@trusty-squire/mcp 0.8.15 → 0.8.17

package/dist/bot/browser.js

@@ -31,10 +31,11 @@ import { startXvfb, xvfbAvailable } from "./xvfb.js";
 // the CJS modules lazily (the stealth toolchain only ships CJS) and treat
 // stealth as best-effort — a missing dep should never crash the bot.
 const require = createRequire(import.meta.url);
-// Whether the operator asked for the CDP-hardened launcher
-// (rebrowser-playwright-core, which closes the Runtime.enable leak that
-// Turnstile / reCAPTCHA-v3 score on). Flag-gated so it can be A/B'd
-// against the baseline launcher — see docs/DESIGN-antibot-hardening.md.
+// Whether the operator asked for the CDP-hardened launcher (patchright,
+// which runs evaluations in an isolated world and removes the automation
+// tells — mainWorldExecution, navigator.webdriver — that Turnstile /
+// reCAPTCHA-v3 score on). Flag-gated so it can be A/B'd against the
+// stealth baseline — see docs/DESIGN-antibot-hardening.md.
 function cdpHardeningRequested() {
     const v = process.env.BOT_CDP_HARDENED;
     return v === "1" || v === "true" || v === "on";
@@ -43,7 +44,7 @@ let cachedChromium = null;
 // The stealth profile the cached launcher actually represents. Set the
 // first time getChromium() resolves a launcher and read back via
 // BrowserController.stealthProfile for the CaptchaEvent A/B tag. A
-// rebrowser load failure degrades it to "baseline" truthfully rather
+// patchright load failure degrades it to "baseline" truthfully rather
 // than over-claiming "cdp_hardened" on a run that never got the patch.
 let activeStealthProfile = "baseline";
 function activeStealthProfileValue() {
@@ -54,39 +55,31 @@ function getChromium() {
         return cachedChromium;
     const hardened = cdpHardeningRequested();
     try {
-        const { addExtra } = require("playwright-extra");
-        const stealth = require("puppeteer-extra-plugin-stealth");
-        let baseLauncher = baseChromium;
         if (hardened) {
-            // rebrowser-playwright-core defers/isolates the Runtime.enable CDP
-            // call. Fix mode = `addBinding`, NOT `alwaysIsolated`: the latter
-            // gives the cleanest leak closure on a static page but CRASHES the
-            // bot's real flow — a live harvest run died with
-            // "Target page, context or browser has been closed" at the OAuth
-            // scan, because forcing every page.evaluate into an isolated world
-            // breaks the prewarm/multi-page juggling. `addBinding` keeps
-            // main-world evaluate (the flow works) while still avoiding the
-            // leaky Runtime.enable call — it closes the sourceUrl/UtilityScript
-            // tell but leaves mainWorldExecution detectable. That partial
-            // closure is the price of a launcher that actually completes
-            // signups. See DESIGN-antibot-hardening.md D3 (revised). Set BEFORE
-            // the require so the patch reads it; honor an operator pin.
-            if (process.env.REBROWSER_PATCHES_RUNTIME_FIX_MODE === undefined) {
-                process.env.REBROWSER_PATCHES_RUNTIME_FIX_MODE = "addBinding";
-            }
-            const rebrowser = require("rebrowser-playwright-core");
-            baseLauncher = rebrowser.chromium;
+            // patchright — a maintained Playwright fork that runs every
+            // evaluation in an ISOLATED world (so the bot's DOM probing is
+            // invisible to a page that traps DOM methods → closes the
+            // `mainWorldExecution` tell) and handles `navigator.webdriver`
+            // natively + correctly. Verified ALL-GREEN against the maintained
+            // rebrowser bot-detector (mainWorldExecution, navigatorWebdriver,
+            // viewport, runtimeEnableLeak all clean). It drives real Chrome
+            // (channel) directly — the earlier rebrowser fork couldn't, which is
+            // why the old hardened arm was forced onto bundled chromium and then
+            // crashed the OAuth flow. NO playwright-extra/stealth wrap here: the
+            // stealth plugin's manual `navigator.webdriver` defineProperty
+            // RE-ADDS a detectable property (proven counterproductive) — patchright
+            // does it right. See docs/DESIGN-antibot-hardening.md.
+            const patchright = require("patchright");
+            cachedChromium = patchright.chromium;
             activeStealthProfile = "cdp_hardened";
+            return cachedChromium;
         }
-        else {
-            activeStealthProfile = "baseline";
-        }
-        // addExtra(baseChromium) is exactly what playwright-extra's default
-        // `chromium` export already is, so the baseline path is unchanged;
-        // the hardened path swaps in the rebrowser launcher underneath the
-        // same stealth wrap (Codex review: a bare import swap would NOT
-        // repoint the stealth-wrapped launcher — it must go through addExtra).
-        const extra = addExtra(baseLauncher);
+        // Baseline: playwright-extra + stealth (unchanged). addExtra(baseChromium)
+        // is exactly what playwright-extra's default `chromium` export already is.
+        const { addExtra } = require("playwright-extra");
+        const stealth = require("puppeteer-extra-plugin-stealth");
+        activeStealthProfile = "baseline";
+        const extra = addExtra(baseChromium);
         extra.use(stealth());
         cachedChromium = extra;
     }
@@ -100,6 +93,31 @@ function getChromium() {
     }
     return cachedChromium;
 }
+// Map a cookie jar to the OAuth providers that have a LIVE logged-in session.
+// The auth cookies that mean "signed in": GitHub → `user_session`; Google →
+// any of the *SID session cookies (NID / CONSENT / 1P_JAR are set even when
+// logged out, so they are deliberately NOT signals). Host-scoped so a
+// google.com cookie can't pass for github. Cookie NAMES + presence only;
+// values are checked for non-triviality, never logged. Exported for tests.
+export function sessionProvidersFromCookies(cookies) {
+    const SIGNATURES = [
+        { provider: "github", host: /(^|\.)github\.com$/i, names: ["user_session"] },
+        {
+            provider: "google",
+            host: /(^|\.)google\.com$/i,
+            names: ["SID", "__Secure-1PSID", "__Secure-3PSID"],
+        },
+    ];
+    const live = [];
+    for (const sig of SIGNATURES) {
+        const present = cookies.some((c) => sig.host.test(c.domain.replace(/^\./, "")) &&
+            sig.names.includes(c.name) &&
+            c.value.length > 10);
+        if (present)
+            live.push(sig.provider);
+    }
+    return live;
+}
 function isCaptchaVariant(v) {
     return (v === "turnstile" ||
         v === "recaptcha_v2" ||
@@ -194,6 +212,49 @@ async function detectChromiumChannel() {
     }
     return null;
 }
+// Classify an anti-bot interstitial page from its (title + body) text.
+// `onInterstitial` matches the static Cloudflare/Turnstile challenge copy.
+// `verificationPassed` is the signal the challenge SUCCEEDED — but
+// Cloudflare leaves the static "Just a moment / Performing security
+// verification" copy ON THE PAGE even after it appends "Verification
+// successful. Waiting for…", so `onInterstitial` alone wrongly reads as
+// "still blocked" and the bot bails as anti_bot_blocked — exactly what
+// stranded codesandbox/lambda-labs once patchright started PASSING the
+// challenge. When the challenge passed, the redirect is just racing/
+// stuck; the caller should be patient + reload, not give up. Exported
+// for unit tests.
+export function classifyInterstitialText(text) {
+    const onInterstitial = /just a moment|performing security verification|verifying you are human|checking your browser|attention required/i.test(text);
+    const verificationPassed = /verification successful|you are (now )?verified|success!|challenge[- ]?(passed|complete)/i.test(text);
+    return { onInterstitial, verificationPassed };
+}
+// After a Cloudflare managed challenge PASSES, the cf_clearance cookie is
+// set but the URL still carries Cloudflare's single-use challenge token
+// (`__cf_chl_rt_tk`, `__cf_chl_tk`, `__cf_chl_f_tk`, …). Cloudflare's own
+// client-side redirect to the cleared page can stall — especially over a
+// high-latency residential tunnel, where the meta-refresh/JS hop never
+// fires inside our wait budget. Re-navigating to the SAME url with those
+// one-shot tokens stripped serves the real page directly (the clearance
+// cookie now satisfies the edge), instead of waiting on the stuck redirect.
+// Returns the cleaned URL, or null when there's no challenge token to strip
+// (nothing this can do better than a plain reload). Exported for unit tests.
+export function stripCloudflareChallengeParams(rawUrl) {
+    let u;
+    try {
+        u = new URL(rawUrl);
+    }
+    catch {
+        return null;
+    }
+    let changed = false;
+    for (const key of [...u.searchParams.keys()]) {
+        if (key.toLowerCase().startsWith("__cf_chl")) {
+            u.searchParams.delete(key);
+            changed = true;
+        }
+    }
+    return changed ? u.toString() : null;
+}
 export class BrowserController {
     // The persistent browser context. Persistent (launchPersistentContext)
     // rather than an ephemeral context so the profile carries the user's
@@ -259,8 +320,8 @@ export class BrowserController {
         return this.proxyServer;
     }
     // The stealth profile the most recent .start() launched under:
-    // "cdp_hardened" when the rebrowser launcher actually loaded
-    // (BOT_CDP_HARDENED set + fork present), else "baseline". Surfaced
+    // "cdp_hardened" when the patchright launcher actually loaded
+    // (BOT_CDP_HARDENED set + patchright present), else "baseline". Surfaced
     // for the CaptchaEvent A/B tag. Throws before .start() — same reason
     // as channel/proxied.
     get stealthProfile() {
@@ -367,30 +428,19 @@ export class BrowserController {
         // decide on executablePath below.
         const launcher = getChromium();
         const hardened = activeStealthProfileValue() === "cdp_hardened";
-        // In hardened mode, ALWAYS drive the bundled (playwright-matched)
-        // chromium via executablePath and IGNORE the real-Chrome channel.
-        // rebrowser-playwright-core's older CDP driver cannot reliably drive
-        // an arbitrary *new* real Chrome (observed: Chrome 148 →
-        // "Target page, context or browser has been closed" mid-flow), while
-        // the spike validated it against the bundled chromium revision. The
-        // bundled binary is the version the driver expects; channel +
-        // executablePath are mutually exclusive in Playwright, so we drop the
-        // channel here. (This makes the hardened arm use bundled chromium vs
-        // the baseline's real Chrome — a known A/B confound, documented in
-        // DESIGN-antibot-hardening.md.)
-        const hardenedExecutablePath = hardened ? baseChromium.executablePath() : null;
-        const effectiveChannel = hardened ? null : channel;
-        // Keep telemetry honest: report what actually launched.
-        this.launchedChannel = effectiveChannel;
+        // Both launchers drive real Chrome via `channel`: baseline through
+        // playwright+stealth, hardened through patchright. patchright closes
+        // the automation tells at the protocol layer and drives real Chrome
+        // directly — so it no longer needs the bundled-chromium pin the old
+        // rebrowser fork required (the pin is what crashed the OAuth flow and
+        // confounded the A/B). One binary for both arms.
+        this.launchedChannel = channel;
         const context = await launchWithProfileGate(this.profileDir, () => launcher.launchPersistentContext(this.profileDir, {
             headless: chromeHeadless,
             ...(chromeEnv !== undefined ? { env: chromeEnv } : {}),
             // `channel:` selects a real installed browser over the bundled
-            // binary; omitted in hardened mode and when null.
-            ...(effectiveChannel !== null ? { channel: effectiveChannel } : {}),
-            ...(hardenedExecutablePath !== null
-                ? { executablePath: hardenedExecutablePath }
-                : {}),
+            // binary (omitted when channel detection found nothing).
+            ...(channel !== null ? { channel } : {}),
             // `proxy:` routes egress through a residential proxy — only for
             // datacenter-class egress (see resolveProxy()).
             ...(proxy !== null ? { proxy } : {}),
@@ -398,9 +448,33 @@ export class BrowserController {
                 "--disable-blink-features=AutomationControlled",
                 "--no-sandbox",
                 "--disable-dev-shm-usage",
+                // Enable software WebGL on the GPU-less Xvfb host. Without this,
+                // Chrome 120+ disables WebGL entirely (getContext("webgl") → null),
+                // which MEASURED (2026-06-04) as the bot's one real fingerprint gap:
+                // a browser with NO WebGL is itself an anti-bot tell (reCAPTCHA
+                // Enterprise / device-fingerprinting weight it). SwiftShader gives a
+                // real WebGL context. MEASURED 2026-06-04: with this on, WebGL reports
+                // a Mesa/llvmpipe software renderer and the reCAPTCHA v3 score stays
+                // 1.0 — a strict improvement over "no WebGL at all", which more
+                // fingerprint libs treat as suspicious than a software renderer. The
+                // rc.33 init-script below TRIES to spoof the renderer string to a real
+                // Intel GPU, but it is INERT under patchright (hardened) — see its
+                // comment. A clean GPU-string spoof under patchright needs binary-level
+                // support; tracked as a follow-up, not blocking (score is already 1.0).
+                "--enable-unsafe-swiftshader",
+                "--ignore-gpu-blocklist",
             ],
-            viewport: { width: 1280, height: 720 },
-            userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
+            // `viewport: null` makes the page use the REAL OS window size
+            // instead of a hardcoded value. The old fixed 1280×720 is exactly
+            // Playwright's device-emulation default and is flagged by anti-bot
+            // detectors as "default Playwright viewport"; the real window
+            // (sized by the Xvfb display) reads as an ordinary browser.
+            viewport: null,
+            // No `userAgent` override: a real Chrome (channel) supplies a UA
+            // that AGREES with navigator.userAgentData + the binary version.
+            // The old hardcoded "Chrome/131" string mismatched the actual
+            // binary (148) — a UA-vs-userAgentData inconsistency that is itself
+            // a fingerprint tell. Let the browser report its own coherent UA.
             // locale stays en-US deliberately: matching it to the proxy
             // country would render signup pages in that language, and the
             // Claude vision form-planner expects English.
@@ -424,33 +498,58 @@ export class BrowserController {
             ...(geo?.geolocation !== undefined ? { geolocation: geo.geolocation } : {}),
         }));
         this.context = context;
-        // Patch the navigator.webdriver flag — most anti-bot heuristics look here.
-        await context.addInitScript(() => {
-            Object.defineProperty(navigator, "webdriver", { get: () => undefined });
-        });
-        // rc.33 — spoof WebGL renderer/vendor. Under Xvfb (or any non-GPU
-        // host) Chrome falls back to SwiftShader, which reports
-        //   UNMASKED_VENDOR_WEBGL   = "Google Inc. (Google)"
-        //   UNMASKED_RENDERER_WEBGL = "ANGLE (Google, ...SwiftShader...)"
-        // Both strings are on every published anti-bot fingerprint
-        // blocklist; Cloudflare Turnstile responds with error 600010
-        // ("internal client execution error") rather than even trying to
-        // grade the click. Override the two parameter codes on both
-        // WebGL1 and WebGL2 prototypes to look like a stock Intel laptop
-        // GPU. Doesn't change actual rendering — only the strings the
-        // fingerprint probe reads back.
-        await context.addInitScript(() => {
+        // Patch navigator.webdriver — BASELINE ONLY. Measured against the
+        // rebrowser bot-detector, this manual `defineProperty` is
+        // COUNTERPRODUCTIVE under patchright: it re-adds `webdriver` as an own
+        // property the detector then flags, whereas patchright removes it
+        // correctly at the source. So in hardened mode we leave it to
+        // patchright; only the stealth baseline gets the manual patch.
+        if (!hardened) {
+            await context.addInitScript(() => {
+                Object.defineProperty(navigator, "webdriver", { get: () => undefined });
+            });
+        }
+        // rc.33 / 2026-06-04 — spoof the WebGL UNMASKED vendor+renderer toward a
+        // stock Intel GPU, so the software Mesa/llvmpipe string (--enable-unsafe-
+        // swiftshader gives us a context, but llvmpipe is itself a VM/headless
+        // tell) doesn't read through. Applied TWO ways because patchright
+        // (hardened) isolates document-start scripts from the page's main world:
+        //   • addInitScript — document-start; the effective path in the stealth
+        //     BASELINE (non-patchright).
+        //   • re-applied via page.evaluate on every navigation — the ONLY path that
+        //     reaches the MAIN world under patchright. MEASURED 2026-06-04:
+        //     addInitScript AND raw CDP Page.addScriptToEvaluateOnNewDocument both
+        //     land in patchright's isolated world (renderer stayed llvmpipe);
+        //     page.evaluate does not (renderer became Intel), and the v3 score held
+        //     at 1.0. Idempotent via a marker so the per-nav re-apply is cheap, and
+        //     getParameter.toString() is masked to the original native source so
+        //     the patch itself isn't a tell. Only strings change, not rendering.
+        const installWebglSpoof = () => {
             const VENDOR_WEBGL = 0x9245; // UNMASKED_VENDOR_WEBGL
             const RENDERER_WEBGL = 0x9246; // UNMASKED_RENDERER_WEBGL
             const spoof = (proto) => {
+                // The marker lives on the prototype so re-application is a no-op; the
+                // cast is the one typed-alternative-exhausted spot (adding an ad-hoc
+                // brand to a DOM prototype).
+                const marked = proto;
+                if (marked.__tsWebglPatched === true)
+                    return;
                 const orig = proto.getParameter;
+                const native = orig.toString();
                 proto.getParameter = function (p) {
                     if (p === VENDOR_WEBGL)
-                        return "Intel Inc.";
-                    if (p === RENDERER_WEBGL)
-                        return "Intel(R) UHD Graphics 620";
+                        return "Google Inc. (Intel)";
+                    if (p === RENDERER_WEBGL) {
+                        return "ANGLE (Intel, Mesa Intel(R) UHD Graphics 620 (KBL GT2), OpenGL 4.6)";
+                    }
                     return orig.call(this, p);
                 };
+                Object.defineProperty(proto.getParameter, "toString", {
+                    value: () => native,
+                    configurable: true,
+                    writable: true,
+                });
+                marked.__tsWebglPatched = true;
             };
             if (typeof WebGLRenderingContext !== "undefined") {
                 spoof(WebGLRenderingContext.prototype);
@@ -458,8 +557,26 @@ export class BrowserController {
             if (typeof WebGL2RenderingContext !== "undefined") {
                 spoof(WebGL2RenderingContext.prototype);
             }
-        });
+        };
+        await context.addInitScript(installWebglSpoof);
         this.page = context.pages()[0] ?? (await context.newPage());
+        // Re-apply on every navigation — the main-world reach patchright's isolated
+        // init world denies us. framenavigated fires at navigation-commit (before
+        // most page JS), so a late WebGL query (reCAPTCHA scores seconds in) sees
+        // the spoofed strings; a document-start fingerprinter could still race it.
+        const reapplyWebglSpoof = () => {
+            const pg = this.page;
+            if (pg === null)
+                return;
+            void pg.evaluate(installWebglSpoof).catch(() => {
+                // mid-navigation / closed page — the next navigation re-applies.
+            });
+        };
+        this.page.on("framenavigated", (frame) => {
+            if (this.page !== null && frame === this.page.mainFrame())
+                reapplyWebglSpoof();
+        });
+        this.page.on("load", reapplyWebglSpoof);
         // rc.33 — captcha tracing. When UNIVERSAL_BOT_CAPTCHA_TRACE=1 is
         // set, log every response from Cloudflare/Google's challenge
         // endpoints plus any console message that mentions captcha-y
@@ -878,6 +995,87 @@ export class BrowserController {
             await this.page.check(selector, { force: true });
         }
     }
+    // Deterministic pre-submit guard: tick every visible, unchecked,
+    // non-disabled REQUIRED-AGREEMENT checkbox (terms/privacy/consent),
+    // while never touching marketing/newsletter opt-ins.
+    //
+    // Why this exists separate from the LLM planner: amplitude's signup
+    // has a required TOS checkbox the planner skipped (it read the
+    // adjacent data-storage card-radios as the whole cluster being
+    // "ambiguous radios"), and amplitude does NOT disable submit when the
+    // box is unticked — so the click silently no-ops and the bot then
+    // waits forever for a verification mail that never sends. This runs on
+    // EVERY submit, not only the `submit_disabled` path in clickSubmit().
+    //
+    // Returns the labels/testids it checked (for step logging); empty when
+    // it ticked nothing.
+    async checkRequiredAgreementBoxes() {
+        if (!this.page)
+            throw new Error("Browser not started");
+        // Best-effort: a page-eval failure (navigation mid-call, detached
+        // frame) must never fail the parent submit — return nothing.
+        try {
+            return await this.page.evaluate(() => {
+                // These two regexes MUST stay byte-identical with
+                // AGREEMENT_TEXT_RE / MARKETING_TEXT_RE in this module — the
+                // page realm can't import, so they're inlined here.
+                const agreementRe = /terms|tos\b|privacy|consent|policy|i agree|agree to|acknowledge|gdpr/i;
+                const marketingRe = /newsletter|updates|offers|product tips|marketing|promotional|receive emails|opt[- ]?in to|subscribe/i;
+                const checked = [];
+                const boxes = Array.from(document.querySelectorAll('input[type="checkbox"]'));
+                for (const box of boxes) {
+                    if (box.checked || box.disabled)
+                        continue;
+                    const rect = box.getBoundingClientRect();
+                    if (rect.width <= 0 || rect.height <= 0)
+                        continue;
+                    // Associated text = attributes + a label[for=id] + nearest
+                    // ancestor <label> + the immediately following sibling text.
+                    const parts = [
+                        box.getAttribute("data-testid") ?? "",
+                        box.getAttribute("name") ?? "",
+                        box.id,
+                        box.getAttribute("aria-label") ?? "",
+                    ];
+                    if (box.id) {
+                        const forLabel = document.querySelector(`label[for="${CSS.escape(box.id)}"]`);
+                        if (forLabel)
+                            parts.push(forLabel.textContent ?? "");
+                    }
+                    const ancestorLabel = box.closest("label");
+                    if (ancestorLabel)
+                        parts.push(ancestorLabel.textContent ?? "");
+                    const sibling = box.nextSibling;
+                    if (sibling && sibling.textContent)
+                        parts.push(sibling.textContent);
+                    if (box.nextElementSibling) {
+                        parts.push(box.nextElementSibling.textContent ?? "");
+                    }
+                    const text = parts.join(" ");
+                    if (!agreementRe.test(text) || marketingRe.test(text))
+                        continue;
+                    // React/Vue controlled inputs ignore a bare `.checked = true`:
+                    // their state lives in the framework, updated only by the real
+                    // event flow. Set the property AND dispatch input/change AND a
+                    // synthetic click so the controlled binding observes the flip.
+                    box.checked = true;
+                    box.dispatchEvent(new Event("input", { bubbles: true }));
+                    box.dispatchEvent(new Event("change", { bubbles: true }));
+                    box.click();
+                    const label = box.getAttribute("data-testid") ||
+                        box.getAttribute("name") ||
+                        box.id ||
+                        box.getAttribute("aria-label") ||
+                        "agreement-checkbox";
+                    checked.push(label);
+                }
+                return checked;
+            });
+        }
+        catch {
+            return [];
+        }
+    }
     // Scroll a Terms-of-Service style modal to the bottom so the gated
     // "Accept" button enables. Railway's signup is the canonical case:
     // a modal with a virtualized ToS list watches real `scroll` /
@@ -1754,6 +1952,11 @@ export class BrowserController {
                 const recaptcha = document.querySelector('textarea[name="g-recaptcha-response"]');
                 if (recaptcha !== null && recaptcha.value.length > 0)
                     return true;
+                // hCaptcha populates its own response textarea on a passed
+                // checkbox (plausible). Same shape as reCAPTCHA's.
+                const hcaptcha = document.querySelector('textarea[name="h-captcha-response"]');
+                if (hcaptcha !== null && hcaptcha.value.length > 0)
+                    return true;
                 // Some Turnstile installs use a managed mode that emits its
                 // own attribute on the host div when solved.
                 const cfManaged = document.querySelector(".cf-turnstile[data-state='success']");
@@ -1791,6 +1994,34 @@ export class BrowserController {
     async findCaptchaWidget() {
         if (!this.page)
             throw new Error("Browser not started");
+        // An INVISIBLE reCAPTCHA (api2/anchor with size=invisible — the
+        // bottom-right badge) is score-mode: there is no checkbox to click, and
+        // its token is emitted only when the form's submit handler calls
+        // grecaptcha.execute(). It must NOT be treated as a solvable visible
+        // widget. MEASURED on amplitude (2026-06-04): the badge iframe is
+        // ~256×60, so it cleared the size filter below and got "found" + clicked;
+        // the pre-submit token-poll then timed out and the bot escalated to
+        // 2Captcha, which can't solve a score-mode widget (ERROR_CAPTCHA_
+        // UNSOLVABLE) → captcha_blocked — even though our v3 score is ~1.0 and a
+        // plain form-submit would have passed silently. Detect "invisible-only"
+        // (badge present, no visible checkbox anchor, no rendered bframe grid) and
+        // skip reCAPTCHA entirely so the signup proceeds to submit.
+        const recaptchaInvisibleOnly = await this.page
+            .evaluate(() => {
+            const q = (s) => document.querySelector(s) !== null;
+            const visibleAnchor = Array.from(document.querySelectorAll('iframe[src*="recaptcha/api2/anchor"]')).some((f) => !/size=invisible/.test(f.src));
+            const bframe = (() => {
+                const f = document.querySelector('iframe[src*="recaptcha/api2/bframe"]');
+                if (f === null)
+                    return false;
+                const r = f.getBoundingClientRect();
+                return r.width > 30 && r.height > 30;
+            })();
+            const invisiblePresent = q('iframe[src*="recaptcha/api2/anchor"][src*="size=invisible"]') ||
+                q(".grecaptcha-badge");
+            return invisiblePresent && !visibleAnchor && !bframe;
+        })
+            .catch(() => false);
         // Phase 1: widget shape with polling. page.locator (unlike the
         // querySelector in detectCaptchaVariant) pierces OPEN shadow roots,
         // so the Cloudflare iframe is reachable even on modern shadow-DOM
@@ -1803,11 +2034,19 @@ export class BrowserController {
         //   reCAPTCHA v2:         src contains "recaptcha/api2"
         const iframeCandidates = [
             { kind: "turnstile", selector: 'iframe[src*="challenges.cloudflare.com"]' },
-            { kind: "recaptcha", selector: 'iframe[src*="recaptcha/api2"]' },
+            // Visible reCAPTCHA only — the size=invisible anchor (score-mode badge)
+            // is handled by the recaptchaInvisibleOnly skip above.
+            { kind: "recaptcha", selector: 'iframe[src*="recaptcha/api2/anchor"]:not([src*="size=invisible"])' },
+            // hCaptcha's checkbox iframe (the anchor frame). Plausible and other
+            // hCaptcha sites render this; clicking it ticks the box the same way
+            // Turnstile/reCAPTCHA do.
+            { kind: "hcaptcha", selector: 'iframe[src*="hcaptcha.com"][src*="frame=checkbox"]' },
+            { kind: "hcaptcha", selector: 'iframe[src*="newassets.hcaptcha.com"]' },
             // Host-div fallbacks (light DOM) — preferred order keeps the iframe
             // first when present (more precise click target).
             { kind: "turnstile", selector: ".cf-turnstile" },
             { kind: "turnstile", selector: "#clerk-captcha" },
+            { kind: "hcaptcha", selector: ".h-captcha" },
         ];
         const iframeDeadline = Date.now() + 5000;
         while (Date.now() < iframeDeadline) {
@@ -1834,8 +2073,14 @@ export class BrowserController {
         const hostCandidates = [
             { kind: "turnstile", selector: 'input[name="cf-turnstile-response"]' },
             { kind: "recaptcha", selector: 'textarea[name="g-recaptcha-response"]' },
+            { kind: "hcaptcha", selector: 'textarea[name="h-captcha-response"]' },
         ];
         for (const { kind, selector } of hostCandidates) {
+            // The invisible reCAPTCHA's hidden g-recaptcha-response textarea lives
+            // INSIDE the .grecaptcha-badge (~256×60), so the walk-up below would
+            // return the badge box and we'd click it — the exact bug. Skip it.
+            if (kind === "recaptcha" && recaptchaInvisibleOnly)
+                continue;
             const locator = this.page.locator(selector);
             const count = await locator.count();
             if (count === 0)
@@ -1912,11 +2157,14 @@ export class BrowserController {
                 else if (present('iframe[src*="hcaptcha.com"]')) {
                     variant = "hcaptcha";
                 }
-                else if (present('iframe[src*="recaptcha/api2/anchor"]')) {
+                else if (present('iframe[src*="recaptcha/api2/anchor"]:not([src*="size=invisible"])')) {
+                    // VISIBLE checkbox anchor (size=normal) → clickable v2.
                     variant = "recaptcha_v2";
                 }
-                else if (present(".grecaptcha-badge")) {
-                    // Badge but no clickable anchor → score-mode reCAPTCHA.
+                else if (present(".grecaptcha-badge") ||
+                    present('iframe[src*="recaptcha/api2/anchor"][src*="size=invisible"]')) {
+                    // Badge / size=invisible anchor and no clickable checkbox →
+                    // score-mode reCAPTCHA (passes on submit, nothing to click).
                     variant = "recaptcha_v3";
                 }
                 return { variant, challengeRendered };
@@ -1937,25 +2185,37 @@ export class BrowserController {
     // help). Reads from the standard places sites declare it:
     //   1. <div class="g-recaptcha" data-sitekey="...">
     //   2. <iframe src="...?k=SITEKEY&...">  (api2/anchor frame)
-    //   3. <script>...sitekey: '...'...</script> via window globals
+    //
+    // CRITICAL: only ever returns a GENUINE reCAPTCHA key. hCaptcha
+    // (`.h-captcha`) and Turnstile (`.cf-turnstile`) ALSO publish a
+    // `data-sitekey` attribute, so a bare `[data-sitekey]` selector
+    // grabs the wrong provider's key and the caller ships it to
+    // 2Captcha's `userrecaptcha` endpoint → ERROR_WRONG_GOOGLEKEY (the
+    // plausible/hCaptcha case). The authoritative discriminator is the
+    // key FORMAT: reCAPTCHA public keys always start with `6L`; hCaptcha
+    // keys are UUIDs (`bc609205-…`); Turnstile keys start with `0x`. We
+    // both scope the selector away from the other widgets AND gate on
+    // the `6L` prefix, so no non-reCAPTCHA key can ever leak through.
     async extractRecaptchaSitekey() {
         if (!this.page)
             throw new Error("Browser not started");
         try {
             const sitekey = await this.page.evaluate(() => {
-                // 1. div[data-sitekey] — the standard reCAPTCHA v2 anchor.
-                const div = document.querySelector("[data-sitekey], div.g-recaptcha[data-sitekey]");
-                if (div !== null) {
-                    const k = div.getAttribute("data-sitekey");
-                    if (k !== null && k.length > 10)
+                const isRecaptchaKey = (k) => k !== null && /^6L/.test(k) && k.length > 30;
+                // 1. data-sitekey, but NOT on an hCaptcha/Turnstile widget (or
+                //    nested inside one). Those publish data-sitekey too.
+                const anchors = Array.from(document.querySelectorAll("[data-sitekey]")).filter((el) => el.closest(".h-captcha, .cf-turnstile") === null);
+                for (const el of anchors) {
+                    const k = el.getAttribute("data-sitekey");
+                    if (isRecaptchaKey(k))
                         return k;
                 }
-                // 2. The api2 iframe src carries ?k=SITEKEY.
+                // 2. The api2/enterprise iframe src carries ?k=SITEKEY.
                 const iframes = Array.from(document.querySelectorAll('iframe[src*="recaptcha/api2"], iframe[src*="recaptcha/enterprise"]'));
                 for (const ifr of iframes) {
                     const url = new URL(ifr.src);
                     const k = url.searchParams.get("k");
-                    if (k !== null && k.length > 10)
+                    if (isRecaptchaKey(k))
                         return k;
                 }
                 return null;
@@ -2029,6 +2289,161 @@ export class BrowserController {
             return false;
         }
     }
+    // Mint the score token for an INVISIBLE reCAPTCHA by calling
+    // grecaptcha.execute() ourselves, then wait for g-recaptcha-response to
+    // populate. MEASURED on amplitude (2026-06-04): an invisible reCAPTCHA's
+    // token only exists once execute() runs, and amplitude's form REQUIRES it —
+    // merely skipping the badge (not clicking it) left the textarea empty and
+    // the submit silently no-op'd. With our ~1.0 v3 score, execute() returns a
+    // passing token in ~1-3s, so the subsequent submit carries a valid token.
+    // Handles both standard (grecaptcha) and enterprise (grecaptcha.enterprise)
+    // namespaces. Returns true once a token is present. Best-effort: a missing
+    // grecaptcha or an execute() throw resolves false (the form may still mint
+    // it on its own submit handler).
+    async triggerInvisibleRecaptcha(timeoutMs = 9000) {
+        if (!this.page)
+            throw new Error("Browser not started");
+        const tokenPresent = () => this.page.evaluate(() => {
+            const ta = document.querySelector('textarea[name="g-recaptcha-response"], textarea[id^="g-recaptcha-response"]');
+            return ta !== null && ta.value.length > 0;
+        }).catch(() => false);
+        if (await tokenPresent())
+            return true;
+        const fired = await this.page
+            .evaluate(() => {
+            const w = window;
+            const g = w.grecaptcha;
+            if (g === undefined)
+                return false;
+            let any = false;
+            const ids = (() => {
+                try {
+                    return Object.keys(w.___grecaptcha_cfg?.clients ?? {});
+                }
+                catch {
+                    return [];
+                }
+            })();
+            for (const id of ids) {
+                const n = Number(id);
+                if (!Number.isFinite(n))
+                    continue;
+                try {
+                    g.enterprise?.execute?.(n);
+                    any = true;
+                }
+                catch {
+                    /* not this namespace */
+                }
+                try {
+                    g.execute?.(n);
+                    any = true;
+                }
+                catch {
+                    /* widget already executed / wrong namespace */
+                }
+            }
+            // Fallback: no enumerable clients — try the bare (first-widget) call,
+            // enterprise first (a v2-invisible page exposes plain execute()).
+            if (!any) {
+                try {
+                    if (typeof g.enterprise?.execute === "function") {
+                        g.enterprise.execute();
+                        any = true;
+                    }
+                    else if (typeof g.execute === "function") {
+                        g.execute();
+                        any = true;
+                    }
+                }
+                catch {
+                    return false;
+                }
+            }
+            return any;
+        })
+            .catch(() => false);
+        if (!fired)
+            return false;
+        const start = Date.now();
+        while (Date.now() - start < timeoutMs) {
+            await this.sleep(500);
+            if (await tokenPresent())
+                return true;
+        }
+        return false;
+    }
+    // Tier 3 hCaptcha support — extract the hCaptcha sitekey so 2Captcha
+    // can solve it. hCaptcha publishes its key on `.h-captcha[data-sitekey]`
+    // or in the checkbox iframe's `?sitekey=` query. Keys are UUIDs (the
+    // reCAPTCHA `6L` guard in extractRecaptchaSitekey deliberately rejects
+    // them, which is why hCaptcha needs its own extractor). Returns null
+    // when no hCaptcha widget is present.
+    async extractHcaptchaSitekey() {
+        if (!this.page)
+            throw new Error("Browser not started");
+        try {
+            return await this.page.evaluate(() => {
+                const div = document.querySelector(".h-captcha[data-sitekey], [data-hcaptcha-sitekey]");
+                if (div !== null) {
+                    const k = div.getAttribute("data-sitekey") ??
+                        div.getAttribute("data-hcaptcha-sitekey");
+                    if (k !== null && k.length > 10)
+                        return k;
+                }
+                const iframe = document.querySelector('iframe[src*="hcaptcha.com"]');
+                if (iframe !== null) {
+                    const k = new URL(iframe.src).searchParams.get("sitekey");
+                    if (k !== null && k.length > 10)
+                        return k;
+                }
+                return null;
+            });
+        }
+        catch {
+            return null;
+        }
+    }
+    // Inject a 2Captcha-resolved hCaptcha token into the page's
+    // h-captcha-response textarea(s) and fire the widget's data-callback
+    // if the page registered one. Mirrors injectRecaptchaToken; hCaptcha
+    // also mirrors the response token into a g-recaptcha-response textarea
+    // on some compat installs, so populate both names if present.
+    async injectHcaptchaToken(token) {
+        if (!this.page)
+            throw new Error("Browser not started");
+        try {
+            return await this.page.evaluate((tok) => {
+                const inputs = Array.from(document.querySelectorAll('textarea[name="h-captcha-response"], textarea[id^="h-captcha-response"], textarea[name="g-recaptcha-response"]'));
+                if (inputs.length === 0)
+                    return false;
+                for (const input of inputs) {
+                    input.value = tok;
+                    input.dispatchEvent(new Event("input", { bubbles: true }));
+                    input.dispatchEvent(new Event("change", { bubbles: true }));
+                }
+                // Fire the data-callback the page registered on the .h-captcha
+                // host (hCaptcha calls it by name on window). Best-effort — the
+                // populated textarea is what server-side validation reads.
+                try {
+                    const host = document.querySelector(".h-captcha[data-callback]");
+                    const name = host?.getAttribute("data-callback");
+                    if (name !== null && name !== undefined) {
+                        const fn = window[name];
+                        if (typeof fn === "function")
+                            fn(tok);
+                    }
+                }
+                catch {
+                    // no named callback — DOM injection stands.
+                }
+                return true;
+            }, token);
+        }
+        catch {
+            return false;
+        }
+    }
     // Small mouse wiggle near the current position. Used during prewarm
     // so the page sees pointer events before we navigate away.
     async jitterMouse() {
@@ -2810,35 +3225,110 @@ export class BrowserController {
     async waitForAntiBotInterstitialToClear(timeoutMs) {
         if (!this.page)
             return;
-        let detected = await this.pollUntilInterstitialClears(timeoutMs);
-        if (!detected) {
-            // We either never saw an interstitial, or we saw one and it
-            // cleared on its own. Nothing more to do.
+        const first = await this.pollUntilInterstitialClears(timeoutMs);
+        // Never saw an interstitial, or saw one and it cleared on its own —
+        // nothing more to do.
+        if (!first.detected || first.cleared)
             return;
+        // Still on the interstitial at the deadline. If Cloudflare reported
+        // the challenge PASSED ("Verification successful"), the redirect is
+        // just racing/stuck — be patient through ANOTHER full window before
+        // touching anything (a reload mid-redirect can re-arm the challenge).
+        if (first.verificationPassed) {
+            const patient = await this.pollUntilInterstitialClears(timeoutMs);
+            if (patient.cleared)
+                return;
+            // "Verification successful" but the page never advances is the
+            // signature of a STALE cf_clearance cookie — issued on a prior visit
+            // (often a different egress IP), which CF matches ("successful") but
+            // the origin then rejects, looping forever on "Waiting for the page
+            // to load." MEASURED: a clean profile clears codesandbox's challenge
+            // in ~12s; the stale cookie is what stalls the shared profile. Drop
+            // the CF cookies to force a FRESH challenge, then reload.
+            if (await this.clearCloudflareCookiesAndRetry(timeoutMs))
+                return;
+            // Or the auto-redirect simply stalled with a still-valid clearance —
+            // re-navigate past the one-shot challenge token.
+            if (await this.forceNavigatePastClearedChallenge())
+                return;
         }
-        // The interstitial outlived the wait. Cloudflare frequently shows
-        // "Verification successful. Wait" but then never fires the JS
-        // redirect — the challenge passed, but the redirect script got
-        // stuck or the cookie set is racing the navigation. A single
-        // reload, now that the cf_clearance cookie is set, often lets the
-        // real page render. (If the issue is a server-side risk-score
-        // block — fingerprint/IP — reload won't help, but the caller's
-        // inventory diagnostic will still surface the block.)
+        // Force the real page: now that the cf_clearance cookie is set, a
+        // reload often renders it. domcontentloaded (not networkidle) — the
+        // real page is usually a heavy SPA that never reaches networkidle, so
+        // waiting for it just burns the budget back into a timeout. (If it's a
+        // server-side risk-score block — fingerprint/IP — reload won't help,
+        // but the caller's inventory diagnostic will still surface the block.)
         try {
-            await this.page.reload({ waitUntil: "networkidle", timeout: 10_000 });
+            await this.page.reload({ waitUntil: "domcontentloaded", timeout: 15_000 });
         }
         catch {
             // reload failed — proceed with what's there
         }
         await this.pollUntilInterstitialClears(Math.max(5000, timeoutMs / 2));
     }
-    // One poll loop. Returns true if an interstitial was ever observed
-    // (cleared or still there at timeout), false if never seen.
-    async pollUntilInterstitialClears(timeoutMs) {
+    // Drop Cloudflare's anti-bot cookies (cf_clearance + __cf_bm) so the next
+    // request triggers a FRESH managed challenge, then reload and wait for it
+    // to clear. Scoped to cookie NAME — only CF's own cookies are removed, so
+    // an OAuth provider's session on accounts.google.com / github.com is
+    // untouched. A fresh challenge on a residential IP clears in ~12-15s, so
+    // we give it a generous window. Returns true if the interstitial is gone.
+    async clearCloudflareCookiesAndRetry(timeoutMs) {
+        if (!this.page || !this.context)
+            return false;
+        try {
+            await this.context.clearCookies({ name: "cf_clearance" });
+            await this.context.clearCookies({ name: "__cf_bm" });
+        }
+        catch {
+            // clearCookies filter unsupported / failed — nothing to retry on.
+            return false;
+        }
+        try {
+            await this.page.reload({ waitUntil: "domcontentloaded", timeout: 20_000 });
+        }
+        catch {
+            // reload failed — still give the poll a chance below.
+        }
+        const after = await this.pollUntilInterstitialClears(Math.max(20_000, timeoutMs));
+        return after.cleared || !after.detected;
+    }
+    // With a CONFIRMED Cloudflare pass, re-navigate to the current URL with
+    // the one-shot `__cf_chl_*` challenge token stripped — the cf_clearance
+    // cookie is already set, so the edge serves the real page instead of the
+    // stuck redirect. Returns true if the interstitial is gone afterwards.
+    // Returns false (caller falls back to a plain reload) when there's no
+    // token to strip or the navigation didn't clear the gate.
+    async forceNavigatePastClearedChallenge() {
         if (!this.page)
             return false;
+        const cleaned = stripCloudflareChallengeParams(this.page.url());
+        if (!cleaned)
+            return false;
+        try {
+            await this.page.goto(cleaned, {
+                waitUntil: "domcontentloaded",
+                timeout: 15_000,
+            });
+        }
+        catch {
+            return false;
+        }
+        const after = await this.pollUntilInterstitialClears(Math.max(5000, 8000));
+        // cleared = saw it then it went away; !detected = the real page rendered
+        // immediately (no interstitial on the post-nav page at all).
+        return after.cleared || !after.detected;
+    }
+    // One poll loop. `detected` = an interstitial was observed at least
+    // once; `cleared` = it was observed AND then went away (vs. still there
+    // at the deadline); `verificationPassed` = Cloudflare reported the
+    // challenge succeeded at some point during the wait (see
+    // classifyInterstitialText).
+    async pollUntilInterstitialClears(timeoutMs) {
+        if (!this.page)
+            return { detected: false, cleared: false, verificationPassed: false };
         const deadline = Date.now() + timeoutMs;
         let detected = false;
+        let verificationPassed = false;
         while (Date.now() < deadline) {
             let title = "";
             let bodyText = "";
@@ -2850,19 +3340,21 @@ export class BrowserController {
                 await new Promise((r) => setTimeout(r, 500));
                 continue;
             }
-            const onInterstitial = /just a moment|performing security verification|verifying you are human|checking your browser|attention required/i.test(title + " " + bodyText);
-            if (!onInterstitial) {
+            const c = classifyInterstitialText(title + " " + bodyText);
+            if (c.verificationPassed)
+                verificationPassed = true;
+            if (!c.onInterstitial) {
                 if (detected) {
                     // Give the freshly-revealed page a tick to hydrate before
                     // the inventory scan.
                     await new Promise((r) => setTimeout(r, 800));
                 }
-                return detected;
+                return { detected, cleared: detected, verificationPassed };
             }
             detected = true;
             await new Promise((r) => setTimeout(r, 1000));
         }
-        return detected;
+        return { detected, cleared: false, verificationPassed };
     }
     // Walk the live DOM (piercing open shadow roots) and return every
     // visible interactive element with a bot-computed selector (F3 T1).
@@ -2903,7 +3395,16 @@ export class BrowserController {
                 // whole inventory with "Cannot read properties of undefined
                 // (reading 'querySelectorAll')", failing the run before the
                 // planner ever saw the page. Skip such a node instead.
-                if (root === null || typeof root.querySelectorAll !== "function")
+                //
+                // `== null` (not `=== null`) is load-bearing: `el.shadowRoot` is
+                // typed `ShadowRoot | null`, but a detached/closed custom element
+                // can yield `undefined` at runtime. The recursion below calls
+                // `walk(el.shadowRoot)` whenever it isn't `null`, so an `undefined`
+                // shadowRoot reaches here and `typeof undefined.querySelectorAll`
+                // THROWS before the typeof guard can fire — exactly the #59
+                // redis-cloud crash, which recurred 2026-06-03 even with the
+                // null-only guard in place. The loose check covers both.
+                if (root == null || typeof root.querySelectorAll !== "function")
                     return;
                 root.querySelectorAll(SELECTOR).forEach((n) => collected.push(n));
                 root.querySelectorAll("*").forEach((el) => {
@@ -3262,16 +3763,250 @@ export class BrowserController {
             // best-effort — the agent's consent loop re-reads state regardless
         }
     }
+    // Does the page sign in with Google via Google Identity Services (GSI)
+    // rather than classic OAuth redirect? GSI renders its button in a
+    // cross-origin iframe (accounts.google.com/gsi/button) and/or exposes the
+    // `google.accounts.id` JS API; on use it raises a browser-native FedCM
+    // dialog or a popup and returns a JWT to a JS callback — there is NO
+    // redirect, so the classic startOAuth flow can't drive it. Detecting this
+    // is what lets the agent route to tryGoogleGsiLogin instead.
+    async hasGoogleGsiAffordance() {
+        if (!this.page)
+            return false;
+        try {
+            return await this.page.evaluate(() => {
+                if (document.querySelector('iframe[src*="accounts.google.com/gsi/"]') !== null) {
+                    return true;
+                }
+                // On-demand One-Tap: the page loads the GSI client script but renders
+                // no static button and may not have initialized `google.accounts.id`
+                // yet (amplitude, clerk). A plain click on the in-page "Sign in with
+                // Google" affordance never redirects, so the bot used to falsely
+                // conclude "signed in" and bounce to login. Treat the loaded client
+                // script as a GSI affordance so the agent routes through
+                // tryGoogleGsiLogin, which now raises One-Tap programmatically.
+                if (document.querySelector('script[src*="accounts.google.com/gsi/client"]') !== null) {
+                    return true;
+                }
+                const g = window.google;
+                return typeof g?.accounts?.id !== "undefined";
+            });
+        }
+        catch {
+            return false;
+        }
+    }
+    // Drive a Google Identity Services / FedCM sign-in. Two variants are
+    // handled:
+    //   - FedCM: clicking the GSI widget raises a browser-NATIVE credential
+    //     dialog (no DOM, no popup — invisible to Playwright). We enable the
+    //     CDP FedCm domain up front and auto-select the first account when
+    //     FedCm.dialogShown fires. The page's JS callback then receives the
+    //     JWT and establishes the session.
+    //   - Popup: older GSI opens a Google account-chooser window; we adopt it
+    //     like startOAuth does so the consent loop can drive it.
+    // Returns how it resolved. The caller then runs the SAME post-OAuth
+    // settle/consent/post-verify path as the redirect flow.
+    async tryGoogleGsiLogin(triggerSelector, timeoutMs = 25_000) {
+        if (!this.page || !this.context)
+            throw new Error("Browser not started");
+        this.oauthProductPage = this.page;
+        let fedcmResolved = false;
+        let cdp = null;
+        try {
+            cdp = await this.context.newCDPSession(this.page);
+            await cdp.send("FedCm.enable", { disableRejectionDelay: true });
+            cdp.on("FedCm.dialogShown", (ev) => {
+                const e = ev;
+                const dialogId = e.dialogId;
+                if (dialogId === undefined)
+                    return;
+                void (async () => {
+                    // A ConfirmIdpLogin dialog has no account list — it's the "Continue
+                    // as / sign in to Google" confirmation that precedes the account
+                    // chooser. selectAccount would error on it, so drive the confirm
+                    // button directly and skip selectAccount for this dialog type.
+                    if (e.dialogType === "ConfirmIdpLogin") {
+                        try {
+                            await cdp.send("FedCm.clickDialogButton", {
+                                dialogId,
+                                dialogButton: "ConfirmIdpLoginContinue",
+                            });
+                        }
+                        catch {
+                            // method/param may not apply to this build/dialog — non-fatal;
+                            // a subsequent AccountChooser dialog still resolves via select.
+                        }
+                        return;
+                    }
+                    try {
+                        // Pick the first account on the account-chooser dialog.
+                        await cdp.send("FedCm.selectAccount", { dialogId, accountIndex: 0 });
+                        fedcmResolved = true;
+                    }
+                    catch {
+                        // dialog dismissed or already resolved
+                    }
+                    if (!fedcmResolved) {
+                        // Some flows surface a "Continue as <name>" confirm even on the
+                        // account dialog; selectAccount alone usually completes it, but
+                        // when it didn't, try the confirm button as a fallback. Failure
+                        // is non-fatal — the popup/none path still applies.
+                        try {
+                            await cdp.send("FedCm.clickDialogButton", {
+                                dialogId,
+                                dialogButton: "ConfirmIdpLoginContinue",
+                            });
+                            fedcmResolved = true;
+                        }
+                        catch {
+                            // button absent or not applicable — degrade to popup/none
+                        }
+                    }
+                })();
+            });
+        }
+        catch {
+            cdp = null; // FedCm domain unavailable — the popup path still works
+        }
+        const popupPromise = this.context
+            .waitForEvent("page", { timeout: timeoutMs })
+            .then((p) => p)
+            .catch(() => null);
+        await this.click(triggerSelector);
+        // On-demand One-Tap: when the page loaded the GSI client but rendered no
+        // static button, the click above hits an in-page affordance that never
+        // raises a dialog on its own. If neither a FedCM dialog nor a popup has
+        // appeared shortly after the click, ask GSI to raise One-Tap itself.
+        // `google.accounts.id.prompt()` triggers the FedCM dialog our handler is
+        // already listening for. Guarded — `window.google.accounts.id` may be
+        // undefined (no-op) and any failure must degrade to the popup/none path.
+        if (cdp !== null) {
+            const promptDeadline = Date.now() + Math.min(4_000, timeoutMs);
+            while (Date.now() < promptDeadline &&
+                !fedcmResolved &&
+                this.context.pages().length <= 1) {
+                await this.sleep(250);
+            }
+            if (!fedcmResolved && this.context.pages().length <= 1) {
+                try {
+                    await this.page.evaluate(() => {
+                        const g = window.google;
+                        const id = g?.accounts?.id;
+                        if (id !== undefined && typeof id.prompt === "function") {
+                            id.prompt();
+                        }
+                    });
+                }
+                catch {
+                    // GSI not initialized / prompt unavailable — popup/none still apply
+                }
+            }
+        }
+        // Resolve when a popup opens OR FedCM completes OR we hit the deadline.
+        const fedcmWait = (async () => {
+            const deadline = Date.now() + timeoutMs;
+            while (Date.now() < deadline && !fedcmResolved) {
+                await this.sleep(250);
+            }
+            return null;
+        })();
+        const popup = await Promise.race([popupPromise, fedcmWait]);
+        if (cdp !== null) {
+            try {
+                await cdp.send("FedCm.disable");
+            }
+            catch {
+                // best-effort
+            }
+        }
+        if (popup !== null && popup !== this.page && !popup.isClosed()) {
+            this.page = popup;
+            try {
+                await this.page.waitForLoadState("domcontentloaded", { timeout: 15_000 });
+            }
+            catch {
+                // consent loop re-reads regardless
+            }
+            return { ok: true, via: "popup" };
+        }
+        if (fedcmResolved) {
+            // Credential delivered to the page's JS callback — give the app a beat
+            // to exchange it for a session and redirect.
+            try {
+                await this.page.waitForLoadState("domcontentloaded", { timeout: 10_000 });
+            }
+            catch {
+                // best-effort
+            }
+            return { ok: true, via: "fedcm" };
+        }
+        return { ok: false, via: "none" };
+    }
     // URL of the active page (the OAuth page mid-handshake, the product
     // page otherwise). Cheap — no screenshot, unlike getState().
     currentUrl() {
         return this.page !== null ? this.page.url() : "";
     }
+    // Fetch a URL's final response (following redirects) and return its
+    // status, final URL, and body text — or null on any failure.
+    //
+    // WHY the CONTEXT request API (this.context.request) and not global
+    // fetch / a fresh node http client: the context's APIRequestContext
+    // shares the BrowserContext's proxy + cookie jar, so this egresses
+    // through the SAME residential tunnel the real navigation uses. That
+    // makes a probe here representative of what the browser would actually
+    // land on (same IP reputation, same cf_clearance cookie) — and needs no
+    // separate SOCKS/HTTP-proxy plumbing. Used by the signup-URL resolver to
+    // distinguish a stale /signup that serves a login SPA from the real
+    // signup form, BEFORE committing to a ~6-minute navigation.
+    //
+    // Bounded (15s, ≤10 redirects) and non-throwing — the resolver treats
+    // null as "couldn't tell" and escalates.
+    async fetchText(url) {
+        if (this.context === null)
+            return null;
+        try {
+            const response = await this.context.request.get(url, {
+                maxRedirects: 10,
+                timeout: 15_000,
+                // We inspect 404/redirect bodies ourselves; don't let a non-2xx
+                // throw before we can classify it.
+                failOnStatusCode: false,
+            });
+            return {
+                finalUrl: response.url(),
+                status: response.status(),
+                bodyText: await response.text(),
+            };
+        }
+        catch {
+            return null;
+        }
+    }
     // True when the active OAuth page is gone — for the popup flow, the
     // popup closing IS the signal the handshake finished.
     oauthPageClosed() {
         return this.page === null || this.page.isClosed();
     }
+    // Which OAuth providers have a LIVE session in this profile's cookie jar.
+    // The logged-in-providers.json marker is a memo that drifts out of sync
+    // (a --force-relogin clears it, a misclassified run clears it, a parallel
+    // run overwrites it) — so a session that is genuinely live in the cookies
+    // can go invisible to provider selection, which is exactly how a warm
+    // GitHub session got skipped in favour of a broken Google path. The cookie
+    // jar is the ground truth: read it directly. Cookie NAMES + presence only;
+    // values are never read into logs. Best-effort — a read failure returns [].
+    async detectSessionProviders() {
+        if (this.context === null)
+            return [];
+        try {
+            return sessionProvidersFromCookies(await this.context.cookies());
+        }
+        catch {
+            return [];
+        }
+    }
     // Advance a provider's consent / account-chooser screen by one click
     // — the scope-gated auto-approve (T7/T13). Returns false when no
     // approve control is present — the agent then aborts rather than
@@ -3446,7 +4181,11 @@ export function pickClickLocator(locator, count) {
 export function collectAcrossShadowRoots(root, selector) {
     const collected = [];
     const walk = (r) => {
-        if (r === null || typeof r.querySelectorAll !== "function")
+        // `== null` (not `=== null`) covers both null and undefined — the
+        // recursion below calls walk() on any non-null shadowRoot, so an
+        // `undefined` one reaches here and `typeof undefined.querySelectorAll`
+        // would throw before the typeof guard fired (#59 redis-cloud).
+        if (r == null || typeof r.querySelectorAll !== "function")
             return;
         Array.from(r.querySelectorAll(selector)).forEach((n) => collected.push(n));
         Array.from(r.querySelectorAll("*")).forEach((el) => {
@@ -3473,6 +4212,26 @@ export function pickSubmitButtonIndex(texts) {
     });
     return bestIndex;
 }
+// ───────────── required-agreement checkbox guard ─────────────
+// Patterns shared by the pure helper below and the in-page evaluate in
+// `checkRequiredAgreementBoxes`. The evaluate runs in the page realm and
+// can't import, so the same two regexes are inlined there verbatim —
+// keep them BYTE-IDENTICAL with these.
+const AGREEMENT_TEXT_RE = /terms|tos\b|privacy|consent|policy|i agree|agree to|acknowledge|gdpr/i;
+const MARKETING_TEXT_RE = /newsletter|updates|offers|product tips|marketing|promotional|receive emails|opt[- ]?in to|subscribe/i;
+// True when a checkbox's associated text reads as a REQUIRED agreement
+// (terms/privacy/consent) and NOT as a marketing/newsletter opt-in.
+//
+// Why a deterministic check instead of trusting the LLM planner:
+// amplitude's signup renders the required TOS checkbox next to a pair of
+// data-storage-location card-radios; the planner mistook the whole
+// cluster for "ambiguous radios" and skipped the box, and amplitude's
+// submit isn't disabled when it's unticked — so the form silently
+// no-ops. We must never flip a marketing opt-in on the user's behalf,
+// hence the explicit marketing exclusion.
+export function isAgreementCheckboxText(text) {
+    return AGREEMENT_TEXT_RE.test(text) && !MARKETING_TEXT_RE.test(text);
+}
 // Parse a UNIVERSAL_BOT_PROXY_URL — e.g. "http://user:pass@host:8080" or
 // "socks5://host:1080" — into Playwright's proxy option shape. Playwright
 // wants credentials separate from `server`, so we split them out and