@mehmoodqureshi/chrome-mcp 0.3.0 → 0.4.1

package/dist/src/mcp/tools.js

@@ -12,9 +12,11 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.TOOL_HANDLERS = exports.TOOL_DEFINITIONS = void 0;
+exports.resetRateLimiter = resetRateLimiter;
 exports.dispatchToolCall = dispatchToolCall;
 exports.assertNoDrift = assertNoDrift;
 exports.registerTools = registerTools;
+const node_path_1 = require("node:path");
 const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
 const types_1 = require("../executor/types");
 const manager_1 = require("../executor/manager");
@@ -59,6 +61,7 @@ exports.TOOL_DEFINITIONS = [
     { name: 'read_as_markdown', description: 'Read the page (or subtree) as readable markdown.', inputSchema: obj({ selector: { type: 'string' }, tabId: { type: 'string' } }) },
     { name: 'fill_form', description: 'Fill multiple fields (keyed by selector) and optionally submit.', inputSchema: obj({ fields: { type: 'object' }, submitSelector: { type: 'string' }, tabId: { type: 'string' } }, ['fields']) },
     { name: 'download_file', description: 'Download a file by URL or from a link element.', inputSchema: obj({ url: { type: 'string' }, ...TARGET_PROPS, suggestedName: { type: 'string' }, tabId: { type: 'string' } }) },
+    { name: 'upload_file', description: 'Set local file(s) on a file <input> (target by selector or ref) — uploads without the OS dialog. Requires --enable-uploads. `files` are absolute local paths.', inputSchema: obj({ ...TARGET_PROPS, files: { type: 'array', items: { type: 'string' } }, tabId: { type: 'string' } }, ['files']) },
     { name: 'chrome_status', description: 'Report backend/session status.', inputSchema: obj({}) },
 ];
 /** Resolve the URL the policy should be evaluated against (the active tab). */
@@ -122,7 +125,7 @@ exports.TOOL_HANDLERS = {
     type: async (a, ctx) => {
         const t = (0, validators_1.requireTarget)(a);
         await gate(ctx, 'type');
-        return (0, envelopes_1.jsonResult)(await ctx.ex.type(t, (0, validators_1.requireString)(a, 'text'), {
+        return (0, envelopes_1.jsonResult)(await ctx.ex.type(t, (0, validators_1.requireWithinLength)((0, validators_1.requireString)(a, 'text'), 'text', validators_1.MAX_TEXT_LEN), {
             tabId: tabId(a),
             clear: (0, validators_1.optionalBoolean)(a, 'clear'),
             pressEnter: (0, validators_1.optionalBoolean)(a, 'pressEnter'),
@@ -241,6 +244,10 @@ exports.TOOL_HANDLERS = {
         if (typeof fields !== 'object' || fields === null || Array.isArray(fields)) {
             throw new validators_1.McpToolError('"fields" must be an object mapping selector -> string|boolean');
         }
+        for (const [sel, val] of Object.entries(fields)) {
+            if (typeof val === 'string')
+                (0, validators_1.requireWithinLength)(val, `fields["${sel}"]`, validators_1.MAX_TEXT_LEN);
+        }
         return (0, envelopes_1.jsonResult)(await (0, helpers_1.fillForm)(ctx.ex, {
             fields: fields,
             submitSelector: (0, validators_1.optionalString)(a, 'submitSelector'),
@@ -255,6 +262,28 @@ exports.TOOL_HANDLERS = {
             throw new validators_1.McpToolError('provide "url" or a target (selector|ref)');
         return (0, envelopes_1.jsonResult)(await ctx.ex.download({ url, target, tabId: tabId(a), suggestedName: (0, validators_1.optionalString)(a, 'suggestedName') }));
     },
+    upload_file: async (a, ctx) => {
+        const t = (0, validators_1.requireTarget)(a);
+        await gate(ctx, 'upload_file');
+        const files = (0, validators_1.optionalStringArray)(a, 'files');
+        if (!files || files.length === 0)
+            throw new validators_1.McpToolError('"files" must be a non-empty array of absolute local paths');
+        // Path restriction: uploads MUST be confined to a configured directory. Without
+        // one, any absolute path (e.g. ~/.ssh/id_rsa) could be uploaded to a page, so we
+        // refuse rather than allow unrestricted local-file access. With a dir, every file
+        // must resolve inside it (blocks `..` traversal and arbitrary-file exfiltration).
+        if (!ctx.policy.uploadsDir) {
+            throw new validators_1.McpToolError('upload denied: uploads require an --uploads-dir to be configured (refusing unrestricted local-file access)');
+        }
+        const dir = (0, node_path_1.resolve)(ctx.policy.uploadsDir);
+        for (const f of files) {
+            const abs = (0, node_path_1.resolve)(f);
+            if (abs !== dir && !abs.startsWith(dir + node_path_1.sep)) {
+                throw new validators_1.McpToolError(`upload denied: "${f}" is outside the allowed uploads dir (${dir})`);
+            }
+        }
+        return (0, envelopes_1.jsonResult)(await ctx.ex.uploadFile(t, files, { tabId: tabId(a) }));
+    },
     chrome_status: async (_a, ctx) => (0, envelopes_1.jsonResult)(ctx.ex.status()),
 };
 // ---------------------------------------------------------------------------
@@ -267,10 +296,41 @@ function errMessage(err) {
         return `internal error: ${err.message}`;
     return `internal error: ${String(err)}`;
 }
+// ---------------------------------------------------------------------------
+// Rate limiting — a sliding window over tool calls for the active session.
+// Generous by default so normal use and the test suite are unaffected; tune
+// via the constants below.
+// ---------------------------------------------------------------------------
+/** Max tool calls permitted within `RATE_WINDOW_MS`. */
+const RATE_MAX_CALLS = 600;
+/** Sliding-window length, in milliseconds. */
+const RATE_WINDOW_MS = 60_000;
+/** Timestamps (ms) of recent dispatches; older entries are evicted lazily. */
+let rateWindow = [];
+/** Reset limiter state — for tests that exercise the ceiling. */
+function resetRateLimiter() {
+    rateWindow = [];
+}
+/**
+ * Record one call and report whether it is within the ceiling. Evicts entries
+ * older than the window so the array stays bounded.
+ */
+function allowCall(now) {
+    const cutoff = now - RATE_WINDOW_MS;
+    if (rateWindow.length > 0 && rateWindow[0] <= cutoff) {
+        rateWindow = rateWindow.filter((t) => t > cutoff);
+    }
+    if (rateWindow.length >= RATE_MAX_CALLS)
+        return false;
+    rateWindow.push(now);
+    return true;
+}
 async function dispatchToolCall(name, rawArgs) {
     const handler = exports.TOOL_HANDLERS[name];
     if (!handler)
         return (0, envelopes_1.errorResult)(`unknown tool: ${name}`);
+    if (!allowCall(Date.now()))
+        return (0, envelopes_1.errorResult)('rate limit exceeded; slow down');
     try {
         const mgr = (0, manager_1.getManager)();
         const ex = await mgr.ensureReady();

package/dist/src/mcp/validators.d.ts

@@ -13,6 +13,12 @@ import type { Target } from '../executor/types';
 export declare class McpToolError extends Error {
     constructor(message: string);
 }
+/** Max length for CSS selector strings. Real selectors are tiny; cap generously. */
+export declare const MAX_SELECTOR_LEN = 2000;
+/** Max length for free-text input (type text, fill_form values). ~100KB. */
+export declare const MAX_TEXT_LEN = 100000;
+/** Throw if `value` exceeds `max` chars. `key` names the field for the message. */
+export declare function requireWithinLength(value: string, key: string, max: number): string;
 /** Coerce raw tool args into a plain object, rejecting non-objects. */
 export declare function asArgs(raw: unknown): Record<string, unknown>;
 export declare function requireString(args: Record<string, unknown>, key: string): string;

package/dist/src/mcp/validators.js

@@ -6,7 +6,8 @@
  * an actionable message (rendered as a structured `isError` result upstream).
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.McpToolError = void 0;
+exports.MAX_TEXT_LEN = exports.MAX_SELECTOR_LEN = exports.McpToolError = void 0;
+exports.requireWithinLength = requireWithinLength;
 exports.asArgs = asArgs;
 exports.requireString = requireString;
 exports.optionalString = optionalString;
@@ -27,6 +28,20 @@ class McpToolError extends Error {
     }
 }
 exports.McpToolError = McpToolError;
+// ---------------------------------------------------------------------------
+// Input size limits — defend against runaway callers passing huge strings.
+// ---------------------------------------------------------------------------
+/** Max length for CSS selector strings. Real selectors are tiny; cap generously. */
+exports.MAX_SELECTOR_LEN = 2_000;
+/** Max length for free-text input (type text, fill_form values). ~100KB. */
+exports.MAX_TEXT_LEN = 100_000;
+/** Throw if `value` exceeds `max` chars. `key` names the field for the message. */
+function requireWithinLength(value, key, max) {
+    if (value.length > max) {
+        throw new McpToolError(`"${key}" is too long (${value.length} chars; max ${max})`);
+    }
+    return value;
+}
 /** Coerce raw tool args into a plain object, rejecting non-objects. */
 function asArgs(raw) {
     if (raw === undefined || raw === null)
@@ -91,7 +106,10 @@ function requireTarget(args) {
     if (hasSel === hasRef) {
         throw new McpToolError('provide exactly one of "selector" or "ref"');
     }
-    return hasSel ? { selector: args.selector } : { ref: args.ref };
+    if (hasSel) {
+        return { selector: requireWithinLength(args.selector, 'selector', exports.MAX_SELECTOR_LEN) };
+    }
+    return { ref: requireWithinLength(args.ref, 'ref', exports.MAX_SELECTOR_LEN) };
 }
 /** Like `requireTarget` but the target is optional (whole-page reads). */
 function optionalTarget(args) {

package/dist/src/security/policy.d.ts

@@ -6,9 +6,16 @@
  * threat, so the policy:
  *   - is ON by default with a SAFE default (empty allowlist, no eval, no
  *     downloads, mutations disabled),
- *   - gates READS as well as writes (reads are the exfil payload),
- *   - is enforced at BOTH ends — the executor dispatch (server) AND the
- *     extension router — before any attach/navigate/eval/read.
+ *   - gates READS as well as writes (reads are the exfil payload).
+ *
+ * SCOPE OF ENFORCEMENT: this policy is enforced SERVER-SIDE ONLY, at the executor
+ * dispatch chokepoint (`assertUrlAllowed` in src/mcp/tools.ts). The extension does
+ * NOT independently re-check the policy, so the bridge token is the sole trust
+ * boundary for the WebSocket: any client holding the token can issue commands the
+ * extension will execute, regardless of this policy. The policy constrains the
+ * official MCP server (and thus the LLM driving it); it is not a second line of
+ * defense against a rogue token-holding client. (A future hardening would mirror
+ * this gate inside the extension router via a policy delivered in the welcome frame.)
  *
  * `assertUrlAllowed(url, method, policy)` is the single chokepoint. It throws an
  * `ExecutorError('POLICY_DENIED', …)` which the never-throw dispatch firewall
@@ -22,6 +29,10 @@ export interface Policy {
     allowEval: boolean;
     /** Allow `download_file`. */
     allowDownloads: boolean;
+    /** Allow `upload_file` (sends local files to the page — exfiltration risk). */
+    allowUploads: boolean;
+    /** If set, `upload_file` may only read files inside this directory (absolute path). */
+    uploadsDir?: string;
     /** Allow acting on / reading tabs whose URL is not in `allowDomains` is governed
      *  by `allowDomains`; this flag instead relaxes tab *management* (list/select)
      *  to all tabs regardless of their URL. Default false. */

package/dist/src/security/policy.js

@@ -7,9 +7,16 @@
  * threat, so the policy:
  *   - is ON by default with a SAFE default (empty allowlist, no eval, no
  *     downloads, mutations disabled),
- *   - gates READS as well as writes (reads are the exfil payload),
- *   - is enforced at BOTH ends — the executor dispatch (server) AND the
- *     extension router — before any attach/navigate/eval/read.
+ *   - gates READS as well as writes (reads are the exfil payload).
+ *
+ * SCOPE OF ENFORCEMENT: this policy is enforced SERVER-SIDE ONLY, at the executor
+ * dispatch chokepoint (`assertUrlAllowed` in src/mcp/tools.ts). The extension does
+ * NOT independently re-check the policy, so the bridge token is the sole trust
+ * boundary for the WebSocket: any client holding the token can issue commands the
+ * extension will execute, regardless of this policy. The policy constrains the
+ * official MCP server (and thus the LLM driving it); it is not a second line of
+ * defense against a rogue token-holding client. (A future hardening would mirror
+ * this gate inside the extension router via a policy delivered in the welcome frame.)
  *
  * `assertUrlAllowed(url, method, policy)` is the single chokepoint. It throws an
  * `ExecutorError('POLICY_DENIED', …)` which the never-throw dispatch firewall
@@ -29,6 +36,8 @@ exports.DEFAULT_POLICY = Object.freeze({
     allowDomains: [],
     allowEval: false,
     allowDownloads: false,
+    allowUploads: false,
+    uploadsDir: undefined,
     allowAllTabs: false,
     enableMutations: false,
 });
@@ -38,6 +47,8 @@ function resolvePolicy(partial) {
         allowDomains: partial?.allowDomains ?? [...exports.DEFAULT_POLICY.allowDomains],
         allowEval: partial?.allowEval ?? exports.DEFAULT_POLICY.allowEval,
         allowDownloads: partial?.allowDownloads ?? exports.DEFAULT_POLICY.allowDownloads,
+        allowUploads: partial?.allowUploads ?? exports.DEFAULT_POLICY.allowUploads,
+        uploadsDir: partial?.uploadsDir ?? exports.DEFAULT_POLICY.uploadsDir,
         allowAllTabs: partial?.allowAllTabs ?? exports.DEFAULT_POLICY.allowAllTabs,
         enableMutations: partial?.enableMutations ?? exports.DEFAULT_POLICY.enableMutations,
     };
@@ -83,7 +94,11 @@ function isMutatingMethod(method) {
 }
 /** Whether the method touches a specific URL that must be allowlisted. */
 function isUrlGated(method) {
-    return READ_CONTENT.has(method) || MUTATE_CONTENT.has(method) || NAVIGATION.has(method) || method === 'eval';
+    return (READ_CONTENT.has(method) ||
+        MUTATE_CONTENT.has(method) ||
+        NAVIGATION.has(method) ||
+        method === 'eval' ||
+        method === 'upload_file');
 }
 // ---------------------------------------------------------------------------
 // Domain matching
@@ -134,6 +149,10 @@ function assertUrlAllowed(url, method, policy) {
     if (method === 'download_file' && !policy.allowDownloads) {
         throw new types_1.ExecutorError('POLICY_DENIED', 'downloads are disabled. Pass --enable-downloads or set allowDownloads.');
     }
+    if (method === 'upload_file' && !policy.allowUploads) {
+        throw new types_1.ExecutorError('POLICY_DENIED', 'uploads are disabled (sending local files to a page is an exfiltration risk). ' +
+            'Pass --enable-uploads or set allowUploads.');
+    }
     if (isMutatingMethod(method) && !policy.enableMutations) {
         throw new types_1.ExecutorError('POLICY_DENIED', `mutating tool "${method}" is disabled (safe-mode). Pass --enable-mutations to allow it.`);
     }

package/docs/BLUEPRINT.md

@@ -64,7 +64,7 @@ takes over from CDP and vice-versa on disconnect.
 - **The 256-bit per-boot token is the ONLY security boundary.** Origin checks and the loopback bind are defense-in-depth against *browser-page* attackers, not native processes. [RESOLVED — security blockers 2 & 3]
 - **One canonical `protocol.ts`** imported by both server and extension. Four conflicting wire/port/token designs are collapsed into this single contract. [RESOLVED — integration blocker 1]
 - **Helpers (`extract_links`, `read_as_markdown`, `fill_form`) are composed server-side** from primitives. Only `download_file` is an executor/wire method. [RESOLVED — integration blocker 2]
-- **Default-deny domain policy is ON by default and gates reads too**, enforced inside the executor dispatch (both backends) AND the extension router. [RESOLVED — security major 4 & eval]
+- **Default-deny domain policy is ON by default and gates reads too**, enforced SERVER-SIDE inside the executor dispatch (both backends). NOTE: the extension router does NOT independently re-check the policy — the bridge token is the sole trust boundary for the WebSocket. Mirroring the gate into the extension router is a planned hardening. [RESOLVED — security major 4 & eval]
 
 ---
 
@@ -540,7 +540,7 @@ threat** (this tool feeds untrusted page text to an LLM that can call `eval`).
 3. **Origin is NOT a security layer.** Documented as defense-in-depth against *browser-page* attackers only (a web page cannot forge a `chrome-extension://` Origin; a native process can). The token holds independently. We never relax token strength on Origin's account. Never reject a valid-token dev connection solely on Origin mismatch. [RESOLVED — blocker 2, mv3 major Origin]
 4. **No `/connect` HTTP endpoint.** Token bootstrap is the **native-messaging trampoline** reading the 0600 file (the model/attacker can't read it), with a manual file-path-pairing fallback. No race-able network token vendor exists. [RESOLVED — blocker 3]
 5. **Token never logged.** Never on stdout or stderr; only in the 0600 file (mode verified post-write, fail-closed). Any human-readable pairing artifact is also 0600 and short-lived. `policy.test.ts` asserts the token appears on neither stream. `logErr` redacts. [RESOLVED — major 5]
-6. **Default-deny domain policy, ON by default, gating READS too.** `Policy { allowDomains: glob[]; allowEval; allowDownloads; allowAllTabs }`. Absent config → **SAFE DEFAULT**: navigate only to `about:blank` + already-open allowlisted tabs, **eval denied cross-domain, reads (`get_text`/`get_html`/`screenshot`/`eval`) denied outside the allowlist**, downloads off. `assertUrlAllowed(currentTabUrl, method)` runs in **the executor dispatch (both backends) AND the extension router** before any attach/navigate/eval/read. `--unsafe-all-domains` (= `allowDomains:['*']`) is the loud-logged escape hatch. [RESOLVED — major 4]
+6. **Default-deny domain policy, ON by default, gating READS too.** `Policy { allowDomains: glob[]; allowEval; allowDownloads; allowAllTabs }`. Absent config → **SAFE DEFAULT**: navigate only to `about:blank` + already-open allowlisted tabs, **eval denied cross-domain, reads (`get_text`/`get_html`/`screenshot`/`eval`) denied outside the allowlist**, downloads off. `assertUrlAllowed(currentTabUrl, method)` runs SERVER-SIDE in **the executor dispatch (both backends)** before any attach/navigate/eval/read. The extension router does NOT re-check the policy (token is the sole bridge boundary); a mirrored extension-side gate is a planned hardening. `--unsafe-all-domains` (= `allowDomains:['*']`) is the loud-logged escape hatch. [RESOLVED — major 4]
 7. **Safe-mode shipped in v1 (not "future").** Default disables `eval` and the entire mutating tool set; `--enable-mutations` / `--unsafe-enable-eval` opt in. `eval`'s effective target origin (the tab's current URL) is allowlist-checked before dispatch. [RESOLVED — major eval]
 8. **Narrowed manifest:** no `<all_urls>`; `host_permissions:[]` + `optional_host_permissions` requested on demand after an explicit user action-click grant before first attach. [RESOLVED — major 4]
 9. **Displacement is a security event:** superseding connects are logged loudly + surfaced in `chrome_status`; the active connection is pinned to the first `hello` ext id and won't be displaced by a different id without re-pair. [RESOLVED — minor 9]

package/extension-dist/background.js

@@ -26,6 +26,7 @@
     "eval",
     "wait_for",
     "download_file",
+    "upload_file",
     "ping_probe"
   ];
 
@@ -174,7 +175,22 @@
       const r = el.getBoundingClientRect();
       if (r.width === 0 && r.height === 0) return false;
       const s = window.getComputedStyle(el);
-      return s.visibility !== "hidden" && s.display !== "none";
+      if (s.visibility === "hidden" || s.display === "none") return false;
+      const cv = el.checkVisibility;
+      if (typeof cv === "function") {
+        try {
+          return cv.call(el, { checkOpacity: false, checkVisibilityCSS: true });
+        } catch {
+        }
+      }
+      let p = el.parentElement;
+      while (p) {
+        const ps = window.getComputedStyle(p);
+        if (ps.display === "none" || ps.visibility === "hidden") return false;
+        p = p.parentElement;
+      }
+      if (el.offsetParent === null && s.position !== "fixed") return false;
+      return true;
     };
     const accName = (el) => {
       const aria = el.getAttribute("aria-label");
@@ -210,7 +226,36 @@
       }
       return tag;
     };
-    const els = Array.from(document.querySelectorAll(sel)).filter(visible);
+    const seen = /* @__PURE__ */ new Set();
+    const candidates = [];
+    const collect = (root) => {
+      if (candidates.length >= max) return;
+      let matched;
+      try {
+        matched = Array.from(root.querySelectorAll(sel));
+      } catch {
+        matched = [];
+      }
+      for (const el of matched) {
+        if (candidates.length >= max) break;
+        if (seen.has(el)) continue;
+        seen.add(el);
+        candidates.push(el);
+      }
+      let hosts;
+      try {
+        hosts = Array.from(root.querySelectorAll("*"));
+      } catch {
+        hosts = [];
+      }
+      for (const host of hosts) {
+        if (candidates.length >= max) break;
+        const sr = host.shadowRoot;
+        if (sr) collect(sr);
+      }
+    };
+    collect(document);
+    const els = candidates.filter(visible);
     const nodes = [];
     let n = 0;
     for (const el of els) {
@@ -377,6 +422,7 @@
     "eval",
     "wait_for",
     "download_file",
+    "upload_file",
     "ping_probe"
   ]);
   var ChromeExecutor = class {
@@ -396,8 +442,19 @@
         }
         case "tab_new": {
           const url = typeof cmd.params.url === "string" ? cmd.params.url : void 0;
+          const BLANK = /^(about:blank|chrome:\/\/newtab|chrome:\/\/new-tab-page|edge:\/\/newtab)/i;
+          const blank = (await chrome.tabs.query({})).find(
+            (t2) => t2.id !== void 0 && (BLANK.test(t2.url ?? "") || (t2.url ?? "") === "" || t2.pendingUrl === "about:blank")
+          );
+          if (blank?.id !== void 0) {
+            if (url) {
+              await chrome.tabs.update(blank.id, { url });
+              await waitComplete(blank.id);
+            }
+            return { ...await tabInfo(await chrome.tabs.get(blank.id)), reused: true };
+          }
           const t = await chrome.tabs.create({ url, active: false });
-          return tabInfo(t);
+          return { ...await tabInfo(t), reused: false };
         }
         case "tab_close": {
           const id = parseTabId(String(cmd.tabId));
@@ -732,6 +789,23 @@
           const downloadId = await chrome.downloads.download({ url, filename: name });
           return { path: `(downloads)/${name}`, backend: "extension", bytes: 0, suggestedName: name };
         }
+        // -- upload: set local file(s) on a file <input> via CDP DOM.setFileInputFiles --
+        case "upload_file": {
+          const id = await targetTab(cmd);
+          const sel = requireSelector(cmd);
+          const files = Array.isArray(cmd.params.files) ? cmd.params.files.map(String) : [];
+          if (files.length === 0) throw new CmdError("BAD_ARGS", 'upload_file requires a non-empty "files" array');
+          if (!await waitForSelector(id, sel)) throw new CmdError("SELECTOR_NOT_FOUND", `no element for selector: ${sel}`);
+          await withDebugger(id, async (t) => {
+            const doc = await chrome.debugger.sendCommand(t, "DOM.getDocument", { depth: 0 });
+            const rootId = doc.root?.nodeId;
+            if (!rootId) throw new CmdError("CDP_ERROR", "could not read the document root");
+            const found = await chrome.debugger.sendCommand(t, "DOM.querySelector", { nodeId: rootId, selector: sel });
+            if (!found.nodeId) throw new CmdError("SELECTOR_NOT_FOUND", `no element for selector: ${sel}`);
+            await chrome.debugger.sendCommand(t, "DOM.setFileInputFiles", { files, nodeId: found.nodeId });
+          });
+          return { ok: true };
+        }
         default:
           throw new CmdError("UNKNOWN_METHOD", `unhandled method: ${cmd.method}`);
       }

package/extension-dist/manifest.json

@@ -1,12 +1,27 @@
 {
   "manifest_version": 3,
   "name": "Chrome MCP Bridge",
-  "version": "0.2.0",
+  "version": "0.4.1",
   "description": "Lets a local chrome-mcp server drive this browser. Pair it with the server's handshake token.",
   "minimum_chrome_version": "116",
-  "background": { "service_worker": "background.js" },
-  "permissions": ["tabs", "scripting", "activeTab", "downloads", "storage", "alarms", "cookies", "debugger"],
-  "host_permissions": ["<all_urls>"],
+  "background": {
+    "service_worker": "background.js"
+  },
+  "permissions": [
+    "tabs",
+    "scripting",
+    "activeTab",
+    "downloads",
+    "storage",
+    "alarms",
+    "cookies",
+    "debugger"
+  ],
+  "host_permissions": [
+    "<all_urls>"
+  ],
   "options_page": "options.html",
-  "action": { "default_title": "Chrome MCP — open options to pair" }
+  "action": {
+    "default_title": "Chrome MCP — open options to pair"
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mehmoodqureshi/chrome-mcp",
-  "version": "0.3.0",
+  "version": "0.4.1",
   "description": "Drive a real Chrome browser over MCP. A stdio MCP server (CLI) plus an MV3 extension, behind one pluggable Executor (extension via chrome.scripting, or a Playwright CDP fallback).",
   "author": "Mehmood Ur Rehman Qureshi",
   "license": "MIT",