@kaitranntt/ccs 7.79.1-dev.17 → 7.79.1-dev.19

package/lib/mcp/ccs-browser-server.cjs

@@ -639,7 +639,7 @@ function getTools() {
             },
           },
           priority: { type: 'integer' },
-          action: { type: 'string', enum: ['continue', 'fail', 'fulfill'] },
+          action: { type: 'string', enum: getInterceptActionEnum() },
           statusCode: { type: 'integer', minimum: 100, maximum: 599 },
           responseHeaders: {
             type: 'array',
@@ -1209,7 +1209,18 @@ function getTools() {
           },
           event: {
             type: 'object',
-            description: 'Required event selector.',
+            description:
+              'Required event selector. request events require urlIncludes; download events require urlIncludes or suggestedFilenameIncludes. URLs in returned details are redacted.',
+            properties: {
+              kind: { type: 'string', enum: ['dialog', 'navigation', 'request', 'download'] },
+              dialogType: { type: 'string' },
+              messageIncludes: { type: 'string' },
+              urlIncludes: { type: 'string' },
+              method: { type: 'string' },
+              suggestedFilenameIncludes: { type: 'string' },
+            },
+            required: ['kind'],
+            additionalProperties: false,
           },
         },
         required: ['event'],
@@ -1292,9 +1303,30 @@ function parseOptionalPageId(toolArgs) {
     : '';
 }
 
+function getBrowserInterceptFulfillMode() {
+  return String(process.env.CCS_BROWSER_INTERCEPT_FULFILL_MODE || 'disabled').trim() === 'enabled'
+    ? 'enabled'
+    : 'disabled';
+}
+
+function isBrowserInterceptFulfillEnabled() {
+  return getBrowserInterceptFulfillMode() === 'enabled';
+}
+
+function getInterceptActionEnum() {
+  return isBrowserInterceptFulfillEnabled()
+    ? ['continue', 'fail', 'fulfill']
+    : ['continue', 'fail'];
+}
+
 function parseInterceptAction(value) {
+  if (value === 'fulfill' && !isBrowserInterceptFulfillEnabled()) {
+    throw new Error(
+      'action fulfill is disabled by CCS_BROWSER_INTERCEPT_FULFILL_MODE=disabled; set it to enabled only for trusted local testing'
+    );
+  }
   if (value !== 'continue' && value !== 'fail' && value !== 'fulfill') {
-    throw new Error('action must be one of: continue, fail, fulfill');
+    throw new Error(`action must be one of: ${getInterceptActionEnum().join(', ')}`);
   }
   return value;
 }
@@ -3327,24 +3359,80 @@ function parseEventCondition(value) {
     };
   }
   if (value.kind === 'request') {
+    const urlIncludes = value.urlIncludes ? String(value.urlIncludes) : undefined;
+    if (!urlIncludes) {
+      throw new Error('request events require urlIncludes to limit network metadata exposure');
+    }
     return {
       kind: 'request',
-      urlIncludes: value.urlIncludes ? String(value.urlIncludes) : undefined,
+      urlIncludes,
       method: value.method ? String(value.method) : undefined,
     };
   }
   if (value.kind === 'download') {
+    const urlIncludes = value.urlIncludes ? String(value.urlIncludes) : undefined;
+    const suggestedFilenameIncludes = value.suggestedFilenameIncludes
+      ? String(value.suggestedFilenameIncludes)
+      : undefined;
+    if (!urlIncludes && !suggestedFilenameIncludes) {
+      throw new Error(
+        'download events require urlIncludes or suggestedFilenameIncludes to limit metadata exposure'
+      );
+    }
     return {
       kind: 'download',
-      urlIncludes: value.urlIncludes ? String(value.urlIncludes) : undefined,
-      suggestedFilenameIncludes: value.suggestedFilenameIncludes
-        ? String(value.suggestedFilenameIncludes)
-        : undefined,
+      urlIncludes,
+      suggestedFilenameIncludes,
     };
   }
   throw new Error(`unknown event kind: ${String(value.kind || '')}`);
 }
 
+function redactUrlForModel(value, options = {}) {
+  const rawUrl = String(value || '');
+  if (!rawUrl) {
+    return '';
+  }
+  try {
+    const url = new URL(rawUrl);
+    if (options.originOnly) {
+      return url.origin;
+    }
+    url.username = '';
+    url.password = '';
+    url.search = '';
+    url.hash = '';
+    return url.toString();
+  } catch {
+    return '[redacted-url]';
+  }
+}
+
+function redactObservedEvent(event, observed) {
+  if (!observed || typeof observed !== 'object') {
+    return observed;
+  }
+  if (event.kind === 'request') {
+    return {
+      url: redactUrlForModel(observed.url, { originOnly: true }),
+      method: observed.method || '',
+    };
+  }
+  if (event.kind === 'download') {
+    return {
+      url: redactUrlForModel(observed.url, { originOnly: true }),
+      suggestedFilename: observed.suggestedFilename || '',
+    };
+  }
+  if (event.kind === 'navigation' && Object.prototype.hasOwnProperty.call(observed, 'url')) {
+    return {
+      ...observed,
+      url: redactUrlForModel(observed.url, { originOnly: true }),
+    };
+  }
+  return observed;
+}
+
 function matchesObservedEvent(event, observed) {
   if (event.kind === 'dialog') {
     return (
@@ -4798,7 +4886,8 @@ async function handleWaitForEvent(toolArgs) {
   );
   const event = parseEventCondition(toolArgs.event);
   const observed = await waitForMatchingEvent({ page, pageIndex, timeoutMs, event });
-  return `pageIndex: ${pageIndex}\nevent: ${event.kind}\nstatus: observed\ndetail: ${JSON.stringify(observed)}`;
+  const safeObserved = redactObservedEvent(event, observed);
+  return `pageIndex: ${pageIndex}\nevent: ${event.kind}\nstatus: observed\ndetail: ${JSON.stringify(safeObserved)}`;
 }
 
 function findInterceptRuleIndex(ruleId) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kaitranntt/ccs",
-  "version": "7.79.1-dev.17",
+  "version": "7.79.1-dev.19",
   "description": "Claude Code Switch - Instant profile switching between Claude, GLM, Kimi, and more",
   "keywords": [
     "cli",