@jackwener/opencli 1.2.6 → 1.3.1

package/src/browser/dom-helpers.ts

@@ -145,3 +145,37 @@ export function networkRequestsJs(includeStatic: boolean): string {
     })()
   `;
 }
+
+/**
+ * Generate JS to wait until the DOM stabilizes (no mutations for `quietMs`),
+ * with a hard cap at `maxMs`. Uses MutationObserver in the browser.
+ *
+ * Returns as soon as the page stops changing, avoiding unnecessary fixed waits.
+ * If document.body is not available, falls back to a fixed sleep of maxMs.
+ */
+export function waitForDomStableJs(maxMs: number, quietMs: number): string {
+  return `
+    new Promise(resolve => {
+      if (!document.body) {
+        setTimeout(() => resolve('nobody'), ${maxMs});
+        return;
+      }
+      let timer = null;
+      let cap = null;
+      const done = (reason) => {
+        clearTimeout(timer);
+        clearTimeout(cap);
+        obs.disconnect();
+        resolve(reason);
+      };
+      const resetQuiet = () => {
+        clearTimeout(timer);
+        timer = setTimeout(() => done('quiet'), ${quietMs});
+      };
+      const obs = new MutationObserver(resetQuiet);
+      obs.observe(document.body, { childList: true, subtree: true, attributes: true });
+      resetQuiet();
+      cap = setTimeout(() => done('capped'), ${maxMs});
+    })
+  `;
+}

package/src/browser/page.ts

@@ -23,6 +23,7 @@ import {
   scrollJs,
   autoScrollJs,
   networkRequestsJs,
+  waitForDomStableJs,
 } from './dom-helpers.js';
 
 /**
@@ -53,11 +54,15 @@ export class Page implements IPage {
     if (result?.tabId) {
       this._tabId = result.tabId;
     }
-    // Post-load settle: the extension already waits for tab.status === 'complete',
-    // but SPA frameworks (React/Vue) need extra time to render after DOM load.
+    // Smart settle: use DOM stability detection instead of fixed sleep.
+    // settleMs is now a timeout cap (default 1000ms), not a fixed wait.
     if (options?.waitUntil !== 'none') {
-      const settleMs = options?.settleMs ?? 1000;
-      await new Promise(resolve => setTimeout(resolve, settleMs));
+      const maxMs = options?.settleMs ?? 1000;
+      await sendCommand('exec', {
+        code: waitForDomStableJs(maxMs, Math.min(500, maxMs)),
+        ...this._workspaceOpt(),
+        ...this._tabOpt(),
+      });
     }
   }
 

package/src/cli.ts

@@ -202,12 +202,12 @@ export function runCli(BUILTIN_CLIS: string, USER_CLIS: string): void {
       console.log(renderCascadeResult(result));
     });
 
-  // ── Built-in: doctor / setup / completion ─────────────────────────────────
+  // ── Built-in: doctor / completion ──────────────────────────────────────────
 
   program
     .command('doctor')
     .description('Diagnose opencli browser bridge connectivity')
-    .option('--live', 'Test browser connectivity (requires Chrome running)', false)
+    .option('--no-live', 'Skip live browser connectivity test')
     .option('--sessions', 'Show active automation sessions', false)
     .action(async (opts) => {
       const { runBrowserDoctor, renderBrowserDoctorReport } = await import('./doctor.js');
@@ -215,14 +215,6 @@ export function runCli(BUILTIN_CLIS: string, USER_CLIS: string): void {
       console.log(renderBrowserDoctorReport(report));
     });
 
-  program
-    .command('setup')
-    .description('Interactive setup: verify browser bridge connectivity')
-    .action(async () => {
-      const { runSetup } = await import('./setup.js');
-      await runSetup({ cliVersion: PKG_VERSION });
-    });
-
   program
     .command('completion')
     .description('Output shell completion script')

package/src/daemon.ts

@@ -5,6 +5,14 @@
  *   CLI → HTTP POST /command → daemon → WebSocket → Extension
  *   Extension → WebSocket result → daemon → HTTP response → CLI
  *
+ * Security (defense-in-depth against browser-based CSRF):
+ *   1. Origin check — reject HTTP/WS from non chrome-extension:// origins
+ *   2. Custom header — require X-OpenCLI header (browsers can't send it
+ *      without CORS preflight, which we deny)
+ *   3. No CORS headers — responses never include Access-Control-Allow-Origin
+ *   4. Body size limit — 1 MB max to prevent OOM
+ *   5. WebSocket verifyClient — reject upgrade before connection is established
+ *
  * Lifecycle:
  *   - Auto-spawned by opencli on first browser command
  *   - Auto-exits after 5 minutes of idle
@@ -49,25 +57,56 @@ function resetIdleTimer(): void {
 
 // ─── HTTP Server ─────────────────────────────────────────────────────
 
+const MAX_BODY = 1024 * 1024; // 1 MB — commands are tiny; this prevents OOM
+
 function readBody(req: IncomingMessage): Promise<string> {
   return new Promise((resolve, reject) => {
     const chunks: Buffer[] = [];
-    req.on('data', (c: Buffer) => chunks.push(c));
+    let size = 0;
+    req.on('data', (c: Buffer) => {
+      size += c.length;
+      if (size > MAX_BODY) { req.destroy(); reject(new Error('Body too large')); return; }
+      chunks.push(c);
+    });
     req.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
     req.on('error', reject);
   });
 }
 
 function jsonResponse(res: ServerResponse, status: number, data: unknown): void {
-  res.writeHead(status, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
+  res.writeHead(status, { 'Content-Type': 'application/json' });
   res.end(JSON.stringify(data));
 }
 
 async function handleRequest(req: IncomingMessage, res: ServerResponse): Promise<void> {
-  res.setHeader('Access-Control-Allow-Origin', '*');
-  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-  res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
-  if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
+  // ─── Security: Origin & custom-header check ──────────────────────
+  // Block browser-based CSRF: browsers always send an Origin header on
+  // cross-origin requests.  Node.js CLI fetch does NOT send Origin, so
+  // legitimate CLI requests pass through.  Chrome Extension connects via
+  // WebSocket (which bypasses this HTTP handler entirely).
+  const origin = req.headers['origin'] as string | undefined;
+  if (origin && !origin.startsWith('chrome-extension://')) {
+    jsonResponse(res, 403, { ok: false, error: 'Forbidden: cross-origin request blocked' });
+    return;
+  }
+
+  // CORS: do NOT send Access-Control-Allow-Origin for normal requests.
+  // Only handle preflight so browsers get a definitive "no" answer.
+  if (req.method === 'OPTIONS') {
+    // No ACAO header → browser will block the actual request.
+    res.writeHead(204);
+    res.end();
+    return;
+  }
+
+  // Require custom header on all HTTP requests.  Browsers cannot attach
+  // custom headers in "simple" requests, and our preflight returns no
+  // Access-Control-Allow-Headers, so scripted fetch() from web pages is
+  // blocked even if Origin check is somehow bypassed.
+  if (!req.headers['x-opencli']) {
+    jsonResponse(res, 403, { ok: false, error: 'Forbidden: missing X-OpenCLI header' });
+    return;
+  }
 
   const url = req.url ?? '/';
   const pathname = url.split('?')[0];
@@ -136,7 +175,18 @@ async function handleRequest(req: IncomingMessage, res: ServerResponse): Promise
 // ─── WebSocket for Extension ─────────────────────────────────────────
 
 const httpServer = createServer((req, res) => { handleRequest(req, res).catch(() => { res.writeHead(500); res.end(); }); });
-const wss = new WebSocketServer({ server: httpServer, path: '/ext' });
+const wss = new WebSocketServer({
+  server: httpServer,
+  path: '/ext',
+  verifyClient: ({ req }: { req: IncomingMessage }) => {
+    // Block browser-originated WebSocket connections.  Browsers don't
+    // enforce CORS on WebSocket, so a malicious webpage could connect to
+    // ws://localhost:19825/ext and impersonate the Extension.  Real Chrome
+    // Extensions send origin chrome-extension://<id>.
+    const origin = req.headers['origin'] as string | undefined;
+    return !origin || origin.startsWith('chrome-extension://');
+  },
+});
 
 wss.on('connection', (ws: WebSocket) => {
   console.error('[daemon] Extension connected');

package/src/doctor.test.ts

@@ -84,36 +84,28 @@ describe('doctor report rendering', () => {
       issues: [],
     }));
 
-    expect(text).toContain('[SKIP] Connectivity: not tested (use --live)');
+    expect(text).toContain('[SKIP] Connectivity: skipped (--no-live)');
   });
 
   it('reports consistent status when live check auto-starts the daemon', async () => {
-    // With the reordered flow, checkDaemonStatus is called only ONCE — after
-    // the connectivity check that may auto-start the daemon.
-    mockCheckDaemonStatus.mockResolvedValueOnce({ running: true, extensionConnected: false });
-    mockConnect.mockRejectedValueOnce(new Error(
-      'Daemon is running but the Browser Extension is not connected.\n' +
-      'Please install and enable the opencli Browser Bridge extension in Chrome.',
-    ));
-
-    const report = await runBrowserDoctor({ live: true });
-
-    // Status reflects the post-connectivity state (daemon running)
-    expect(report.daemonRunning).toBe(true);
+    // checkDaemonStatus is called twice: once for auto-start check, once for final status.
+    // First call: daemon not running (triggers auto-start attempt)
+    mockCheckDaemonStatus.mockResolvedValueOnce({ running: false, extensionConnected: false });
+    // Auto-start attempt via BrowserBridge.connect fails
+    mockConnect.mockRejectedValueOnce(new Error('Could not start daemon'));
+    // Second call: daemon still not running after failed auto-start
+    mockCheckDaemonStatus.mockResolvedValueOnce({ running: false, extensionConnected: false });
+
+    const report = await runBrowserDoctor({ live: false });
+
+    // Status reflects daemon not running
+    expect(report.daemonRunning).toBe(false);
     expect(report.extensionConnected).toBe(false);
-    // checkDaemonStatus should only be called once
-    expect(mockCheckDaemonStatus).toHaveBeenCalledTimes(1);
-    // Should NOT report "daemon not running" since it IS running after live check
-    expect(report.issues).not.toContain(
-      expect.stringContaining('Daemon is not running'),
-    );
-    // Should report extension not connected
-    expect(report.issues).toEqual(expect.arrayContaining([
-      expect.stringContaining('Chrome extension is not connected'),
-    ]));
-    // Should report connectivity failure
+    // checkDaemonStatus called twice (initial + final)
+    expect(mockCheckDaemonStatus).toHaveBeenCalledTimes(2);
+    // Should report daemon not running
     expect(report.issues).toEqual(expect.arrayContaining([
-      expect.stringContaining('Browser connectivity test failed'),
+      expect.stringContaining('Daemon is not running'),
     ]));
   });
 });

package/src/doctor.ts

@@ -51,7 +51,19 @@ export async function checkConnectivity(opts?: { timeout?: number }): Promise<Co
 }
 
 export async function runBrowserDoctor(opts: DoctorOptions = {}): Promise<DoctorReport> {
-  // Run the live connectivity check first — it may auto-start the daemon as a
+  // Try to auto-start daemon if it's not running, so we show accurate status.
+  let initialStatus = await checkDaemonStatus();
+  if (!initialStatus.running) {
+    try {
+      const mcp = new BrowserBridge();
+      await mcp.connect({ timeout: 5 });
+      await mcp.close();
+    } catch {
+      // Auto-start failed; we'll report it below.
+    }
+  }
+
+  // Run the live connectivity check — it may also auto-start the daemon as a
   // side-effect, so we read daemon status only *after* all side-effects settle.
   let connectivity: ConnectivityResult | undefined;
   if (opts.live) {
@@ -109,7 +121,7 @@ export function renderBrowserDoctorReport(report: DoctorReport): string {
       : `failed (${report.connectivity.error ?? 'unknown'})`;
     lines.push(`${connIcon} Connectivity: ${detail}`);
   } else {
-    lines.push(`${chalk.dim('[SKIP]')} Connectivity: not tested (use --live)`);
+    lines.push(`${chalk.dim('[SKIP]')} Connectivity: skipped (--no-live)`);
   }
 
   if (report.sessions) {

package/.github/workflows/release-please.yml

@@ -1,25 +0,0 @@
-name: Release Please
-
-on:
-  push:
-    branches: [main]
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  release-please:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Ensure release-please token is configured
-        run: |
-          if [ -z "${{ secrets.RELEASE_PLEASE_TOKEN }}" ]; then
-            echo "RELEASE_PLEASE_TOKEN secret is required so release PRs can trigger downstream CI workflows." >&2
-            exit 1
-          fi
-
-      - uses: googleapis/release-please-action@v4
-        with:
-          release-type: node
-          token: ${{ secrets.RELEASE_PLEASE_TOKEN }}

package/dist/setup.d.ts

@@ -1,10 +0,0 @@
-/**
- * setup.ts — Interactive browser setup for opencli
- *
- * Simplified for daemon-based architecture. No more token management.
- * Just verifies daemon + extension connectivity.
- */
-export declare function runSetup(opts?: {
-    cliVersion?: string;
-    token?: string;
-}): Promise<void>;

package/dist/setup.js

@@ -1,66 +0,0 @@
-/**
- * setup.ts — Interactive browser setup for opencli
- *
- * Simplified for daemon-based architecture. No more token management.
- * Just verifies daemon + extension connectivity.
- */
-import chalk from 'chalk';
-import { checkDaemonStatus } from './browser/discover.js';
-import { checkConnectivity } from './doctor.js';
-import { BrowserBridge } from './browser/index.js';
-export async function runSetup(opts = {}) {
-    console.log();
-    console.log(chalk.bold('  opencli setup') + chalk.dim(' — browser bridge configuration'));
-    console.log();
-    // Step 1: Check daemon
-    console.log(chalk.dim('  Checking daemon status...'));
-    const status = await checkDaemonStatus();
-    if (status.running) {
-        console.log(`  ${chalk.green('✓')} Daemon is running on port 19825`);
-    }
-    else {
-        console.log(`  ${chalk.yellow('!')} Daemon is not running`);
-        console.log(chalk.dim('    The daemon starts automatically when you run a browser command.'));
-        console.log(chalk.dim('    Starting daemon now...'));
-        // Try to spawn daemon
-        const mcp = new BrowserBridge();
-        try {
-            await mcp.connect({ timeout: 5 });
-            await mcp.close();
-            console.log(`  ${chalk.green('✓')} Daemon started successfully`);
-        }
-        catch {
-            console.log(`  ${chalk.yellow('!')} Could not start daemon automatically`);
-        }
-    }
-    // Step 2: Check extension
-    const statusAfter = await checkDaemonStatus();
-    if (statusAfter.extensionConnected) {
-        console.log(`  ${chalk.green('✓')} Chrome extension connected`);
-    }
-    else {
-        console.log(`  ${chalk.red('✗')} Chrome extension not connected`);
-        console.log();
-        console.log(chalk.dim('  To install the opencli Browser Bridge extension:'));
-        console.log(chalk.dim('    1. Download from GitHub Releases'));
-        console.log(chalk.dim('    2. Open chrome://extensions/ → Enable Developer Mode'));
-        console.log(chalk.dim('    3. Click "Load unpacked" → select the extension folder'));
-        console.log(chalk.dim('    4. Make sure Chrome is running'));
-        console.log();
-        return;
-    }
-    // Step 3: Test connectivity
-    console.log();
-    console.log(chalk.dim('  Testing browser connectivity...'));
-    const conn = await checkConnectivity({ timeout: 5 });
-    if (conn.ok) {
-        console.log(`  ${chalk.green('✓')} Browser connected in ${(conn.durationMs / 1000).toFixed(1)}s`);
-        console.log();
-        console.log(chalk.green.bold('  ✓ Setup complete! You can now use opencli browser commands.'));
-    }
-    else {
-        console.log(`  ${chalk.yellow('!')} Connectivity test failed: ${conn.error ?? 'unknown'}`);
-        console.log(chalk.dim(`    Run ${chalk.bold('opencli doctor --live')} to diagnose.`));
-    }
-    console.log();
-}

package/src/setup.ts

@@ -1,69 +0,0 @@
-/**
- * setup.ts — Interactive browser setup for opencli
- *
- * Simplified for daemon-based architecture. No more token management.
- * Just verifies daemon + extension connectivity.
- */
-
-import chalk from 'chalk';
-import { checkDaemonStatus } from './browser/discover.js';
-import { checkConnectivity } from './doctor.js';
-import { BrowserBridge } from './browser/index.js';
-
-export async function runSetup(opts: { cliVersion?: string; token?: string } = {}) {
-  console.log();
-  console.log(chalk.bold('  opencli setup') + chalk.dim(' — browser bridge configuration'));
-  console.log();
-
-  // Step 1: Check daemon
-  console.log(chalk.dim('  Checking daemon status...'));
-  const status = await checkDaemonStatus();
-
-  if (status.running) {
-    console.log(`  ${chalk.green('✓')} Daemon is running on port 19825`);
-  } else {
-    console.log(`  ${chalk.yellow('!')} Daemon is not running`);
-    console.log(chalk.dim('    The daemon starts automatically when you run a browser command.'));
-    console.log(chalk.dim('    Starting daemon now...'));
-
-    // Try to spawn daemon
-    const mcp = new BrowserBridge();
-    try {
-      await mcp.connect({ timeout: 5 });
-      await mcp.close();
-      console.log(`  ${chalk.green('✓')} Daemon started successfully`);
-    } catch {
-      console.log(`  ${chalk.yellow('!')} Could not start daemon automatically`);
-    }
-  }
-
-  // Step 2: Check extension
-  const statusAfter = await checkDaemonStatus();
-  if (statusAfter.extensionConnected) {
-    console.log(`  ${chalk.green('✓')} Chrome extension connected`);
-  } else {
-    console.log(`  ${chalk.red('✗')} Chrome extension not connected`);
-    console.log();
-    console.log(chalk.dim('  To install the opencli Browser Bridge extension:'));
-    console.log(chalk.dim('    1. Download from GitHub Releases'));
-    console.log(chalk.dim('    2. Open chrome://extensions/ → Enable Developer Mode'));
-    console.log(chalk.dim('    3. Click "Load unpacked" → select the extension folder'));
-    console.log(chalk.dim('    4. Make sure Chrome is running'));
-    console.log();
-    return;
-  }
-
-  // Step 3: Test connectivity
-  console.log();
-  console.log(chalk.dim('  Testing browser connectivity...'));
-  const conn = await checkConnectivity({ timeout: 5 });
-  if (conn.ok) {
-    console.log(`  ${chalk.green('✓')} Browser connected in ${(conn.durationMs / 1000).toFixed(1)}s`);
-    console.log();
-    console.log(chalk.green.bold('  ✓ Setup complete! You can now use opencli browser commands.'));
-  } else {
-    console.log(`  ${chalk.yellow('!')} Connectivity test failed: ${conn.error ?? 'unknown'}`);
-    console.log(chalk.dim(`    Run ${chalk.bold('opencli doctor --live')} to diagnose.`));
-  }
-  console.log();
-}