@syrin/iris 0.4.0 → 0.6.10

package/dist/index.js

@@ -2,6 +2,31 @@
 var IRIS_DEFAULT_PORT = 4400;
 var IRIS_WS_PATH = "/iris";
 var IRIS_PROTOCOL_VERSION = 1;
+var TRANSPORT_LIMITS = {
+  MAX_MESSAGE_BYTES: 1024 * 1024,
+  MAX_MESSAGES_PER_SECOND: 1e3,
+  MAX_SESSIONS: 32,
+  MAX_PENDING_CONNECTIONS: 16,
+  HELLO_TIMEOUT_MS: 5e3,
+  MAX_BUFFER_BYTES: 8 * 1024 * 1024,
+  MAX_SESSION_ID_LENGTH: 128,
+  MAX_URL_LENGTH: 4096,
+  MAX_TITLE_LENGTH: 512,
+  MAX_ADAPTERS: 32,
+  MAX_ADAPTER_NAME_LENGTH: 128,
+  MAX_TOKEN_LENGTH: 512,
+  MAX_COMMAND_ID_LENGTH: 128,
+  MAX_COMMAND_NAME_LENGTH: 128,
+  MAX_REF_LENGTH: 128,
+  MAX_ERROR_LENGTH: 4096,
+  MAX_SERIALIZE_DEPTH: 8,
+  MAX_COLLECTION_ITEMS: 200,
+  MAX_OBJECT_KEYS: 200,
+  MAX_STRING_LENGTH: 64 * 1024
+};
+var REDACTED_VALUE = "[REDACTED]";
+var DANGEROUS_ACTION_CONFIRM_ARG = "confirmDangerous";
+var UpdateCheckIntervalMs = 24 * 60 * 60 * 1e3;
 var RunKind = {
   FLOW_REPLAY: "flow_replay",
   // auto-recorded by iris_flow_replay
@@ -42,6 +67,11 @@ var RecorderPhase = {
   ANNOTATING: "annotating"
   // recording paused, awaiting an annotation target/kind
 };
+var RING_BUFFER_DEFAULTS = {
+  MAX_EVENTS: 2e3,
+  MAX_AGE_MS: 6e4,
+  MAX_BYTES: TRANSPORT_LIMITS.MAX_BUFFER_BYTES
+};
 var EventType = {
   DOM_ADDED: "dom.added",
   DOM_REMOVED: "dom.removed",
@@ -206,136 +236,209 @@ var MessageKind = {
   EVENT: "event"
 };
 
-// ../protocol/dist/types.js
+// ../protocol/dist/messages.js
 import { z } from "zod";
-var ElementQuerySchema = z.object({
-  by: z.nativeEnum(QueryBy).optional(),
-  value: z.string().optional(),
-  role: z.string().optional(),
-  name: z.string().optional(),
-  text: z.string().optional(),
-  label: z.string().optional(),
-  placeholder: z.string().optional(),
-  testid: z.string().optional(),
-  alt: z.string().optional(),
+var sessionIdSchema = z.string().min(1).max(TRANSPORT_LIMITS.MAX_SESSION_ID_LENGTH);
+var refSchema = z.string().max(TRANSPORT_LIMITS.MAX_REF_LENGTH);
+var HumanControlDataSchema = z.object({
+  kind: z.nativeEnum(HumanControlKind),
+  text: z.string().optional()
+});
+var IrisEventSchema = z.object({
+  t: z.number(),
+  type: z.nativeEnum(EventType),
+  sessionId: sessionIdSchema,
+  /** Stable element reference this event concerns, when applicable (e.g. "e7"). */
+  ref: refSchema.optional(),
+  /** Event-type-specific payload. Kept open here; refined per observer at the edges. */
+  data: z.record(z.unknown()).default({})
+});
+var HelloMessageSchema = z.object({
+  kind: z.literal(MessageKind.HELLO),
+  protocolVersion: z.literal(IRIS_PROTOCOL_VERSION),
+  sessionId: sessionIdSchema,
+  url: z.string().max(TRANSPORT_LIMITS.MAX_URL_LENGTH),
+  title: z.string().max(TRANSPORT_LIMITS.MAX_TITLE_LENGTH),
+  adapters: z.array(z.string().max(TRANSPORT_LIMITS.MAX_ADAPTER_NAME_LENGTH)).max(TRANSPORT_LIMITS.MAX_ADAPTERS),
+  /** Optional browser/bridge pairing token. Required when the bridge configures one. */
+  token: z.string().max(TRANSPORT_LIMITS.MAX_TOKEN_LENGTH).optional(),
+  /** Whether the app has advertised a capability registry (iris.describe). */
+  hasCapabilities: z.boolean().optional()
+});
+var CommandMessageSchema = z.object({
+  kind: z.literal(MessageKind.COMMAND),
+  id: z.string().min(1).max(TRANSPORT_LIMITS.MAX_COMMAND_ID_LENGTH),
+  sessionId: sessionIdSchema.optional(),
+  name: z.string().min(1).max(TRANSPORT_LIMITS.MAX_COMMAND_NAME_LENGTH),
+  args: z.record(z.unknown()).default({})
+});
+var CommandResultSchema = z.object({
+  kind: z.literal(MessageKind.COMMAND_RESULT),
+  id: z.string().min(1).max(TRANSPORT_LIMITS.MAX_COMMAND_ID_LENGTH),
+  ok: z.boolean(),
+  result: z.unknown().optional(),
+  error: z.string().max(TRANSPORT_LIMITS.MAX_ERROR_LENGTH).optional()
+});
+var EventMessageSchema = z.object({
+  kind: z.literal(MessageKind.EVENT),
+  event: IrisEventSchema
+});
+var IrisMessageSchema = z.discriminatedUnion("kind", [
+  HelloMessageSchema,
+  CommandMessageSchema,
+  CommandResultSchema,
+  EventMessageSchema
+]);
+
+// ../protocol/dist/security.js
+var DANGEROUS_ACTION = /\b(delete|remove|destroy|erase|drop|terminate|revoke|reset|logout|log out|sign out|close account|cancel subscription|purchase|buy|pay|place order|confirm order|deploy|publish|send|transfer|withdraw|refund)\b/i;
+function isLoopbackHostname(hostname) {
+  const normalized = hostname.toLowerCase().replace(/^\[|\]$/g, "");
+  if (normalized === "localhost" || normalized === "::1" || normalized === "0:0:0:0:0:0:0:1") {
+    return true;
+  }
+  const octets = normalized.split(".");
+  return octets.length === 4 && octets[0] === "127" && octets.every((octet) => {
+    if (!/^\d{1,3}$/.test(octet))
+      return false;
+    const value = Number(octet);
+    return value >= 0 && value <= 255;
+  });
+}
+function isDangerousActionText(text) {
+  return DANGEROUS_ACTION.test(text.replace(/[_-]+/g, " "));
+}
+
+// ../protocol/dist/types.js
+import { z as z2 } from "zod";
+var ElementQuerySchema = z2.object({
+  by: z2.nativeEnum(QueryBy).optional(),
+  value: z2.string().optional(),
+  role: z2.string().optional(),
+  name: z2.string().optional(),
+  text: z2.string().optional(),
+  label: z2.string().optional(),
+  placeholder: z2.string().optional(),
+  testid: z2.string().optional(),
+  alt: z2.string().optional(),
   /** CSS selector or ref to scope the search. */
-  scope: z.string().optional()
+  scope: z2.string().optional()
 });
-var CapabilityFlowSchema = z.object({
-  name: z.string(),
-  steps: z.array(z.string())
+var CapabilityFlowSchema = z2.object({
+  name: z2.string(),
+  steps: z2.array(z2.string())
 });
-var CapabilitiesSchema = z.object({
-  testids: z.array(z.string()),
-  signals: z.array(z.string()),
-  stores: z.array(z.string()),
-  flows: z.array(CapabilityFlowSchema)
+var CapabilitiesSchema = z2.object({
+  testids: z2.array(z2.string()),
+  signals: z2.array(z2.string()),
+  stores: z2.array(z2.string()),
+  flows: z2.array(CapabilityFlowSchema)
 });
-var ContractFileSchema = z.object({
-  version: z.number(),
-  generatedAt: z.number(),
+var ContractFileSchema = z2.object({
+  version: z2.number(),
+  generatedAt: z2.number(),
   capabilities: CapabilitiesSchema
 });
-var RunEvidenceSchema = z.object({
-  consoleErrors: z.number().optional(),
-  networkErrors: z.number().optional(),
-  driftSteps: z.number().optional()
+var RunEvidenceSchema = z2.object({
+  consoleErrors: z2.number().optional(),
+  networkErrors: z2.number().optional(),
+  driftSteps: z2.number().optional()
 });
-var RunRecordSchema = z.object({
-  kind: z.nativeEnum(RunKind),
-  name: z.string(),
-  status: z.nativeEnum(RunStatus),
-  at: z.number(),
-  summary: z.string().optional(),
+var RunRecordSchema = z2.object({
+  kind: z2.nativeEnum(RunKind),
+  name: z2.string(),
+  status: z2.nativeEnum(RunStatus),
+  at: z2.number(),
+  summary: z2.string().optional(),
   evidence: RunEvidenceSchema.optional(),
-  durationMs: z.number().optional()
+  durationMs: z2.number().optional()
 });
-var ProjectLearnedSchema = z.object({
-  flows: z.array(z.string()).optional(),
-  routes: z.array(z.string()).optional()
+var ProjectLearnedSchema = z2.object({
+  flows: z2.array(z2.string()).optional(),
+  routes: z2.array(z2.string()).optional()
 });
-var ProjectFileSchema = z.object({
-  version: z.number(),
+var ProjectFileSchema = z2.object({
+  version: z2.number(),
   learned: ProjectLearnedSchema.optional(),
-  runs: z.array(RunRecordSchema)
+  runs: z2.array(RunRecordSchema)
 });
-var FlowAnchorSchema = z.discriminatedUnion("kind", [
-  z.object({ kind: z.literal(AnchorKind.TESTID), value: z.string().min(1) }),
-  z.object({
-    kind: z.literal(AnchorKind.ROLE),
-    role: z.string().min(1),
-    name: z.string().optional()
+var FlowAnchorSchema = z2.discriminatedUnion("kind", [
+  z2.object({ kind: z2.literal(AnchorKind.TESTID), value: z2.string().min(1) }),
+  z2.object({
+    kind: z2.literal(AnchorKind.ROLE),
+    role: z2.string().min(1),
+    name: z2.string().optional()
   }),
-  z.object({ kind: z.literal(AnchorKind.SIGNAL), name: z.string().min(1) })
+  z2.object({ kind: z2.literal(AnchorKind.SIGNAL), name: z2.string().min(1) })
 ]);
-var FlowExpectSchema = z.object({
-  signal: z.string().optional(),
+var FlowExpectSchema = z2.object({
+  signal: z2.string().optional(),
   /**
    * Optional payload shape an `assert-signal` annotation requires the signal
    * to match (the predicate DSL's signal.dataMatches). Additive/optional — a flow file with a
    * bare `signal` still parses, and the on-disk version stays FLOW_FILE_VERSION 1.
    */
-  signalData: z.record(z.unknown()).optional(),
-  net: z.object({
-    method: z.string().optional(),
-    urlContains: z.string().optional(),
-    status: z.number().optional()
+  signalData: z2.record(z2.unknown()).optional(),
+  net: z2.object({
+    method: z2.string().optional(),
+    urlContains: z2.string().optional(),
+    status: z2.number().optional()
   }).optional(),
-  element: z.object({
-    testid: z.string().optional(),
-    role: z.string().optional(),
-    name: z.string().optional()
+  element: z2.object({
+    testid: z2.string().optional(),
+    role: z2.string().optional(),
+    name: z2.string().optional()
   }).optional()
 });
-var baseFlowStep = z.object({
-  tool: z.string(),
+var baseFlowStep = z2.object({
+  tool: z2.string(),
   anchor: FlowAnchorSchema,
-  action: z.nativeEnum(ActionType).optional(),
-  args: z.record(z.unknown()).optional(),
+  action: z2.nativeEnum(ActionType).optional(),
+  args: z2.record(z2.unknown()).optional(),
   expect: FlowExpectSchema.optional(),
-  degraded: z.boolean().optional()
+  degraded: z2.boolean().optional()
 });
 var FlowStepSchema = baseFlowStep.extend({
-  steps: z.lazy(() => z.array(FlowStepSchema).optional())
+  steps: z2.lazy(() => z2.array(FlowStepSchema).optional())
 });
-var FlowFileSchema = z.object({
-  version: z.literal(FLOW_FILE_VERSION),
-  name: z.string(),
+var FlowFileSchema = z2.object({
+  version: z2.literal(FLOW_FILE_VERSION),
+  name: z2.string(),
   // FUTURE: fixtures/preconditions — schema slot reserved, unpopulated this cut. The recorder
   // never writes it and no fixture runner exists.
-  fixture: z.string().optional(),
+  fixture: z2.string().optional(),
   /** From the injected clock (ms) — deterministic in tests, byte-stable on disk. */
-  createdAt: z.number(),
-  steps: z.array(FlowStepSchema),
+  createdAt: z2.number(),
+  steps: z2.array(FlowStepSchema),
   success: FlowExpectSchema.optional(),
   /**
    * Anchors whose CONTENT must not be asserted (e.g. LLM output). Replay asserts
    * presence, not words. Compiled from a `mark-dynamic` annotation.
    */
-  dynamic: z.array(FlowAnchorSchema).optional()
+  dynamic: z2.array(FlowAnchorSchema).optional()
 });
-var RecordedFlowSchema = z.object({
-  name: z.string(),
+var RecordedFlowSchema = z2.object({
+  name: z2.string(),
   flow: FlowFileSchema
 });
-var AnnotationSchema = z.discriminatedUnion("kind", [
-  z.object({
-    kind: z.literal(AnnotationKind.ASSERT_SIGNAL),
-    name: z.string().min(1),
-    dataMatches: z.record(z.unknown()).optional()
+var AnnotationSchema = z2.discriminatedUnion("kind", [
+  z2.object({
+    kind: z2.literal(AnnotationKind.ASSERT_SIGNAL),
+    name: z2.string().min(1),
+    dataMatches: z2.record(z2.unknown()).optional()
   }),
-  z.object({
-    kind: z.literal(AnnotationKind.ASSERT_VISIBLE),
-    testid: z.string().min(1)
+  z2.object({
+    kind: z2.literal(AnnotationKind.ASSERT_VISIBLE),
+    testid: z2.string().min(1)
   }),
-  z.object({
-    kind: z.literal(AnnotationKind.MARK_DYNAMIC),
-    testid: z.string().min(1)
+  z2.object({
+    kind: z2.literal(AnnotationKind.MARK_DYNAMIC),
+    testid: z2.string().min(1)
   }),
-  z.object({
-    kind: z.literal(AnnotationKind.SUCCESS_STATE),
-    signal: z.string().min(1).optional(),
-    testid: z.string().min(1).optional()
+  z2.object({
+    kind: z2.literal(AnnotationKind.SUCCESS_STATE),
+    signal: z2.string().min(1).optional(),
+    testid: z2.string().min(1).optional()
   })
 ]);
 
@@ -370,6 +473,96 @@ var RefRegistry = class {
 };
 var refs = new RefRegistry();
 
+// ../browser/dist/security/serialization.js
+var TRUNCATED_VALUE = "[TRUNCATED]";
+var UNSERIALIZABLE_VALUE = "[UNSERIALIZABLE]";
+var OMIT_VALUE = /* @__PURE__ */ Symbol("omit");
+var MAX_KEY_LENGTH = 256;
+var MAX_TOTAL_CHARACTERS = Math.floor(TRANSPORT_LIMITS.MAX_MESSAGE_BYTES / 8);
+var MAX_TOTAL_NODES = TRANSPORT_LIMITS.MAX_COLLECTION_ITEMS * 5;
+var SENSITIVE_KEY = /password|passwd|passcode|secret|token|authorization|api[-_]?key|access[-_]?key|private[-_]?key|client[-_]?secret|credit[-_]?card|card[-_]?number|cvv|cvc|ssn/i;
+function isSensitiveKey(key) {
+  return SENSITIVE_KEY.test(key);
+}
+function boundedString(value, state, max) {
+  const allowed = Math.max(0, Math.min(max, state.remainingCharacters));
+  if (value.length <= allowed) {
+    state.remainingCharacters -= value.length;
+    return value;
+  }
+  const truncated = allowed <= TRUNCATED_VALUE.length ? TRUNCATED_VALUE.slice(0, allowed) : `${value.slice(0, allowed - TRUNCATED_VALUE.length)}${TRUNCATED_VALUE}`;
+  state.remainingCharacters -= truncated.length;
+  return truncated;
+}
+function sanitize(value, state, depth, key) {
+  if (key !== void 0 && isSensitiveKey(key))
+    return REDACTED_VALUE;
+  if (depth > TRANSPORT_LIMITS.MAX_SERIALIZE_DEPTH || state.nodes >= MAX_TOTAL_NODES) {
+    return TRUNCATED_VALUE;
+  }
+  state.nodes += 1;
+  if (value === null || typeof value === "boolean")
+    return value;
+  if (typeof value === "string") {
+    return boundedString(value, state, key?.toLowerCase() === "error" ? TRANSPORT_LIMITS.MAX_ERROR_LENGTH : TRANSPORT_LIMITS.MAX_STRING_LENGTH);
+  }
+  if (typeof value === "number")
+    return Number.isFinite(value) ? value : null;
+  if (typeof value === "bigint")
+    return value.toString();
+  if (typeof value === "undefined" || typeof value === "function" || typeof value === "symbol") {
+    return OMIT_VALUE;
+  }
+  if (value instanceof Date)
+    return value.toISOString();
+  if (value instanceof Error) {
+    return {
+      name: boundedString(value.name, state, 256),
+      message: boundedString(value.message, state, TRANSPORT_LIMITS.MAX_ERROR_LENGTH)
+    };
+  }
+  if (state.seen.has(value))
+    return "[CIRCULAR]";
+  state.seen.add(value);
+  try {
+    if (Array.isArray(value)) {
+      return value.slice(0, TRANSPORT_LIMITS.MAX_COLLECTION_ITEMS).map((item) => {
+        const sanitized = sanitize(item, state, depth + 1);
+        return sanitized === OMIT_VALUE ? null : sanitized;
+      });
+    }
+    const out = /* @__PURE__ */ Object.create(null);
+    for (const rawKey of Object.keys(value).slice(0, TRANSPORT_LIMITS.MAX_OBJECT_KEYS)) {
+      const safeKey = boundedString(rawKey, state, MAX_KEY_LENGTH);
+      try {
+        const sanitized = sanitize(value[rawKey], state, depth + 1, rawKey);
+        if (sanitized !== OMIT_VALUE)
+          out[safeKey] = sanitized;
+      } catch {
+        out[safeKey] = UNSERIALIZABLE_VALUE;
+      }
+    }
+    return out;
+  } finally {
+    state.seen.delete(value);
+  }
+}
+function sanitizeForTransport(value) {
+  const sanitized = sanitize(value, {
+    seen: /* @__PURE__ */ new WeakSet(),
+    remainingCharacters: MAX_TOTAL_CHARACTERS,
+    nodes: 0
+  }, 0);
+  return sanitized === OMIT_VALUE ? null : sanitized;
+}
+function safeStringify(value) {
+  try {
+    return JSON.stringify(sanitizeForTransport(value));
+  } catch {
+    return JSON.stringify(UNSERIALIZABLE_VALUE);
+  }
+}
+
 // ../browser/dist/dom/a11y.js
 var NAME_FROM_CONTENT = /* @__PURE__ */ new Set([
   "button",
@@ -536,6 +729,17 @@ function getStates(el) {
 }
 function getValue(el) {
   if (el instanceof HTMLInputElement || el instanceof HTMLTextAreaElement || el instanceof HTMLSelectElement) {
+    const autocomplete = el.getAttribute("autocomplete") ?? "";
+    const identifiers = [
+      el.getAttribute("name") ?? "",
+      el.id,
+      el.getAttribute("data-testid") ?? "",
+      el.getAttribute("aria-label") ?? ""
+    ];
+    const sensitiveAutocomplete = /current-password|new-password|cc-number|cc-csc|one-time-code/i.test(autocomplete);
+    if (el instanceof HTMLInputElement && el.type.toLowerCase() === "password" || sensitiveAutocomplete || identifiers.some(isSensitiveKey)) {
+      return REDACTED_VALUE;
+    }
     return el.value;
   }
   const valueNow = el.getAttribute("aria-valuenow");
@@ -1040,6 +1244,30 @@ var result = (ref, action, effect, settled, settleReason, warning) => {
 var FILL_LIKE = /* @__PURE__ */ new Set([ActionType.FILL, ActionType.TYPE, ActionType.CLEAR]);
 var isFillLike = (action) => FILL_LIKE.has(action);
 var CLICK_LIKE = /* @__PURE__ */ new Set([ActionType.CLICK, ActionType.DBLCLICK]);
+function dangerousActionContext(el) {
+  const form = el.closest("form");
+  return [
+    getAccessibleName(el),
+    el.textContent ?? "",
+    el.getAttribute("value") ?? "",
+    el.getAttribute("title") ?? "",
+    el.getAttribute("aria-label") ?? "",
+    el.getAttribute("href") ?? "",
+    form?.getAttribute("action") ?? "",
+    form?.textContent ?? ""
+  ].join(" ");
+}
+function requiresDangerousConfirmation(text) {
+  return isDangerousActionText(text);
+}
+function assertActionAllowed(el, action, args) {
+  const canTrigger = action === ActionType.CLICK || action === ActionType.DBLCLICK || action === ActionType.DRAG || action === ActionType.SUBMIT || action === ActionType.PRESS && asString(args["key"], "Enter") === "Enter";
+  const dragTarget = action === ActionType.DRAG ? refs.resolve(asString(args["toRef"])) : null;
+  const context = dragTarget instanceof HTMLElement ? `${dangerousActionContext(el)} ${dangerousActionContext(dragTarget)}` : dangerousActionContext(el);
+  if (canTrigger && requiresDangerousConfirmation(context) && args[DANGEROUS_ACTION_CONFIRM_ARG] !== true) {
+    throw new Error(`potentially destructive action blocked; retry with args.${DANGEROUS_ACTION_CONFIRM_ARG}=true`);
+  }
+}
 var NO_GEOMETRY = { occluded: false, occludedBy: null, scrolledIntoView: false };
 function fireClickSequence(el) {
   const doc = el.ownerDocument;
@@ -1206,6 +1434,7 @@ async function dispatchFor(el, action, args) {
 }
 async function executeAction(ref, action, args = {}) {
   const el = requireElement(ref);
+  assertActionAllowed(el, action, args);
   const visible = isVisible(el);
   const enabled = enabledOf(el);
   const prevFocus = activeRef(el);
@@ -1312,7 +1541,10 @@ async function dragElement(source, target, data) {
   }
   return dropPrevented;
 }
-async function dispatchWebMcp(tool, params) {
+async function dispatchWebMcp(tool, params, confirmDangerous = false) {
+  if (requiresDangerousConfirmation(tool) && !confirmDangerous) {
+    throw new Error(`potentially destructive WebMCP tool blocked; retry with ${DANGEROUS_ACTION_CONFIRM_ARG}=true`);
+  }
   const mc = navigator.modelContext;
   if (mc === void 0 || typeof mc.callTool !== "function") {
     throw new Error("WebMCP (navigator.modelContext) not available on this page");
@@ -1359,7 +1591,7 @@ function readStores(only) {
     if (only !== void 0 && name !== only)
       continue;
     try {
-      out[name] = getter();
+      out[name] = sanitizeForTransport(getter());
     } catch (error) {
       out[name] = { __error: error instanceof Error ? error.message : String(error) };
     }
@@ -1508,6 +1740,9 @@ function inspect(ref) {
   return {
     ...describe(el),
     tag: el.tagName.toLowerCase(),
+    href: el.getAttribute("href") ?? void 0,
+    formAction: el instanceof HTMLButtonElement || el instanceof HTMLInputElement ? el.form?.getAttribute("action") ?? void 0 : void 0,
+    formText: el instanceof HTMLButtonElement || el instanceof HTMLInputElement ? el.form?.textContent ?? void 0 : void 0,
     box: { x: rect.x, y: rect.y, width: rect.width, height: rect.height },
     styles,
     component
@@ -1552,6 +1787,16 @@ function listAnimations() {
   });
   return { animations };
 }
+function resolveNavigationUrl(rawUrl, baseUrl) {
+  if (rawUrl.length === 0 || rawUrl.length > TRANSPORT_LIMITS.MAX_URL_LENGTH)
+    return null;
+  try {
+    const url = new URL(rawUrl, baseUrl);
+    return url.protocol === "http:" || url.protocol === "https:" ? url.toString() : null;
+  } catch {
+    return null;
+  }
+}
 function createCommandRegistry() {
   const reg = /* @__PURE__ */ new Map();
   reg.set(IrisCommand.SNAPSHOT, (args) => buildSnapshot({
@@ -1564,7 +1809,7 @@ function createCommandRegistry() {
     const action = str(args["action"]) ?? "";
     if (action === ActionType.WEBMCP) {
       const inner = record(args["args"]);
-      return dispatchWebMcp(str(inner["tool"]) ?? "", record(inner["params"]));
+      return dispatchWebMcp(str(inner["tool"]) ?? "", record(inner["params"]), inner[DANGEROUS_ACTION_CONFIRM_ARG] === true);
     }
     return executeAction(str(args["ref"]) ?? "", action, record(args["args"]));
   });
@@ -1591,9 +1836,12 @@ function createCommandRegistry() {
     return scrollContainer(str(args["ref"]), typeof dy === "number" ? dy : void 0, typeof fraction === "number" ? fraction : void 0);
   });
   reg.set(IrisCommand.NAVIGATE, (args) => {
-    const url = str(args["url"]);
-    if (url === void 0 || url.length === 0)
+    const rawUrl = str(args["url"]);
+    if (rawUrl === void 0 || rawUrl.length === 0)
       return { ok: false, reason: "url required" };
+    const url = resolveNavigationUrl(rawUrl, window.location.href);
+    if (url === null)
+      return { ok: false, reason: "only http(s) navigation is allowed" };
     window.location.assign(url);
     return { ok: true, url };
   });
@@ -1644,6 +1892,7 @@ var Transport = class {
       for (const msg of this.#queue)
         ws.send(msg);
       this.#queue = [];
+      this.#deps.onConnected?.();
     };
     ws.onmessage = (event) => {
       const data = event.data;
@@ -1685,12 +1934,23 @@ var Transport = class {
     } catch {
       return;
     }
-    const msg = parsed;
-    if (msg.kind !== MessageKind.COMMAND)
+    const result2 = CommandMessageSchema.safeParse(parsed);
+    if (!result2.success)
+      return;
+    const command = result2.data;
+    const currentSessionId = this.#deps.hello().sessionId;
+    if (command.sessionId !== void 0 && command.sessionId !== currentSessionId)
       return;
-    const command = parsed;
-    const outcome = await this.#deps.handleCommand(command);
-    this.#sendRaw(JSON.stringify({
+    let outcome;
+    try {
+      outcome = await this.#deps.handleCommand(command);
+    } catch (error) {
+      outcome = {
+        ok: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+    }
+    this.#sendRaw(safeStringify({
       kind: MessageKind.COMMAND_RESULT,
       id: command.id,
       ok: outcome.ok,
@@ -1699,7 +1959,7 @@ var Transport = class {
     }));
   }
   sendEvent(event) {
-    this.#sendRaw(JSON.stringify({ kind: MessageKind.EVENT, event }));
+    this.#sendRaw(safeStringify({ kind: MessageKind.EVENT, event }));
   }
   #sendRaw(text) {
     if (this.#ws !== void 0 && this.#ws.readyState === WebSocket.OPEN) {
@@ -1818,13 +2078,14 @@ function methodOf(input, init) {
   return "GET";
 }
 function installNetwork(emit) {
-  const origFetch = window.fetch.bind(window);
+  const origFetch = window.fetch;
+  const callFetch = origFetch.bind(window);
   window.fetch = async (input, init) => {
     const start = performance.now();
     const method = methodOf(input, init);
     const url = urlOf(input);
     try {
-      const res = await origFetch(input, init);
+      const res = await callFetch(input, init);
       emit(EventType.NET_REQUEST, {
         method,
         url,
@@ -1890,8 +2151,10 @@ function snapshotLocation() {
   };
 }
 function installRoute(emit) {
-  const origPush = history.pushState.bind(history);
-  const origReplace = history.replaceState.bind(history);
+  const origPush = history.pushState;
+  const origReplace = history.replaceState;
+  const callPush = origPush.bind(history);
+  const callReplace = origReplace.bind(history);
   const fire = (from) => {
     const to = snapshotLocation();
     if (to.href === from)
@@ -1906,12 +2169,12 @@ function installRoute(emit) {
   };
   history.pushState = (data, unused, url) => {
     const from = location.href;
-    origPush(data, unused, url ?? null);
+    callPush(data, unused, url ?? null);
     fire(from);
   };
   history.replaceState = (data, unused, url) => {
     const from = location.href;
-    origReplace(data, unused, url ?? null);
+    callReplace(data, unused, url ?? null);
     fire(from);
   };
   let lastHref = location.href;
@@ -1941,22 +2204,19 @@ function stringifyArgs(args) {
       return a;
     if (a instanceof Error)
       return a.message;
-    try {
-      return JSON.stringify(a);
-    } catch {
-      return String(a);
-    }
+    return safeStringify(a);
   }).join(" ");
 }
 function installConsole(emit) {
   const methods = ["log", "warn", "error"];
   const originals2 = /* @__PURE__ */ new Map();
   for (const method of methods) {
-    const original = console[method].bind(console);
+    const original = console[method];
     originals2.set(method, original);
+    const callOriginal = original.bind(console);
     console[method] = (...args) => {
       emit(METHOD_EVENT[method], { message: stringifyArgs(args) });
-      original(...args);
+      callOriginal(...args);
     };
   }
   const onError = (event) => {
@@ -3461,6 +3721,40 @@ function installRecorder(deps) {
 }
 
 // ../browser/dist/iris.js
+function connectionPolicy(pageHostname, bridgeUrl, allowNonLocalhost, token) {
+  let bridge;
+  try {
+    bridge = new URL(bridgeUrl);
+  } catch {
+    return { allowed: false, reason: "invalid Iris bridge URL" };
+  }
+  if (bridge.protocol !== "ws:" && bridge.protocol !== "wss:") {
+    return { allowed: false, reason: "Iris bridge URL must use ws:// or wss://" };
+  }
+  if ((token?.length ?? 0) > TRANSPORT_LIMITS.MAX_TOKEN_LENGTH) {
+    return {
+      allowed: false,
+      reason: `Iris pairing token exceeds ${String(TRANSPORT_LIMITS.MAX_TOKEN_LENGTH)} characters`
+    };
+  }
+  const remoteBridge = !isLoopbackHostname(bridge.hostname);
+  if (remoteBridge && bridge.protocol !== "wss:") {
+    return { allowed: false, reason: "a non-local Iris bridge must use wss://" };
+  }
+  const remote = !isLoopbackHostname(pageHostname) || remoteBridge;
+  if (!remote)
+    return { allowed: true };
+  if (!allowNonLocalhost) {
+    return {
+      allowed: false,
+      reason: "Iris is disabled outside localhost unless allowNonLocalhost is explicitly enabled"
+    };
+  }
+  if (token === void 0 || token.length === 0) {
+    return { allowed: false, reason: "a pairing token is required outside localhost" };
+  }
+  return { allowed: true };
+}
 function str2(value, fallback = "") {
   return typeof value === "string" ? value : fallback;
 }
@@ -3489,6 +3783,7 @@ var Iris = class {
   #presenter;
   #recorder;
   #eventCount = 0;
+  #token;
   /** Act-row log handle for the in-flight act/act_sequence, so its outcome stamps the right row. */
   #actHandle;
   connect(options = {}) {
@@ -3496,14 +3791,23 @@ var Iris = class {
       return;
     if (typeof window === "undefined" || typeof document === "undefined")
       return;
-    this.#session = resolveSessionLabel(options.session, () => `s${Date.now().toString(36)}`);
+    const url = options.url ?? `ws://localhost:${String(IRIS_DEFAULT_PORT)}${IRIS_WS_PATH}`;
+    const policy = connectionPolicy(window.location.hostname, url, options.allowNonLocalhost === true, options.token);
+    if (!policy.allowed) {
+      globalThis.console.warn(`[Iris] ${policy.reason ?? "connection blocked"}`);
+      return;
+    }
+    this.#session = resolveSessionLabel(options.session, () => typeof globalThis.crypto?.randomUUID === "function" ? `s${globalThis.crypto.randomUUID()}` : `s${Date.now().toString(36)}`);
+    this.#token = options.token !== void 0 && options.token.length > 0 ? options.token : void 0;
     this.#start = performance.now();
     this.#registry = createCommandRegistry();
-    const url = options.url ?? `ws://localhost:${String(IRIS_DEFAULT_PORT)}${IRIS_WS_PATH}`;
     this.#transport = new Transport({
       url,
       hello: () => this.#hello(),
       handleCommand: (command) => this.#handleCommand(command),
+      // Show the presenter HUD as soon as the agent bridge connects — the user immediately sees
+      // the glow border and narration panel, even before the first tool call lands.
+      onConnected: () => this.#presenter?.sessionStart(),
       // Liveness fallback: if the bridge stays unreachable (the agent killed the server process),
       // no server-pushed end can arrive — so end the run we're presenting ourselves. A returning
       // agent revives it via the normal sessionStart() path on its next command.
@@ -3613,6 +3917,7 @@ var Iris = class {
       url: location.href,
       title: document.title,
       adapters: adapterNames(),
+      ...this.#token === void 0 ? {} : { token: this.#token },
       hasCapabilities: hasCapabilities()
     };
   }