@trusty-squire/mcp 0.1.18 → 0.2.1

package/dist/bot/browser.js

@@ -24,6 +24,7 @@
 import { chromium as baseChromium } from "playwright";
 import { createRequire } from "node:module";
 import { detectAsn } from "./asn.js";
+import { CHROME_PROFILE_DIR } from "./profile.js";
 // Lazy registration: installing the plugin mutates the chromium singleton
 // from playwright-extra so we only do it once per process. We require()
 // the CJS modules lazily (the stealth toolchain only ships CJS) and treat
@@ -142,7 +143,10 @@ async function detectChromiumChannel() {
     return null;
 }
 export class BrowserController {
-    browser = null;
+    // The persistent browser context. Persistent (launchPersistentContext)
+    // rather than an ephemeral context so the profile carries the user's
+    // Google session across runs — see profile.ts / google-login.ts.
+    context = null;
     page = null;
     humanize;
     // Tracks the simulated mouse position so successive clicks can move
@@ -160,15 +164,22 @@ export class BrowserController {
     // a captcha failure behind a residential proxy is materially
     // different signal from the same failure on a raw datacenter IP.
     proxyServer = null;
+    profileDir;
+    // T6/T7 — OAuth handshake bookkeeping. When startOAuth() adopts a
+    // popup window as the active page, the original product page is
+    // parked here so settleAfterOAuth() can switch back to it once the
+    // Google handshake completes.
+    oauthProductPage = null;
     constructor(opts = {}) {
         this.humanize = opts.humanize ?? true;
+        this.profileDir = opts.profileDir ?? CHROME_PROFILE_DIR;
     }
     // Which browser channel the most recent .start() actually used.
     // `null` means bundled Chromium; a string like "chrome" means a
     // real installed browser of that channel. Throws if .start() hasn't
     // been called yet — there's no sensible default to return.
     get channel() {
-        if (this.browser === null) {
+        if (this.context === null) {
             throw new Error("BrowserController.channel read before .start()");
         }
         return this.launchedChannel;
@@ -177,7 +188,7 @@ export class BrowserController {
     // or null for a direct connection. Useful telemetry alongside
     // `channel`. Throws if .start() hasn't run — same reason as channel.
     get proxied() {
-        if (this.browser === null) {
+        if (this.context === null) {
             throw new Error("BrowserController.proxied read before .start()");
         }
         return this.proxyServer;
@@ -191,87 +202,87 @@ export class BrowserController {
         // module's existing logging convention).
         console.error(`[universal-bot] launching browser channel=${channel ?? "bundled-chromium"} ` +
             `proxy=${proxy?.server ?? "direct"}`);
-        this.browser = await getChromium().launch({
+        // T3.1: probe where this run's traffic actually exits so the
+        // browser's declared timezone matches its egress IP (a US-timezone
+        // browser on a foreign proxy IP is itself an anti-bot signal).
+        // Done before the real launch: launchPersistentContext bakes the
+        // timezone in at creation, with no way to set it afterward.
+        const geo = await this.probeEgressGeo(channel, proxy);
+        if (geo !== null) {
+            console.error(`[universal-bot] egress geo: timezone=${geo.timezoneId}` +
+                (geo.geolocation !== undefined
+                    ? ` loc=${geo.geolocation.latitude},${geo.geolocation.longitude}`
+                    : ""));
+        }
+        // T3: a PERSISTENT context. The profile dir carries the user's
+        // Google session (established by `mcp login` — see google-login.ts),
+        // so the OAuth-first signup path reuses it instead of starting
+        // logged-out. launchPersistentContext takes launch + context
+        // options in one call.
+        const context = await getChromium().launchPersistentContext(this.profileDir, {
             headless: process.env.UNIVERSAL_BOT_HEADLESS !== "false",
-            // `channel:` is a Playwright launch option that tells it to use a
-            // real installed browser instead of the bundled binary. When null
-            // we omit the key entirely so Playwright falls back to default.
+            // `channel:` selects a real installed browser over the bundled
+            // binary; omitted entirely when null.
             ...(channel !== null ? { channel } : {}),
-            // `proxy:` routes all egress through a residential proxy. Omitted
-            // (direct connection) for the ~80% of users on residential
-            // networks — see resolveProxy().
+            // `proxy:` routes egress through a residential proxy — only for
+            // datacenter-class egress (see resolveProxy()).
             ...(proxy !== null ? { proxy } : {}),
             args: [
                 "--disable-blink-features=AutomationControlled",
                 "--no-sandbox",
                 "--disable-dev-shm-usage",
             ],
-        });
-        // T3.1: learn where this run's traffic actually exits (the proxy
-        // exit when proxied, the machine otherwise) so the browser's
-        // declared timezone matches its egress IP. A US-timezone browser
-        // on a foreign proxy IP is itself an anti-bot signal.
-        const geo = await this.probeEgressGeo();
-        if (geo !== null) {
-            console.error(`[universal-bot] egress geo: timezone=${geo.timezoneId}` +
-                (geo.geolocation !== undefined
-                    ? ` loc=${geo.geolocation.latitude},${geo.geolocation.longitude}`
-                    : ""));
-        }
-        const context = await this.browser.newContext({
             viewport: { width: 1280, height: 720 },
             userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
             // locale stays en-US deliberately: matching it to the proxy
             // country would render signup pages in that language, and the
-            // Claude vision form-planner expects English. timezone is the
-            // dominant IP-geo-mismatch signal; an English browser abroad is
-            // unremarkable, so locale is left as the weak, safe choice.
+            // Claude vision form-planner expects English.
             locale: "en-US",
-            // timezone + geolocation track the real egress (T3.1). Falls
-            // back to a fixed default when the probe fails — no worse than
-            // the pre-T3.1 hardcoded value.
+            // timezone + geolocation track the real egress (T3.1); a fixed
+            // default when the probe failed.
             timezoneId: geo?.timezoneId ?? "America/New_York",
             ...(geo?.geolocation !== undefined
                 ? { geolocation: geo.geolocation, permissions: ["geolocation"] }
                 : {}),
         });
+        this.context = context;
         // Patch the navigator.webdriver flag — most anti-bot heuristics look here.
         await context.addInitScript(() => {
             Object.defineProperty(navigator, "webdriver", { get: () => undefined });
         });
-        this.page = await context.newPage();
+        this.page = context.pages()[0] ?? (await context.newPage());
     }
-    // Probe the run's actual egress geo by loading ipinfo.io through a
-    // throwaway context. The proxy (when active) is set at launch level,
-    // so every context inherits it — this reports the *proxy exit* geo,
-    // not the machine's. Best-effort: any failure returns null and
-    // start() keeps a default timezone. Adds one short navigation to
-    // run start-up.
-    async probeEgressGeo() {
-        if (!this.browser)
-            return null;
-        const browser = this.browser;
-        let ctx;
-        let geo = null;
+    // Probe the run's actual egress geo by loading ipinfo.io. Launches a
+    // throwaway browser: the persistent context isn't up yet, and its
+    // timezone has to be known before it is. The throwaway inherits the
+    // same channel + proxy so it reports the real egress. Best-effort —
+    // any failure returns null and start() keeps a default timezone.
+    async probeEgressGeo(channel, proxy) {
+        let probe;
         try {
-            ctx = await browser.newContext();
-            const page = await ctx.newPage();
+            probe = await getChromium().launch({
+                headless: process.env.UNIVERSAL_BOT_HEADLESS !== "false",
+                ...(channel !== null ? { channel } : {}),
+                ...(proxy !== null ? { proxy } : {}),
+                args: ["--no-sandbox", "--disable-dev-shm-usage"],
+            });
+            const page = await probe.newPage();
             await page.goto("https://ipinfo.io/json", {
                 timeout: 10000,
                 waitUntil: "domcontentloaded",
             });
             const body = await page.evaluate(() => document.body.innerText);
-            geo = parseEgressGeo(body);
+            return parseEgressGeo(body);
         }
         catch (err) {
             console.error(`[universal-bot] egress geo probe failed — using default ` +
                 `timezone: ${err instanceof Error ? err.message : String(err)}`);
+            return null;
         }
         finally {
-            if (ctx !== undefined)
-                await ctx.close();
+            if (probe !== undefined)
+                await probe.close();
         }
-        return geo;
     }
     // Decide whether this run egresses through a residential proxy, and
     // return Playwright's proxy settings or null for a direct connection.
@@ -604,6 +615,14 @@ export class BrowserController {
         if (!this.page)
             throw new Error("Browser not started");
         await locator.waitFor({ state: "visible", timeout: 10000 });
+        // Scroll the element into the viewport BEFORE measuring it. A
+        // humanized click is a raw page.mouse.click(x, y) at viewport
+        // coordinates — boundingBox() of a below-the-fold element returns
+        // an off-screen y, and the click then lands on nothing (it was
+        // why a Sentry OAuth button below the fold never navigated). The
+        // regular .click() path auto-scrolls; the humanized path must too
+        // — same fix check() already carries.
+        await locator.scrollIntoViewIfNeeded({ timeout: 5000 }).catch(() => { });
         const box = await locator.boundingBox();
         if (box === null) {
             // Element exists but isn't in the layout (e.g., display:none).
@@ -869,6 +888,58 @@ export class BrowserController {
             throw new Error("Browser not started");
         return await this.page.textContent("body") || "";
     }
+    // Discrete strings an API key might occupy — for credential
+    // extraction. Gathered so a key is read WHOLE and un-glued from its
+    // neighbours: extractText() concatenates the whole <body>, which
+    // fuses a key to an adjacent "Copy"/"Done" button with no separator.
+    //
+    // Two surfaces:
+    //   1. input/textarea VALUES — a copy-to-clipboard key field. An
+    //      input's value is not in textContent at all. Hidden and
+    //      password fields are excluded (captcha tokens / the signup
+    //      password), keeping this a clean credential surface.
+    //   2. Each element's OWN direct text — the text nodes that are its
+    //      immediate children, excluding descendants. A key in a
+    //      <code>/<span>/<div> yields its clean value here even when a
+    //      sibling button shares the same parent.
+    async extractCredentialCandidates() {
+        if (!this.page)
+            throw new Error("Browser not started");
+        return await this.page.evaluate(() => {
+            const out = [];
+            const isVisible = (el) => {
+                const r = el.getBoundingClientRect();
+                return r.width > 2 && r.height > 2;
+            };
+            document.querySelectorAll("input, textarea").forEach((el) => {
+                if (el instanceof HTMLInputElement &&
+                    (el.type === "hidden" || el.type === "password")) {
+                    return;
+                }
+                const value = el instanceof HTMLInputElement || el instanceof HTMLTextAreaElement
+                    ? el.value
+                    : "";
+                if (value.trim().length > 0 && isVisible(el))
+                    out.push(value.trim());
+            });
+            document.querySelectorAll("body *").forEach((el) => {
+                if (el.tagName === "SCRIPT" || el.tagName === "STYLE")
+                    return;
+                if (!isVisible(el))
+                    return;
+                let direct = "";
+                el.childNodes.forEach((n) => {
+                    if (n.nodeType === Node.TEXT_NODE)
+                        direct += n.textContent ?? "";
+                });
+                direct = direct.trim();
+                // A real key is short; a long blob is a paragraph, not a key.
+                if (direct.length > 0 && direct.length <= 256)
+                    out.push(direct);
+            });
+            return out;
+        });
+    }
     // Wait for the signup form to actually render before the planner
     // screenshots the page (F1). SPA and two-stage signup pages render
     // the form after JS executes; planning against a pre-render
@@ -949,6 +1020,30 @@ export class BrowserController {
                 return anc !== null ? clean(anc.textContent) : null;
             };
             const inConsent = (el) => el.closest('[class*="osano"],[id*="onetrust"],[id*="cookie"],[class*="cookie-consent"],[class*="cookie-banner"],[class*="cookieConsent"]') !== null;
+            // Accessible label of a descendant icon — an icon-only "Sign in
+            // with Google" button carries no text, but its <img alt>, its
+            // <svg><title>, or a descendant [aria-label] names the provider.
+            const iconLabelFor = (el) => {
+                const img = el.querySelector("img[alt]");
+                if (img !== null) {
+                    const alt = clean(img.getAttribute("alt"));
+                    if (alt !== null)
+                        return alt;
+                }
+                const svgTitle = el.querySelector("svg title");
+                if (svgTitle !== null) {
+                    const t = clean(svgTitle.textContent);
+                    if (t !== null)
+                        return t;
+                }
+                const labelled = el.querySelector("[aria-label]");
+                if (labelled !== null) {
+                    const l = clean(labelled.getAttribute("aria-label"));
+                    if (l !== null)
+                        return l;
+                }
+                return null;
+            };
             const selectorFor = (el) => {
                 const tag = el.tagName.toLowerCase();
                 let base;
@@ -1023,6 +1118,8 @@ export class BrowserController {
                         r.bottom <= window.innerHeight &&
                         r.right <= window.innerWidth,
                     inConsentWidget: inConsent(el),
+                    href: (el.getAttribute("href") ?? "").slice(0, 300) || null,
+                    iconLabel: iconLabelFor(el),
                 });
             }
             return out;
@@ -1054,11 +1151,126 @@ export class BrowserController {
             return { count: 0, tag: null, id: null, name: null };
         }
     }
+    // ───────────── OAuth handshake (T6/T7) ─────────────
+    // Click an OAuth provider button and adopt whichever page now
+    // carries the handshake. Google OAuth either redirects the current
+    // tab or opens a popup window; this normalizes both so the agent's
+    // consent loop can treat `this.page` as "the page showing Google's
+    // screens" without caring which transport the service chose.
+    // settleAfterOAuth() restores the product page afterwards.
+    async startOAuth(selector) {
+        if (!this.page || !this.context)
+            throw new Error("Browser not started");
+        this.oauthProductPage = this.page;
+        // Race a popup `page` event against the click. context-level
+        // "page" fires for both window.open popups and target=_blank.
+        const popupPromise = this.context
+            .waitForEvent("page", { timeout: 8000 })
+            .catch(() => null);
+        await this.click(selector);
+        const popup = await popupPromise;
+        if (popup !== null && popup !== this.page && !popup.isClosed()) {
+            this.page = popup;
+        }
+        try {
+            await this.page.waitForLoadState("domcontentloaded", { timeout: 30000 });
+        }
+        catch {
+            // best-effort — the agent's consent loop re-reads state regardless
+        }
+    }
+    // URL of the active page (the OAuth page mid-handshake, the product
+    // page otherwise). Cheap — no screenshot, unlike getState().
+    currentUrl() {
+        return this.page !== null ? this.page.url() : "";
+    }
+    // True when the active OAuth page is gone — for the popup flow, the
+    // popup closing IS the signal the handshake finished.
+    oauthPageClosed() {
+        return this.page === null || this.page.isClosed();
+    }
+    // Advance a provider's consent / account-chooser screen by one click
+    // — the scope-gated auto-approve (T7/T13). Returns false when no
+    // approve control is present — the agent then aborts rather than
+    // hang. Clicks only; never types (the critical guarantee holds here).
+    async advanceOAuthConsent(provider) {
+        if (!this.page)
+            throw new Error("Browser not started");
+        if (provider === "github") {
+            // GitHub's authorize screen: a single green "Authorize <app>"
+            // button. The accessible name starts with "Authorize".
+            const authorize = this.page
+                .getByRole("button", { name: /^authorize\b/i })
+                .first();
+            if ((await authorize.count().catch(() => 0)) > 0) {
+                try {
+                    await authorize.click({ timeout: 8000 });
+                    return true;
+                }
+                catch {
+                    return false;
+                }
+            }
+            return false;
+        }
+        // Google. Account chooser: Google renders each account with a
+        // stable data-identifier attribute (the account email).
+        const tile = this.page.locator("[data-identifier]").first();
+        if ((await tile.count().catch(() => 0)) > 0) {
+            try {
+                await tile.click({ timeout: 8000 });
+                return true;
+            }
+            catch {
+                // fall through to the approve-button path
+            }
+        }
+        // Consent screen: the approve control's accessible name is
+        // "Continue" or "Allow". A full-match regex excludes "Cancel".
+        const approve = this.page
+            .getByRole("button", { name: /^(continue|allow)$/i })
+            .first();
+        if ((await approve.count().catch(() => 0)) > 0) {
+            try {
+                await approve.click({ timeout: 8000 });
+                return true;
+            }
+            catch {
+                return false;
+            }
+        }
+        return false;
+    }
+    // Restore the product page once the OAuth handshake completes. A
+    // no-op for the same-tab redirect flow (the active page already IS
+    // the product page); for the popup flow, waits briefly for the popup
+    // to close, then switches `this.page` back to the product tab.
+    async settleAfterOAuth() {
+        const product = this.oauthProductPage;
+        this.oauthProductPage = null;
+        if (product === null || product === this.page)
+            return; // same-tab
+        for (let i = 0; i < 12 && this.page !== null && !this.page.isClosed(); i++) {
+            await this.sleep(1000);
+        }
+        if (this.page !== null && !this.page.isClosed()) {
+            await this.page.close().catch(() => undefined);
+        }
+        this.page = product;
+        await this.page.bringToFront().catch(() => undefined);
+        try {
+            await this.page.waitForLoadState("domcontentloaded", { timeout: 30000 });
+        }
+        catch {
+            // best-effort
+        }
+    }
     async close() {
         if (this.page)
             await this.page.close();
-        if (this.browser)
-            await this.browser.close();
+        // Closing the persistent context shuts the browser down too.
+        if (this.context)
+            await this.context.close();
     }
 }
 // Random integer in [min, max]. We use Math.random() (not crypto)
@@ -1172,7 +1384,15 @@ export function parseEgressGeo(text) {
 // chooser pick, and inventory button-ranking — one keyword set, no
 // drift (F3 Issue 8). OAuth provider names go firmly negative so the
 // bot never wanders into a Google/GitHub login dead end.
-export function scoreSignupButton(text) {
+//
+// `oauthProvider` (T6/T13) inverts that for the requested provider:
+// when an OAuth-first signup is requested, the "Sign in with
+// <provider>" affordance is the PRIMARY target, not a dead end — so it
+// must score positive enough to survive inventory ranking/capping.
+// Stated as a rule, not arithmetic (spec refinement): under OAuth-first
+// the provider's button outranks any form field. Only the REQUESTED
+// provider flips positive; the others stay negative.
+export function scoreSignupButton(text, oauthProvider) {
     const t = text.toLowerCase();
     let score = 0;
     if (t.includes("create account") || t.includes("create your account"))
@@ -1192,9 +1412,14 @@ export function scoreSignupButton(text) {
     // forms; it should beat nothing but lose to OAuth markers.
     if (t.includes("continue"))
         score += 2;
-    // OAuth / SSO buttons are submit-typed too — the provider name is
-    // the reliable discriminator, so drive those firmly negative.
-    if (/\b(google|github|gitlab|microsoft|apple|facebook|okta|sso|saml)\b/.test(t)) {
+    if (oauthProvider !== undefined && new RegExp(`\\b${oauthProvider}\\b`).test(t)) {
+        // OAuth-first: the requested provider's button is the goal. Score
+        // it above every form-field-class button so ranking never caps it out.
+        score += 50;
+    }
+    else if (/\b(google|github|gitlab|microsoft|apple|facebook|okta|sso|saml)\b/.test(t)) {
+        // OAuth / SSO buttons are submit-typed too — the provider name is
+        // the reliable discriminator, so drive those firmly negative.
         score -= 20;
     }
     if (t.includes("sign in") || t.includes("log in") || t.includes("login"))
@@ -1208,7 +1433,7 @@ export function scoreSignupButton(text) {
 // carries dozens of nav/footer buttons (F3 Issue 3 + Tension 2: a
 // flat cap could truncate the real email field). Re-indexes the kept
 // set and reports how many buttons were dropped.
-export function rankAndCapInventory(elements, buttonCap = 25) {
+export function rankAndCapInventory(elements, buttonCap = 25, oauthProvider) {
     const isButtonish = (e) => e.tag === "button" ||
         e.tag === "a" ||
         e.type === "submit" ||
@@ -1219,7 +1444,7 @@ export function rankAndCapInventory(elements, buttonCap = 25) {
         .filter(isButtonish)
         .map((e) => ({
         e,
-        score: scoreSignupButton(`${e.visibleText ?? ""} ${e.ariaLabel ?? ""} ${e.labelText ?? ""}`),
+        score: scoreSignupButton(`${e.visibleText ?? ""} ${e.ariaLabel ?? ""} ${e.labelText ?? ""}`, oauthProvider),
     }))
         .sort((a, b) => b.score - a.score);
     const keptButtons = ranked.slice(0, buttonCap).map((x) => x.e);