@trusty-squire/mcp 0.5.7 → 0.6.0

package/dist/bot/agent.js

@@ -9,6 +9,7 @@
 // prompt rather than threading service-specific logic through the agent.
 import { rankAndCapInventory, scoreSignupButton } from "./browser.js";
 import { OAUTH_PROVIDERS, extractOAuthScopes, } from "./oauth-providers.js";
+import { extractGoogleNumberMatch, scrapeGoogleScopePhrases } from "./google-login.js";
 import { loggedInProviders } from "./login-state.js";
 import { saveDebugSnapshot } from "./debug.js";
 import { captureOnboardingRound } from "./onboarding-capture.js";
@@ -84,6 +85,61 @@ export class LLMCallBudgetExceeded extends Error {
         this.name = "LLMCallBudgetExceeded";
     }
 }
+// Best-effort canonical signup URL for a service when the caller
+// didn't pass one. Most dev-SaaS targets (Resend, Postmark, Mailgun,
+// MailerSend, IPInfo, Stripe, PostHog) live at <name>.com/signup —
+// the .com default catches them. The exceptions — services on .io,
+// .ai, .dev — live in KNOWN_DOMAINS so a Sentry signup doesn't waste
+// the long Google-search fallback path looking for sentry.com (which
+// redirects weirdly to sentry.io and breaks looksLikeSignupPage).
+// Anything still wrong falls through to the search-and-find path.
+// Exported for unit testing.
+// Either a hostname (default path: /signup) or a full URL (when the
+// service's signup lives on a subdomain or uses a non-standard path —
+// e.g. Cloudflare's dash.cloudflare.com/sign-up).
+const KNOWN_DOMAINS = {
+    sentry: "sentry.io",
+    openrouter: "openrouter.ai",
+    mistral: "mistral.ai",
+    anthropic: "anthropic.com",
+    mailtrap: "mailtrap.io",
+    axiom: "axiom.co",
+    loops: "loops.so",
+    e2b: "e2b.dev",
+    railway: "railway.app",
+    supabase: "supabase.com",
+    replicate: "replicate.com",
+    modal: "modal.com",
+    // PostHog uses posthog.com but the dashboard lives at us.posthog.com /
+    // eu.posthog.com — signup is on the marketing site, .com is right.
+    posthog: "posthog.com",
+    // Cloudflare's marketing site has no signup form — it CTAs into the
+    // dashboard. Skip the redirect chase and land on the real form.
+    cloudflare: "https://dash.cloudflare.com/sign-up",
+    // Vercel: marketing /signup redirects through OAuth provider tiles
+    // but the actual email form sits on the dashboard.
+    vercel: "https://vercel.com/signup",
+};
+export function guessSignupUrl(service) {
+    const slug = service.toLowerCase().replace(/[^a-z0-9]/g, "");
+    const entry = KNOWN_DOMAINS[slug];
+    if (entry !== undefined && /^https?:\/\//i.test(entry))
+        return entry;
+    const host = entry ?? `${slug}.com`;
+    return `https://${host}/signup`;
+}
+// True when the URL is a Google search results page — used to gate
+// the prewarm + the post-load "did we land somewhere useful?" check.
+export function isGoogleSearchUrl(url) {
+    try {
+        const u = new URL(url);
+        return ((u.hostname === "www.google.com" || u.hostname === "google.com") &&
+            u.pathname.startsWith("/search"));
+    }
+    catch {
+        return false;
+    }
+}
 // The set of value_kinds the planner is allowed to emit. Kept as a
 // runtime array so validation and the exhaustive `valueFor` switch
 // share one source of truth.
@@ -259,6 +315,26 @@ export function formatInventory(inventory) {
     })
         .join("\n");
 }
+// Recognize a full-page anti-bot interstitial that's still up. Returns
+// the vendor name (for the status message) or null. Pattern matching
+// on visible text rather than markers — most vendors use the same UX
+// template, and matching the user-visible copy is robust to the actual
+// implementation underneath. Exported for unit testing.
+export function detectAntiBotBlock(html) {
+    const text = html.toLowerCase();
+    // Cloudflare "Just a moment..." / Turnstile pre-clear page. Strong
+    // signal: the literal text + the cf-* class names + the title.
+    if (/just a moment|cf-(challenge|browser-verification|turnstile)|performing security verification/i.test(text)) {
+        return "Cloudflare";
+    }
+    if (/sucuri|sucuri website firewall/i.test(text))
+        return "Sucuri";
+    if (/datadome|dd-captcha/i.test(text))
+        return "DataDome";
+    if (/incapsula|imperva/i.test(text))
+        return "Imperva";
+    return null;
+}
 // True when the page has no fillable text input AND no button that
 // reads as an email-signup option — a genuinely OAuth/SSO-only
 // service with no form to automate (F3 Issue 4).
@@ -378,7 +454,18 @@ export function parsePostVerifyStep(raw, allowedSelectors) {
         case "select": {
             const selector = requireString(obj, "selector", "post-verify select step");
             checkSelector(selector, "post-verify select step");
-            return { kind: "select", selector, reason };
+            // F11: `option_text` is optional — when present, the executor
+            // picks the option whose visible text contains it (case-
+            // insensitive substring). When absent, picks the first option.
+            const optionText = obj["option_text"];
+            return {
+                kind: "select",
+                selector,
+                reason,
+                ...(typeof optionText === "string" && optionText.length > 0
+                    ? { option_text: optionText }
+                    : {}),
+            };
         }
         case "check": {
             const selector = requireString(obj, "selector", "post-verify check step");
@@ -453,6 +540,25 @@ const EMBEDDED_KEY_PREFIXES = [
 //
 // Exported for unit testing — the regex tuning here is the load-
 // bearing logic and deserves direct coverage.
+// True when `capturedKey` is followed by a truncation marker (`...`
+// or the Unicode ellipsis `…`) in `sourceText`. That marker is the
+// signal that the visible display masked the full secret — the
+// regex captured everything up to but not including the marker, so
+// the value LOOKS valid but is short. Used by F10's
+// extract-via-Copy-button recovery path; without this check, the
+// bot accepts the truncated value, stores it, and the user discovers
+// the failure only when their next API call returns 401.
+export function isTruncatedCapture(sourceText, capturedKey) {
+    const idx = sourceText.indexOf(capturedKey);
+    if (idx < 0)
+        return false;
+    const after = sourceText.slice(idx + capturedKey.length, idx + capturedKey.length + 10);
+    // Whitespace OK between key and ellipsis (some modals render as
+    // "sk-or-v1-xxxx ..."). Three OR MORE dots; two dots are ordinary
+    // punctuation and would false-positive on e.g. "key value.." in
+    // help text.
+    return /^\s*(?:\.{3,}|…)/.test(after);
+}
 export function extractApiKeyFromText(text) {
     const prefixed = [
         /\bre_[a-zA-Z0-9_]{20,}\b/, // Resend (key body contains underscores)
@@ -468,6 +574,15 @@ export function extractApiKeyFromText(text) {
         /\bSG\.[a-zA-Z0-9_\-]{20,}\.[a-zA-Z0-9_\-]{20,}\b/, // SendGrid
         /\brnd_[a-zA-Z0-9]{20,}\b/, // Render
         /\bsntry[su]_[A-Za-z0-9_=\-]{20,}/, // Sentry org/user auth token
+        // OpenRouter, Anthropic, OpenAI — these are the dominant
+        // OAuth-completed-then-copy-needed services. Specific-prefix
+        // patterns first so a labeled-pattern fallback isn't load-
+        // bearing for them. Putting `sk-or-v1-` before `sk-` so it wins
+        // when both could match (cosmetic; both capture the same value).
+        /\bsk-or-v1-[a-zA-Z0-9_-]{20,}/, // OpenRouter (sk-or-v1-…)
+        /\bsk-ant-[a-zA-Z0-9_-]{20,}/, // Anthropic (sk-ant-…)
+        /\bsk-proj-[a-zA-Z0-9_-]{20,}/, // OpenAI project key
+        /\bsk-[a-zA-Z0-9]{40,}/, // OpenAI legacy (`sk-` + ~48 chars, no dashes)
     ];
     for (const pattern of prefixed) {
         const match = text.match(pattern);
@@ -700,6 +815,21 @@ export class SignupAgent {
                 steps.push("OAuth-first: no usable provider affordance on the page — " +
                     "falling back to form-fill");
             }
+            // Anti-bot interstitial that didn't clear (Cloudflare/Sucuri/
+            // DataDome "Just a moment..." pages that BrowserController has
+            // already attempted to wait + reload through). Detect by page
+            // text — the inventory will be tiny because the interstitial
+            // intentionally has 0 interactive elements. Surface as its own
+            // status, not as oauth_required: the latter implies "service is
+            // OAuth-only", which is wrong for Cloudflare et al.
+            if (inventory.length < 5) {
+                const block = detectAntiBotBlock(state.html);
+                if (block !== null) {
+                    steps.push(`Anti-bot block: ${block} interstitial would not clear after retries — ` +
+                        `the bot's fingerprint/IP did not pass ${block}'s server-side risk score`);
+                    return { kind: "anti_bot_blocked", vendor: block };
+                }
+            }
             // OAuth-only: no fillable input AND no button that reads as an
             // email-signup option — nothing to automate (Issue 4).
             if (isOauthOnlyChooser(inventory)) {
@@ -851,6 +981,30 @@ export class SignupAgent {
         const { inventory, buttonsDropped } = rankAndCapInventory(raw, buttonCap, oauthProviders);
         steps.push(`Inventory: ${inventory.length} element(s)` +
             (buttonsDropped > 0 ? ` (${buttonsDropped} low-ranked button(s) dropped)` : ""));
+        // Diagnostic: a suspiciously tiny inventory usually means the page
+        // either didn't finish rendering OR an anti-bot interstitial (CF
+        // Turnstile, "Just a moment...", reCAPTCHA wall) is up. Surface the
+        // page state into the step trail so the failure is debuggable from
+        // outside the bot host.
+        if (inventory.length < 5 && raw.length < 5) {
+            try {
+                const state = await this.browser.getState();
+                const text = state.html
+                    .replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "")
+                    .replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "")
+                    .replace(/<[^>]+>/g, " ")
+                    .replace(/\s+/g, " ")
+                    .trim()
+                    .slice(0, 240);
+                const antiBot = /just a moment|verify you are human|attention required|cloudflare|cf-challenge|cf-turnstile|recaptcha|are you a robot/i.test(state.html);
+                steps.push(`Inventory diagnostic: title=${JSON.stringify(state.title.slice(0, 80))} ` +
+                    `url=${state.url.slice(0, 120)} text=${JSON.stringify(text)}` +
+                    (antiBot ? " ⚠ anti-bot interstitial detected" : ""));
+            }
+            catch {
+                // best-effort diagnostic; never abort on its failure
+            }
+        }
         return inventory;
     }
     // Which OAuth providers may this signup take? An explicit
@@ -1037,7 +1191,11 @@ export class SignupAgent {
     // call hung. Override the 10-minute default with
     // UNIVERSAL_BOT_RUN_TIMEOUT_MS.
     async signup(task) {
-        const steps = [];
+        // task.stepsSink lets a caller (provision-any) share the live step
+        // trail so check_provision_status can surface mid-run prompts
+        // (Google number-match etc.). Without it, the run still works —
+        // steps are just only visible in the final result.
+        const steps = task.stepsSink ?? [];
         const rawTimeout = Number(process.env.UNIVERSAL_BOT_RUN_TIMEOUT_MS);
         const timeoutMs = Number.isFinite(rawTimeout) && rawTimeout > 0 ? rawTimeout : 600_000;
         let timer;
@@ -1070,9 +1228,30 @@ export class SignupAgent {
         const password = task.generatePassword();
         const displayName = "Trusty Squire Bot";
         const username = `tsbot${Date.now().toString().slice(-7)}`;
+        // F13 diagnostic: which Chrome launch mode start() chose, and
+        // whether egress went through the configured proxy. Lets us tell
+        // from outside the box whether the bot actually got an X display
+        // surface AND whether the residential-proxy path engaged.
+        steps.push(`Browser: launched mode=${this.browser.launchMode} ` +
+            `proxy=${this.browser.proxied ?? "direct"} ` +
+            `channel=${this.browser.channel ?? "bundled-chromium"}`);
         try {
             // Step 1: Navigate to signup page
-            const signupUrl = task.signupUrl ?? `https://www.google.com/search?q=${encodeURIComponent(`${task.service} signup`)}`;
+            //
+            // When no signup_url is provided, GUESS the canonical
+            // `https://<service>.com/signup` first — most dev-SaaS targets
+            // (Resend, Postmark, Mailgun, IPInfo, MailerSend, ...) live
+            // there. Falls back to a Google search + findSignupLink only if
+            // the guess doesn't look like a usable signup page after load
+            // (404, marketing page with no inputs/OAuth, etc.). The old
+            // default ALWAYS started on Google search, which on top of
+            // being slower had its own failure mode: the search-result
+            // extractor often returned a docs URL or marketing root rather
+            // than the signup page, and the bot would bail with
+            // oauth_required when it landed on a page that didn't show the
+            // OAuth buttons until you clicked "Sign up" first.
+            const guessed = task.signupUrl ?? guessSignupUrl(task.service);
+            let signupUrl = guessed;
             // Prewarm the target origin before hitting the (often-strict) signup
             // page. Two things this buys us:
             //   1. First-party cookies on the root domain. Cloudflare's
@@ -1085,26 +1264,30 @@ export class SignupAgent {
             //      Turnstile that scores the whole session, not just the
             //      submit moment.
             //
-            // Mode selection: the heavy "referrer-chain" prewarm is what
-            // actually moves the v3 score (~30-45s of wall clock; google
-            // search → click → scroll → navigate). The light "fast" mode
-            // is dwell-only (~2s). We use the cache to decide: cold cache
-            // means do the heavy one and cache the result; warm cache means
-            // we've recently established cookies for this domain and the
-            // light version is enough.
-            //
-            // Skip entirely when the URL is a Google-search fallback (no
-            // real origin to warm) or when prewarm itself fails (don't fail
-            // the run just because the marketing site is down).
-            if (task.signupUrl !== undefined) {
+            // The prewarm runs against the guessed (or explicit) origin —
+            // skipped only when the URL is a Google-search URL itself.
+            if (!isGoogleSearchUrl(signupUrl)) {
                 await this.runPrewarm(signupUrl, steps);
             }
             steps.push(`Navigating to ${signupUrl}`);
             await this.browser.goto(signupUrl);
             await this.browser.wait(2);
-            if (task.signupUrl === undefined) {
+            // When we *guessed* (no signup_url provided) and the page after
+            // load doesn't look like a signup page — no inputs, no OAuth
+            // affordance, or an obvious 404/error title — fall back to the
+            // search-and-find-link path. This is the safety net that lets
+            // the bot recover from a wrong canonical guess (e.g. a service
+            // that uses /register or a non-`.com` TLD).
+            if (task.signupUrl === undefined && !(await this.looksLikeSignupPage())) {
+                steps.push(`${guessed} didn't look like a signup page — searching for the real one`);
+                const fallbackSearch = `https://www.google.com/search?q=${encodeURIComponent(`${task.service} signup`)}`;
+                await this.browser.goto(fallbackSearch);
+                await this.browser.wait(2);
+                signupUrl = fallbackSearch;
+            }
+            if (signupUrl !== guessed || isGoogleSearchUrl(signupUrl)) {
                 steps.push("Searching for signup page...");
-                const found = await this.findSignupLink();
+                const found = await this.findSignupLink(task.service);
                 if (found !== null) {
                     // Now that we know the real signup origin, prewarm it before
                     // the deep navigation. Same rationale as above.
@@ -1157,6 +1340,16 @@ export class SignupAgent {
                         steps,
                         ...this.resultTail(),
                     };
+                case "anti_bot_blocked":
+                    return {
+                        success: false,
+                        error: `anti_bot_blocked: ${task.service}'s ${outcome.vendor} anti-bot interstitial would ` +
+                            `not clear — the bot's IP/fingerprint did not pass ${outcome.vendor}'s server-side ` +
+                            `risk score. This is a soft block (no challenge to solve); the user should sign up ` +
+                            `manually.`,
+                        steps,
+                        ...this.resultTail(),
+                    };
                 case "oauth":
                     // T6/T7 — OAuth-first path. runOAuthFlow drives the consent
                     // handshake and post-OAuth onboarding to its own terminal
@@ -1225,6 +1418,7 @@ export class SignupAgent {
                                         credentials: { email: task.email, password },
                                         maxRounds,
                                         steps,
+                                        ...(task.scopeHint !== undefined ? { scopeHint: task.scopeHint } : {}),
                                     });
                                 }
                             }
@@ -1300,6 +1494,12 @@ export class SignupAgent {
         // Bounded consent walk — handles account-chooser → consent as two
         // steps without ever spinning. Each iteration re-reads the page.
         const MAX_OAUTH_NAV = 6;
+        // True once a clean scope-grant consent has already been
+        // auto-approved on this flow. Subsequent unreadable-scope consent
+        // pages (post-grant confirmation, account chooser routed through
+        // /consent, etc.) get the soft-advance path instead of an abort —
+        // because the scope-grant decision was already made and validated.
+        let consentAlreadyApproved = false;
         for (let i = 0; i < MAX_OAUTH_NAV; i++) {
             if (this.browser.oauthPageClosed()) {
                 steps.push(`OAuth: the ${provider.label} window closed — handshake returned to the service`);
@@ -1316,10 +1516,31 @@ export class SignupAgent {
                 continue;
             }
             const authState = provider.classifyAuthState(url, body);
-            steps.push(`OAuth: ${provider.label} auth state = ${authState}`);
+            steps.push(`OAuth: ${provider.label} auth state = ${authState} (url=${url.slice(0, 120)})`);
             if (authState === "not_provider")
                 break; // flow left the provider — back on the service
             if (authState === "challenge") {
+                // Google's number-match challenge ("Tap N on your phone") is
+                // resolvable by the user without re-running the login flow —
+                // surface the number and wait for them to complete it.
+                if (provider.id === "google") {
+                    const matchNum = extractGoogleNumberMatch(body);
+                    if (matchNum !== null) {
+                        steps.push(`Google: match the number ${matchNum} on your phone — ` +
+                            `open the Google app on your phone and tap ${matchNum}`);
+                        const cleared = await this.waitForGoogleChallenge(provider, steps);
+                        if (!cleared) {
+                            return this.oauthAbort("needs_login", `Google number-match challenge timed out after 2 minutes. ` +
+                                `Re-run \`${loginCmd}\`, complete the challenge in the window, then retry.`, steps);
+                        }
+                        steps.push("Google: challenge cleared — continuing OAuth");
+                        // Re-classify on the next iteration without burning the
+                        // OAuth-navigation budget (which assumes continuous
+                        // browser progress, not a 2-minute human pause).
+                        i--;
+                        continue;
+                    }
+                }
                 return this.oauthAbort("needs_login", `${provider.label} interrupted the sign-in with a security challenge ("verify it's you"). ` +
                     `Re-run \`${loginCmd}\`, clear the challenge in the window, then retry.`, steps);
             }
@@ -1338,15 +1559,58 @@ export class SignupAgent {
             }
             // Genuine consent screen / account chooser — scope-gate it (T7).
             const scopes = extractOAuthScopes(url);
+            // Always surface the parsed scopes so the user / debug logs see
+            // exactly what tripped the gate (or what was allowed through).
+            steps.push(`OAuth: parsed consent scopes = [${scopes === null ? "<unreadable>" : scopes.join(", ")}]`);
             if (scopes === null) {
+                // Defense-in-depth: scrape the page DOM for known scope-grant
+                // verb phrases ("See your", "Manage your contacts", "Send email
+                // on your behalf", etc.). A real scope-grant consent always
+                // lists each scope visually with one of these patterns. An
+                // intermediate page (account chooser, post-grant confirmation,
+                // safety review) does not.
+                const dangerPhrases = provider.id === "google" ? scrapeGoogleScopePhrases(body) : [];
+                if (dangerPhrases.length > 0) {
+                    return this.oauthAbort("oauth_consent_needs_review", `${provider.label} consent page (URL unparseable) lists scope-grant phrases: ` +
+                        `[${dangerPhrases.join(" | ")}]. Pausing for manual review.`, steps);
+                }
+                if (consentAlreadyApproved) {
+                    // We already validated and auto-approved a scope-grant
+                    // consent earlier in this flow. This second consent-classed
+                    // page has no parseable scopes AND no visible scope-grant
+                    // verb phrases — it's a post-grant confirmation / safety
+                    // review / account chooser routed through /consent. Soft
+                    // advance: try the approve control, and if it isn't there
+                    // the loop will re-classify on the next iteration.
+                    steps.push("OAuth: post-grant consent page (no parseable scopes, no scope phrases) — advancing");
+                    const advanced = await this.browser.advanceOAuthConsent(provider.id);
+                    if (!advanced) {
+                        steps.push("OAuth: no approve control on the post-grant page — waiting for natural navigation");
+                    }
+                    await this.browser.wait(3);
+                    continue;
+                }
                 return this.oauthAbort("oauth_consent_needs_review", `reached a ${provider.label} consent screen but could not read its requested scopes ` +
                     `from the URL — pausing for manual review rather than approving blind.`, steps);
             }
-            if (!provider.scopesAreBasic(scopes)) {
-                return this.oauthAbort("oauth_consent_needs_review", `the consent screen requests scopes beyond basic identity (${scopes.join(", ")}). ` +
-                    `Approve it manually — the bot only auto-approves basic-identity scopes.`, steps);
+            const extraAllowed = new Set(task.allowExtraOAuthScopes ?? []);
+            const nonBasic = scopes.filter((s) => !provider.scopesAreBasic([s]));
+            const unauthorized = nonBasic.filter((s) => !extraAllowed.has(s));
+            if (unauthorized.length > 0) {
+                // Encode requested scopes into the error so the MCP tool layer
+                // can extract them and show the user what to approve.
+                return this.oauthAbort("oauth_consent_needs_review", `${provider.label} consent requests non-basic scopes: [${unauthorized.join(", ")}]. ` +
+                    `All requested scopes: [${scopes.join(", ")}]. ` +
+                    `To proceed, re-run provision_any_service with allow_extra_oauth_scopes set to ` +
+                    `the scopes the user has explicitly approved.`, steps);
+            }
+            if (nonBasic.length > 0) {
+                steps.push(`OAuth: user pre-approved extra scopes [${nonBasic.join(", ")}] — auto-approving`);
+            }
+            else {
+                steps.push(`OAuth: consent scopes all basic (${scopes.join(", ")}) — auto-approving`);
             }
-            steps.push(`OAuth: consent scopes all basic (${scopes.join(", ")}) — auto-approving`);
+            consentAlreadyApproved = true;
             const advanced = await this.browser.advanceOAuthConsent(provider.id);
             if (!advanced) {
                 return this.oauthAbort("oauth_consent_needs_review", `reached a ${provider.label} consent screen but found no approve control to click — ` +
@@ -1366,6 +1630,7 @@ export class SignupAgent {
                 service: task.service,
                 maxRounds: task.postVerifyMaxRounds ?? 12,
                 steps,
+                ...(task.scopeHint !== undefined ? { scopeHint: task.scopeHint } : {}),
             });
         }
         if (credentials.api_key !== undefined) {
@@ -1408,6 +1673,32 @@ export class SignupAgent {
             ...this.resultTail(),
         };
     }
+    // Poll the provider page until the challenge clears (the user
+    // completed it on their phone) or 2 minutes elapse. Returns true on
+    // resolution, false on timeout. The 2-minute cap is enough time to
+    // unlock a phone, open the Google app, and tap a number; longer
+    // would mask a stuck/abandoned flow.
+    async waitForGoogleChallenge(provider, steps) {
+        const deadline = Date.now() + 120_000;
+        while (Date.now() < deadline) {
+            await this.browser.wait(3);
+            if (this.browser.oauthPageClosed())
+                return true;
+            const url = this.browser.currentUrl();
+            let body;
+            try {
+                body = (await this.browser.extractText()).slice(0, 4000);
+            }
+            catch {
+                continue;
+            }
+            const state = provider.classifyAuthState(url, body);
+            if (state !== "challenge")
+                return true;
+        }
+        steps.push("Google: challenge wait timed out after 2 minutes");
+        return false;
+    }
     // Backstop for the critical guarantee (D4): true when the active
     // provider page carries a credential-entry field — an expired/missing
     // session dropped the bot on a login form. A genuine consent screen
@@ -1581,6 +1872,7 @@ ${formatInventory(input.inventory)}`,
                     oauth,
                     inventory,
                     ...(hint !== undefined ? { hint } : {}),
+                    ...(args.scopeHint !== undefined ? { scopeHint: args.scopeHint } : {}),
                 });
             }
             catch (err) {
@@ -1642,7 +1934,7 @@ ${formatInventory(input.inventory)}`,
                     await this.browser.type(nextStep.selector, nextStep.value);
                 }
                 else if (nextStep.kind === "select") {
-                    await this.browser.selectOption(nextStep.selector);
+                    await this.browser.selectOption(nextStep.selector, nextStep.option_text);
                     await this.browser.wait(1);
                 }
                 else if (nextStep.kind === "check") {
@@ -1748,7 +2040,7 @@ Schema:
   {"kind":"login","reason":"the page is a login form / we were signed out"}
   {"kind":"click","selector":"<a selector= copied verbatim from the inventory>","reason":"e.g. open the API keys page"}
   {"kind":"fill","selector":"<a selector= from the inventory>","value":"value","reason":"unusual — only for a required project-name etc."}
-  {"kind":"select","selector":"<a selector= from the inventory, tag=select>","reason":"pick an option for a dropdown — region, role, country"}
+  {"kind":"select","selector":"<a selector= from the inventory>","option_text":"<visible label of the option to pick — optional>","reason":"pick an option for a dropdown — region, role, country, or a permission/scope on a token form"}
   {"kind":"check","selector":"<a selector= from the inventory, type=checkbox>","reason":"tick a terms-of-service / agreement checkbox"}
   {"kind":"navigate","url":"https://...","reason":"e.g. go directly to /settings/api-keys"}
   {"kind":"wait","seconds":N,"reason":"page is still loading"}
@@ -1775,11 +2067,16 @@ Strategy:
 ${loginGuidance}
 - If we're on a "verify your phone" / "verify email" wall, return done (we can't solve those).
 - If the page wants the user to create a project/key before showing it, fill the minimum and click create.
-- For a required dropdown (an inventory entry with tag=select — region, role, country), use {"kind":"select"} — a "click" cannot pick a <select> option, so do not click it repeatedly.
+- For ANY dropdown — native (tag=select) OR a custom combobox (role=combobox / aria-haspopup=listbox, common on modern React apps like Sentry / Stripe / Vercel) — use {"kind":"select"}. "click" on a combobox trigger opens it but does not pick an option; do not click it repeatedly.
+- When you need a SPECIFIC option from the dropdown — e.g. "Project: Read" on Sentry's permissions picker, or a specific region — include "option_text" with the visible label. The executor matches it case-insensitively as a substring. Omit "option_text" when any option is fine (a placeholder country picker).
 - A post-OAuth onboarding form (organization name, region, terms) is normal — fill/select/check its fields and click Continue to advance toward the dashboard; do not return "done" just because it is a form.
 - If a "Create"/"Continue" button is disabled, look for a required terms-of-service / agreement checkbox and tick it with {"kind":"check"} — use the checkbox's own inventory selector (an entry with type=checkbox), NOT the adjacent "Terms of Service" link. A "click" on a styled checkbox often fails to flip it; use "check".
 - Prefer the simplest credential path: a project- or organization-level API token / auth token usually needs only a name. A "personal token" with a grid of per-scope permission dropdowns is more work — choose it only if no simpler token type is offered.
-- On a token-creation form whose permission/scope dropdowns default to "No Access" / "None", you MUST use a select step to set a non-default permission on at least one dropdown BEFORE clicking the create button — creating with all-default permissions does nothing. Do not click the create button repeatedly; set a permission first.
+- On a token-creation form whose permission/scope dropdowns default to "No Access" / "None", you MUST set permissions BEFORE clicking the create button.
+- **PERMISSION SCOPE — default is MAXIMUM.** ${input.scopeHint !== undefined
+            ? `The user provided a scope hint: "${input.scopeHint}". Pick option_text values aligned with this on each permission dropdown.`
+            : `No scope hint was provided. Default to the HIGHEST available permission level on EVERY permission dropdown (Admin > Write > Read > anything lower). Most agent use-cases need write access; a read-only token will fail downstream when the agent tries to push data. Set "Admin" if offered; "Write" otherwise. Explicitly use option_text to specify — do NOT rely on first-option behavior, which often picks Read.`}
+- On a form with MULTIPLE permission rows (Sentry: Project, Team, Member, Issue, Event, Release, Organization), set EACH ONE before clicking Create. One step per turn — return to this turn-by-turn until every row is set.
 - Round ${input.round + 1} of ${input.maxRounds}. Prefer "done" if you're not making progress.`;
         const userBlocks = [
             { kind: "image", media_type: "image/png", data_base64: input.state.screenshot },
@@ -1824,22 +2121,137 @@ ${formatInventory(input.inventory)}${input.hint !== undefined ? `\n\nIMPORTANT
             },
         });
     }
-    async findSignupLink() {
+    // Pick a signup link out of the current page's HTML. Used as the
+    // fallback after a Google-search navigation.
+    //
+    // The naive version (regex /href="[^"]*signup[^"]*"/) failed badly
+    // on Google search results: it matched URLs like
+    // accounts.google.com/SignOutOptions?continue=...search?q=Sentry%20signup
+    // — Google's own nav, whose ?continue= query param leaks the
+    // original search query (with "signup" in it) and gets matched.
+    // The bot then navigated to a Google sign-out page and gave up.
+    //
+    // This version:
+    //   - parses each href as a real URL
+    //   - rejects google.com / accounts.google.com / support.google.com
+    //     and other Google nav infra (we're ON a google search page, so
+    //     any google.com href is search-nav, not the service)
+    //   - matches against host+path only — never query params
+    //   - scores candidates: hosts that contain the service name win
+    //     over generic matches. Means "sentry.io/signup" beats
+    //     "github.com/sentry/sentry/blob/...signup..." (the github
+    //     source-code result that mentions signup in a path).
+    //   - returns the highest-scoring candidate, or null.
+    async findSignupLink(serviceName) {
         const html = (await this.browser.getState()).html;
-        const re = /href="([^"]*(?:signup|register|sign-up|create-account|join)[^"]*)"/gi;
+        const serviceSlug = serviceName?.toLowerCase().replace(/[^a-z0-9]/g, "") ?? "";
+        const candidates = [];
+        const hrefRe = /href="([^"]+)"/g;
         let m;
-        while ((m = re.exec(html)) !== null) {
-            const href = m[1];
-            if (href === undefined)
+        while ((m = hrefRe.exec(html)) !== null) {
+            const raw = m[1];
+            if (raw === undefined)
+                continue;
+            let url;
+            try {
+                url = new URL(raw.startsWith("//") ? `https:${raw}` : raw);
+            }
+            catch {
+                continue;
+            }
+            if (url.protocol !== "https:" && url.protocol !== "http:")
                 continue;
-            if (href.includes("signin") || href.includes("login"))
+            // Reject Google's own navigation infrastructure — that's what
+            // tripped the naive regex on the Sentry run.
+            if (/(?:^|\.)google\.com$/.test(url.hostname))
                 continue;
-            if (href.startsWith("http"))
-                return href;
-            if (href.startsWith("//"))
-                return `https:${href}`;
+            if (/(?:^|\.)googleusercontent\.com$/.test(url.hostname))
+                continue;
+            if (/(?:^|\.)gstatic\.com$/.test(url.hostname))
+                continue;
+            // Match against host+path ONLY. Query params can carry the
+            // original search query text and would re-introduce the
+            // junk-link bug.
+            const hostPath = (url.hostname + url.pathname).toLowerCase();
+            if (!/(?:^|\.|\/)(?:signup|register|sign-up|create-account|join)\b/.test(hostPath)) {
+                continue;
+            }
+            // Negative: signin/login/logout in host+path.
+            if (/(?:^|\/)(?:signin|login|logout|sign-in|log-in)\b/.test(hostPath))
+                continue;
+            // Score: a host containing the service slug is a strong match.
+            // Without a slug to compare against, every match scores 1.
+            const hostLower = url.hostname.toLowerCase();
+            const score = serviceSlug.length > 0 && hostLower.includes(serviceSlug) ? 10 : 1;
+            candidates.push({ url: url.toString(), score });
         }
-        return null;
+        candidates.sort((a, b) => b.score - a.score);
+        return candidates[0]?.url ?? null;
+    }
+    // Heuristic: does the currently-loaded page LOOK like a real signup
+    // page? Used to decide whether the guessed canonical URL
+    // (<service>.com/signup) worked or we need to fall back to a Google
+    // search.
+    //
+    // Three signals, in order:
+    //   1. URL-path shortcut: if the page's pathname matches
+    //      /signup|register|sign-up|create-account|join/, trust it —
+    //      we navigated to a signup-shaped URL and the redirect chain
+    //      kept us on one. Catches Sentry-style cross-TLD redirects
+    //      (sentry.com → sentry.io/signup) where the inventory looks
+    //      different from a typical signup page but the URL is correct.
+    //   2. 404 guard: drop pages whose title shouts 404 / not found.
+    //   3. Content check: inventory has at least one text/email input
+    //      OR a button whose text mentions Google/GitHub (broad on
+    //      purpose — a "Continue with Google" / "Login with Google" /
+    //      icon-only Google button all count when the bot has a
+    //      provider session).
+    async looksLikeSignupPage() {
+        const state = await this.browser.getState();
+        // 1. URL-path shortcut. If we navigated to a signup-shaped path
+        //    and the browser kept us on one, that's a strong signal —
+        //    redirect chains often preserve the path across TLD changes.
+        try {
+            const path = new URL(state.url).pathname.toLowerCase();
+            if (/(?:^|\/)(?:signup|register|sign-up|create-account|join)\b/.test(path)) {
+                return true;
+            }
+        }
+        catch {
+            // Malformed state.url — skip the shortcut, fall through.
+        }
+        // 2. 404 guard.
+        const titleLower = (state.title ?? "").toLowerCase();
+        if (titleLower.includes("404") ||
+            titleLower.includes("not found") ||
+            titleLower.includes("page not found")) {
+            return false;
+        }
+        // 3. Inventory check.
+        let inventory;
+        try {
+            inventory = await this.browser.extractInteractiveElements();
+        }
+        catch {
+            return true;
+        }
+        const hasInput = inventory.some((e) => e.tag === "input" &&
+            (e.type === "email" || e.type === "text" || e.type === null || e.type === undefined));
+        if (hasInput)
+            return true;
+        // Broad OAuth-button detection: any element whose visible text or
+        // aria-label mentions "google" or "github" as a word. Covers
+        // "Continue with Google", "Login with Google", "Use Google",
+        // "Sign in with GitHub", and icon-only buttons with
+        // aria-label="Google" — all common on OAuth-only signup pages.
+        // False positives (e.g. a "Google Tag Manager" footer link)
+        // are unlikely on a real signup view and harmless: the worst
+        // case is we trust this page and the downstream planner gives
+        // up cleanly later.
+        return inventory.some((e) => {
+            const text = `${e.visibleText ?? ""} ${e.ariaLabel ?? ""}`.toLowerCase();
+            return /\b(?:google|github)\b/.test(text);
+        });
     }
     async extractCredentials() {
         // IMPORTANT: pull credentials from the *visible* page, not the raw
@@ -1847,27 +2259,132 @@ ${formatInventory(input.inventory)}${input.hint !== undefined ? `\n\nIMPORTANT
         // Turnstile, hCaptcha) whose challenge tokens look like API keys to
         // a naive regex.
         //
-        // Two visible surfaces, in priority order:
-        //   1. Discrete credential candidates — copy-input values and each
-        //      element's own direct text. A key is read whole here, un-glued
-        //      from adjacent buttons; captcha tokens (hidden inputs) are
-        //      excluded by the browser.
-        //   2. The whole visible body text — fallback for a key shown as
-        //      plain prose, accepting that body concatenation can glue
-        //      neighbours (the extractApiKeyFromText guards catch the worst).
+        // Three-pass extraction, in priority order:
+        //   1. Visible candidates — input values + each element's direct
+        //      text. A key read whole, un-glued from adjacent buttons.
+        //   2. F10: when pass 1 hits a TRUNCATED display (modal shows
+        //      "sk-or-v1-1687…" with the full secret only on the
+        //      clipboard via the Copy button), click the Copy button and
+        //      re-extract from `navigator.clipboard.readText()`. This is
+        //      the OpenRouter / Anthropic / OpenAI / Stripe modal
+        //      pattern — pass 1 would otherwise persist a truncated stub.
+        //   3. F10 fallback: walk hidden inputs. Some modals stash the
+        //      full secret in a `display:none` <input> the masked display
+        //      reads from.
         const credentials = {};
         let apiKey = null;
+        let truncatedHit = null;
         for (const candidate of await this.browser.extractCredentialCandidates()) {
-            apiKey = extractApiKeyFromText(candidate);
-            if (apiKey !== null)
-                break;
+            const hit = extractApiKeyFromText(candidate);
+            if (hit === null)
+                continue;
+            if (isTruncatedCapture(candidate, hit)) {
+                // Remember the truncated value but keep scanning — a later
+                // candidate may produce a full one (e.g. a hidden input on
+                // the same page).
+                truncatedHit = truncatedHit ?? hit;
+                continue;
+            }
+            apiKey = hit;
+            break;
         }
         if (apiKey === null) {
-            apiKey = extractApiKeyFromText(await this.browser.extractText());
+            const bodyText = await this.browser.extractText();
+            const hit = extractApiKeyFromText(bodyText);
+            if (hit !== null) {
+                if (isTruncatedCapture(bodyText, hit)) {
+                    truncatedHit = truncatedHit ?? hit;
+                }
+                else {
+                    apiKey = hit;
+                }
+            }
+        }
+        // Pass 2 — Copy-button + clipboard recovery.
+        if (apiKey === null && truncatedHit !== null) {
+            apiKey = await this.tryCopyButtonExtraction();
+        }
+        // Pass 3 — hidden-input scan. Cheap to always try as a last
+        // resort, whether or not we saw a truncated hit; a service that
+        // stashes the key in a hidden input may not display it at all.
+        if (apiKey === null) {
+            try {
+                for (const value of await this.browser.extractAllInputValues()) {
+                    const hit = extractApiKeyFromText(value);
+                    if (hit !== null && !isTruncatedCapture(value, hit)) {
+                        apiKey = hit;
+                        break;
+                    }
+                }
+            }
+            catch {
+                // Hidden-input scan failures are non-fatal; we just stay
+                // with whatever we had (or null).
+            }
+        }
+        // Last resort: if every path returned a truncated value, persist
+        // it with a `_truncated` suffix so the host agent can surface the
+        // partial result to the user (better than reporting "no key
+        // found" when the bot demonstrably reached the modal).
+        if (apiKey === null && truncatedHit !== null) {
+            credentials.api_key_truncated = truncatedHit;
+            return credentials;
         }
         if (apiKey !== null)
             credentials.api_key = apiKey;
         return credentials;
     }
+    // F10: click the page's Copy button (whose label typically reads
+    // "Copy", "Copy key", "Copy secret") and extract the secret from
+    // `navigator.clipboard.readText()`. Returns null on any failure —
+    // the caller has its own fallback paths.
+    async tryCopyButtonExtraction() {
+        let copyBtnSelector = null;
+        try {
+            const inventory = await this.browser.extractInteractiveElements();
+            const copyBtn = inventory.find((e) => {
+                const text = `${e.visibleText ?? ""} ${e.ariaLabel ?? ""}`.trim();
+                // "Copy" alone, "Copy key", "Copy API key", "Copy secret",
+                // "Copy token". Anchored so a "Don't copy this" tooltip
+                // doesn't match. Case-insensitive.
+                return /^\s*copy(?:\b|\s|$)|copy\s+(?:api\s*key|secret|token|key)\b/i.test(text);
+            });
+            if (copyBtn === undefined)
+                return null;
+            copyBtnSelector = copyBtn.selector;
+        }
+        catch {
+            return null;
+        }
+        try {
+            await this.browser.click(copyBtnSelector);
+            // Brief wait — the Copy button's onclick is usually a sync
+            // navigator.clipboard.writeText, but some modals run an async
+            // serialize step (e.g. format-the-key into "Bearer <key>"
+            // first). 1s covers both with no real cost.
+            await this.browser.wait(1);
+        }
+        catch {
+            return null;
+        }
+        let clipboardText;
+        try {
+            clipboardText = await this.browser.readClipboard();
+        }
+        catch {
+            return null;
+        }
+        if (clipboardText.trim().length === 0)
+            return null;
+        const fromClipboard = extractApiKeyFromText(clipboardText);
+        if (fromClipboard === null)
+            return null;
+        // Sanity: don't accept a clipboard hit that is ITSELF truncated
+        // (some Copy buttons copy the masked display rather than the
+        // real value — defensive against that surprising case).
+        if (isTruncatedCapture(clipboardText, fromClipboard))
+            return null;
+        return fromClipboard;
+    }
 }
 //# sourceMappingURL=agent.js.map