@trusty-squire/mcp 0.8.2-rc.9 → 0.8.2

package/dist/bot/replay-skill.js

@@ -45,7 +45,7 @@
 import { appendFileSync, mkdirSync } from "node:fs";
 import { join } from "node:path";
 import { loggedInProviders } from "./login-state.js";
-import { isTruncatedCapture, extractApiKeyFromText } from "./agent.js";
+import { isTruncatedCapture, extractApiKeyFromText, findOAuthButton } from "./agent.js";
 // ── Entry point ──────────────────────────────────────────────────────
 export async function replaySkill(input) {
     const { skill, browser } = input;
@@ -53,14 +53,25 @@ export async function replaySkill(input) {
     const candidatesDir = input.candidatesDir;
     const llmFallback = input.llmFallback;
     const templateValues = input.templateValues ?? {};
-    // Router-level guard: a demoted or pending-review skill is not
-    // replay-eligible. The router should have filtered these out, but
-    // we double-check at the boundary in case something hand-feeds us
-    // a skill record from a stale cache.
-    if (skill.status !== "active") {
+    // Router-level guard: a demoted, pending-review, or superseded
+    // skill is not replay-eligible for end-user provisions. The router
+    // should have filtered these out, but we double-check at the
+    // boundary in case something hand-feeds us a skill record from a
+    // stale cache.
+    //
+    // The verifier loop bypasses this guard via bypassStatusGuard=true
+    // (set by housekeeper-loop on the verifier queue) so it can gather
+    // replay outcomes that drive promote/demote transitions. Even with
+    // bypass, `superseded` stays gated — a newer version is canonical
+    // and replaying the older one is wasted effort.
+    const bypass = input.bypassStatusGuard === true;
+    const guardBlocks = skill.status === "superseded" || (!bypass && skill.status !== "active");
+    if (guardBlocks) {
         return {
             kind: "skill_demoted",
-            reason: `Skill status is ${skill.status}; replay is only valid for status=active.`,
+            reason: bypass
+                ? `Skill status is ${skill.status}; verifier replay still rejects superseded versions.`
+                : `Skill status is ${skill.status}; replay is only valid for status=active.`,
         };
     }
     // Walk the step graph. Dry mode stops before the last action that
@@ -395,7 +406,15 @@ async function preValidateStep(step, browser, templateValues) {
             const inventory = await browser.extractInteractiveElements();
             const copyButtons = inventory.filter(isCopyButton);
             if (copyButtons.length === 0) {
-                return { ok: false, reason: "No Copy button visible on page." };
+                // 0.8.2-rc.22 — pre-validation no longer hard-fails when the
+                // Copy button is missing. The executor's text-extraction
+                // fallback (extractCredentialCandidates + body-text regex +
+                // validator-blind tier) can still recover the credential when
+                // it's rendered on the page without a Copy affordance.
+                // Architecturally: pre-validation ranges over "is this step
+                // attempt-able"; the executor decides if attempt-able means
+                // "click and read" or "scan page text and validate."
+                return { ok: true };
             }
             if (copyButtons.length === 1) {
                 return { ok: true, match: copyButtons[0] };
@@ -471,13 +490,46 @@ async function preValidateStep(step, browser, templateValues) {
 }
 async function executeStep(step, browser, templateValues, skill) {
     switch (step.kind) {
-        case "navigate":
+        case "navigate": {
             await browser.goto(step.url);
             // Tiny settle for SPA-style apps that fire route handlers
             // post-DOMContentLoaded. The bot's runPrewarm waits 2s
             // post-navigate too.
             await browser.wait(2);
+            // 0.8.2-rc.22 — URL drift detection. When a skill's signup_url
+            // assumes the user is authenticated (Railway's /account/tokens
+            // captured after OAuth was done in a prior session), the
+            // unauthenticated bot lands on a login page instead. Downstream
+            // label_hint resolution then matches login-page elements that
+            // coincidentally share names with the captured page ("Name"
+            // input, "Workspace" select, "Create" button — all common on
+            // signup OR login forms), producing false-positive step
+            // successes. The replay then fails at the LAST step ("No Copy
+            // button visible") with a misleading reason. Catch the drift at
+            // step 0 so the verifier reports the real cause: this skill
+            // needs an OAuth step it doesn't have.
+            const landedUrl = browser.currentUrl();
+            const driftReason = detectNavigationDrift(landedUrl, step.url);
+            if (driftReason !== null) {
+                // 0.8.2-rc.22 — drive the OAuth handshake. Captured skills
+                // for OAuth-protected services (Railway, Sentry, etc.) often
+                // assume an authenticated session because the original capture
+                // was recorded in a profile that already had OAuth cookies.
+                // At replay time the persistent profile usually has the same
+                // cookies (subsequent OAuth round-trips through the provider
+                // auto-approve from the cached session). Click the OAuth
+                // button, wait for the round-trip to complete, re-navigate to
+                // the expected URL, and continue. Only bail to needs_login
+                // when no OAuth path is recoverable (no provider session, no
+                // OAuth button on the page).
+                const recovered = await attemptOAuthRecovery(browser, step.url);
+                if (recovered.kind === "ok") {
+                    return { kind: "navigated" };
+                }
+                return { kind: "needs_login", provider: recovered.provider };
+            }
             return { kind: "navigated" };
+        }
         case "click_oauth_button": {
             // Profile-session guard. If the user hasn't run `mcp login` for
             // this provider, the click would still happen but we'd land on
@@ -553,7 +605,16 @@ async function executeStep(step, browser, templateValues, skill) {
             // 0.8.2-rc.3 — apply near_text_hint filter when present so
             // Sentry-grid rows land on the right <select>. The original
             // `inventory.find` would unilaterally pick the first match.
-            const allMatches = inventory.filter((el) => matchesLabelHint(el, step.label_hint));
+            //
+            // 0.8.2-rc.21 — also restrict to fillable elements (input /
+            // textarea / select). Without this, a Railway-class form where
+            // a `<label for="select-X">` shares labelText with its
+            // `<select id="select-X">` would silently pick the label —
+            // and selectOption(label, …) would then route into the
+            // combobox path and fail because native selects don't reveal
+            // options via DOM patterns. Pre-validation already filters
+            // this way; the executor was lagging.
+            const allMatches = inventory.filter((el) => isFillable(el) && matchesLabelHint(el, step.label_hint));
             if (allMatches.length === 0) {
                 throw new Error(`No select matches label_hint=${step.label_hint}`);
             }
@@ -569,23 +630,64 @@ async function executeStep(step, browser, templateValues, skill) {
             return { kind: "selected" };
         }
         case "extract_via_copy_button": {
-            const inventory = await browser.extractInteractiveElements();
-            const copyButtons = inventory.filter(isCopyButton);
-            const target = copyButtons.length === 1
+            // 0.8.2-rc.22 — poll for the Copy button OR a validator-passing
+            // candidate to appear, up to 8s. The captured skill assumes the
+            // post-Create UI renders synchronously, but services like
+            // Railway take 1-3s to paint the new-token row. Pre-rc.22 the
+            // executor ran a single inventory inspection and gave up; that
+            // cost us every replay where the credential needed a beat to
+            // appear.
+            //
+            // Loop exits on whichever happens first:
+            //   (a) target Copy button materialises → break, click + run
+            //       the normal extraction tiers.
+            //   (b) a credential-shaped candidate appears in
+            //       extractCredentialCandidates that satisfies the skill's
+            //       post_extract_validator → return it directly without
+            //       needing a Copy click.
+            // If neither shows up in 8s, fall through to the existing
+            // candidate/body/clipboard/fallback chain with the LAST polled
+            // inventory + emptiness, ending in the diagnostic throw.
+            const fallbackValidatorPoll = skill.credentials[0]?.post_extract_validator;
+            const pollDeadline = Date.now() + 8000;
+            let inventory = await browser.extractInteractiveElements();
+            let copyButtons = inventory.filter(isCopyButton);
+            let target = copyButtons.length === 1
                 ? copyButtons[0]
                 : copyButtons.find((btn) => nearTextHintMatches(btn, step.near_text_hint, inventory));
-            if (target === undefined) {
-                throw new Error("Copy button disappeared between pre-validation and execution.");
+            while (target === undefined && Date.now() < pollDeadline) {
+                // Bail-on-found: a validator-passing candidate appearing first
+                // is the credential. We don't need the Copy button anymore.
+                if (fallbackValidatorPoll !== undefined) {
+                    try {
+                        const polled = await browser.extractCredentialCandidates();
+                        for (const cand of polled) {
+                            if (cand.length < fallbackValidatorPoll.min_length)
+                                continue;
+                            if (cand.length > fallbackValidatorPoll.max_length)
+                                continue;
+                            if (!/\d/.test(cand))
+                                continue;
+                            if (!/^[a-zA-Z0-9_\-]+$/.test(cand))
+                                continue;
+                            return { kind: "extract_ok", value: cand, via: "copy_button" };
+                        }
+                    }
+                    catch {
+                        // Non-fatal — fall through to next poll tick.
+                    }
+                }
+                await browser.wait(0.5);
+                inventory = await browser.extractInteractiveElements();
+                copyButtons = inventory.filter(isCopyButton);
+                target = copyButtons.length === 1
+                    ? copyButtons[0]
+                    : copyButtons.find((btn) => nearTextHintMatches(btn, step.near_text_hint, inventory));
+            }
+            if (target !== undefined) {
+                await browser.click(target.selector);
+                await browser.wait(1);
             }
-            // Click the Copy button. The bot already does this in
-            // tryCopyButtonExtraction; we mirror the contract: click, brief
-            // wait, then read navigator.clipboard.readText() via the page
-            // context. clipboardText() on BrowserController would be ideal
-            // but doesn't exist yet — we use page.evaluate via the
-            // extractCredentialCandidates pathway, falling back to text
-            // scan if clipboard access is denied.
-            await browser.click(target.selector);
-            await browser.wait(1);
             // BrowserController.extractCredentialCandidates pulls visible
             // candidates (input values + direct text); it does NOT read the
             // clipboard yet. We use it as the primary source and fall back
@@ -642,7 +744,44 @@ async function executeStep(step, browser, templateValues, skill) {
                 // Clipboard read failed (permission denied, no clipboard
                 // contents). Fall through to the canonical error.
             }
-            throw new Error("Copy button clicked but no credential matched the regex library in candidates, body text, or clipboard.");
+            // 0.8.2-rc.22 — validator-filtered candidate scan. Mirrors the
+            // identical tier in `extract_via_regex` so that copy_button
+            // steps can recover when (a) the Copy button isn't on the
+            // page at all (replay reached this step without a Copy
+            // affordance — Railway-class pages where the token renders
+            // inline) or (b) the click + clipboard contract didn't yield
+            // a recognised prefix but a credential-shaped string IS
+            // sitting on the page.
+            const fallbackValidator = skill.credentials[0]?.post_extract_validator;
+            if (fallbackValidator !== undefined) {
+                try {
+                    const cands = await browser.extractCredentialCandidates();
+                    for (const cand of cands) {
+                        if (cand.length < fallbackValidator.min_length)
+                            continue;
+                        if (cand.length > fallbackValidator.max_length)
+                            continue;
+                        if (!/\d/.test(cand))
+                            continue;
+                        if (!/^[a-zA-Z0-9_\-]+$/.test(cand))
+                            continue;
+                        return { kind: "extract_ok", value: cand, via: "copy_button" };
+                    }
+                }
+                catch {
+                    // Fall through to the canonical error below.
+                }
+            }
+            // Diagnostic context — keeps a short trail of "what did the bot
+            // see when extract failed" so we can iterate without re-running.
+            // url + inventory.length is enough to triage 90% of cases; full
+            // snapshots would require a new sink and aren't worth the
+            // complexity here.
+            const diag = ` [url=${browser.currentUrl()} inventory=${inventory.length} copyButtons=${copyButtons.length}]`;
+            const failureReason = target === undefined
+                ? `No Copy button on page and no credential-shaped string passed the validator.${diag}`
+                : `Copy button clicked but no credential matched the regex library in candidates, body text, or clipboard.${diag}`;
+            throw new Error(failureReason);
         }
         case "extract_via_regex": {
             // rc.18 — poll the page text for the credential. The previous
@@ -728,6 +867,50 @@ async function executeStep(step, browser, templateValues, skill) {
                     // Fall through to the canonical error below.
                 }
             }
+            // 0.8.2-rc.21 — validator-blind last-resort tier for uuid_token.
+            // The synthesizer's `uuid_token` is its FALLBACK pattern when no
+            // recognised prefix matches the captured HTML. inferShapeHint
+            // then sets the validator to {36, 36} if ANY uuid-shaped string
+            // appears on the page — even an unrelated request/session ID.
+            // On IPInfo's dashboard the actual API key is a bare 14-char
+            // hex string in a <code> element AND the HTML also contains
+            // an unrelated 36-char tracking UUID, so the validator above
+            // narrows to 36/36 and the real 14-char value is filtered out.
+            // This tier fires only when:
+            //   - the captured pattern was the fallback uuid_token (so we
+            //     KNOW the synthesizer guessed about the shape — never for
+            //     prefix-anchored patterns like sk-or-v1-, re_, etc.)
+            //   - every prior tier (labeled regex, UUID poll, copy-button
+            //     colocation, validator-filtered candidate scan) failed
+            // Scans structural <code>/<pre>/<kbd>/<samp>-class candidates
+            // (extractCredentialCandidates filters to these explicitly so
+            // page chrome / nav strings don't appear here) with a wider
+            // 8-128 char range, digit-required, alphanumeric-only. The
+            // registry's post_extract_validator runs downstream and rejects
+            // shapes that don't satisfy the credential's published shape,
+            // so a false-positive surfaces as a validator-reject rather
+            // than a published bad credential.
+            if (step.pattern_name === "uuid_token") {
+                try {
+                    const candidates = await browser.extractCredentialCandidates();
+                    for (const cand of candidates) {
+                        if (cand.length < 8 || cand.length > 128)
+                            continue;
+                        if (!/\d/.test(cand))
+                            continue;
+                        if (!/^[a-zA-Z0-9_\-]+$/.test(cand))
+                            continue;
+                        // Skip values that look like a URL/path/route — those
+                        // show up in <code> blocks for documentation snippets.
+                        if (cand.includes("/") || cand.includes("."))
+                            continue;
+                        return { kind: "extract_ok", value: cand, via: "regex" };
+                    }
+                }
+                catch {
+                    // Fall through to the canonical error below.
+                }
+            }
             throw new Error(`No credential matching pattern ${step.pattern_name} found on page.`);
         }
         // Multi-cred extract: mirrors the single-cred copy_button executor
@@ -1202,4 +1385,150 @@ async function preValidateAllExtractsInDryMode(steps, dryStopAt, browser, templa
     }
     return null;
 }
+// ── URL-drift detection (0.8.2-rc.22) ────────────────────────────────
+// Patterns that indicate the bot landed on a login/auth page instead
+// of the expected target. Catches:
+//   - same-domain redirects to /login, /signin, /signup, /auth/*
+//   - cross-domain redirects to known OAuth providers
+//   - Railway's specific /login pattern
+// False-positive risk is low: signup pages with "/login" in the path
+// are rare and usually intentional (e.g., the form lives at the
+// `signup_url` itself), so a redirect that ends up on a path matching
+// these patterns is overwhelmingly a real auth wall.
+const LOGIN_PATH_RE = /\/(login|signin|sign[-_]in|auth|sso)(?:[/?#]|$)/i;
+const OAUTH_PROVIDER_HOSTS = new Set([
+    "accounts.google.com",
+    "github.com",
+    "auth0.com",
+    "login.microsoftonline.com",
+]);
+// Returns null when the current URL is consistent with the requested
+// URL (same origin, no login-path redirect). Returns a short reason
+// string when drift is detected. Exported for unit tests.
+export function detectNavigationDrift(currentUrl, expectedUrl) {
+    let cur;
+    let exp;
+    try {
+        cur = new URL(currentUrl);
+        exp = new URL(expectedUrl);
+    }
+    catch {
+        // If either URL is unparseable, don't claim drift — the caller's
+        // next step will fail with a clearer error.
+        return null;
+    }
+    // Cross-domain landing on a known OAuth provider — unambiguous.
+    if (cur.hostname !== exp.hostname &&
+        OAUTH_PROVIDER_HOSTS.has(cur.hostname)) {
+        return `redirected to OAuth provider ${cur.hostname}`;
+    }
+    // Same-origin redirect to a login-shaped path — covers Railway's
+    // /login fallback when /account/tokens is hit unauthenticated.
+    if (cur.hostname === exp.hostname && cur.pathname !== exp.pathname) {
+        if (LOGIN_PATH_RE.test(cur.pathname)) {
+            return `same-origin redirect to login path ${cur.pathname}`;
+        }
+    }
+    return null;
+}
+export function inferProviderFromUrl(url) {
+    try {
+        const u = new URL(url);
+        if (/^(?:.+\.)?google\.com$/i.test(u.hostname))
+            return "google";
+        if (/^(?:.+\.)?github\.com$/i.test(u.hostname))
+            return "github";
+    }
+    catch {
+        /* ignore */
+    }
+    return null;
+}
+// ── OAuth recovery during replay (0.8.2-rc.22) ───────────────────────
+// When a navigate step lands on a login page (URL drift detected),
+// the replay engine attempts to drive the OAuth handshake using the
+// bot's persistent profile's cached session cookies. This is the
+// non-failing path for skills captured against authenticated services
+// — Railway, Sentry, Anthropic, etc. — whose synthesizer didn't emit
+// an explicit `click_oauth_button` step because the original signup
+// rode an existing browser session.
+//
+// Recovery succeeds (returns ok) when:
+//   - the current page has an OAuth button matching one of the
+//     profile's logged-in providers
+//   - clicking the button + waiting for the round-trip leaves the
+//     bot back on the expected service domain
+//   - re-navigating to the expected URL doesn't drift again
+//
+// Otherwise returns needs_login with the best-guess provider so the
+// caller surfaces a real "give the user a way to log in" signal.
+//
+// Cookie-driven OAuth typically completes in 2-5s end-to-end (provider
+// auto-approves from the cached session). 30s budget covers slower
+// providers + the rare "show the account chooser" interstitial. If the
+// provider demands real user interaction (2FA challenge, missing-scope
+// consent), the budget will tick down without resolution and we bail
+// to needs_login — that's the "laws of physics" boundary: a verifier
+// process running without a human can't complete a challenge.
+async function attemptOAuthRecovery(browser, expectedUrl) {
+    const profiles = loggedInProviders();
+    if (profiles.length === 0) {
+        return { kind: "needs_login", provider: "google" };
+    }
+    // Inventory once. Look for an OAuth button matching any provider
+    // we have a cached session for. Prefer the first match in profile
+    // order so a Google-first user doesn't end up bound to GitHub on
+    // services that offer both.
+    const inventory = await browser.extractInteractiveElements();
+    let pickedProvider = null;
+    let pickedButton = null;
+    for (const p of profiles) {
+        const btn = findOAuthButton(inventory, p);
+        if (btn !== null) {
+            pickedProvider = p;
+            pickedButton = btn;
+            break;
+        }
+    }
+    if (pickedProvider === null || pickedButton === null) {
+        // The page may genuinely be a non-OAuth login form (some services
+        // also offer password auth). The replay can't synthesize a
+        // password; surface needs_login with a guess based on the URL.
+        const guess = inferProviderFromUrl(browser.currentUrl()) ?? "google";
+        return { kind: "needs_login", provider: guess };
+    }
+    // Drive the click. startOAuth adopts whichever Chrome target
+    // catches the redirect (popup OR same-tab). After the click, poll
+    // for the round-trip to complete: either the popup closes, OR the
+    // active page's URL returns to the expected service domain.
+    await browser.startOAuth(pickedButton.selector);
+    const expectedHost = new URL(expectedUrl).hostname;
+    const deadline = Date.now() + 30_000;
+    while (Date.now() < deadline) {
+        await browser.wait(1);
+        if (browser.oauthPageClosed())
+            break;
+        let host;
+        try {
+            host = new URL(browser.currentUrl()).hostname;
+        }
+        catch {
+            continue;
+        }
+        if (host === expectedHost)
+            break;
+    }
+    // Verify we're actually back. Re-navigate to the exact expected URL
+    // so the rest of the skill executes against the page it was
+    // captured against (not, e.g., a /welcome or /dashboard landing).
+    await browser.goto(expectedUrl);
+    await browser.wait(2);
+    const drift = detectNavigationDrift(browser.currentUrl(), expectedUrl);
+    if (drift !== null) {
+        // OAuth round-trip didn't unlock the destination — likely
+        // expired cookies. The user needs to re-run `mcp login`.
+        return { kind: "needs_login", provider: pickedProvider };
+    }
+    return { kind: "ok" };
+}
 //# sourceMappingURL=replay-skill.js.map