abu-browser-bridge 0.5.0 → 0.5.2

package/dist/index.js

@@ -71,7 +71,7 @@ async function killStaleBridges(wsPort) {
             }
             for (const pid of pids) {
                 try {
-                    execSync(`taskkill /PID ${pid} /F`, { timeout: 3000 });
+                    process.kill(pid, 'SIGTERM');
                     console.error(`[abu-bridge] Killed stale process ${pid} (port scan)`);
                 }
                 catch { /* already dead */ }
@@ -79,8 +79,8 @@ async function killStaleBridges(wsPort) {
         }
         else {
             const { execSync } = await import('child_process');
-            const portFlags = portsToCheck.map(p => `-ti:${p}`);
-            const output = execSync(`lsof ${portFlags.join(' ')}`, { encoding: 'utf-8', timeout: 5000 }).trim();
+            const portFlags = portsToCheck.map(p => `-i:${p}`);
+            const output = execSync(`lsof -t ${portFlags.join(' ')}`, { encoding: 'utf-8', timeout: 5000 }).trim();
             if (output) {
                 const pids = new Set(output.split('\n').map(l => parseInt(l.trim(), 10)).filter(pid => pid && pid !== myPid));
                 for (const pid of pids) {
@@ -123,7 +123,7 @@ async function main() {
     // 2. Create MCP server
     const mcpServer = new McpServer({
         name: 'abu-browser-bridge',
-        version: '0.5.0',
+        version: '0.5.2',
     });
     // 3. Register browser tools
     registerTools(mcpServer);

package/dist/tools.js

@@ -27,10 +27,40 @@ function formatResult(response) {
     }
     return JSON.stringify(response.data, null, 2);
 }
+/**
+ * Parse and validate a JSON locator string from LLM input.
+ * Ensures the result is a plain object with at least one known locator key.
+ */
+function parseLocator(raw) {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+        throw new Error('Locator must be a JSON object');
+    }
+    const validKeys = ['css', 'text', 'tag', 'role', 'name', 'xpath', 'testId', 'ref'];
+    const hasValidKey = Object.keys(parsed).some(k => validKeys.includes(k));
+    if (!hasValidKey) {
+        throw new Error(`Locator must contain at least one of: ${validKeys.join(', ')}`);
+    }
+    return parsed;
+}
+/**
+ * Parse and validate a JSON wait condition string from LLM input.
+ */
+function parseCondition(raw) {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+        throw new Error('Condition must be a JSON object');
+    }
+    const validTypes = ['appear', 'disappear', 'enabled', 'textContains', 'urlContains'];
+    if (!validTypes.includes(parsed.type)) {
+        throw new Error(`Condition type must be one of: ${validTypes.join(', ')}`);
+    }
+    return parsed;
+}
 // --- Register all tools ---
 export function registerTools(server) {
     // 1. browser_get_tabs
-    server.tool('get_tabs', 'Get a list of all open browser tabs with their URLs and titles. Use this first to find the target tab.', async () => {
+    server.tool('get_tabs', 'Get all open Chrome browser tabs grouped by window. Returns a summary with the current window/tab info, plus a list of windows each containing their tabs. Use this first to find the target tab ID for other browser actions.', async () => {
         ensureConnected();
         const res = await sendToExtension('get_tabs');
         return { content: [{ type: 'text', text: formatResult(res) }] };
@@ -50,7 +80,7 @@ export function registerTools(server) {
         locator: z.string().describe(`JSON string of element locator. ${LocatorDescription}`),
     }, async ({ tabId, locator }) => {
         ensureConnected();
-        const parsed = JSON.parse(locator);
+        const parsed = parseLocator(locator);
         const res = await sendToExtension('click', { tabId, locator: parsed });
         return { content: [{ type: 'text', text: formatResult(res) }] };
     });
@@ -61,7 +91,7 @@ export function registerTools(server) {
         value: z.string().describe('The text value to fill into the field'),
     }, async ({ tabId, locator, value }) => {
         ensureConnected();
-        const parsed = JSON.parse(locator);
+        const parsed = parseLocator(locator);
         const res = await sendToExtension('fill', { tabId, locator: parsed, value });
         return { content: [{ type: 'text', text: formatResult(res) }] };
     });
@@ -72,7 +102,7 @@ export function registerTools(server) {
         value: z.string().describe('The option value or visible text to select'),
     }, async ({ tabId, locator, value }) => {
         ensureConnected();
-        const parsed = JSON.parse(locator);
+        const parsed = parseLocator(locator);
         const res = await sendToExtension('select', { tabId, locator: parsed, value });
         return { content: [{ type: 'text', text: formatResult(res) }] };
     });
@@ -88,7 +118,7 @@ export function registerTools(server) {
         timeout: z.number().optional().default(30000).describe('Maximum wait time in ms (default: 30000)'),
     }, async ({ tabId, condition, timeout }) => {
         ensureConnected();
-        const parsed = JSON.parse(condition);
+        const parsed = parseCondition(condition);
         const res = await sendToExtension('wait_for', { tabId, condition: parsed, timeout }, timeout + 5000);
         return { content: [{ type: 'text', text: formatResult(res) }] };
     });
@@ -179,4 +209,26 @@ export function registerTools(server) {
                 }]
         };
     });
+    // 15. get_downloads — recent download activity
+    server.tool('get_downloads', 'Get recent file downloads from the browser. Useful for confirming that a file was downloaded after clicking a download button.', async () => {
+        ensureConnected();
+        const res = await sendToExtension('get_downloads');
+        return { content: [{ type: 'text', text: formatResult(res) }] };
+    });
+    // 16. start_recording — record user interactions
+    server.tool('start_recording', 'Start recording user interactions on a page (clicks, inputs, selects). The user performs actions manually, then call stop_recording to get a list of recorded steps that can be used as an automation template.', {
+        tabId: z.number().describe('Tab ID from get_tabs'),
+    }, async ({ tabId }) => {
+        ensureConnected();
+        const res = await sendToExtension('start_recording', { tabId });
+        return { content: [{ type: 'text', text: formatResult(res) }] };
+    });
+    // 17. stop_recording — stop recording and return captured steps
+    server.tool('stop_recording', 'Stop recording user interactions and return the captured steps. Each step includes the action type, element locator, and value. Use these steps as a template to replay the automation.', {
+        tabId: z.number().describe('Tab ID from get_tabs'),
+    }, async ({ tabId }) => {
+        ensureConnected();
+        const res = await sendToExtension('stop_recording', { tabId });
+        return { content: [{ type: 'text', text: formatResult(res) }] };
+    });
 }

package/dist/wsServer.d.ts

@@ -4,12 +4,15 @@
  *
  * Also exposes a lightweight HTTP discovery endpoint on a fixed port
  * so the Chrome Extension can reliably find the WS port.
+ *
+ * Security: Generates a random auth token on startup. The Chrome Extension
+ * must fetch this token from the discovery endpoint and include it as
+ * `Sec-WebSocket-Protocol` header when connecting.
  */
 import type { BridgeResponse } from './types.js';
 /**
  * Start the WebSocket server on a fixed port.
- * The caller (index.ts) is responsible for killing stale bridges first.
- * No port fallback — if the port is taken, it's a fatal error.
+ * Validates auth token from Sec-WebSocket-Protocol header on connection.
  */
 export declare function startWSServer(port?: number): Promise<number>;
 /**

package/dist/wsServer.js

@@ -4,14 +4,18 @@
  *
  * Also exposes a lightweight HTTP discovery endpoint on a fixed port
  * so the Chrome Extension can reliably find the WS port.
+ *
+ * Security: Generates a random auth token on startup. The Chrome Extension
+ * must fetch this token from the discovery endpoint and include it as
+ * `Sec-WebSocket-Protocol` header when connecting.
  */
 import { WebSocketServer, WebSocket } from 'ws';
 import { createServer } from 'http';
-import { createConnection } from 'net';
+import { randomBytes } from 'crypto';
 const DEFAULT_WS_PORT = 9876;
 const DISCOVERY_PORT = 9875;
-const HEARTBEAT_INTERVAL = 15_000; // 15s — more frequent for faster disconnect detection
-const PONG_TIMEOUT = 5_000; // If no pong within 5s, consider dead
+const HEARTBEAT_INTERVAL = 15_000; // 15s
+const PONG_TIMEOUT = 5_000;
 let wss = null;
 let discoveryServer = null;
 let extensionSocket = null;
@@ -20,44 +24,40 @@ let pongReceived = true;
 const pendingRequests = new Map();
 let requestCounter = 0;
 let activePort = null;
+// Auth token — generated once per bridge process, shared via discovery endpoint
+const authToken = randomBytes(24).toString('hex');
 function generateId() {
-    return `req_${Date.now().toString(36)}_${(++requestCounter).toString(36)}`;
-}
-/**
- * Check if a port is in use by trying to connect to it.
- */
-function isPortInUse(port, host) {
-    return new Promise((resolve) => {
-        const socket = createConnection({ port, host });
-        socket.on('connect', () => {
-            socket.destroy();
-            resolve(true);
-        });
-        socket.on('error', () => {
-            socket.destroy();
-            resolve(false);
-        });
-        socket.setTimeout(1000, () => {
-            socket.destroy();
-            resolve(false);
-        });
-    });
+    const rand = randomBytes(4).toString('hex');
+    return `req_${Date.now().toString(36)}_${(++requestCounter).toString(36)}_${rand}`;
 }
 // --- HTTP Discovery Endpoint ---
 /**
  * Start the HTTP discovery server on a fixed well-known port.
- * Chrome Extension queries this to find the actual WS port.
+ * Chrome Extension queries this to find the actual WS port and auth token.
  *
- * GET /status → { wsPort, pid, extensionConnected, uptime }
+ * GET /status → { wsPort, pid, extensionConnected, uptime, version, token }
+ *
+ * CORS restricted to chrome-extension:// origins only.
  */
 function startDiscoveryServer() {
     return new Promise((resolve, reject) => {
         const startTime = Date.now();
         discoveryServer = createServer((req, res) => {
-            // CORS headers for Chrome Extension fetch
-            res.setHeader('Access-Control-Allow-Origin', '*');
+            const origin = req.headers.origin ?? '';
+            // Only allow chrome-extension:// and no-origin (direct fetch from extension background)
+            const isAllowedOrigin = !origin || origin.startsWith('chrome-extension://');
+            if (!isAllowedOrigin) {
+                res.writeHead(403);
+                res.end('Forbidden');
+                return;
+            }
+            // CORS headers for allowed origins
+            if (origin) {
+                res.setHeader('Access-Control-Allow-Origin', origin);
+            }
             res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
             res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+            res.setHeader('Vary', 'Origin');
             if (req.method === 'OPTIONS') {
                 res.writeHead(204);
                 res.end();
@@ -70,7 +70,8 @@ function startDiscoveryServer() {
                     pid: process.pid,
                     extensionConnected: isExtensionConnected(),
                     uptime: Math.round((Date.now() - startTime) / 1000),
-                    version: '0.5.0',
+                    version: '0.5.2',
+                    token: authToken,
                 }));
                 return;
             }
@@ -80,7 +81,7 @@ function startDiscoveryServer() {
         discoveryServer.on('error', (err) => {
             if (err.code === 'EADDRINUSE') {
                 console.error(`[abu-bridge] Discovery port ${DISCOVERY_PORT} in use — old bridge still running?`);
-                // Not fatal — extension can still fall back to port scanning
+                // Not fatal — extension can still fall back to fixed port
                 resolve();
             }
             else {
@@ -96,8 +97,7 @@ function startDiscoveryServer() {
 // --- WebSocket Server ---
 /**
  * Start the WebSocket server on a fixed port.
- * The caller (index.ts) is responsible for killing stale bridges first.
- * No port fallback — if the port is taken, it's a fatal error.
+ * Validates auth token from Sec-WebSocket-Protocol header on connection.
  */
 export async function startWSServer(port = DEFAULT_WS_PORT) {
     await startDiscoveryServer();
@@ -107,7 +107,21 @@ export async function startWSServer(port = DEFAULT_WS_PORT) {
 }
 function listenOnPort(port) {
     return new Promise((resolve, reject) => {
-        wss = new WebSocketServer({ port, host: '127.0.0.1' });
+        wss = new WebSocketServer({
+            port,
+            host: '127.0.0.1',
+            verifyClient: (info, callback) => {
+                // Validate auth token from Sec-WebSocket-Protocol header
+                const protocol = info.req.headers['sec-websocket-protocol'];
+                if (protocol === authToken) {
+                    callback(true);
+                }
+                else {
+                    console.error(`[abu-bridge] Rejected WS connection: invalid auth token`);
+                    callback(false, 401, 'Unauthorized');
+                }
+            },
+        });
         wss.on('listening', () => {
             console.error(`[abu-bridge] WS server listening on ws://127.0.0.1:${port}`);
             startHeartbeat();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "abu-browser-bridge",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "description": "MCP Server that bridges Abu AI assistant with Chrome Extension for browser automation",
   "type": "module",
   "license": "MIT",