@yusufffararatt/dombridge-mcp 2.7.5

package/src/tools/execute-js.js

@@ -0,0 +1,284 @@
+/**
+ * Tool: execute_js
+ * Execute custom JavaScript code in the active Chrome tab's page context
+ *
+ * Phase 2.4: Refactored from (args, extensionData, httpPort) to (args, bridgeClient).
+ * All state access goes through BridgeClient HTTP calls.
+ */
+
+import { StateValidator } from '../utils/state-validator.js';
+import { RateLimiter } from '../utils/rate-limiter.js';
+import { validatePrerequisites, formatHardGuard } from '../utils/workflow-helper.js';
+
+function analyzeCodeForInsights(code, domain) {
+  if (!domain || domain === 'localhost' || domain === '127.0.0.1') return null;
+  const selectorRegex = /querySelector(?:All)?\s*\(\s*['"`]([^'"`]+)['"`]/g;
+  const selectors = [];
+  let m;
+  while ((m = selectorRegex.exec(code)) !== null) {
+    if (!selectors.includes(m[1])) selectors.push(m[1]);
+  }
+  if (selectors.length === 0) return null;
+  const hasDisambiguation = /\.filter\s*\(|\.closest\s*\(|\.find\s*\(/.test(code);
+  return { selectors, hasDisambiguation, domain };
+}
+
+export const executeJsTool = {
+  name: 'execute_js',
+  description: `Execute custom JavaScript code in a Chrome tab's page context.
+
+WORKFLOW POSITION: 🔴 Advanced - Use with caution
+
+PREREQUISITES:
+- ✅ Extension must be connected
+- Chrome tab must be open (active tab used by default)
+
+MULTI-TAB: Call debug_mcp_state() first to get tab IDs, then pass tabId to target a specific tab.
+Example: execute_js({ code: "document.title", tabId: 142 })
+
+SECURITY & LIMITS:
+- ⚠️  Code runs in page context (full page access)
+- ⚠️  Max code size: 10KB
+- ⚠️  Timeout: 5-30 seconds (configurable)
+- ❌ 'ev' + 'al()' and 'Function()' blocked
+- ❌ No setInterval (memory leak risk)
+- ⚠️  cspBypass: true reloads the tab — all SPA state is LOST (open modals, form inputs, navigation history, React/Vue component state). Only use after a confirmed CSP error, never as default.
+
+PARAMETERS:
+- code: JavaScript code to execute (required)
+- timeout: Execution timeout in ms (default: 5000, max: 30000)
+- tabId: Target a specific tab by ID (optional — omit to use active tab)
+- context: 'page' (default) or 'background'. Use 'background' to run in the extension service worker — bypasses CORS, no DOM access, can use fetch with credentials.
+
+WORKFLOW:
+1. execute_js (Automatically waits for result)
+
+EXAMPLE:
+execute_js({ code: "document.querySelectorAll('a').length" })
+
+Use this for advanced DOM queries, data extraction, or page manipulation.
+Note: This tool is BLOCKING. It will wait up to 10s for the result from Chrome.`,
+
+  inputSchema: {
+    type: 'object',
+    properties: {
+      code: {
+        type: 'string',
+        description: 'JavaScript code to execute'
+      },
+      timeout: {
+        type: 'number',
+        description: 'Execution timeout in ms (default: 5000, max: 30000)',
+        default: 5000
+      },
+      waitResult: {
+        type: 'boolean',
+        description: 'Whether to wait for results (default: true)',
+        default: true
+      },
+      tabId: {
+        type: 'number',
+        description: 'Target tab ID (optional). Omit to use active tab. Get IDs from debug_mcp_state().'
+      },
+      context: {
+        type: 'string',
+        enum: ['page', 'background'],
+        description: "Execution context. 'page' (default): runs in page via content script, has DOM access, subject to CORS. 'background': runs in extension service worker, no DOM access, no CORS restrictions, has access to fetch/chrome.cookies/chrome.tabs."
+      },
+      cspBypass: {
+        type: 'boolean',
+        description: "Enable domain-specific CSP bypass when execute_js fails with CSP/unsafe-eval errors. Reloads the tab ONCE and strips CSP headers for that domain only. WARNING: tab reload resets SPA state. Only use after a CSP error — do not set by default.",
+        default: false
+      }
+    },
+    required: ['code']
+  },
+
+  handler: async (args, bridgeClient) => {
+    // CRITICAL: Check for pending execution FIRST
+    const noPendingValidation = StateValidator.validateNoPendingExecution(bridgeClient);
+    if (!noPendingValidation.valid) {
+      return StateValidator.formatValidationError(noPendingValidation);
+    }
+
+    // Hard guard: block if dependency check fails
+    const prereqValidation = validatePrerequisites('execute_js', bridgeClient);
+    if (!prereqValidation.valid) {
+      return formatHardGuard('execute_js', prereqValidation);
+    }
+
+    return await RateLimiter.executeWithRetry(
+      'execute_js',
+      async () => {
+        const { code, timeout = 5000, waitResult = true, tabId, context = 'page', cspBypass = false } = args || {};
+
+        // Validate input
+        if (!code || typeof code !== 'string') {
+          return {
+            isError: true,
+            content: [{
+              type: 'text',
+              text: 'Error: Code parameter required (must be a string)\n\nExample: execute_js({ code: "document.title" })'
+            }]
+          };
+        }
+
+        // Security: Code size limit
+        if (code.length > 10000) {
+          return {
+            isError: true,
+            content: [{
+              type: 'text',
+              text: `Error: Code too large (${code.length} bytes, max 10KB)\n\nTIP: Break complex operations into smaller chunks`
+            }]
+          };
+        }
+
+        // Security: Block eval and Function constructor
+        if (code.includes('ev' + 'al(') || code.includes('Function(')) {
+          return {
+            isError: true,
+            content: [{
+              type: 'text',
+              text: 'Security Error: ev' + 'al() and Function() constructor are not allowed\n\nUse direct JavaScript instead'
+            }]
+          };
+        }
+
+        // Security: Block infinite loops
+        if (/while\s*\(\s*true\s*\)/i.test(code) || /for\s*\(\s*;\s*;\s*\)/.test(code)) {
+          return {
+            isError: true,
+            content: [{
+              type: 'text',
+              text: 'Security Error: Infinite loop detected (while(true) / for(;;)) — not allowed\n\nUse a bounded loop with a counter or break condition instead'
+            }]
+          };
+        }
+
+        // Security: Warn about setInterval
+        if (code.includes('setInterval')) {
+          return {
+            content: [{
+              type: 'text',
+              text: 'Warning: setInterval detected (memory leak risk)\n\nUse setTimeout for one-time delayed execution instead'
+            }]
+          };
+        }
+
+        // Validate timeout
+        const validTimeout = Math.min(Math.max(timeout, 1000), 30000); // 1s-30s
+
+        // Validate connection
+        const connValidation = StateValidator.validateConnection(bridgeClient);
+        if (!connValidation.valid) {
+          return StateValidator.formatValidationError(connValidation);
+        }
+
+        try {
+          // Queue execution request via bridge daemon
+          const requestId = `js-${Date.now()}`;
+          await bridgeClient.queueRequest('execute-js', {
+            code,
+            timeout: validTimeout,
+            id: requestId,
+            timestamp: new Date().toISOString(),
+            context,
+            cspBypass,
+            ...(tabId ? { tabId } : {})
+          });
+
+          // If not waiting, just return the queue message
+          if (!waitResult) {
+            return {
+              content: [{
+                type: 'text',
+                text: `## JS Execution Sent\n\nRequest ID: ${requestId}\nCommand sent to browser (Fire-and-forget). No result will be returned.`
+              }]
+            };
+          }
+
+          // BLOCKING WAIT: Poll bridge daemon for result
+          // Wait longer than code timeout to allow for overhead (max 15s or code timeout + 2s)
+          const waitTimeout = Math.min(validTimeout + 2000, 15000);
+          const record = await bridgeClient.waitForResult('js-execution', requestId, waitTimeout);
+
+          if (record) {
+            // CSP bypass banner: when cspBypass:true is used, the page is reloaded
+            // to strip CSP headers. SPA state (modals, form inputs, navigation
+            // history, React/Vue component state) is LOST. Make this explicit so
+            // users don't wonder why the DOM looks "different" after execution.
+            let cspBanner = '';
+            if (record._cspBypassed || cspBypass) {
+              cspBanner = `⚠️  **CSP bypass active for \`${record._cspBypassed || domain || 'this domain'}\`** — the tab was reloaded to strip CSP headers. SPA state (modals, form inputs, navigation history, component state) was lost.\n\n`;
+            }
+
+            let output = cspBanner + '## JS Execution Success\n\n';
+            if (record.result?.error) {
+              output = cspBanner + '## JS Execution Error\n\n';
+              output += `\`\`\`\n${record.result.error}\n\`\`\`\n`;
+            } else {
+              const resultStr = JSON.stringify(record.result, null, 2);
+              if (record.result === null && resultStr === 'null') {
+                const typeHint = record.__typeHint;
+                output += `Result:\n\`\`\`json\nnull\n\`\`\`\n`;
+                if (typeHint) {
+                  output += `\n🔍 **Type diagnostic:** The code returned a \`${typeHint}\` value. `;
+                  if (typeHint === 'undefined') {
+                    output += `Add an explicit \`return\` statement to return a value.\n`;
+                  } else if (typeHint === 'function') {
+                    output += `Functions cannot be serialized. Call the function or return its result instead.\n`;
+                  } else if (typeHint === 'Promise (await or return the resolved value)') {
+                    output += `Use \`await\` or \`.then()\` to resolve the Promise, or mark the code as async.\n`;
+                  } else {
+                    output += `This type cannot be serialized to JSON. Use \`JSON.stringify()\` or extract primitive values.\n`;
+                  }
+                } else {
+                  output += `\n💡 Tip: \`null\` means the code returned \`undefined\` or a non-serializable value. `;
+                  output += `Add an explicit \`return\` or wrap in \`JSON.stringify()\` to inspect complex objects.\n`;
+                }
+              } else if (resultStr.length > 3000) {
+                output += `Result (truncated):\n\`\`\`json\n${resultStr.substring(0, 3000)}...\n\`\`\`\n`;
+              } else {
+                output += `Result:\n\`\`\`json\n${resultStr}\n\`\`\`\n`;
+              }
+            }
+            // Insight prompt: disambiguation pattern detected → save_site_profile reminder
+            const domain = bridgeClient.activeTabUrl
+              ? (() => { try { return new URL(bridgeClient.activeTabUrl).hostname; } catch { return null; } })()
+              : null;
+            const insight = analyzeCodeForInsights(code, domain);
+            if (insight && insight.hasDisambiguation) {
+              await bridgeClient.incrementInsight(insight.domain);
+              output += `\n\n💡 **Insight fırsatı** — \`${insight.domain}\` üzerinde çalıştın.\n`;
+              output += `Keşfedilen selector'lar: ${insight.selectors.map(s => `\`${s}\``).join(', ')}\n`;
+              output += `Disambiguation pattern tespit edildi (.filter / .closest / .find kullanıldı)\n`;
+              output += `→ Öğrendiğin varsa kaydet: \`manage_site_profile({ action: 'save', domain: "${insight.domain}", notes: "...", stableSelectors: [...] })\``;
+            }
+            return { content: [{ type: 'text', text: output }] };
+          } else {
+            // FALLBACK: Timeout — the request has been consumed by waitForResult
+            return {
+              isError: true,
+              content: [{
+                type: 'text',
+                text: `## JS Execution Timeout\n\nNo response from Chrome within ${waitTimeout}ms. The request has been cleared.\nRequest ID: ${requestId}\n\n💡 Your code may be slow on this heavy DOM page. Alternatives:\n1. Lower timeout: execute_js({ code: "...", timeout: 3000 })\n2. Use background context: execute_js({ code: "...", context: "background" })\n3. Simplify code: break complex queries into steps`
+              }]
+            };
+          }
+        } catch (error) {
+          return {
+            isError: true,
+            content: [{
+              type: 'text',
+              text: `Error during execution: ${error.message}\n\nREQUIRED STEPS:\n1. Verify browser connection in debug_mcp_state()\n2. Check code syntax and context compatibility`
+            }]
+          };
+        }
+      },
+      {
+        maxRetries: 2
+      }
+    );
+  }
+};

package/src/tools/export-session.js

@@ -0,0 +1,171 @@
+/**
+ * Export Session Tool
+ * Aktif browser'daki cookie'leri, localStorage/sessionStorage token'larını export eder.
+ * Playwright instance'ına aktarmak için kullanılır.
+ */
+
+export const exportSessionTool = {
+    name: 'export_session',
+    description: `This is a tool from the dombridge MCP server.
+Exports the active browser session: cookies, auth tokens, and storage data from the current page's domain.
+
+WORKFLOW POSITION: 🔐 Auth Export — call after login, before Playwright handoff. Requires active browser session.
+
+USE CASE: Export session once → hand it to a Playwright instance → headless scraping without re-login.
+
+RETURNS:
+- cookies: All cookies for the domain (name, value, domain, path, secure, httpOnly, expiry)
+- localStorage: Auth/token related keys (filtered for security)
+- sessionStorage: Auth/token related keys (filtered for security)
+- domain: The domain the session was exported from
+- exportedAt: ISO timestamp
+
+SECURITY NOTE:
+- Only reads the current active tab's domain
+- localStorage/sessionStorage filtered to auth-related keys only (token, auth, session, jwt, etc.)
+- Data is returned directly to you — never stored on disk by this tool
+
+MULTI-TAB: Call debug_mcp_state() first to get tab IDs, then pass tabId to export a specific tab's session.
+Example: export_session({ tabId: 142 })
+
+WORKFLOW:
+1. Log in to target site in browser (Trendyol, etc.)
+2. Navigate to any page on that site
+3. Call export_session() → get cookies + tokens
+4. Pass the exported data to Playwright to continue headless
+`,
+    inputSchema: {
+        type: 'object',
+        properties: {
+            tabId: {
+                type: 'number',
+                description: 'Target tab ID (optional). Omit to use active tab. Get IDs from debug_mcp_state().'
+            }
+        }
+    },
+    handler: async (args, bridgeClient) => {
+        if (!bridgeClient.isConnected) {
+            return {
+                content: [{
+                    type: 'text',
+                    text: `❌ Error: Extension not connected.\nREQUIRED STEPS:\n1. Reload webpage\n2. Ensure the Chrome extension is active`
+                }],
+                isError: true
+            };
+        }
+
+        const { tabId } = args || {};
+        const requestId = `export-session-${Date.now()}-${Math.floor(Math.random() * 1000)}`;
+
+        try {
+            await bridgeClient.queueRequest('export-session', { id: requestId, ...(tabId ? { tabId } : {}) });
+
+            const resultItem = await bridgeClient.waitForResult('export-session', requestId, 15000);
+
+            if (!resultItem) {
+                return {
+                    content: [{ type: 'text', text: `❌ Timeout: export_session did not complete within 15000ms.` }],
+                    isError: true
+                };
+            }
+
+            if (resultItem.error) {
+                return {
+                    content: [{ type: 'text', text: `❌ export_session failed: ${resultItem.error}` }],
+                    isError: true
+                };
+            }
+
+            const r = resultItem.result;
+            if (!r) {
+                return {
+                    content: [{ type: 'text', text: `❌ export_session returned no data.` }],
+                    isError: true
+                };
+            }
+
+            const lines = [
+                `🔐 **Session Export: ${r.domain}**`,
+                `Exported at: ${r.exportedAt}`,
+                `URL: ${r.url}`,
+                ''
+            ];
+
+            // Cookies
+            lines.push(`**🍪 Cookies: ${r.cookieCount} found**`);
+            if (r.cookies.length > 0) {
+                // Auth cookie'leri vurgula (analytics cookie'leri hariç)
+                const ANALYTICS_COOKIE_PREFIXES = ['_ym_', '_ga', '_gid', '_fbp', '_fbc', '_clck', '_clsk', '_hjid'];
+                const isAnalyticsCookie = (name) => ANALYTICS_COOKIE_PREFIXES.some(p => name.startsWith(p));
+                const authCookies = r.cookies.filter(c =>
+                    !isAnalyticsCookie(c.name) &&
+                    /token|auth|session|jwt|bearer|access|refresh|login|sid|uid/i.test(c.name)
+                );
+                const otherCookies = r.cookies.filter(c =>
+                    isAnalyticsCookie(c.name) ||
+                    !/token|auth|session|jwt|bearer|access|refresh|login|sid|uid/i.test(c.name)
+                );
+
+                if (authCookies.length > 0) {
+                    lines.push(`\n_Auth cookies (${authCookies.length}):_`);
+                    authCookies.forEach(c => {
+                        const expiry = c.expirationDate
+                            ? ` | expires: ${new Date(c.expirationDate * 1000).toISOString().split('T')[0]}`
+                            : ' | session';
+                        lines.push(`  - \`${c.name}\` = \`${c.value.substring(0, 40)}${c.value.length > 40 ? '…' : ''}\`${expiry}`);
+                    });
+                }
+
+                if (otherCookies.length > 0) {
+                    lines.push(`\n_Other cookies (${otherCookies.length}):_`);
+                    otherCookies.slice(0, 5).forEach(c => {
+                        lines.push(`  - \`${c.name}\``);
+                    });
+                    if (otherCookies.length > 5) {
+                        lines.push(`  - _... ${otherCookies.length - 5} more_`);
+                    }
+                }
+            } else {
+                lines.push('  _(no cookies found — are you logged in?)_');
+            }
+
+            // localStorage
+            const lsKeys = Object.keys(r.localStorage);
+            if (lsKeys.length > 0) {
+                lines.push(`\n**🗄️ localStorage (${lsKeys.length} auth keys):**`);
+                lsKeys.forEach(k => {
+                    const val = r.localStorage[k];
+                    lines.push(`  - \`${k}\` = \`${val.substring(0, 60)}${val.length > 60 ? '…' : ''}\``);
+                });
+            }
+
+            // sessionStorage
+            const ssKeys = Object.keys(r.sessionStorage);
+            if (ssKeys.length > 0) {
+                lines.push(`\n**🗃️ sessionStorage (${ssKeys.length} auth keys):**`);
+                ssKeys.forEach(k => {
+                    const val = r.sessionStorage[k];
+                    lines.push(`  - \`${k}\` = \`${val.substring(0, 60)}${val.length > 60 ? '…' : ''}\``);
+                });
+            }
+
+            lines.push('');
+            lines.push('---');
+            lines.push('💡 **Playwright usage:**');
+            lines.push('```js');
+            lines.push('await context.addCookies(session.cookies);');
+            lines.push('await page.evaluate(ls => Object.entries(ls).forEach(([k,v]) => localStorage.setItem(k,v)), session.localStorage);');
+            lines.push('```');
+
+            return {
+                content: [{ type: 'text', text: lines.join('\n') }]
+            };
+
+        } catch (e) {
+            return {
+                content: [{ type: 'text', text: `❌ Error: ${e.message}` }],
+                isError: true
+            };
+        }
+    }
+};