@trusty-squire/mcp 0.9.3 → 0.9.5

package/dist/bot/agent.js

@@ -1195,6 +1195,17 @@ export function extractVerifyWallAlias(text) {
         if (/\.(?:js|mjs|css|map|png|jpe?g|svg|gif|ico|woff2?|ttf|webp)$/i.test(addr)) {
             continue;
         }
+        // Reject RFC 2606 reserved-for-documentation domains. A docs/sample email
+        // like "check amy@example.com" rendered on a dashboard is never a real
+        // verification target — polling it 404s as unknown_alias and yields a
+        // false verification_not_sent. (Anthropic's console shows amy@example.com
+        // in a sample.) Covers example.{com,net,org} + the .example/.test/
+        // .invalid/.localhost reserved suffixes.
+        const domain = addr.slice(addr.indexOf("@") + 1).toLowerCase();
+        if (/^example\.(?:com|net|org)$/.test(domain) ||
+            /\.(?:example|test|invalid|localhost)$/.test(domain)) {
+            continue;
+        }
         return addr;
     }
     return null;
@@ -2143,32 +2154,40 @@ export function findSignInAdvanceButton(inventory, providers) {
 // actually has a session for. `findFirstOAuthButton` walks this list in
 // order and uses the first provider the PAGE offers, so order = preference.
 //
-// RULE 1 — respect an explicit pin when its session is warm. The operator
-// pins a provider for a reason the bot can't see from the page: e.g.
-// northflank surfaces Google only as on-demand One-Tap (a FedCM widget the
-// redirect flow can't drive) while its GitHub button is a clean redirect, so
-// the service is pinned github. Leading with the warm pin honors that, with
-// the OTHER warm provider kept as a fallback for pages that only render it.
-// (This became safe once `login` was fixed to establish the session through
-// the bot's egress proxy — a warm GitHub session no longer dies on an IP
-// jump, so it doesn't hit the /authorize 2FA wall the way a stale one did.)
+// RULE 1 — Google leads whenever its session is warm, pin or not. Empirically
+// Google's OAuth blocks far less hard than GitHub's, which hits an UNCLEARABLE
+// forced-2FA "Verify 2FA now" wall on the /authorize step regardless of session
+// warmth or egress IP (MEASURED 2026-06-07: porter + deepinfra were pinned
+// github, hit the wall and aborted, while their own signin pages also offered a
+// clean Google button the bot should have taken). This makes the code match the
+// long-stated intent in resolveOAuthCandidates ("Google blocks less hard, so it
+// leads") — which RULE 1 previously contradicted by leading with the pin.
 //
-// RULE 2 — with NO pin, Google leads when present: empirically its OAuth
-// blocks less hard than a cold GitHub flow.
+// A `github` pin still works for its real purpose: when a service's Google is
+// One-Tap/FedCM-only (no redirect button the flow can drive — northflank),
+// findFirstOAuthButton finds no Google button and falls through to GitHub even
+// though Google leads here. So a pin only decides ORDER when Google is NOT warm.
+//
+// RULE 2 — with no warm Google session, honor an explicit pin, else whatever IS
+// warm.
 export function orderOAuthCandidates(pinned, loggedIn) {
+    if (loggedIn.includes("google")) {
+        const rest = loggedIn.filter((p) => p !== "google");
+        // A non-Google pin sits right behind Google. Keep it even when its own
+        // session is cold, as a trailing fallback so a page that only offers that
+        // provider still gets attempted (a cold attempt → needs_login, which tells
+        // the operator to log in — better than silently dropping to form-fill).
+        if (pinned !== undefined && pinned !== "google") {
+            return ["google", pinned, ...rest.filter((p) => p !== pinned)];
+        }
+        return ["google", ...rest];
+    }
     if (pinned !== undefined) {
-        if (loggedIn.includes(pinned)) {
-            const others = loggedIn
-                .filter((p) => p !== pinned)
-                .sort((a, b) => (a === "google" ? -1 : b === "google" ? 1 : 0));
-            return [pinned, ...others];
-        }
-        // Pin's session isn't warm — fall back to whatever IS (Google preferred).
-        if (pinned !== "google" && loggedIn.includes("google"))
-            return ["google", pinned];
+        if (loggedIn.includes(pinned))
+            return [pinned, ...loggedIn.filter((p) => p !== pinned)];
         return [pinned];
     }
-    return [...loggedIn].sort((a, b) => (a === "google" ? -1 : b === "google" ? 1 : 0));
+    return [...loggedIn];
 }
 // Parse a post-verify step. When `allowedSelectors` is supplied, a
 // `click`/`fill` selector that is not in the page inventory is a
@@ -2593,6 +2612,46 @@ export function isMultiCredBundle(creds) {
     }
     return false;
 }
+// DOM-label phrase → canonical credential key. Shared by
+// extractFromDomProximity (which harvests VALUES) and
+// countPresentedCredentialLabels (which counts how many distinct
+// credentials a page PRESENTS, masked included). Kept in lockstep with
+// the Phase E LABEL_ALIASES vocabulary.
+const DOM_LABEL_TO_KEY = {
+    "api key": "api_key",
+    "api token": "api_key",
+    "api secret": "api_secret",
+    "secret key": "secret_key",
+    "publishable key": "publishable_key",
+    "access key": "access_key_id",
+    "access key id": "access_key_id",
+    "access token": "access_token",
+    "bearer token": "access_token",
+    "personal access token": "access_token",
+    "auth token": "auth_token",
+    "client id": "client_id",
+    "client secret": "client_secret",
+    "client key": "client_id",
+    "cloud name": "cloud_name",
+    cloudname: "cloud_name",
+    "application id": "application_id",
+    "app id": "application_id",
+    "admin api key": "admin_api_key",
+    "search api key": "search_api_key",
+    "search-only api key": "search_api_key",
+    "monitoring api key": "monitoring_api_key",
+    "account sid": "account_sid",
+    "secret access key": "secret_access_key",
+    "consumer key": "consumer_key",
+    "consumer secret": "consumer_secret",
+    "access token secret": "access_token_secret",
+    "project api key": "project_api_key",
+    "personal api key": "personal_api_key",
+    "organization id": "org_id",
+    "org id": "org_id",
+    "app key": "app_key",
+    "app secret": "app_secret",
+};
 export function extractApiKeyFromText(text) {
     const prefixed = [
         /\bre_[a-zA-Z0-9_]{20,}\b/, // Resend (key body contains underscores)
@@ -2776,6 +2835,20 @@ export function isCredentialNoiseCandidate(candidate) {
         return true;
     return CREDENTIAL_NOISE_PREFIXES.some((p) => lower.startsWith(p));
 }
+// True when a URL is a documentation / help / reference page rather than a
+// product surface. Such pages render REALISTIC sample credentials (Anthropic's
+// platform.claude.com/docs/.../get-started shows ANTHROPIC_API_KEY='sk-ant-
+// api03-...') that match the real key shape but are NOT user credentials. A
+// real minted key lives on the console / settings, never under /docs — so the
+// extractor refuses to read a credential while on a docs page, which keeps the
+// post-verify loop navigating toward the real keys page instead of false-
+// succeeding on a sample. Exported for unit testing.
+export function isDocumentationUrl(url) {
+    const u = url.toLowerCase();
+    return (/^https?:\/\/docs?\.[^/]+/.test(u) || // docs.x.com / doc.x.com host
+        /\/docs?\//.test(u) || // /docs/ or /doc/ path
+        /\/(?:help|reference|api-reference|guides?|tutorials?)\//.test(u));
+}
 // Choose which link in a verification email to click. Scores each URL
 // by keyword and picks the best — but only if it scored positive.
 //
@@ -2839,6 +2912,60 @@ export function pickVerificationLinkFromHtml(bodyHtml) {
     }
     return best !== null && best.score > 0 ? best.url : null;
 }
+// Last-resort verification-CODE extraction from an email body, for the
+// passwordless "we emailed you a code" flow (axiom: "Axiom sign-in
+// verification code") when the inbox parser's parsed_codes came back empty.
+// Without this the bot bailed "no usable verification link" on a code-only
+// email — treating a routine code flow as a dead end. Conservative: prefers a
+// 4-8 digit run next to a code/verify keyword, then a space/dash-grouped code,
+// then a standalone 6-digit number (the most common verification length).
+// Returns null when nothing code-shaped is found so the caller still bails
+// honestly rather than typing garbage. Exported for unit testing.
+export function extractCodeFromEmailBody(email) {
+    const text = [
+        email.subject ?? "",
+        email.body_text ?? "",
+        (email.body_html ?? "").replace(/<[^>]+>/g, " "),
+    ].join("\n");
+    // 1) A code sitting next to a verification keyword — the strongest signal.
+    const kw = text.match(/(?:verification code|sign[\s-]?in code|one[\s-]?time(?:\s+(?:code|password))?|security code|your code|confirmation code|code is|enter(?:\s+this)?\s+code)\b[^0-9]{0,40}([0-9]{4,8})\b/i);
+    if (kw?.[1] !== undefined)
+        return kw[1];
+    // 2) A grouped code ("123-456" / "1234 5678").
+    const grouped = text.match(/(?<![0-9])([0-9]{3,4}[ -][0-9]{3,4})(?![0-9])/);
+    if (grouped?.[1] !== undefined)
+        return grouped[1].replace(/[ -]/g, "");
+    // 3) A standalone 6-digit number (most verification codes).
+    const six = text.match(/(?<![0-9])([0-9]{6})(?![0-9])/);
+    if (six?.[1] !== undefined)
+        return six[1];
+    return null;
+}
+// True when the page is an email verification-CODE entry gate: a single
+// code-style input (name/id/placeholder/label ~ code/token/otp/verification),
+// NO email/password/tel field still to fill, and verify/code copy in the body.
+// axiom-class passwordless ("Send Code to Email" lands here). Distinct from the
+// no-fields verification WALL: this page HAS an input, but it's a CODE field,
+// so the form-fill planner would otherwise type an empty literal into it and
+// loop. The caller returns "submitted" to route to the inbox-poll + code-entry
+// path (the code was emailed to our alias). Exported for unit testing.
+export function isVerificationCodeGate(inventory, pageText) {
+    const inputs = inventory.filter((e) => e.tag === "input" && e.visible !== false);
+    // Any email/password/tel field still present → still a signup form, not a
+    // pure code gate.
+    if (inputs.some((e) => e.type === "email" || e.type === "password" || e.type === "tel")) {
+        return false;
+    }
+    const codeRe = /\b(?:code|token|otp|verification|verify|one[\s-]?time|2fa|mfa)\b/i;
+    const hasCodeInput = inputs.some((e) => {
+        const hay = `${e.name ?? ""} ${e.id ?? ""} ${e.placeholder ?? ""} ${e.ariaLabel ?? ""} ${e.labelText ?? ""}`;
+        return codeRe.test(hay);
+    });
+    if (!hasCodeInput)
+        return false;
+    const t = pageText.toLowerCase();
+    return /verification code|enter (?:the |your )?code|code is required|verify and continue|we (?:sent|emailed)|check your email|one[\s-]?time (?:code|password)|sign[\s-]?in code/.test(t);
+}
 // Discriminates LLMPair from LLMClient. LLMPair has `primary` (an
 // LLMClient); LLMClient has `createMessage`. They're mutually exclusive
 // shapes so a structural check is reliable.
@@ -3305,8 +3432,27 @@ export class SignupAgent {
                         e.type === "password" ||
                         e.type === null) &&
                     e.visible !== false);
-                if (!hasFillableInput && expectsVerificationEmail(wallText)) {
-                    const alias = extractVerifyWallAlias(wallText);
+                // Only enter the inbox-poll flow when the named alias is one we can
+                // actually POLL — on our own inbox domain (task.email's domain, which
+                // also covers a prior run's alias). A logged-in dashboard often shows
+                // the operator's real email (e.g. a personal gmail) or a docs sample
+                // next to "check your email" copy; polling those 404s as
+                // unknown_alias and yields a false verification_not_sent. A wall that
+                // names NO address (generic "check your email") still fires and polls
+                // task.email — that's the common legitimate case. (Already-
+                // authenticated dashboards are routed straight to key extraction
+                // before the form-fill loop, so they never reach this detector.)
+                const wallAlias = extractVerifyWallAlias(wallText);
+                const ourInboxDomain = task.email
+                    .slice(task.email.indexOf("@") + 1)
+                    .toLowerCase();
+                const aliasPollable = wallAlias === null ||
+                    wallAlias.slice(wallAlias.indexOf("@") + 1).toLowerCase() ===
+                        ourInboxDomain;
+                if (!hasFillableInput &&
+                    expectsVerificationEmail(wallText) &&
+                    aliasPollable) {
+                    const alias = wallAlias;
                     this.pendingVerificationAlias = alias;
                     steps.push(`Form: email-verification wall (no fields to fill${alias !== null ? `, check ${alias}` : ""}) — ` +
                         `routing to the inbox-poll + verification-link flow.`);
@@ -3331,6 +3477,19 @@ export class SignupAgent {
                     return { kind: "submitted" };
                 }
             }
+            // Email verification-CODE gate (axiom-class passwordless). The no-fields
+            // wall above misses it because this page HAS an input — but it's a CODE
+            // field, not email/password, and the code was emailed to our alias.
+            // Return "submitted" so the post-submit inbox-poll + code-entry path
+            // (extractCodeFromEmailBody → enterEmailVerificationCode) handles it,
+            // instead of the planner typing an empty literal into the code field and
+            // looping. Gated on committedToEmailPath — a code gate only appears after
+            // the email was submitted.
+            if (committedToEmailPath && isVerificationCodeGate(inventory, state.html)) {
+                this.pendingVerificationAlias = this.pendingVerificationAlias ?? task.email;
+                steps.push("Form: email verification-CODE gate detected — routing to the inbox-poll + code-entry flow.");
+                return { kind: "submitted" };
+            }
             // OAuth-first (T6/T13 + auto-prefer): when the page carries a
             // "Sign in with <provider>" affordance for a provider the bot can
             // use, that button unconditionally outranks any form field — hand
@@ -4300,12 +4459,44 @@ export class SignupAgent {
             // would otherwise read as "other". (A promoted-skill URL is replay-
             // verified and a guessed URL that's wrong is recovered here too.)
             let needsRecovery = false;
-            if (task.signupUrl === undefined) {
+            // Set when the landing page is an already-authenticated dashboard — we
+            // then route STRAIGHT to key extraction (the already_oauth dispatch
+            // case) and skip the form-fill loop entirely. The loop's own
+            // already-signed-in check runs on a ranked+capped inventory that drops
+            // the low-ranked nav markers detectAlreadySignedIn keys on, so it
+            // unreliably misses dashboards (anthropic) and the verification-wall
+            // detector false-fires first. The full-inventory check below is the
+            // reliable signal; act on it here, not in the loop.
+            let alreadyAuthenticated = false;
+            // Before any recovery: are we ALREADY authenticated for this service?
+            // The operator's own session can be bound to the service (e.g.
+            // Anthropic, where the bot rides the operator's account), so the
+            // landing page is a dashboard with no signup CTA. Recovery would then
+            // chase a non-existent signup page — Tier B finds no CTA, the Google
+            // fallback finds no on-domain match — and bail `no_signup_link`
+            // ("the service likely doesn't have a public self-serve signup"),
+            // which is flatly wrong: we're simply logged in. Skip recovery and let
+            // planExecuteWithRetry's OAuth-first scan detect the authenticated
+            // state (already_oauth) and jump straight to key extraction — the same
+            // post-verify path runOAuthFlow uses after a successful handshake.
+            // detectAlreadySignedIn's precondition (no email/password/tel input
+            // visible) makes this safe: a real signup/login page short-circuits to
+            // false before any dashboard marker is considered.
+            const landed = await this.browser.getState();
+            const landedInventory = await this.browser.extractInteractiveElements();
+            if (detectAlreadySignedIn({
+                inventory: landedInventory,
+                url: landed.url,
+            })) {
+                steps.push(`${task.service}: already authenticated (dashboard markers, no signup CTA) — ` +
+                    `skipping signup, routing straight to key extraction`);
+                alreadyAuthenticated = true;
+            }
+            else if (task.signupUrl === undefined) {
                 needsRecovery = !(await this.looksLikeSignupPage());
             }
             else {
-                const rendered = (await this.browser.getState()).html;
-                const klass = classifySignupHtml(rendered);
+                const klass = classifySignupHtml(landed.html);
                 if (klass !== "signup" && !(await this.looksLikeSignupPage())) {
                     needsRecovery = true;
                     steps.push(`curated signup_url for ${task.service} rendered as "${klass}", not a signup form — attempting recovery`);
@@ -4394,9 +4585,12 @@ export class SignupAgent {
                     return {
                         success: false,
                         error: `no_signup_link: searched for ${task.service}'s signup page and ` +
-                            `found no on-domain candidates. The service likely doesn't have ` +
-                            `a public self-serve signup, or the bot's domain guard rejected ` +
-                            `every match. Sign up manually.`,
+                            `found no on-domain candidates. Likely causes: you already have an ` +
+                            `account and the bot landed on a logged-in dashboard with no signup ` +
+                            `CTA (the already-authenticated detector didn't recognize this ` +
+                            `dashboard's markers); the service has no public self-serve signup; ` +
+                            `or the bot's domain guard rejected every match. Sign up manually, ` +
+                            `or extract the key from the existing session.`,
                         steps,
                         ...this.resultTail(),
                     };
@@ -4422,7 +4616,14 @@ export class SignupAgent {
             // every terminal case (submitted, planning_failed, …) stays in one
             // place. Bounded to a single re-route so a service that keeps
             // bouncing can't spin here.
-            let outcome = await this.planExecuteWithRetry(task, fillValues, steps);
+            // Already authenticated (full-inventory check above): skip the form-fill
+            // loop and hand straight to the already_oauth case, which extracts /
+            // mints the key from the existing session. Going through the loop would
+            // re-detect on a capped inventory (missing the nav markers), false-fire
+            // the verification-wall detector, and never reach key extraction.
+            let outcome = alreadyAuthenticated
+                ? { kind: "already_oauth" }
+                : await this.planExecuteWithRetry(task, fillValues, steps);
             let oauthFallbackUsed = false;
             // Multi-step signup guard (amplitude: email/name step → a dedicated
             // "Create your password" step). Bounds how many continuation form steps
@@ -4735,7 +4936,17 @@ export class SignupAgent {
                                 credentials = await this.enterEmailVerificationCode(email.parsed_codes[0] ?? "", task, password, steps);
                             }
                             else {
-                                steps.push("Email had no usable verification link.");
+                                // No link and the inbox parser found no code — last-resort
+                                // scan the email body ourselves for a verification code
+                                // (passwordless "we emailed you a code" flow, e.g. axiom).
+                                const bodyCode = extractCodeFromEmailBody(email);
+                                if (bodyCode !== null) {
+                                    steps.push(`Email had no link but carried a verification code (…${bodyCode.slice(-2)}) — entering it.`);
+                                    credentials = await this.enterEmailVerificationCode(bodyCode, task, password, steps);
+                                }
+                                else {
+                                    steps.push("Email had no usable verification link or code.");
+                                }
                             }
                         }
                         else if (email.parsed_codes.length > 0) {
@@ -4886,6 +5097,21 @@ export class SignupAgent {
             steps.push(`OAuth: Google Identity Services / FedCM widget — resolved via ${gsi.via}` +
                 (gsi.ok ? "" : " (no FedCM dialog or popup appeared — the widget may need a different trigger)"));
         }
+        // OmniAuth POST-only recovery prep. Capture the affordance's href + the
+        // page's CSRF token NOW, while we're still on the signin page — the
+        // "Authentication passthru" page a GET-click lands on is bare (no token).
+        // See the typesense root-cause (2026-06-07): Rails/OmniAuth 2.0 is
+        // POST-only; the GitHub button is a GET <a href="/users/auth/github">
+        // upgraded to POST by page JS, and the bot's GET-click hit the passthru.
+        const omniauthHref = typeof this.browser.getElementAttribute === "function"
+            ? await this.browser
+                .getElementAttribute(oauthSelector, "href")
+                .catch(() => null)
+            : null;
+        const omniauthToken = typeof this.browser.getMetaCsrfToken === "function"
+            ? await this.browser.getMetaCsrfToken().catch(() => null)
+            : null;
+        let omniauthPostTried = false;
         if (!gsiHandled) {
             await this.browser.startOAuth(oauthSelector);
         }
@@ -4932,8 +5158,37 @@ export class SignupAgent {
             }
             const authState = provider.classifyAuthState(url, body);
             steps.push(`OAuth: ${provider.label} auth state = ${authState} (url=${url.slice(0, 120)})`);
-            if (authState === "not_provider")
+            if (authState === "not_provider") {
+                // OmniAuth 2.0 POST-only recovery. The provider button can be a GET
+                // <a href="/.../auth/<provider>"> that page-JS upgrades to a POST; if
+                // the bot's click hit the default GET, Rails/OmniAuth answers
+                // "Not found. Authentication passthru." and OAuth never started — the
+                // bot then misreads it as "signed in" and bails. Detect that bare
+                // passthru page and re-initiate via POST with the signin page's CSRF
+                // token (proven to 302 to the provider). MEASURED 2026-06-07: typesense.
+                const onOmniAuthPassthru = /authentication passthru|not found/i.test(body) &&
+                    /\/auth\/[a-z0-9_-]+\/?$/i.test(url);
+                if (onOmniAuthPassthru &&
+                    !omniauthPostTried &&
+                    omniauthToken !== null &&
+                    omniauthHref !== null) {
+                    omniauthPostTried = true;
+                    const action = new URL(omniauthHref, url).toString();
+                    steps.push(`OAuth: ${provider.label} endpoint is POST-only (OmniAuth GET passthru) — ` +
+                        `re-initiating via POST with the page CSRF token`);
+                    try {
+                        await this.browser.submitPostForm(action, {
+                            authenticity_token: omniauthToken,
+                        });
+                        await this.browser.wait(3);
+                        continue; // re-read state — should now be on the provider's page
+                    }
+                    catch (err) {
+                        steps.push(`OAuth: OmniAuth POST recovery failed (${err instanceof Error ? err.message : String(err)})`);
+                    }
+                }
                 break; // flow left the provider — back on the service
+            }
             if (authState === "challenge") {
                 // rc.26 — always capture forensic state at the moment the
                 // challenge is detected. Before this, snapshots fired only at
@@ -6081,41 +6336,7 @@ ${formatInventory(input.inventory)}`,
     async extractFromDomProximity() {
         // Vocabulary matches the LABEL_ALIASES used by Phase E so the
         // canonical keys stay consistent across paths.
-        const LABEL_TO_KEY = {
-            "api key": "api_key",
-            "api token": "api_key",
-            "api secret": "api_secret",
-            "secret key": "secret_key",
-            "publishable key": "publishable_key",
-            "access key": "access_key_id",
-            "access key id": "access_key_id",
-            "access token": "access_token",
-            "bearer token": "access_token",
-            "personal access token": "access_token",
-            "auth token": "auth_token",
-            "client id": "client_id",
-            "client secret": "client_secret",
-            "client key": "client_id",
-            "cloud name": "cloud_name",
-            "cloudname": "cloud_name",
-            "application id": "application_id",
-            "app id": "application_id",
-            "admin api key": "admin_api_key",
-            "search api key": "search_api_key",
-            "search-only api key": "search_api_key",
-            "monitoring api key": "monitoring_api_key",
-            "account sid": "account_sid",
-            "secret access key": "secret_access_key",
-            "consumer key": "consumer_key",
-            "consumer secret": "consumer_secret",
-            "access token secret": "access_token_secret",
-            "project api key": "project_api_key",
-            "personal api key": "personal_api_key",
-            "organization id": "org_id",
-            "org id": "org_id",
-            "app key": "app_key",
-            "app secret": "app_secret",
-        };
+        const LABEL_TO_KEY = DOM_LABEL_TO_KEY;
         let labeled = [];
         try {
             labeled = await this.browser.extractLabeledCredentialCandidates();
@@ -6142,6 +6363,30 @@ ${formatInventory(input.inventory)}`,
         }
         return out;
     }
+    // Count the DISTINCT credentials the current page PRESENTS — masked
+    // ones included. This detects a multi-cred page BEFORE every value is
+    // captured, so the post-verify loop can stay open to harvest the 2nd/
+    // 3rd key instead of exiting the moment the first surfaces ("stops at
+    // one"). Uses the DOM-proximity harvester's labels (which fire even on
+    // masked/bullet'd values) mapped to canonical keys; values are NOT read
+    // here, only the label set. Best-effort → 0 on any browser error.
+    async countPresentedCredentialLabels() {
+        try {
+            const cands = await this.browser.extractLabeledCredentialCandidates();
+            const canon = new Set();
+            for (const c of cands) {
+                if (c.label === null)
+                    continue;
+                const key = DOM_LABEL_TO_KEY[c.label];
+                if (key !== undefined)
+                    canon.add(key);
+            }
+            return canon.size;
+        }
+        catch {
+            return 0;
+        }
+    }
     // Run every visible-credential extraction tier the post-verify loop
     // uses (legacy regex/clipboard/hidden-input + DOM-proximity labeled),
     // merging first-wins into a single bundle. Used by attemptMintNewKey
@@ -6433,6 +6678,16 @@ ${formatInventory(input.inventory)}`,
         // and inject a forced "no-progress" hint on the second repeat.
         let prevSignature = null;
         let prevInventorySize = -1;
+        // Selectors the planner has CLICKED while the inventory count has held
+        // steady. A multi-step onboarding wizard (axiom: role → company-size →
+        // plan) advances by clicking distinct radio-style cards that flip an
+        // aria-checked but add/remove no elements, so inventory.length never
+        // moves — and the kind-level stuck detector below would false-positive
+        // on the 2nd DISTINCT selection. We exempt a brand-new selector (wizard
+        // progress) and only call it stuck once a selector REPEATS (the Railway
+        // Create→Focus→Create cycle). Reset whenever the inventory count changes
+        // (genuine page mutation → fresh wizard step / new page).
+        let clickSelectorsSinceInventoryChange = new Set();
         // rc.39 — wait-loop tracker. Turso's GitHub OAuth handshake
         // succeeds, then the SSO-callback page stays empty (0 elements)
         // while a Cloudflare verification widget runs that never clears
@@ -6479,6 +6734,13 @@ ${formatInventory(input.inventory)}`,
         let stuckFiresAtUrl = 0;
         let lastStuckFireUrl = null;
         const triedFallbackUrls = new Set();
+        // Premature-done guard budget. When the planner gives up (`done`)
+        // with zero credentials captured, we navigate to an unvisited
+        // canonical keys URL and re-plan — bounded so a service that
+        // genuinely has no self-serve key doesn't burn the whole run budget
+        // walking every fallback path.
+        let prematureDoneFallbacks = 0;
+        const MAX_PREMATURE_DONE_FALLBACKS = 3;
         // Dead-URL memory. The planner guesses credential-page URLs
         // (e.g. /user/personal_access_tokens/new) that 404; without memory it
         // re-guesses the same dead URL round after round — xata and fly each
@@ -6523,6 +6785,15 @@ ${formatInventory(input.inventory)}`,
         // surveyed the labeled credentials surface.
         const seedHadCredential = credentials.api_key !== undefined || credentials.username !== undefined;
         let plannerExtractEmitted = false;
+        // 2026-06-07 — "stops at one" fix. The legacy loop-exit treated a run
+        // as single-cred based on what was ALREADY captured (isMultiCredBundle),
+        // so a page with 3 credentials whose 1st surfaced first — siblings still
+        // masked or missed on the first harvest pass — exited before the rest
+        // were caught. Set once the page is observed to PRESENT >=2 distinct
+        // credentials (masked included); the loop-exit then holds open (bounded
+        // by roundsSinceLastNewCredential) so the reveal pass + DOM harvest get
+        // more rounds to capture the siblings.
+        let pageOffersMultiCred = false;
         // Gate URLs we've already polled the operator's gmail for, so a
         // multi-round wait on the same email-OTP page doesn't re-poll.
         const otpPolledUrls = new Set();
@@ -6547,7 +6818,7 @@ ${formatInventory(input.inventory)}`,
             // when the api_key came from the pre-loop seed and the
             // planner hasn't yet emitted an explicit extract step. In
             // that case we let the planner run until extract fires.
-            const inMultiCredMode = isMultiCredBundle(credentials);
+            const inMultiCredMode = isMultiCredBundle(credentials) || pageOffersMultiCred;
             const haveOnlySeedCredentials = seedHadCredential && !plannerExtractEmitted;
             if (!inMultiCredMode &&
                 (credentials.api_key !== undefined || credentials.username !== undefined) &&
@@ -6586,6 +6857,24 @@ ${formatInventory(input.inventory)}`,
             // widened (the "API Keys"/"Settings" links must survive ranking).
             // Reading state can still race a navigation — a transient throw
             // burns the round rather than crashing the whole run.
+            // Dismiss any cookie/consent banner BEFORE reading the page or
+            // planning a click. A consent overlay (Google "Accept all", GDPR
+            // banners) intercepts pointer events, so the planner's clicks land
+            // on the banner instead of the dashboard and the loop stalls / loops /
+            // times out. MEASURED 2026-06-07: meilisearch reached /settings/keys
+            // but sat behind an Accept-All overlay and ran out the 600s clock.
+            // The form-fill loop already dismisses banners every round; the
+            // post-verify loop never did. Best-effort — a dismiss failure must
+            // not burn the round.
+            try {
+                const dismissed = await this.browser.dismissConsentBanner();
+                if (dismissed !== null) {
+                    args.steps.push(`Post-verify round ${round}: dismissed consent banner ("${dismissed}")`);
+                }
+            }
+            catch {
+                // best-effort
+            }
             let state;
             let inventory;
             try {
@@ -6952,6 +7241,13 @@ ${formatInventory(input.inventory)}`,
             // the same selector AND the inventory size matches the prior
             // round's — strong evidence the previous step did nothing.
             const repeatableKinds = new Set(["click", "fill", "select", "check", "scroll"]);
+            // An inventory-count change means the page genuinely mutated — a fresh
+            // wizard step or a new page. Reset the per-stable-run click-selector
+            // memory so distinct clicks on the NEW state aren't judged against the
+            // old one.
+            if (inventory.length !== prevInventorySize) {
+                clickSelectorsSinceInventoryChange = new Set();
+            }
             if (repeatableKinds.has(nextStep.kind)) {
                 const sel = "selector" in nextStep ? (nextStep.selector ?? "<none>") : "<none>";
                 const signature = `${nextStep.kind}|${sel}`;
@@ -6962,10 +7258,21 @@ ${formatInventory(input.inventory)}`,
                 // (planner cycles through Create, Focus-input, Create again,
                 // …). When that happens, force a non-click action.
                 const sameSelector = signature === prevSignature && inventory.length === prevInventorySize;
+                // A brand-new click selector (never clicked since the inventory last
+                // changed) is wizard PROGRESS, not a cycle — selecting role, then
+                // company-size, then a plan flips aria-checked without moving the
+                // element count (axiom). Only treat repeated clicks as stuck: the
+                // selector has already been clicked in this stable-inventory run.
+                const clickSelectorIsRepeat = nextStep.kind === "click" &&
+                    clickSelectorsSinceInventoryChange.has(sel);
                 const stuckOnKind = nextStep.kind === "click" &&
                     prevSignature !== null &&
                     prevSignature.startsWith("click|") &&
-                    inventory.length === prevInventorySize;
+                    inventory.length === prevInventorySize &&
+                    clickSelectorIsRepeat;
+                if (nextStep.kind === "click") {
+                    clickSelectorsSinceInventoryChange.add(sel);
+                }
                 if (sameSelector || stuckOnKind) {
                     const emptyInputs = inventory
                         .filter((e) => (e.tag === "input" || e.tag === "textarea") &&
@@ -7044,8 +7351,16 @@ ${formatInventory(input.inventory)}`,
                     // Mistral's TOS, GitHub-app sign-up, many onboarding forms
                     // gate submit on a checkbox that isn't yet ticked.
                     const uncheckedBoxes = inventory
-                        .filter((e) => e.tag === "input" &&
-                        e.type === "checkbox" &&
+                        .filter((e) => 
+                    // Native <input type=checkbox> OR a custom ARIA checkbox
+                    // (<button role="checkbox">, <div role="checkbox">). The
+                    // input-only filter missed meilisearch's required agreement,
+                    // which renders as <button role="checkbox"> — so the planner
+                    // was never told to tick it and "Next" stayed disabled. The
+                    // check() executor already handles role=checkbox (it clicks +
+                    // verifies aria-checked).
+                    ((e.tag === "input" && e.type === "checkbox") ||
+                        e.role === "checkbox") &&
                         // We can't read the actual `checked` from the inventory
                         // shape, but interactedThisRun is set after a successful
                         // `check` step. Show checkboxes the bot hasn't touched.
@@ -7229,6 +7544,34 @@ ${formatInventory(input.inventory)}`,
                     // read see the post-challenge dashboard.
                     continue;
                 }
+                // Premature-done guard. The planner sometimes concludes "nothing
+                // to extract" on an authenticated dashboard whose API keys live on
+                // a settings/API-keys page it never visited — render's case: an
+                // empty SERVICES list ("no services created yet") is NOT the same
+                // as "no API keys", which sit under Account Settings. Before
+                // accepting `done` with zero credentials captured, navigate to an
+                // unvisited canonical keys URL (same fallback list the stuck-loop
+                // escalation uses). Bounded by triedFallbackUrls — once every
+                // candidate is exhausted, `done` is honored.
+                const capturedCredCount = Object.keys(credentials).filter((k) => !NON_CREDENTIAL_KEYS.has(k)).length;
+                if (capturedCredCount === 0 && prematureDoneFallbacks < MAX_PREMATURE_DONE_FALLBACKS) {
+                    const fallback = pickStuckLoopFallbackUrl(state.url, triedFallbackUrls, args.service);
+                    if (fallback !== null) {
+                        prematureDoneFallbacks += 1;
+                        triedFallbackUrls.add(fallback);
+                        args.steps.push(`Post-verify: planner emitted done with no credential captured — ` +
+                            `navigating to an unvisited API-keys URL before giving up: ${fallback}`);
+                        try {
+                            await this.browser.goto(fallback);
+                            await this.browser.waitForInteractiveDom(5, 15_000);
+                        }
+                        catch (err) {
+                            args.steps.push(`Post-verify: premature-done fallback navigate failed (${err instanceof Error ? err.message : String(err)}) — continuing.`);
+                        }
+                        hint = undefined;
+                        continue;
+                    }
+                }
                 this.lastPostVerifyDoneReason = nextStep.reason;
                 break;
             }
@@ -7358,6 +7701,18 @@ ${formatInventory(input.inventory)}`,
                         // best-effort; never abort an extract pass on DOM-proximity
                         // failure (page mid-navigation etc).
                     }
+                    // "Stops at one" guard: does THIS page present >=2 distinct
+                    // credentials (masked included)? If so, hold the loop open past
+                    // the first key so the reveal pass + DOM harvest get more rounds
+                    // to capture the siblings — even when only one value is in hand
+                    // right now. Bounded downstream by roundsSinceLastNewCredential.
+                    if (!pageOffersMultiCred) {
+                        const presented = await this.countPresentedCredentialLabels();
+                        if (presented >= 2) {
+                            pageOffersMultiCred = true;
+                            args.steps.push(`Post-verify ${round + 1}/${args.maxRounds}: page presents ${presented} distinct credentials — holding the loop open to harvest all (not just the first).`);
+                        }
+                    }
                     // Anything found across all tiers? hasMultiCredCredentials
                     // also catches non-api_key labels (cloud_name, application_id).
                     if (hasAnyExtractedCredential(credentials)) {
@@ -8250,6 +8605,16 @@ ${formatInventory(input.inventory)}${input.hint !== undefined ? `\n\nIMPORTANT
         const credentials = {};
         let apiKey = null;
         let truncatedHit = null;
+        // Never trust a credential read off a documentation page — it's a
+        // realistic SAMPLE (Anthropic's /docs get-started shows a shape-valid
+        // sk-ant-api03-... example). Returning empty keeps the post-verify loop
+        // navigating to the real keys console instead of false-succeeding here.
+        const curUrl = typeof this.browser.currentUrl === "function"
+            ? this.browser.currentUrl()
+            : "";
+        if (typeof curUrl === "string" && isDocumentationUrl(curUrl)) {
+            return credentials;
+        }
         for (const candidate of await this.browser.extractCredentialCandidates()) {
             const hit = extractApiKeyFromText(candidate);
             if (hit === null)