_endpoint: "https://secure-signals.permutive.app",
+      cache_ttl_seconds: 3600,
+      rewrite_sdk: true,
+    },
+    todos: (extracted) => {
+      const missing = [];
+      if (!extracted.organization_id) missing.push("organization_id");
+      if (!extracted.workspace_id) missing.push("workspace_id");
+      return missing;
+    },
+    category: "partial",
+  },
+  {
+    id: "prebid",
+    label: "Prebid Header Bidding",
+    match: (url) => {
+      const lowerPathname = url.pathname.toLowerCase();
+      return PREBID_SUFFIXES.some((suffix) => lowerPathname.endsWith(suffix));
+    },
+    extract: () => ({}),
+    applyRuntimeSignals: (entry, runtimeSignals) => {
+      const bidders = runtimeSignals?.prebidBidders ?? [];
+      if (bidders.length > 0 && !("bidders" in entry.extracted)) {
+        entry.extracted.bidders = bidders;
+      }
+    },
+    defaults: {
+      timeout_ms: 1000,
+      debug: false,
+    },
+    todos: (extracted) => {
+      const missing = ["server_url"];
+      if (!Array.isArray(extracted.bidders) || extracted.bidders.length === 0) {
+        missing.push("bidders");
+      }
+      return missing;
+    },
+    category: "detect_only",
+  },
+  {
+    id: "aps",
+    label: "Amazon Publisher Services",
+    match: (url) =>
+      url.hostname === "c.amazon-adsystem.com" &&
+      url.pathname.startsWith("/aax2/apstag"),
+    extract: () => ({}),
+    defaults: {
+      endpoint: "https://aax.amazon-adsystem.com/e/dtb/bid",
+      timeout_ms: 1000,
+    },
+    todos: ["pub_id"],
+    category: "detect_only",
+  },
+];
+
+// ---------------------------------------------------------------------------
+// Detection
+// ---------------------------------------------------------------------------
+
+export function detectIntegrations(rawUrls, runtimeSignals = {}) {
+  const detected = new Map();
+
+  for (const rawUrl of rawUrls) {
+    let url;
+    try {
+      url = new URL(rawUrl);
+    } catch {
+      continue;
+    }
+
+    for (const pattern of INTEGRATION_PATTERNS) {
+      if (!pattern.match(url)) continue;
+
+      if (detected.has(pattern.id)) {
+        const existing = detected.get(pattern.id);
+        existing.sourceUrls.push(rawUrl);
+        const newExtracted = pattern.extract(url);
+        for (const [key, value] of Object.entries(newExtracted)) {
+          if (!(key in existing.extracted)) existing.extracted[key] = value;
+        }
+      } else {
+        const extracted = pattern.extract(url);
+        const todos = [];
+
+        detected.set(pattern.id, {
+          id: pattern.id,
+          label: pattern.label,
+          category: pattern.category,
+          extracted,
+          defaults: { ...pattern.defaults },
+          todos,
+          sourceUrls: [rawUrl],
+        });
+      }
+
+      break;
+    }
+  }
+
+  for (const [id, entry] of detected) {
+    const pattern = INTEGRATION_PATTERNS.find((candidate) => candidate.id === id);
+    if (pattern?.applyRuntimeSignals) {
+      pattern.applyRuntimeSignals(entry, runtimeSignals);
+    }
+    entry.todos =
+      typeof pattern?.todos === "function"
+        ? pattern.todos(entry.extracted)
+        : [...(pattern?.todos ?? [])];
+  }
+
+  return {
+    integrations: [...detected.values()],
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Config generation
+// ---------------------------------------------------------------------------
+
+function formatTomlString(value) {
+  return JSON.stringify(value);
+}
+
+function formatTomlValue(value) {
+  if (typeof value === "string") return formatTomlString(value);
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "number") return String(value);
+  if (Array.isArray(value)) {
+    return `[${value.map((entry) => formatTomlString(entry)).join(", ")}]`;
+  }
+  return String(value);
+}
+
+function isIntegrationConfigComplete(integration) {
+  return integration.category === "full" || integration.todos.length === 0;
+}
+
+export function generateConfig(domain, targetUrl, detectionResult) {
+  const today = new Date().toISOString().slice(0, 10);
+  let toml = "";
+
+  toml += `# Generated by js-asset-auditor on ${today}\n`;
+  toml += `# Source URL: ${targetUrl}\n`;
+  toml += `#\n`;
+  toml += `# Review all values before deploying. Fields marked TODO need manual input.\n`;
+  toml += `# Commented-out fields show defaults — uncomment to override.\n`;
+  toml += `\n`;
+
+  toml += `[publisher]\n`;
+  toml += `domain = ${formatTomlString(domain)}\n`;
+  toml += `# cookie_domain = ${formatTomlString(`.${domain}`)}\n`;
+  toml += `# origin_url = ${formatTomlString(`https://origin.${domain}`)}\n`;
+  toml += `# proxy_secret = ${formatTomlString("change-me")}\n`;
+
+  for (const integration of detectionResult.integrations) {
+    toml += `\n`;
+    toml += `[integrations.${integration.id}]\n`;
+    toml += `enabled = ${isIntegrationConfigComplete(integration)}\n`;
+
+    for (const [key, value] of Object.entries(integration.extracted)) {
+      toml += `${key} = ${formatTomlValue(value)}  # auto-detected\n`;
+    }
+
+    for (const field of integration.todos) {
+      toml += `# ${field} = ${formatTomlString("")}  # TODO: set your ${integration.label} ${field}\n`;
+    }
+
+    for (const [key, value] of Object.entries(integration.defaults)) {
+      if (key in integration.extracted) continue;
+      toml += `# ${key} = ${formatTomlValue(value)}\n`;
+    }
+  }
+
+  return toml;
+}
diff --git a/packages/js-asset-auditor/lib/process.mjs b/packages/js-asset-auditor/lib/process.mjs
new file mode 100644
index 000000000..849ea102d
--- /dev/null
+++ b/packages/js-asset-auditor/lib/process.mjs
@@ -0,0 +1,455 @@
+// JS Asset Auditor — Processing Library
+//
+// Pure processing functions for URL normalization, filtering, wildcard
+// detection, slug generation, and TOML formatting. No external dependencies.
+//
+// This file is the canonical slug-generation implementation. Standalone CLIs
+// import from here to avoid drift.
+
+import { createHash } from "node:crypto";
+import { posix } from "node:path";
+import { readFileSync } from "node:fs";
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const BASE62_CHARSET =
+  "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+export const HEURISTIC_FILTERS = {
+  "Framework CDNs": ["cdnjs.cloudflare.com", "ajax.googleapis.com", "cdn.jsdelivr.net", "unpkg.com"],
+  "Error tracking": ["sentry.io", "bugsnag.com", "rollbar.com"],
+  "Font services": ["fonts.googleapis.com", "fonts.gstatic.com"],
+  "Social embeds": ["platform.twitter.com", "platform.x.com", "connect.facebook.net"],
+  "Google ad rendering": [
+    "pagead2.googlesyndication.com",
+    "tpc.googlesyndication.com",
+    "s0.2mdn.net",
+    "googleads.g.doubleclick.net",
+    "www.googleadservices.com",
+  ],
+  "Ad fraud detection": ["adtrafficquality.google"],
+  "Ad verification": ["adsafeprotected.com", "moatads.com", "doubleverify.com"],
+  reCAPTCHA: [
+    "recaptcha.net",
+    { host: "www.google.com", pathPrefix: "/recaptcha/" },
+    { host: "www.gstatic.com", pathPrefix: "/recaptcha/" },
+  ],
+};
+
+const SEMVER_RE = /^\d+\.\d+[\.\d\w-]*$/;
+const HEX_HASH_RE = /^[a-f0-9]{8,}$/;
+const MIXED_HASH_RE = /^[A-Za-z0-9]{8,}$/;
+
+// ---------------------------------------------------------------------------
+// Slug generation
+// ---------------------------------------------------------------------------
+
+function bufferToBase62(buffer) {
+  let num = 0n;
+  for (const byte of buffer) {
+    num = (num << 8n) | BigInt(byte);
+  }
+  if (num === 0n) return "0";
+  const chars = [];
+  while (num > 0n) {
+    chars.push(BASE62_CHARSET[Number(num % 62n)]);
+    num = num / 62n;
+  }
+  return chars.reverse().join("");
+}
+
+export function extractAssetStem(originUrl) {
+  let pathname;
+  try {
+    pathname = new URL(originUrl).pathname;
+  } catch {
+    pathname = originUrl;
+  }
+  if (pathname.endsWith("/")) pathname = pathname.slice(0, -1);
+  const basename = posix.basename(pathname);
+  if (!basename || basename === "/") {
+    const segments = pathname.split("/").filter(Boolean);
+    const last = segments.at(-1) || "unknown";
+    const dot = last.lastIndexOf(".");
+    return dot > 0 ? last.slice(0, dot) : last;
+  }
+  const dot = basename.lastIndexOf(".");
+  return dot > 0 ? basename.slice(0, dot) : basename;
+}
+
+export function generateSlug(publisherDomain, originUrl) {
+  const input = `${publisherDomain}|${originUrl}`;
+  const digest = createHash("sha256").update(input).digest();
+  const base62 = bufferToBase62(digest);
+  const publisherPrefix = base62.slice(0, 8);
+  const assetStem = extractAssetStem(originUrl);
+  return `${publisherPrefix}:${assetStem}`;
+}
+
+// ---------------------------------------------------------------------------
+// URL processing
+// ---------------------------------------------------------------------------
+
+export function normalizeUrl(raw) {
+  let url = raw;
+  if (url.startsWith("//")) url = "https:" + url;
+  const hashIdx = url.indexOf("#");
+  if (hashIdx !== -1) url = url.slice(0, hashIdx);
+  const qIdx = url.indexOf("?");
+  if (qIdx !== -1) url = url.slice(0, qIdx);
+  if (url.endsWith("/")) url = url.slice(0, -1);
+  return url;
+}
+
+function stripWww(host) {
+  return host.startsWith("www.") ? host.slice(4) : host;
+}
+
+export function isFirstParty(hostname, publisherDomain, targetHost, extraHosts) {
+  const stripped = stripWww(hostname);
+  if (stripped === stripWww(publisherDomain)) return true;
+  if (stripped === stripWww(targetHost)) return true;
+  for (const h of extraHosts) {
+    if (stripped === stripWww(h)) return true;
+  }
+  return false;
+}
+
+function dotBoundaryMatch(hostname, filterEntry) {
+  return hostname === filterEntry || hostname.endsWith("." + filterEntry);
+}
+
+export function matchesHeuristicFilter(hostname, pathname) {
+  for (const [category, entries] of Object.entries(HEURISTIC_FILTERS)) {
+    for (const entry of entries) {
+      if (typeof entry === "string") {
+        if (dotBoundaryMatch(hostname, entry)) {
+          return { category, entry };
+        }
+      } else {
+        if (
+          dotBoundaryMatch(hostname, entry.host) &&
+          pathname.startsWith(entry.pathPrefix)
+        ) {
+          return { category, entry: `${entry.host}${entry.pathPrefix}*` };
+        }
+      }
+    }
+  }
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Wildcard detection
+// ---------------------------------------------------------------------------
+
+export function applyWildcards(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return { wildcarded: url, original: null, hasWildcard: false };
+  }
+  const segments = parsed.pathname.split("/");
+  let hasWildcard = false;
+  const newSegments = segments.map((seg) => {
+    if (!seg) return seg;
+    if (SEMVER_RE.test(seg)) {
+      hasWildcard = true;
+      return "*";
+    }
+    if (HEX_HASH_RE.test(seg)) {
+      hasWildcard = true;
+      return "*";
+    }
+    if (
+      MIXED_HASH_RE.test(seg) &&
+      /\d/.test(seg) &&
+      /[a-zA-Z]/.test(seg)
+    ) {
+      hasWildcard = true;
+      return "*";
+    }
+    return seg;
+  });
+  const wildcarded = parsed.origin + newSegments.join("/");
+  return { wildcarded, original: hasWildcard ? url : null, hasWildcard };
+}
+
+// ---------------------------------------------------------------------------
+// TOML formatting
+// ---------------------------------------------------------------------------
+
+function formatTomlString(value) {
+  return JSON.stringify(value);
+}
+
+export function formatTomlEntry(asset, commented = false) {
+  const pfx = commented ? "# " : "";
+  let block = "";
+  if (asset.hasWildcard && asset.originalUrl) {
+    block += `${pfx}# ${asset.originalUrl} (wildcard detected)\n`;
+  }
+  block += `${pfx}slug = ${formatTomlString(asset.slug)}\n`;
+  block += `${pfx}path = ${formatTomlString(asset.path)}\n`;
+  block += `${pfx}origin_url = ${formatTomlString(asset.originUrl)}\n`;
+  block += `${pfx}inject_in_head = ${asset.injectInHead}\n`;
+  return block;
+}
+
+export function shortenUrl(url) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return url;
+  }
+  const parts = parsed.pathname.split("/").filter(Boolean);
+  const filename = parts.at(-1) || parsed.pathname;
+  return `${parsed.hostname}/.../` + filename;
+}
+
+// ---------------------------------------------------------------------------
+// Diff mode: parse existing TOML
+// ---------------------------------------------------------------------------
+
+export function parseExistingToml(content) {
+  const entries = [];
+  const lines = content.split("\n");
+  let currentBlock = null;
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed === "[[js_assets]]" || trimmed === "# [[js_assets]]") {
+      if (currentBlock?.originUrl) {
+        entries.push(currentBlock);
+      }
+      currentBlock = { originUrl: "", slug: "" };
+      continue;
+    }
+
+    if (!currentBlock) {
+      continue;
+    }
+
+    const slugMatch = trimmed.match(/^#?\s*slug\s*=\s*"([^"]+)"$/);
+    if (slugMatch) {
+      currentBlock.slug = slugMatch[1];
+      continue;
+    }
+
+    const originMatch = trimmed.match(/^#?\s*origin_url\s*=\s*"([^"]+)"$/);
+    if (originMatch) {
+      currentBlock.originUrl = originMatch[1];
+    }
+  }
+
+  if (currentBlock?.originUrl) {
+    entries.push(currentBlock);
+  }
+
+  return entries;
+}
+
+// ---------------------------------------------------------------------------
+// Core processing pipeline
+// ---------------------------------------------------------------------------
+
+export function processAssets(input, args) {
+  const { networkUrls: rawNetworkUrls, headUrls: rawHeadUrls } = input;
+
+  let targetHost = "";
+  try {
+    targetHost = new URL(args.target).hostname;
+  } catch {
+    targetHost = args.target;
+  }
+
+  const normalizedNetwork = [...new Set(rawNetworkUrls.map(normalizeUrl))];
+  const normalizedHead = new Set(rawHeadUrls.map(normalizeUrl));
+  const wildcardedHead = new Set();
+  for (const headUrl of normalizedHead) {
+    let parsedHead;
+    try {
+      parsedHead = new URL(headUrl);
+    } catch {
+      continue;
+    }
+    if (parsedHead.protocol !== "http:" && parsedHead.protocol !== "https:") {
+      continue;
+    }
+    wildcardedHead.add(applyWildcards(headUrl).wildcarded);
+  }
+
+  const firstPartyFiltered = [];
+  const thirdPartyUrls = [];
+
+  for (const url of normalizedNetwork) {
+    let hostname;
+    try {
+      hostname = new URL(url).hostname;
+    } catch {
+      continue;
+    }
+    if (isFirstParty(hostname, args.domain, targetHost, args.firstParty || [])) {
+      firstPartyFiltered.push({ url, host: hostname });
+    } else {
+      thirdPartyUrls.push(url);
+    }
+  }
+
+  const heuristicFiltered = [];
+  const survivingUrls = [];
+
+  for (const url of thirdPartyUrls) {
+    let hostname, pathname;
+    try {
+      const parsed = new URL(url);
+      hostname = parsed.hostname;
+      pathname = parsed.pathname;
+    } catch {
+      survivingUrls.push(url);
+      continue;
+    }
+
+    if (args.noFilter) {
+      survivingUrls.push(url);
+      continue;
+    }
+
+    const match = matchesHeuristicFilter(hostname, pathname);
+    if (match) {
+      heuristicFiltered.push({ url, host: hostname, ...match });
+    } else {
+      survivingUrls.push(url);
+    }
+  }
+
+  const filterCounts = {};
+  for (const f of heuristicFiltered) {
+    filterCounts[f.host] = (filterCounts[f.host] || 0) + 1;
+  }
+
+  const assets = [];
+  const seenOrigins = new Set();
+
+  for (const url of survivingUrls) {
+    let parsed;
+    try {
+      parsed = new URL(url);
+    } catch {
+      continue;
+    }
+
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      continue;
+    }
+
+    const { wildcarded, original, hasWildcard } = applyWildcards(url);
+
+    if (seenOrigins.has(wildcarded)) continue;
+    seenOrigins.add(wildcarded);
+
+    const slug = generateSlug(args.domain, wildcarded);
+    const prefix = slug.split(":")[0];
+    const injectInHead = wildcardedHead.has(wildcarded);
+
+    let path;
+    if (hasWildcard) {
+      path = `/js-assets/${prefix}/*`;
+    } else {
+      const stem = extractAssetStem(wildcarded);
+      path = `/js-assets/${prefix}/${stem}.js`;
+    }
+
+    const hostname = parsed.hostname;
+
+    assets.push({
+      slug,
+      prefix,
+      path,
+      originUrl: wildcarded,
+      originalUrl: original,
+      injectInHead,
+      hasWildcard,
+      host: hostname,
+      shortUrl: shortenUrl(wildcarded),
+    });
+  }
+
+  const today = new Date().toISOString().slice(0, 10);
+
+  if (args.diff) {
+    let existingContent;
+    try {
+      existingContent = readFileSync(args.output, "utf-8");
+    } catch {
+      return { error: `Cannot read ${args.output} for diff mode` };
+    }
+
+    const existingEntries = parseExistingToml(existingContent);
+    const existingOrigins = new Set(existingEntries.map((e) => e.originUrl));
+    const sweepOrigins = new Set(assets.map((a) => a.originUrl));
+
+    const confirmed = existingEntries.filter((e) => sweepOrigins.has(e.originUrl));
+    const missing = existingEntries.filter((e) => !sweepOrigins.has(e.originUrl));
+    const newAssets = assets.filter((a) => !existingOrigins.has(a.originUrl));
+
+    let appendBlock = "";
+    if (newAssets.length > 0) {
+      appendBlock = `\n# --- NEW (detected by /audit-js-assets --diff on ${today}, uncomment to activate) ---\n`;
+      for (const a of newAssets) {
+        appendBlock += `\n# [[js_assets]]\n`;
+        appendBlock += formatTomlEntry(a, true);
+      }
+    }
+
+    return {
+      toml: existingContent + appendBlock,
+      summary: {
+        mode: "diff",
+        publisherDomain: args.domain,
+        targetUrl: args.target,
+        confirmed: confirmed.map((e) => ({ slug: e.slug, originUrl: e.originUrl })),
+        new: newAssets.map((a) => ({ slug: a.slug, prefix: a.prefix, shortUrl: a.shortUrl, originUrl: a.originUrl })),
+        missing: missing.map((e) => ({ slug: e.slug, originUrl: e.originUrl })),
+        outputFile: args.output,
+      },
+    };
+  }
+
+  let toml = `# Generated by /audit-js-assets on ${today}\n`;
+  toml += `# Publisher: ${args.domain}\n`;
+  toml += `# Source URL: ${args.target}\n`;
+
+  for (const a of assets) {
+    toml += `\n[[js_assets]]\n`;
+    toml += formatTomlEntry(a);
+  }
+
+  const filterSummary = Object.entries(filterCounts).map(([host, count]) => ({ host, count }));
+
+  return {
+    toml,
+    summary: {
+      mode: "init",
+      publisherDomain: args.domain,
+      targetUrl: args.target,
+      totalDetected: thirdPartyUrls.length,
+      firstPartyFiltered: firstPartyFiltered.length,
+      firstPartyHost: targetHost,
+      heuristicFiltered: filterSummary,
+      heuristicFilteredTotal: heuristicFiltered.length,
+      surfaced: assets.length,
+      assets: assets.map((a) => ({
+        prefix: a.prefix,
+        injectInHead: a.injectInHead,
+        shortUrl: a.shortUrl,
+        wildcard: a.hasWildcard,
+      })),
+      outputFile: args.output,
+    },
+  };
+}
diff --git a/packages/js-asset-auditor/lib/slug.mjs b/packages/js-asset-auditor/lib/slug.mjs
new file mode 100644
index 000000000..fcc0c7c0a
--- /dev/null
+++ b/packages/js-asset-auditor/lib/slug.mjs
@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+
+// JS Asset Slug Generator
+//
+// Shared utility for generating deterministic slugs for js-assets.toml entries.
+// Must produce identical output to the Rust proxy's KV key derivation.
+//
+// Algorithm:
+//   publisher_prefix = first_8_chars(base62(sha256(domain + "|" + url)))
+//   asset_stem       = filename_without_extension(url)
+//   slug             = "{publisher_prefix}:{asset_stem}"
+//
+// Usage:
+//   node packages/js-asset-auditor/lib/slug.mjs <publisher_domain> <origin_url>
+
+import { generateSlug } from "./process.mjs";
+
+const [publisherDomain, originUrl] = process.argv.slice(2);
+
+if (!publisherDomain || !originUrl) {
+  console.error(
+    "Usage: node packages/js-asset-auditor/lib/slug.mjs <publisher_domain> <origin_url>",
+  );
+  process.exit(1);
+}
+
+console.log(generateSlug(publisherDomain, originUrl));
diff --git a/packages/js-asset-auditor/package-lock.json b/packages/js-asset-auditor/package-lock.json
new file mode 100644
index 000000000..080a7ad90
--- /dev/null
+++ b/packages/js-asset-auditor/package-lock.json
@@ -0,0 +1,62 @@
+{
+  "name": "js-asset-auditor",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "js-asset-auditor",
+      "version": "1.0.0",
+      "dependencies": {
+        "playwright": "^1.58.0"
+      },
+      "bin": {
+        "audit-js-assets": "bin/audit-js-assets"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/playwright": {
+      "version": "1.59.1",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.59.1.tgz",
+      "integrity": "sha512-C8oWjPR3F81yljW9o5OxcWzfh6avkVwDD2VYdwIGqTkl+OGFISgypqzfu7dOe4QNLL2aqcWBmI3PMtLIK233lw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright-core": "1.59.1"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "fsevents": "2.3.2"
+      }
+    },
+    "node_modules/playwright-core": {
+      "version": "1.59.1",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.59.1.tgz",
+      "integrity": "sha512-HBV/RJg81z5BiiZ9yPzIiClYV/QMsDCKUyogwH9p3MCP6IYjUFu/MActgYAvK0oWyV9NlwM3GLBjADyWgydVyg==",
+      "license": "Apache-2.0",
+      "bin": {
+        "playwright-core": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    }
+  }
+}
diff --git a/packages/js-asset-auditor/package.json b/packages/js-asset-auditor/package.json
new file mode 100644
index 000000000..9f96c7197
--- /dev/null
+++ b/packages/js-asset-auditor/package.json
@@ -0,0 +1,15 @@
+{
+  "name": "js-asset-auditor",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "bin": {
+    "audit-js-assets": "./bin/audit-js-assets"
+  },
+  "scripts": {
+    "test": "node --test ./test/*.test.mjs"
+  },
+  "dependencies": {
+    "playwright": "^1.58.0"
+  }
+}
diff --git a/packages/js-asset-auditor/settings.json b/packages/js-asset-auditor/settings.json
new file mode 100644
index 000000000..c17ba006c
--- /dev/null
+++ b/packages/js-asset-auditor/settings.json
@@ -0,0 +1,7 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(audit-js-assets:*)"
+    ]
+  }
+}
diff --git a/packages/js-asset-auditor/skills/audit-js-assets/SKILL.md b/packages/js-asset-auditor/skills/audit-js-assets/SKILL.md
new file mode 100644
index 000000000..e5609a93a
--- /dev/null
+++ b/packages/js-asset-auditor/skills/audit-js-assets/SKILL.md
@@ -0,0 +1,79 @@
+---
+name: audit-js-assets
+description: Audit a publisher page for third-party JavaScript assets. Use when analyzing external scripts, generating js-assets.toml entries, or monitoring changes to a publisher's JS footprint.
+---
+
+Audit a publisher page for third-party JS assets and generate `js-assets.toml` entries.
+
+Usage: /js-asset-auditor:audit-js-assets $ARGUMENTS
+
+`$ARGUMENTS`: `<url> [--diff] [--domain <domain>] [--settle <ms>] [--first-party <host>,...] [--no-filter] [--headless] [--config [path]] [--force]`
+
+---
+
+Follow these steps exactly. Stop and report if any step fails.
+
+## 1. Run the auditor
+
+Run the Playwright CLI via Bash, forwarding all arguments from `$ARGUMENTS`:
+
+```bash
+audit-js-assets $ARGUMENTS
+```
+
+The CLI resolves the publisher domain from `--domain`, then `trusted-server.toml`, then the target URL if no config file exists. It opens a headed browser by default (use `--headless` to disable the UI), collects script URLs, processes them, and writes `js-assets.toml`. Progress lines appear on stderr; a JSON summary prints to stdout.
+
+If the command fails with "Playwright not installed" or "Chromium not installed", tell the user to run:
+
+```bash
+cd packages/js-asset-auditor && npm install && npx playwright install chromium
+```
+
+## 2. Show results
+
+Parse the JSON summary from stdout and print a formatted report.
+
+### Init mode
+
+```
+JS Asset Audit — {publisherDomain}
+────────────────────────────────
+Detected:  {totalDetected} third-party JS requests
+Filtered:  {heuristicFilteredTotal} ({host} x{count}, ...)
+Surfaced:  {surfaced} assets → js-assets.toml
+
+  {prefix}  inject_in_head={true|false}  {shortUrl}
+  {prefix}  inject_in_head={true|false}  {shortUrl}  [wildcard]
+  ...
+
+Review inject_in_head values and commit js-assets.toml when ready.
+Diff mode: /js-asset-auditor:audit-js-assets <url> --diff
+```
+
+### Diff mode
+
+```
+JS Asset Audit (diff) — {publisherDomain}
+────────────────────────────────
+Confirmed:  {confirmed.length} assets still present on page
+New:        {new.length} asset(s) detected (appended as comment to js-assets.toml)
+Missing:    {missing.length} asset(s) no longer seen on page ⚠
+
+  NEW      {prefix}  {shortUrl}  → review in js-assets.toml
+  MISSING  {slug}    {originUrl} → may have been removed or renamed
+```
+
+### Integration detection (when --config is used)
+
+If the JSON summary includes an `integrations` array, append:
+
+```
+Detected Integrations:
+  {id}  ✓ fully configured
+  {id}  ✓ {field}={value} (auto-detected)
+  {id}  ⚠ {field} needs manual input
+
+→ {config path} generated with {count} integrations
+```
+
+Use ✓ for `full` category and integrations with no TODOs. Use ⚠ for integrations with TODO fields.
diff --git a/packages/js-asset-auditor/test/audit.test.mjs b/packages/js-asset-auditor/test/audit.test.mjs
new file mode 100644
index 000000000..d73855aed
--- /dev/null
+++ b/packages/js-asset-auditor/test/audit.test.mjs
@@ -0,0 +1,187 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { mkdtempSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import {
+  ensureConfigPathWritable,
+  ensurePathWritable,
+  parseArgs,
+  readPublisherDomain,
+  resolvePublisherDomain,
+} from "../lib/audit.mjs";
+
+function captureExit(fn) {
+  const originalExit = process.exit;
+  const originalError = console.error;
+  const calls = [];
+
+  process.exit = (code) => {
+    const error = new Error(`process.exit:${code}`);
+    error.code = code;
+    throw error;
+  };
+  console.error = (...args) => {
+    calls.push(args.join(" "));
+  };
+
+  try {
+    fn();
+    assert.fail("Expected process.exit to be called");
+  } catch (error) {
+    assert.match(error.message, /^process\.exit:/);
+    return { error, stderr: calls.join("\n") };
+  } finally {
+    process.exit = originalExit;
+    console.error = originalError;
+  }
+}
+
+test("parseArgs rejects missing values instead of swallowing the next flag", () => {
+  const result = captureExit(() =>
+    parseArgs([
+      "node",
+      "audit.mjs",
+      "https://example.com",
+      "--first-party",
+      "--diff",
+    ]),
+  );
+
+  assert.equal(result.error.code, 1);
+  assert.match(result.stderr, /--first-party requires a value/);
+  assert.match(result.stderr, /Usage: audit-js-assets/);
+});
+
+test("parseArgs normalizes --first-party URL values to hostnames", () => {
+  const args = parseArgs([
+    "node",
+    "audit.mjs",
+    "example.com",
+    "--first-party",
+    "https://www.example.com/path, cdn.example.com ",
+  ]);
+
+  assert.deepEqual(args.firstParty, ["www.example.com", "cdn.example.com"]);
+});
+
+test("parseArgs rejects invalid --first-party values", () => {
+  const result = captureExit(() =>
+    parseArgs([
+      "node",
+      "audit.mjs",
+      "example.com",
+      "--first-party",
+      "not a host",
+    ]),
+  );
+
+  assert.equal(result.error.code, 1);
+  assert.match(result.stderr, /--first-party value is not a valid host/);
+});
+
+test("parseArgs keeps optional --config path semantics", () => {
+  const args = parseArgs([
+    "node",
+    "audit.mjs",
+    "example.com",
+    "--config",
+    "--diff",
+  ]);
+
+  assert.equal(args.url, "https://example.com");
+  assert.equal(args.config, "trusted-server.generated.toml");
+  assert.equal(args.diff, true);
+});
+
+test("parseArgs validates --settle as a non-negative integer", () => {
+  const result = captureExit(() =>
+    parseArgs([
+      "node",
+      "audit.mjs",
+      "https://example.com",
+      "--settle",
+      "abc",
+    ]),
+  );
+
+  assert.match(result.stderr, /--settle requires a non-negative integer value/);
+});
+
+test("readPublisherDomain reads a valid config and fails on malformed content", () => {
+  const repoRoot = mkdtempSync(join(tmpdir(), "js-asset-auditor-"));
+  writeFileSync(
+    join(repoRoot, "trusted-server.toml"),
+    "[publisher]\ndomain = \"publisher.com\"\n",
+  );
+
+  assert.equal(readPublisherDomain(repoRoot), "publisher.com");
+
+  writeFileSync(
+    join(repoRoot, "trusted-server.toml"),
+    "[publisher]\ndomain = 'publisher.com'\n",
+  );
+
+  assert.throws(
+    () => readPublisherDomain(repoRoot),
+    /Could not find \[publisher\]\.domain/,
+  );
+});
+
+test("resolvePublisherDomain reports the selected source", () => {
+  const repoRoot = mkdtempSync(join(tmpdir(), "js-asset-auditor-"));
+  writeFileSync(
+    join(repoRoot, "trusted-server.toml"),
+    "[publisher]\ndomain = \"config-domain.test\"\n",
+  );
+
+  const originalError = console.error;
+  const calls = [];
+  console.error = (...args) => {
+    calls.push(args.join(" "));
+  };
+
+  try {
+    const fromFlag = resolvePublisherDomain(
+      { domain: "flag-domain.test", url: "https://example.com" },
+      repoRoot,
+    );
+    const fromConfig = resolvePublisherDomain(
+      { domain: null, url: "https://example.com" },
+      repoRoot,
+    );
+
+    assert.equal(fromFlag, "flag-domain.test");
+    assert.equal(fromConfig, "config-domain.test");
+    assert.match(calls[0], /Using publisher domain from --domain: flag-domain\.test/);
+    assert.match(
+      calls[1],
+      /Using publisher domain from trusted-server\.toml: config-domain\.test/,
+    );
+  } finally {
+    console.error = originalError;
+  }
+});
+
+test("ensurePathWritable exits when a target already exists without --force", () => {
+  const repoRoot = mkdtempSync(join(tmpdir(), "js-asset-auditor-"));
+  const outputPath = join(repoRoot, "js-assets.toml");
+  writeFileSync(outputPath, "[[js_assets]]\n");
+
+  const result = captureExit(() => ensurePathWritable(outputPath, false));
+
+  assert.equal(result.error.code, 1);
+  assert.match(result.stderr, /already exists\. Use --force to overwrite\./);
+});
+
+test("ensureConfigPathWritable exits when config already exists without --force", () => {
+  const repoRoot = mkdtempSync(join(tmpdir(), "js-asset-auditor-"));
+  const configPath = join(repoRoot, "trusted-server.generated.toml");
+  writeFileSync(configPath, "[publisher]\n");
+
+  const result = captureExit(() => ensureConfigPathWritable(configPath, false));
+
+  assert.equal(result.error.code, 1);
+  assert.match(result.stderr, /already exists\. Use --force to overwrite\./);
+});
diff --git a/packages/js-asset-auditor/test/detect.test.mjs b/packages/js-asset-auditor/test/detect.test.mjs
new file mode 100644
index 000000000..36c82b0e6
--- /dev/null
+++ b/packages/js-asset-auditor/test/detect.test.mjs
@@ -0,0 +1,187 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+
+import { detectIntegrations, generateConfig } from "../lib/detect.mjs";
+
+test("detectIntegrations matches GTM script path exactly", () => {
+  const detection = detectIntegrations([
+    "https://www.googletagmanager.com/gtm.js?id=GTM-TEST",
+    "https://www.googletagmanager.com/foo/gtm.js.bak?id=GTM-WRONG",
+  ]);
+
+  assert.equal(detection.integrations.length, 1);
+  assert.equal(detection.integrations[0].id, "google_tag_manager");
+  assert.deepEqual(detection.integrations[0].extracted, {
+    container_id: "GTM-TEST",
+  });
+});
+
+test("detectIntegrations matches APS documented path prefix", () => {
+  const detection = detectIntegrations([
+    "https://c.amazon-adsystem.com/aax2/apstag.js",
+    "https://c.amazon-adsystem.com/foo/apstag/bar.js",
+  ]);
+
+  assert.equal(detection.integrations.length, 1);
+  assert.equal(detection.integrations[0].id, "aps");
+});
+
+test("detectIntegrations matches Lockr only on exact hosts or subdomains", () => {
+  const detection = detectIntegrations([
+    "https://aim.loc.kr/identity-lockr-trust-server.js",
+    "https://sub.aim.loc.kr/identity-lockr-trust-server.js",
+    "https://identity.loc.kr/identity-lockr-trust-server.js",
+    "https://notaim.loc.kr/identity-lockr-trust-server.js",
+    "https://aim.loc.kr.attacker.com/identity-lockr-trust-server.js",
+  ]);
+
+  assert.equal(detection.integrations.length, 1);
+  assert.equal(detection.integrations[0].id, "lockr");
+  assert.deepEqual(detection.integrations[0].sourceUrls, [
+    "https://aim.loc.kr/identity-lockr-trust-server.js",
+    "https://sub.aim.loc.kr/identity-lockr-trust-server.js",
+    "https://identity.loc.kr/identity-lockr-trust-server.js",
+  ]);
+});
+
+test("detectIntegrations picks up prebid wrapper/load script names", () => {
+  const detection = detectIntegrations([
+    "https://web.prebidwrapper.com/golf-WnLmpLyEjL/default-v2/prebid-load.js",
+    "https://cdn.vendor.test/prebid.min.js",
+  ]);
+
+  const prebid = detection.integrations.find((entry) => entry.id === "prebid");
+  assert.equal(prebid.todos.includes("server_url"), true);
+  assert.equal(prebid.todos.includes("bidders"), true);
+});
+
+test("detectIntegrations adds runtime Prebid bidders when available", () => {
+  const detection = detectIntegrations(
+    ["https://web.prebidwrapper.com/golf-WnLmpLyEjL/default-v2/prebid-load.js"],
+    { prebidBidders: ["ix", "kargo", "rubicon"] },
+  );
+
+  const prebid = detection.integrations.find((entry) => entry.id === "prebid");
+  assert.deepEqual(prebid.extracted.bidders, ["ix", "kargo", "rubicon"]);
+  assert.equal(prebid.todos.includes("server_url"), true);
+  assert.equal(prebid.todos.includes("bidders"), false);
+});
+
+test("generateConfig comments TODO fields so Prebid config stays parseable", () => {
+  const detection = detectIntegrations([
+    "https://cdn.vendor.test/prebid.min.js",
+    "https://aim.loc.kr/identity-lockr-trust-server.js",
+  ]);
+  const config = generateConfig(
+    "publisher.com",
+    "https://www.publisher.com",
+    detection,
+  );
+
+  assert.match(
+    config,
+    /\[integrations\.prebid\][\s\S]*# server_url = ""  # TODO: set your Prebid Header Bidding server_url/,
+  );
+  assert.match(
+    config,
+    /\[integrations\.prebid\][\s\S]*# bidders = ""  # TODO: set your Prebid Header Bidding bidders/,
+  );
+  assert.doesNotMatch(config, /^bidders = ""/m);
+  assert.match(
+    config,
+    /\[integrations\.lockr\][\s\S]*# app_id = ""  # TODO: set your Lockr Identity app_id/,
+  );
+});
+
+test("generateConfig writes auto-detected Prebid bidders", () => {
+  const detection = detectIntegrations(
+    ["https://web.prebidwrapper.com/golf-WnLmpLyEjL/default-v2/prebid-load.js"],
+    { prebidBidders: ["ix", "kargo"] },
+  );
+
+  const config = generateConfig(
+    "publisher.com",
+    "https://www.publisher.com",
+    detection,
+  );
+
+  assert.match(config, /\[integrations\.prebid\]\nenabled = false/);
+  assert.match(config, /bidders = \["ix", "kargo"\]  # auto-detected/);
+  assert.match(
+    config,
+    /# server_url = ""  # TODO: set your Prebid Header Bidding server_url/,
+  );
+  assert.doesNotMatch(config, /# bidders = ""/);
+});
+
+test("generateConfig only auto-enables fully configured integrations", () => {
+  const config = generateConfig("publisher.com", "https://www.publisher.com", {
+    integrations: [
+      {
+        id: "gpt",
+        label: "Google Publisher Tags",
+        category: "full",
+        extracted: { script_url: "https://securepubads.g.doubleclick.net/tag/js/gpt.js" },
+        defaults: {},
+        todos: [],
+      },
+      {
+        id: "google_tag_manager",
+        label: "Google Tag Manager",
+        category: "partial",
+        extracted: {},
+        defaults: {},
+        todos: ["container_id"],
+      },
+      {
+        id: "prebid",
+        label: "Prebid Header Bidding",
+        category: "detect_only",
+        extracted: {},
+        defaults: { timeout_ms: 1000 },
+        todos: ["server_url", "bidders"],
+      },
+    ],
+  });
+
+  assert.match(config, /\[integrations\.gpt\]\nenabled = true/);
+  assert.match(config, /\[integrations\.google_tag_manager\]\nenabled = false/);
+  assert.match(config, /\[integrations\.prebid\]\nenabled = false/);
+});
+
+test("generateConfig includes Permutive override defaults", () => {
+  const detection = detectIntegrations([
+    "https://myorg.edge.permutive.app/workspace-web.js",
+  ]);
+  const config = generateConfig(
+    "publisher.com",
+    "https://www.publisher.com",
+    detection,
+  );
+
+  assert.match(config, /# cache_ttl_seconds = 3600/);
+  assert.match(config, /# rewrite_sdk = true/);
+});
+
+test("generateConfig escapes TOML strings safely", () => {
+  const config = generateConfig("pub\\domain.com", 'https://example.com/?q="quoted"', {
+    integrations: [
+      {
+        id: "gpt",
+        label: "Google Publisher Tags",
+        category: "full",
+        extracted: {
+          script_url: 'https://cdn.example.com/tag/"quoted"\\path.js',
+        },
+        defaults: {},
+        todos: [],
+      },
+    ],
+  });
+
+  assert.match(config, /domain = "pub\\\\domain\.com"/);
+  assert.match(
+    config,
+    /script_url = "https:\/\/cdn\.example\.com\/tag\/\\"quoted\\"\\\\path\.js"  # auto-detected/,
+  );
+});
diff --git a/packages/js-asset-auditor/test/process.test.mjs b/packages/js-asset-auditor/test/process.test.mjs
new file mode 100644
index 000000000..5d8fd20ee
--- /dev/null
+++ b/packages/js-asset-auditor/test/process.test.mjs
@@ -0,0 +1,178 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { mkdtempSync, readFileSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import {
+  formatTomlEntry,
+  parseExistingToml,
+  processAssets,
+} from "../lib/process.mjs";
+
+test("processAssets skips non-http script URLs", () => {
+  const result = processAssets(
+    {
+      networkUrls: [
+        "data:text/javascript,console.log(1)",
+        "blob:https://example.com/abc-123",
+        "https://cdn.vendor.test/loader.js",
+      ],
+      headUrls: [
+        "data:text/javascript,console.log(1)",
+        "blob:https://example.com/abc-123",
+        "https://cdn.vendor.test/loader.js",
+      ],
+    },
+    {
+      domain: "publisher.com",
+      target: "https://www.publisher.com",
+      output: "js-assets.toml",
+      diff: false,
+      firstParty: [],
+      noFilter: true,
+    },
+  );
+
+  assert.equal(result.summary.surfaced, 1);
+  assert.match(result.toml, /origin_url = "https:\/\/cdn\.vendor\.test\/loader\.js"/);
+  assert.doesNotMatch(result.toml, /origin_url = "null/);
+  assert.doesNotMatch(result.toml, /blob:/);
+  assert.doesNotMatch(result.toml, /https:\/\/example\.comhttps:\/\/example\.com/);
+});
+
+test("processAssets marks wildcarded assets as head-injected when any original is in head", () => {
+  const result = processAssets(
+    {
+      networkUrls: [
+        "https://cdn.vendor.test/prod/1.19.8/raven.js",
+        "https://cdn.vendor.test/prod/1.19.9/raven.js",
+      ],
+      headUrls: ["https://cdn.vendor.test/prod/1.19.9/raven.js"],
+    },
+    {
+      domain: "publisher.com",
+      target: "https://www.publisher.com",
+      output: "js-assets.toml",
+      diff: false,
+      firstParty: [],
+      noFilter: true,
+    },
+  );
+
+  assert.equal(result.summary.surfaced, 1);
+  assert.match(result.toml, /origin_url = "https:\/\/cdn\.vendor\.test\/prod\/\*\/raven\.js"/);
+  assert.equal(result.summary.assets[0].injectInHead, true);
+  assert.match(result.toml, /inject_in_head = true/);
+});
+
+test("processAssets leaves wildcarded assets body-only when no original is in head", () => {
+  const result = processAssets(
+    {
+      networkUrls: [
+        "https://cdn.vendor.test/prod/1.19.8/raven.js",
+        "https://cdn.vendor.test/prod/1.19.9/raven.js",
+      ],
+      headUrls: [],
+    },
+    {
+      domain: "publisher.com",
+      target: "https://www.publisher.com",
+      output: "js-assets.toml",
+      diff: false,
+      firstParty: [],
+      noFilter: true,
+    },
+  );
+
+  assert.equal(result.summary.surfaced, 1);
+  assert.equal(result.summary.assets[0].injectInHead, false);
+  assert.match(result.toml, /inject_in_head = false/);
+});
+
+test("formatTomlEntry escapes TOML strings", () => {
+  const toml = formatTomlEntry({
+    slug: 'prefix:quote"slash\\asset',
+    path: '/js-assets/prefix/quote"slash\\asset.js',
+    originUrl: 'https://cdn.example.com/quote"slash\\asset.js',
+    injectInHead: true,
+    hasWildcard: false,
+  });
+
+  assert.match(toml, /slug = "prefix:quote\\"slash\\\\asset"/);
+  assert.match(toml, /path = "\/js-assets\/prefix\/quote\\"slash\\\\asset\.js"/);
+  assert.match(
+    toml,
+    /origin_url = "https:\/\/cdn\.example\.com\/quote\\"slash\\\\asset\.js"/,
+  );
+});
+
+test("parseExistingToml includes commented diff suggestions", () => {
+  const content = `[[js_assets]]
+slug = "live:asset"
+origin_url = "https://cdn.example.com/live.js"
+
+# [[js_assets]]
+# slug = "pending:asset"
+# origin_url = "https://cdn.example.com/pending.js"
+`;
+
+  assert.deepEqual(parseExistingToml(content), [
+    {
+      slug: "live:asset",
+      originUrl: "https://cdn.example.com/live.js",
+    },
+    {
+      slug: "pending:asset",
+      originUrl: "https://cdn.example.com/pending.js",
+    },
+  ]);
+});
+
+test("processAssets diff mode is idempotent across repeated runs", () => {
+  const outputDir = mkdtempSync(join(tmpdir(), "js-asset-auditor-"));
+  const outputPath = join(outputDir, "js-assets.toml");
+
+  writeFileSync(
+    outputPath,
+    `[[js_assets]]
+slug = "existing:asset"
+path = "/js-assets/existing/loader.js"
+origin_url = "https://cdn.example.com/existing.js"
+inject_in_head = true
+`,
+  );
+
+  const input = {
+    networkUrls: [
+      "https://cdn.example.com/existing.js",
+      "https://cdn.vendor.test/new-loader.js",
+    ],
+    headUrls: [
+      "https://cdn.example.com/existing.js",
+      "https://cdn.vendor.test/new-loader.js",
+    ],
+  };
+
+  const args = {
+    domain: "publisher.com",
+    target: "https://www.publisher.com",
+    output: outputPath,
+    diff: true,
+    firstParty: [],
+    noFilter: true,
+  };
+
+  const firstRun = processAssets(input, args);
+  assert.equal(firstRun.summary.new.length, 1);
+  writeFileSync(outputPath, firstRun.toml);
+
+  const secondRun = processAssets(input, args);
+  assert.equal(secondRun.summary.new.length, 0);
+  assert.equal(secondRun.summary.confirmed.length, 2);
+  assert.equal(secondRun.summary.missing.length, 0);
+  assert.equal(
+    readFileSync(outputPath, "utf8").match(/# \[\[js_assets\]\]/g)?.length,
+    1,
+  );
+});
diff --git a/packages/js-asset-auditor/test/slug.test.mjs b/packages/js-asset-auditor/test/slug.test.mjs
new file mode 100644
index 000000000..ea5050466
--- /dev/null
+++ b/packages/js-asset-auditor/test/slug.test.mjs
@@ -0,0 +1,22 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { execFileSync } from "node:child_process";
+import { fileURLToPath } from "node:url";
+
+import { generateSlug } from "../lib/process.mjs";
+
+const repoRoot = fileURLToPath(new URL("../../..", import.meta.url));
+
+test("scripts/js-asset-slug.mjs reuses the shared slug implementation", () => {
+  const publisherDomain = "test-publisher.com";
+  const originUrl = "https://vendor.io/sdk/loader.js";
+
+  const direct = generateSlug(publisherDomain, originUrl);
+  const fromScript = execFileSync(
+    process.execPath,
+    ["scripts/js-asset-slug.mjs", publisherDomain, originUrl],
+    { cwd: repoRoot, encoding: "utf8" },
+  ).trim();
+
+  assert.equal(fromScript, direct);
+});
diff --git a/scripts/js-asset-slug.mjs b/scripts/js-asset-slug.mjs
new file mode 100755
index 000000000..f22757596
--- /dev/null
+++ b/scripts/js-asset-slug.mjs
@@ -0,0 +1,32 @@
+#!/usr/bin/env node
+
+// JS Asset Slug Generator
+//
+// Shared utility for generating deterministic slugs for js-assets.toml entries.
+// Used by the /audit-js-assets command and must produce identical output to the
+// Rust proxy's KV key derivation.
+//
+// Algorithm:
+//   publisher_prefix = first_8_chars(base62(sha256(domain + "|" + url)))
+//   asset_stem       = filename_without_extension(url)
+//   slug             = "{publisher_prefix}:{asset_stem}"
+//
+// base62 charset: 0-9A-Za-z (digits first, then uppercase, then lowercase)
+//
+// Usage:
+//   node scripts/js-asset-slug.mjs <publisher_domain> <origin_url>
+//   node scripts/js-asset-slug.mjs test-publisher.com https://vendor.io/sdk/loader.js
+//   # Output: <8-char-prefix>:loader
+
+import { generateSlug } from "../packages/js-asset-auditor/lib/process.mjs";
+
+const [publisherDomain, originUrl] = process.argv.slice(2);
+
+if (!publisherDomain || !originUrl) {
+  console.error(
+    "Usage: node scripts/js-asset-slug.mjs <publisher_domain> <origin_url>",
+  );
+  process.exit(1);
+}
+
+console.log(generateSlug(publisherDomain, originUrl));