@jackwener/opencli 1.2.5 → 1.3.0

package/extension/src/background.ts

@@ -88,7 +88,7 @@ function scheduleReconnect(): void {
 // ─── Automation window isolation ─────────────────────────────────────
 // All opencli operations happen in a dedicated Chrome window so the
 // user's active browsing session is never touched.
-// The window auto-closes after 30s of idle (no commands).
+// The window auto-closes after 120s of idle (no commands).
 
 type AutomationSession = {
   windowId: number;
@@ -247,7 +247,6 @@ async function resolveTabId(tabId: number | undefined, workspace: string): Promi
   if (tabId !== undefined) {
     try {
       const tab = await chrome.tabs.get(tabId);
-      console.log(`[opencli] resolveTabId: explicit tabId=${tabId}, url=${tab.url}`);
       if (isDebuggableUrl(tab.url)) return tabId;
       // Tab exists but URL is not debuggable — fall through to auto-resolve
       console.warn(`[opencli] Tab ${tabId} URL is not debuggable (${tab.url}), re-resolving`);
@@ -260,42 +259,27 @@ async function resolveTabId(tabId: number | undefined, workspace: string): Promi
   // Get (or create) the automation window
   const windowId = await getAutomationWindow(workspace);
 
-  // Prefer an existing debuggable tab (about:blank, http://, https://, etc.)
+  // Prefer an existing debuggable tab
   const tabs = await chrome.tabs.query({ windowId });
   const debuggableTab = tabs.find(t => t.id && isDebuggableUrl(t.url));
-  if (debuggableTab?.id) {
-    console.log(`[opencli] resolveTabId: found debuggable tab ${debuggableTab.id} (${debuggableTab.url})`);
-    return debuggableTab.id;
-  }
-  console.warn(`[opencli] resolveTabId: no debuggable tabs found, tabs: ${tabs.map(t => `${t.id}=${t.url}`).join(', ')}`);
+  if (debuggableTab?.id) return debuggableTab.id;
 
-  // No debuggable tab found — this typically happens when a "New Tab Override"
-  // extension replaces about:blank with a chrome-extension:// page.
-  // Reuse the first existing tab by navigating it to about:blank (avoids
-  // accumulating orphan tabs if chrome.tabs.create is also intercepted).
+  // No debuggable tab — another extension may have hijacked the tab URL.
+  // Try to reuse by navigating to a data: URI (not interceptable by New Tab Override).
   const reuseTab = tabs.find(t => t.id);
   if (reuseTab?.id) {
     await chrome.tabs.update(reuseTab.id, { url: 'data:text/html,<html></html>' });
-    // Wait for the navigation to take effect
     await new Promise(resolve => setTimeout(resolve, 300));
-    // Verify the URL is actually debuggable (New Tab Override may have intercepted)
     try {
       const updated = await chrome.tabs.get(reuseTab.id);
       if (isDebuggableUrl(updated.url)) return reuseTab.id;
-      // New Tab Override intercepted about:blank — try data: URI instead
-      console.warn(`[opencli] about:blank was intercepted (${updated.url}), trying data: URI`);
-      await chrome.tabs.update(reuseTab.id, { url: 'data:text/html,<html></html>' });
-      await new Promise(resolve => setTimeout(resolve, 300));
-      const updated2 = await chrome.tabs.get(reuseTab.id);
-      if (isDebuggableUrl(updated2.url)) return reuseTab.id;
-      // data: URI also intercepted — create a brand new tab
-      console.warn(`[opencli] data: URI also intercepted, creating fresh tab`);
+      console.warn(`[opencli] data: URI was intercepted (${updated.url}), creating fresh tab`);
     } catch {
       // Tab was closed during navigation
     }
   }
 
-  // Window has no debuggable tabs — create one
+  // Fallback: create a new tab
   const newTab = await chrome.tabs.create({ windowId, url: 'data:text/html,<html></html>', active: true });
   if (!newTab.id) throw new Error('Failed to create tab in automation window');
   return newTab.id;

package/extension/src/cdp.ts

@@ -47,15 +47,18 @@ async function ensureAttached(tabId: number): Promise<void> {
     await chrome.debugger.attach({ tabId }, '1.3');
   } catch (e: unknown) {
     const msg = e instanceof Error ? e.message : String(e);
+    const hint = msg.includes('chrome-extension://')
+      ? '. Tip: another Chrome extension may be interfering — try disabling other extensions'
+      : '';
     if (msg.includes('Another debugger is already attached')) {
       try { await chrome.debugger.detach({ tabId }); } catch { /* ignore */ }
       try {
         await chrome.debugger.attach({ tabId }, '1.3');
       } catch {
-        throw new Error(`attach failed: ${msg}`);
+        throw new Error(`attach failed: ${msg}${hint}`);
       }
     } else {
-      throw new Error(`attach failed: ${msg}`);
+      throw new Error(`attach failed: ${msg}${hint}`);
     }
   }
   attached.add(tabId);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jackwener/opencli",
-  "version": "1.2.5",
+  "version": "1.3.0",
   "publishConfig": {
     "access": "public"
   },

package/src/browser/cdp.ts

@@ -20,6 +20,7 @@ import {
   scrollJs,
   autoScrollJs,
   networkRequestsJs,
+  waitForDomStableJs,
 } from './dom-helpers.js';
 
 export interface CDPTarget {
@@ -177,10 +178,11 @@ class CDPPage implements IPage {
       .catch(() => {}); // Don't fail if event times out
     await this.bridge.send('Page.navigate', { url });
     await loadPromise;
-    // Post-load settle: SPA frameworks need extra time to render after load event
+    // Smart settle: use DOM stability detection instead of fixed sleep.
+    // settleMs is now a timeout cap (default 1000ms), not a fixed wait.
     if (options?.waitUntil !== 'none') {
-      const settleMs = options?.settleMs ?? 1000;
-      await new Promise(resolve => setTimeout(resolve, settleMs));
+      const maxMs = options?.settleMs ?? 1000;
+      await this.evaluate(waitForDomStableJs(maxMs, Math.min(500, maxMs)));
     }
   }
 

package/src/browser/daemon-client.ts

@@ -44,7 +44,10 @@ export async function isDaemonRunning(): Promise<boolean> {
   try {
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), 2000);
-    const res = await fetch(`${DAEMON_URL}/status`, { signal: controller.signal });
+    const res = await fetch(`${DAEMON_URL}/status`, {
+      headers: { 'X-OpenCLI': '1' },
+      signal: controller.signal,
+    });
     clearTimeout(timer);
     return res.ok;
   } catch {
@@ -59,7 +62,10 @@ export async function isExtensionConnected(): Promise<boolean> {
   try {
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), 2000);
-    const res = await fetch(`${DAEMON_URL}/status`, { signal: controller.signal });
+    const res = await fetch(`${DAEMON_URL}/status`, {
+      headers: { 'X-OpenCLI': '1' },
+      signal: controller.signal,
+    });
     clearTimeout(timer);
     if (!res.ok) return false;
     const data = await res.json() as { extensionConnected?: boolean };
@@ -90,7 +96,7 @@ export async function sendCommand(
 
       const res = await fetch(`${DAEMON_URL}/command`, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: { 'Content-Type': 'application/json', 'X-OpenCLI': '1' },
         body: JSON.stringify(command),
         signal: controller.signal,
       });

package/src/browser/discover.ts

@@ -18,7 +18,9 @@ export async function checkDaemonStatus(): Promise<{
 }> {
   try {
     const port = parseInt(process.env.OPENCLI_DAEMON_PORT ?? '19825', 10);
-    const res = await fetch(`http://127.0.0.1:${port}/status`);
+    const res = await fetch(`http://127.0.0.1:${port}/status`, {
+      headers: { 'X-OpenCLI': '1' },
+    });
     const data = await res.json() as { ok: boolean; extensionConnected: boolean };
     return { running: true, extensionConnected: data.extensionConnected };
   } catch {

package/src/browser/dom-helpers.ts

@@ -145,3 +145,37 @@ export function networkRequestsJs(includeStatic: boolean): string {
     })()
   `;
 }
+
+/**
+ * Generate JS to wait until the DOM stabilizes (no mutations for `quietMs`),
+ * with a hard cap at `maxMs`. Uses MutationObserver in the browser.
+ *
+ * Returns as soon as the page stops changing, avoiding unnecessary fixed waits.
+ * If document.body is not available, falls back to a fixed sleep of maxMs.
+ */
+export function waitForDomStableJs(maxMs: number, quietMs: number): string {
+  return `
+    new Promise(resolve => {
+      if (!document.body) {
+        setTimeout(() => resolve('nobody'), ${maxMs});
+        return;
+      }
+      let timer = null;
+      let cap = null;
+      const done = (reason) => {
+        clearTimeout(timer);
+        clearTimeout(cap);
+        obs.disconnect();
+        resolve(reason);
+      };
+      const resetQuiet = () => {
+        clearTimeout(timer);
+        timer = setTimeout(() => done('quiet'), ${quietMs});
+      };
+      const obs = new MutationObserver(resetQuiet);
+      obs.observe(document.body, { childList: true, subtree: true, attributes: true });
+      resetQuiet();
+      cap = setTimeout(() => done('capped'), ${maxMs});
+    })
+  `;
+}

package/src/browser/page.ts

@@ -23,6 +23,7 @@ import {
   scrollJs,
   autoScrollJs,
   networkRequestsJs,
+  waitForDomStableJs,
 } from './dom-helpers.js';
 
 /**
@@ -53,11 +54,15 @@ export class Page implements IPage {
     if (result?.tabId) {
       this._tabId = result.tabId;
     }
-    // Post-load settle: the extension already waits for tab.status === 'complete',
-    // but SPA frameworks (React/Vue) need extra time to render after DOM load.
+    // Smart settle: use DOM stability detection instead of fixed sleep.
+    // settleMs is now a timeout cap (default 1000ms), not a fixed wait.
     if (options?.waitUntil !== 'none') {
-      const settleMs = options?.settleMs ?? 1000;
-      await new Promise(resolve => setTimeout(resolve, settleMs));
+      const maxMs = options?.settleMs ?? 1000;
+      await sendCommand('exec', {
+        code: waitForDomStableJs(maxMs, Math.min(500, maxMs)),
+        ...this._workspaceOpt(),
+        ...this._tabOpt(),
+      });
     }
   }
 

package/src/cli.ts

@@ -202,12 +202,12 @@ export function runCli(BUILTIN_CLIS: string, USER_CLIS: string): void {
       console.log(renderCascadeResult(result));
     });
 
-  // ── Built-in: doctor / setup / completion ─────────────────────────────────
+  // ── Built-in: doctor / completion ──────────────────────────────────────────
 
   program
     .command('doctor')
     .description('Diagnose opencli browser bridge connectivity')
-    .option('--live', 'Test browser connectivity (requires Chrome running)', false)
+    .option('--no-live', 'Skip live browser connectivity test')
     .option('--sessions', 'Show active automation sessions', false)
     .action(async (opts) => {
       const { runBrowserDoctor, renderBrowserDoctorReport } = await import('./doctor.js');
@@ -215,14 +215,6 @@ export function runCli(BUILTIN_CLIS: string, USER_CLIS: string): void {
       console.log(renderBrowserDoctorReport(report));
     });
 
-  program
-    .command('setup')
-    .description('Interactive setup: verify browser bridge connectivity')
-    .action(async () => {
-      const { runSetup } = await import('./setup.js');
-      await runSetup({ cliVersion: PKG_VERSION });
-    });
-
   program
     .command('completion')
     .description('Output shell completion script')

package/src/daemon.ts

@@ -5,6 +5,14 @@
  *   CLI → HTTP POST /command → daemon → WebSocket → Extension
  *   Extension → WebSocket result → daemon → HTTP response → CLI
  *
+ * Security (defense-in-depth against browser-based CSRF):
+ *   1. Origin check — reject HTTP/WS from non chrome-extension:// origins
+ *   2. Custom header — require X-OpenCLI header (browsers can't send it
+ *      without CORS preflight, which we deny)
+ *   3. No CORS headers — responses never include Access-Control-Allow-Origin
+ *   4. Body size limit — 1 MB max to prevent OOM
+ *   5. WebSocket verifyClient — reject upgrade before connection is established
+ *
  * Lifecycle:
  *   - Auto-spawned by opencli on first browser command
  *   - Auto-exits after 5 minutes of idle
@@ -49,25 +57,56 @@ function resetIdleTimer(): void {
 
 // ─── HTTP Server ─────────────────────────────────────────────────────
 
+const MAX_BODY = 1024 * 1024; // 1 MB — commands are tiny; this prevents OOM
+
 function readBody(req: IncomingMessage): Promise<string> {
   return new Promise((resolve, reject) => {
     const chunks: Buffer[] = [];
-    req.on('data', (c: Buffer) => chunks.push(c));
+    let size = 0;
+    req.on('data', (c: Buffer) => {
+      size += c.length;
+      if (size > MAX_BODY) { req.destroy(); reject(new Error('Body too large')); return; }
+      chunks.push(c);
+    });
     req.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
     req.on('error', reject);
   });
 }
 
 function jsonResponse(res: ServerResponse, status: number, data: unknown): void {
-  res.writeHead(status, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
+  res.writeHead(status, { 'Content-Type': 'application/json' });
   res.end(JSON.stringify(data));
 }
 
 async function handleRequest(req: IncomingMessage, res: ServerResponse): Promise<void> {
-  res.setHeader('Access-Control-Allow-Origin', '*');
-  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-  res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
-  if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
+  // ─── Security: Origin & custom-header check ──────────────────────
+  // Block browser-based CSRF: browsers always send an Origin header on
+  // cross-origin requests.  Node.js CLI fetch does NOT send Origin, so
+  // legitimate CLI requests pass through.  Chrome Extension connects via
+  // WebSocket (which bypasses this HTTP handler entirely).
+  const origin = req.headers['origin'] as string | undefined;
+  if (origin && !origin.startsWith('chrome-extension://')) {
+    jsonResponse(res, 403, { ok: false, error: 'Forbidden: cross-origin request blocked' });
+    return;
+  }
+
+  // CORS: do NOT send Access-Control-Allow-Origin for normal requests.
+  // Only handle preflight so browsers get a definitive "no" answer.
+  if (req.method === 'OPTIONS') {
+    // No ACAO header → browser will block the actual request.
+    res.writeHead(204);
+    res.end();
+    return;
+  }
+
+  // Require custom header on all HTTP requests.  Browsers cannot attach
+  // custom headers in "simple" requests, and our preflight returns no
+  // Access-Control-Allow-Headers, so scripted fetch() from web pages is
+  // blocked even if Origin check is somehow bypassed.
+  if (!req.headers['x-opencli']) {
+    jsonResponse(res, 403, { ok: false, error: 'Forbidden: missing X-OpenCLI header' });
+    return;
+  }
 
   const url = req.url ?? '/';
   const pathname = url.split('?')[0];
@@ -136,7 +175,18 @@ async function handleRequest(req: IncomingMessage, res: ServerResponse): Promise
 // ─── WebSocket for Extension ─────────────────────────────────────────
 
 const httpServer = createServer((req, res) => { handleRequest(req, res).catch(() => { res.writeHead(500); res.end(); }); });
-const wss = new WebSocketServer({ server: httpServer, path: '/ext' });
+const wss = new WebSocketServer({
+  server: httpServer,
+  path: '/ext',
+  verifyClient: ({ req }: { req: IncomingMessage }) => {
+    // Block browser-originated WebSocket connections.  Browsers don't
+    // enforce CORS on WebSocket, so a malicious webpage could connect to
+    // ws://localhost:19825/ext and impersonate the Extension.  Real Chrome
+    // Extensions send origin chrome-extension://<id>.
+    const origin = req.headers['origin'] as string | undefined;
+    return !origin || origin.startsWith('chrome-extension://');
+  },
+});
 
 wss.on('connection', (ws: WebSocket) => {
   console.error('[daemon] Extension connected');

package/src/doctor.test.ts

@@ -84,36 +84,28 @@ describe('doctor report rendering', () => {
       issues: [],
     }));
 
-    expect(text).toContain('[SKIP] Connectivity: not tested (use --live)');
+    expect(text).toContain('[SKIP] Connectivity: skipped (--no-live)');
   });
 
   it('reports consistent status when live check auto-starts the daemon', async () => {
-    // With the reordered flow, checkDaemonStatus is called only ONCE — after
-    // the connectivity check that may auto-start the daemon.
-    mockCheckDaemonStatus.mockResolvedValueOnce({ running: true, extensionConnected: false });
-    mockConnect.mockRejectedValueOnce(new Error(
-      'Daemon is running but the Browser Extension is not connected.\n' +
-      'Please install and enable the opencli Browser Bridge extension in Chrome.',
-    ));
-
-    const report = await runBrowserDoctor({ live: true });
-
-    // Status reflects the post-connectivity state (daemon running)
-    expect(report.daemonRunning).toBe(true);
+    // checkDaemonStatus is called twice: once for auto-start check, once for final status.
+    // First call: daemon not running (triggers auto-start attempt)
+    mockCheckDaemonStatus.mockResolvedValueOnce({ running: false, extensionConnected: false });
+    // Auto-start attempt via BrowserBridge.connect fails
+    mockConnect.mockRejectedValueOnce(new Error('Could not start daemon'));
+    // Second call: daemon still not running after failed auto-start
+    mockCheckDaemonStatus.mockResolvedValueOnce({ running: false, extensionConnected: false });
+
+    const report = await runBrowserDoctor({ live: false });
+
+    // Status reflects daemon not running
+    expect(report.daemonRunning).toBe(false);
     expect(report.extensionConnected).toBe(false);
-    // checkDaemonStatus should only be called once
-    expect(mockCheckDaemonStatus).toHaveBeenCalledTimes(1);
-    // Should NOT report "daemon not running" since it IS running after live check
-    expect(report.issues).not.toContain(
-      expect.stringContaining('Daemon is not running'),
-    );
-    // Should report extension not connected
-    expect(report.issues).toEqual(expect.arrayContaining([
-      expect.stringContaining('Chrome extension is not connected'),
-    ]));
-    // Should report connectivity failure
+    // checkDaemonStatus called twice (initial + final)
+    expect(mockCheckDaemonStatus).toHaveBeenCalledTimes(2);
+    // Should report daemon not running
     expect(report.issues).toEqual(expect.arrayContaining([
-      expect.stringContaining('Browser connectivity test failed'),
+      expect.stringContaining('Daemon is not running'),
     ]));
   });
 });

package/src/doctor.ts

@@ -51,7 +51,19 @@ export async function checkConnectivity(opts?: { timeout?: number }): Promise<Co
 }
 
 export async function runBrowserDoctor(opts: DoctorOptions = {}): Promise<DoctorReport> {
-  // Run the live connectivity check first — it may auto-start the daemon as a
+  // Try to auto-start daemon if it's not running, so we show accurate status.
+  let initialStatus = await checkDaemonStatus();
+  if (!initialStatus.running) {
+    try {
+      const mcp = new BrowserBridge();
+      await mcp.connect({ timeout: 5 });
+      await mcp.close();
+    } catch {
+      // Auto-start failed; we'll report it below.
+    }
+  }
+
+  // Run the live connectivity check — it may also auto-start the daemon as a
   // side-effect, so we read daemon status only *after* all side-effects settle.
   let connectivity: ConnectivityResult | undefined;
   if (opts.live) {
@@ -109,7 +121,7 @@ export function renderBrowserDoctorReport(report: DoctorReport): string {
       : `failed (${report.connectivity.error ?? 'unknown'})`;
     lines.push(`${connIcon} Connectivity: ${detail}`);
   } else {
-    lines.push(`${chalk.dim('[SKIP]')} Connectivity: not tested (use --live)`);
+    lines.push(`${chalk.dim('[SKIP]')} Connectivity: skipped (--no-live)`);
   }
 
   if (report.sessions) {

package/dist/setup.d.ts

@@ -1,10 +0,0 @@
-/**
- * setup.ts — Interactive browser setup for opencli
- *
- * Simplified for daemon-based architecture. No more token management.
- * Just verifies daemon + extension connectivity.
- */
-export declare function runSetup(opts?: {
-    cliVersion?: string;
-    token?: string;
-}): Promise<void>;

package/dist/setup.js

@@ -1,66 +0,0 @@
-/**
- * setup.ts — Interactive browser setup for opencli
- *
- * Simplified for daemon-based architecture. No more token management.
- * Just verifies daemon + extension connectivity.
- */
-import chalk from 'chalk';
-import { checkDaemonStatus } from './browser/discover.js';
-import { checkConnectivity } from './doctor.js';
-import { BrowserBridge } from './browser/index.js';
-export async function runSetup(opts = {}) {
-    console.log();
-    console.log(chalk.bold('  opencli setup') + chalk.dim(' — browser bridge configuration'));
-    console.log();
-    // Step 1: Check daemon
-    console.log(chalk.dim('  Checking daemon status...'));
-    const status = await checkDaemonStatus();
-    if (status.running) {
-        console.log(`  ${chalk.green('✓')} Daemon is running on port 19825`);
-    }
-    else {
-        console.log(`  ${chalk.yellow('!')} Daemon is not running`);
-        console.log(chalk.dim('    The daemon starts automatically when you run a browser command.'));
-        console.log(chalk.dim('    Starting daemon now...'));
-        // Try to spawn daemon
-        const mcp = new BrowserBridge();
-        try {
-            await mcp.connect({ timeout: 5 });
-            await mcp.close();
-            console.log(`  ${chalk.green('✓')} Daemon started successfully`);
-        }
-        catch {
-            console.log(`  ${chalk.yellow('!')} Could not start daemon automatically`);
-        }
-    }
-    // Step 2: Check extension
-    const statusAfter = await checkDaemonStatus();
-    if (statusAfter.extensionConnected) {
-        console.log(`  ${chalk.green('✓')} Chrome extension connected`);
-    }
-    else {
-        console.log(`  ${chalk.red('✗')} Chrome extension not connected`);
-        console.log();
-        console.log(chalk.dim('  To install the opencli Browser Bridge extension:'));
-        console.log(chalk.dim('    1. Download from GitHub Releases'));
-        console.log(chalk.dim('    2. Open chrome://extensions/ → Enable Developer Mode'));
-        console.log(chalk.dim('    3. Click "Load unpacked" → select the extension folder'));
-        console.log(chalk.dim('    4. Make sure Chrome is running'));
-        console.log();
-        return;
-    }
-    // Step 3: Test connectivity
-    console.log();
-    console.log(chalk.dim('  Testing browser connectivity...'));
-    const conn = await checkConnectivity({ timeout: 5 });
-    if (conn.ok) {
-        console.log(`  ${chalk.green('✓')} Browser connected in ${(conn.durationMs / 1000).toFixed(1)}s`);
-        console.log();
-        console.log(chalk.green.bold('  ✓ Setup complete! You can now use opencli browser commands.'));
-    }
-    else {
-        console.log(`  ${chalk.yellow('!')} Connectivity test failed: ${conn.error ?? 'unknown'}`);
-        console.log(chalk.dim(`    Run ${chalk.bold('opencli doctor --live')} to diagnose.`));
-    }
-    console.log();
-}

package/src/setup.ts

@@ -1,69 +0,0 @@
-/**
- * setup.ts — Interactive browser setup for opencli
- *
- * Simplified for daemon-based architecture. No more token management.
- * Just verifies daemon + extension connectivity.
- */
-
-import chalk from 'chalk';
-import { checkDaemonStatus } from './browser/discover.js';
-import { checkConnectivity } from './doctor.js';
-import { BrowserBridge } from './browser/index.js';
-
-export async function runSetup(opts: { cliVersion?: string; token?: string } = {}) {
-  console.log();
-  console.log(chalk.bold('  opencli setup') + chalk.dim(' — browser bridge configuration'));
-  console.log();
-
-  // Step 1: Check daemon
-  console.log(chalk.dim('  Checking daemon status...'));
-  const status = await checkDaemonStatus();
-
-  if (status.running) {
-    console.log(`  ${chalk.green('✓')} Daemon is running on port 19825`);
-  } else {
-    console.log(`  ${chalk.yellow('!')} Daemon is not running`);
-    console.log(chalk.dim('    The daemon starts automatically when you run a browser command.'));
-    console.log(chalk.dim('    Starting daemon now...'));
-
-    // Try to spawn daemon
-    const mcp = new BrowserBridge();
-    try {
-      await mcp.connect({ timeout: 5 });
-      await mcp.close();
-      console.log(`  ${chalk.green('✓')} Daemon started successfully`);
-    } catch {
-      console.log(`  ${chalk.yellow('!')} Could not start daemon automatically`);
-    }
-  }
-
-  // Step 2: Check extension
-  const statusAfter = await checkDaemonStatus();
-  if (statusAfter.extensionConnected) {
-    console.log(`  ${chalk.green('✓')} Chrome extension connected`);
-  } else {
-    console.log(`  ${chalk.red('✗')} Chrome extension not connected`);
-    console.log();
-    console.log(chalk.dim('  To install the opencli Browser Bridge extension:'));
-    console.log(chalk.dim('    1. Download from GitHub Releases'));
-    console.log(chalk.dim('    2. Open chrome://extensions/ → Enable Developer Mode'));
-    console.log(chalk.dim('    3. Click "Load unpacked" → select the extension folder'));
-    console.log(chalk.dim('    4. Make sure Chrome is running'));
-    console.log();
-    return;
-  }
-
-  // Step 3: Test connectivity
-  console.log();
-  console.log(chalk.dim('  Testing browser connectivity...'));
-  const conn = await checkConnectivity({ timeout: 5 });
-  if (conn.ok) {
-    console.log(`  ${chalk.green('✓')} Browser connected in ${(conn.durationMs / 1000).toFixed(1)}s`);
-    console.log();
-    console.log(chalk.green.bold('  ✓ Setup complete! You can now use opencli browser commands.'));
-  } else {
-    console.log(`  ${chalk.yellow('!')} Connectivity test failed: ${conn.error ?? 'unknown'}`);
-    console.log(chalk.dim(`    Run ${chalk.bold('opencli doctor --live')} to diagnose.`));
-  }
-  console.log();
-}