abu-browser-bridge 0.5.1 → 0.6.6

package/dist/index.js

@@ -17,6 +17,7 @@ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { startWSServer, stopWSServer } from './wsServer.js';
 import { registerTools } from './tools.js';
+import { PKG_VERSION } from './version.js';
 const DEFAULT_WS_PORT = 9876;
 const DISCOVERY_PORT = 9875;
 /**
@@ -71,7 +72,7 @@ async function killStaleBridges(wsPort) {
             }
             for (const pid of pids) {
                 try {
-                    execSync(`taskkill /PID ${pid} /F`, { timeout: 3000 });
+                    process.kill(pid, 'SIGTERM');
                     console.error(`[abu-bridge] Killed stale process ${pid} (port scan)`);
                 }
                 catch { /* already dead */ }
@@ -79,8 +80,8 @@ async function killStaleBridges(wsPort) {
         }
         else {
             const { execSync } = await import('child_process');
-            const portFlags = portsToCheck.map(p => `-ti:${p}`);
-            const output = execSync(`lsof ${portFlags.join(' ')}`, { encoding: 'utf-8', timeout: 5000 }).trim();
+            const portFlags = portsToCheck.map(p => `-i:${p}`);
+            const output = execSync(`lsof -t ${portFlags.join(' ')}`, { encoding: 'utf-8', timeout: 5000 }).trim();
             if (output) {
                 const pids = new Set(output.split('\n').map(l => parseInt(l.trim(), 10)).filter(pid => pid && pid !== myPid));
                 for (const pid of pids) {
@@ -123,7 +124,7 @@ async function main() {
     // 2. Create MCP server
     const mcpServer = new McpServer({
         name: 'abu-browser-bridge',
-        version: '0.5.1',
+        version: PKG_VERSION,
     });
     // 3. Register browser tools
     registerTools(mcpServer);

package/dist/tools.js

@@ -27,6 +27,36 @@ function formatResult(response) {
     }
     return JSON.stringify(response.data, null, 2);
 }
+/**
+ * Parse and validate a JSON locator string from LLM input.
+ * Ensures the result is a plain object with at least one known locator key.
+ */
+function parseLocator(raw) {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+        throw new Error('Locator must be a JSON object');
+    }
+    const validKeys = ['css', 'text', 'tag', 'role', 'name', 'xpath', 'testId', 'ref'];
+    const hasValidKey = Object.keys(parsed).some(k => validKeys.includes(k));
+    if (!hasValidKey) {
+        throw new Error(`Locator must contain at least one of: ${validKeys.join(', ')}`);
+    }
+    return parsed;
+}
+/**
+ * Parse and validate a JSON wait condition string from LLM input.
+ */
+function parseCondition(raw) {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+        throw new Error('Condition must be a JSON object');
+    }
+    const validTypes = ['appear', 'disappear', 'enabled', 'textContains', 'urlContains'];
+    if (!validTypes.includes(parsed.type)) {
+        throw new Error(`Condition type must be one of: ${validTypes.join(', ')}`);
+    }
+    return parsed;
+}
 // --- Register all tools ---
 export function registerTools(server) {
     // 1. browser_get_tabs
@@ -37,7 +67,7 @@ export function registerTools(server) {
     });
     // 2. browser_snapshot
     server.tool('snapshot', `Get a structured snapshot of all interactive elements on the page (buttons, inputs, links, selects, etc.). Returns each element with a short reference ID (e.g., "e1") that can be used in subsequent actions. This is the primary way to understand what's on a page before taking action.`, {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         selector: z.string().optional().describe('Optional CSS selector to scope the snapshot to a specific area of the page'),
     }, async ({ tabId, selector }) => {
         ensureConnected();
@@ -46,55 +76,55 @@ export function registerTools(server) {
     });
     // 3. browser_click
     server.tool('click', 'Click an element on the page. Returns the result of the click action.', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         locator: z.string().describe(`JSON string of element locator. ${LocatorDescription}`),
     }, async ({ tabId, locator }) => {
         ensureConnected();
-        const parsed = JSON.parse(locator);
+        const parsed = parseLocator(locator);
         const res = await sendToExtension('click', { tabId, locator: parsed });
         return { content: [{ type: 'text', text: formatResult(res) }] };
     });
     // 4. browser_fill
     server.tool('fill', 'Fill in a text input, textarea, or other editable field. Clears existing content and types the new value, triggering proper input/change events for framework compatibility (React, Vue, etc.).', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         locator: z.string().describe(`JSON string of element locator. ${LocatorDescription}`),
         value: z.string().describe('The text value to fill into the field'),
     }, async ({ tabId, locator, value }) => {
         ensureConnected();
-        const parsed = JSON.parse(locator);
+        const parsed = parseLocator(locator);
         const res = await sendToExtension('fill', { tabId, locator: parsed, value });
         return { content: [{ type: 'text', text: formatResult(res) }] };
     });
     // 5. browser_select
     server.tool('select', 'Select an option from a <select> dropdown element.', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         locator: z.string().describe(`JSON string of element locator. ${LocatorDescription}`),
         value: z.string().describe('The option value or visible text to select'),
     }, async ({ tabId, locator, value }) => {
         ensureConnected();
-        const parsed = JSON.parse(locator);
+        const parsed = parseLocator(locator);
         const res = await sendToExtension('select', { tabId, locator: parsed, value });
         return { content: [{ type: 'text', text: formatResult(res) }] };
     });
     // 6. browser_wait_for
     server.tool('wait_for', `Wait for a condition to be met on the page. Useful for waiting for elements to appear after a click, waiting for loading to complete, or waiting for page navigation. Returns when the condition is met or times out.`, {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         condition: z.string().describe(`JSON string of wait condition. Options:
 - { "type": "appear", "locator": { "text": "成功" } } — wait for element to appear
 - { "type": "disappear", "locator": { "css": ".loading" } } — wait for element to disappear
 - { "type": "enabled", "locator": { "text": "提交" } } — wait for element to become clickable
 - { "type": "textContains", "locator": { "css": "#status" }, "text": "完成" } — wait for text content
 - { "type": "urlContains", "pattern": "/success" } — wait for URL change`),
-        timeout: z.number().optional().default(30000).describe('Maximum wait time in ms (default: 30000)'),
+        timeout: z.coerce.number().optional().default(30000).describe('Maximum wait time in ms (default: 30000)'),
     }, async ({ tabId, condition, timeout }) => {
         ensureConnected();
-        const parsed = JSON.parse(condition);
+        const parsed = parseCondition(condition);
         const res = await sendToExtension('wait_for', { tabId, condition: parsed, timeout }, timeout + 5000);
         return { content: [{ type: 'text', text: formatResult(res) }] };
     });
     // 7. browser_extract_text
     server.tool('extract_text', 'Extract text content from the page or a specific element. Useful for reading content, checking values, or verifying results.', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         selector: z.string().optional().describe('CSS selector to extract text from. If omitted, extracts the full page text (may be large).'),
     }, async ({ tabId, selector }) => {
         ensureConnected();
@@ -103,7 +133,7 @@ export function registerTools(server) {
     });
     // 8. browser_extract_table
     server.tool('extract_table', 'Extract structured data from an HTML table on the page. Returns headers and rows as arrays.', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         selector: z.string().optional().describe('CSS selector for the target table. If omitted, extracts the largest table on the page.'),
     }, async ({ tabId, selector }) => {
         ensureConnected();
@@ -112,9 +142,9 @@ export function registerTools(server) {
     });
     // 9. browser_scroll
     server.tool('scroll', 'Scroll the page or a specific element.', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         direction: z.enum(['up', 'down', 'left', 'right']).describe('Scroll direction'),
-        amount: z.number().optional().default(500).describe('Scroll amount in pixels (default: 500)'),
+        amount: z.coerce.number().optional().default(500).describe('Scroll amount in pixels (default: 500)'),
         selector: z.string().optional().describe('CSS selector for the scrollable element. If omitted, scrolls the whole page.'),
     }, async ({ tabId, direction, amount, selector }) => {
         ensureConnected();
@@ -123,7 +153,7 @@ export function registerTools(server) {
     });
     // 10. browser_navigate
     server.tool('navigate', 'Navigate a tab to a specific URL, or go back/forward in history.', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         url: z.string().optional().describe('URL to navigate to. Omit for back/forward.'),
         action: z.enum(['goto', 'back', 'forward', 'reload']).optional().default('goto').describe('Navigation action (default: goto)'),
     }, async ({ tabId, url, action }) => {
@@ -133,7 +163,7 @@ export function registerTools(server) {
     });
     // 11. browser_keyboard
     server.tool('keyboard', 'Send keyboard events to the page. Supports key combinations.', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         key: z.string().describe('Key to press (e.g., "Enter", "Tab", "Escape", "a", "ArrowDown")'),
         modifiers: z.array(z.enum(['ctrl', 'shift', 'alt', 'meta'])).optional().describe('Modifier keys to hold'),
     }, async ({ tabId, key, modifiers }) => {
@@ -143,7 +173,7 @@ export function registerTools(server) {
     });
     // 12. browser_execute_js
     server.tool('execute_js', 'Execute arbitrary JavaScript code in the context of the page. Use this as a fallback when other tools cannot achieve the desired result. Returns the result of the expression.', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
         code: z.string().describe('JavaScript code to execute. The last expression value is returned.'),
     }, async ({ tabId, code }) => {
         ensureConnected();
@@ -152,7 +182,7 @@ export function registerTools(server) {
     });
     // 13. browser_screenshot
     server.tool('screenshot', 'Take a screenshot of the visible area of a tab. Returns a base64-encoded PNG image. Useful for visual confirmation of actions.', {
-        tabId: z.number().describe('Tab ID from get_tabs'),
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
     }, async ({ tabId }) => {
         ensureConnected();
         const res = await sendToExtension('screenshot', { tabId });
@@ -167,7 +197,25 @@ export function registerTools(server) {
         }
         return { content: [{ type: 'text', text: formatResult(res) }] };
     });
-    // 14. browser_connection_status
+    // 14. browser_screenshot_full_page
+    server.tool('screenshot_full_page', 'Take a full-page screenshot by scrolling and stitching the entire page content. Returns a base64-encoded PNG image of the complete page. Use this when the user asks for a "long screenshot" or wants to capture content beyond the visible viewport. This is slower than a regular screenshot.', {
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
+    }, async ({ tabId }) => {
+        ensureConnected();
+        // Full-page capture needs more time: scroll + multiple captures + stitch
+        const res = await sendToExtension('screenshot_full_page', { tabId }, 120_000);
+        if (res.success && typeof res.data === 'string') {
+            return {
+                content: [{
+                        type: 'image',
+                        data: res.data.replace(/^data:image\/png;base64,/, ''),
+                        mimeType: 'image/png',
+                    }]
+            };
+        }
+        return { content: [{ type: 'text', text: formatResult(res) }] };
+    });
+    // 15. browser_connection_status
     server.tool('connection_status', 'Check whether the Chrome Extension is connected to this bridge. Use this to verify the extension is ready before performing browser actions.', async () => {
         const connected = isExtensionConnected();
         return {
@@ -179,4 +227,26 @@ export function registerTools(server) {
                 }]
         };
     });
+    // 15. get_downloads — recent download activity
+    server.tool('get_downloads', 'Get recent file downloads from the browser. Useful for confirming that a file was downloaded after clicking a download button.', async () => {
+        ensureConnected();
+        const res = await sendToExtension('get_downloads');
+        return { content: [{ type: 'text', text: formatResult(res) }] };
+    });
+    // 16. start_recording — record user interactions
+    server.tool('start_recording', 'Start recording user interactions on a page (clicks, inputs, selects). The user performs actions manually, then call stop_recording to get a list of recorded steps that can be used as an automation template.', {
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
+    }, async ({ tabId }) => {
+        ensureConnected();
+        const res = await sendToExtension('start_recording', { tabId });
+        return { content: [{ type: 'text', text: formatResult(res) }] };
+    });
+    // 17. stop_recording — stop recording and return captured steps
+    server.tool('stop_recording', 'Stop recording user interactions and return the captured steps. Each step includes the action type, element locator, and value. Use these steps as a template to replay the automation.', {
+        tabId: z.coerce.number().describe('Tab ID from get_tabs'),
+    }, async ({ tabId }) => {
+        ensureConnected();
+        const res = await sendToExtension('stop_recording', { tabId });
+        return { content: [{ type: 'text', text: formatResult(res) }] };
+    });
 }

package/dist/version.d.ts

@@ -0,0 +1 @@
+export declare const PKG_VERSION: string;

package/dist/version.js

@@ -0,0 +1,7 @@
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, resolve } from 'path';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const pkg = JSON.parse(readFileSync(resolve(__dirname, '../package.json'), 'utf-8'));
+export const PKG_VERSION = pkg.version;

package/dist/wsServer.d.ts

@@ -4,12 +4,15 @@
  *
  * Also exposes a lightweight HTTP discovery endpoint on a fixed port
  * so the Chrome Extension can reliably find the WS port.
+ *
+ * Security: Generates a random auth token on startup. The Chrome Extension
+ * must fetch this token from the discovery endpoint and include it as
+ * `Sec-WebSocket-Protocol` header when connecting.
  */
 import type { BridgeResponse } from './types.js';
 /**
  * Start the WebSocket server on a fixed port.
- * The caller (index.ts) is responsible for killing stale bridges first.
- * No port fallback — if the port is taken, it's a fatal error.
+ * Validates auth token from Sec-WebSocket-Protocol header on connection.
  */
 export declare function startWSServer(port?: number): Promise<number>;
 /**

package/dist/wsServer.js

@@ -4,14 +4,18 @@
  *
  * Also exposes a lightweight HTTP discovery endpoint on a fixed port
  * so the Chrome Extension can reliably find the WS port.
+ *
+ * Security: Generates a random auth token on startup. The Chrome Extension
+ * must fetch this token from the discovery endpoint and include it as
+ * `Sec-WebSocket-Protocol` header when connecting.
  */
 import { WebSocketServer, WebSocket } from 'ws';
 import { createServer } from 'http';
-import { createConnection } from 'net';
+import { randomBytes } from 'crypto';
+import { PKG_VERSION } from './version.js';
 const DEFAULT_WS_PORT = 9876;
 const DISCOVERY_PORT = 9875;
-const HEARTBEAT_INTERVAL = 15_000; // 15s — more frequent for faster disconnect detection
-const PONG_TIMEOUT = 5_000; // If no pong within 5s, consider dead
+const HEARTBEAT_INTERVAL = 15_000; // 15s
 let wss = null;
 let discoveryServer = null;
 let extensionSocket = null;
@@ -20,44 +24,40 @@ let pongReceived = true;
 const pendingRequests = new Map();
 let requestCounter = 0;
 let activePort = null;
+// Auth token — generated once per bridge process, shared via discovery endpoint
+const authToken = randomBytes(24).toString('hex');
 function generateId() {
-    return `req_${Date.now().toString(36)}_${(++requestCounter).toString(36)}`;
-}
-/**
- * Check if a port is in use by trying to connect to it.
- */
-function isPortInUse(port, host) {
-    return new Promise((resolve) => {
-        const socket = createConnection({ port, host });
-        socket.on('connect', () => {
-            socket.destroy();
-            resolve(true);
-        });
-        socket.on('error', () => {
-            socket.destroy();
-            resolve(false);
-        });
-        socket.setTimeout(1000, () => {
-            socket.destroy();
-            resolve(false);
-        });
-    });
+    const rand = randomBytes(4).toString('hex');
+    return `req_${Date.now().toString(36)}_${(++requestCounter).toString(36)}_${rand}`;
 }
 // --- HTTP Discovery Endpoint ---
 /**
  * Start the HTTP discovery server on a fixed well-known port.
- * Chrome Extension queries this to find the actual WS port.
+ * Chrome Extension queries this to find the actual WS port and auth token.
  *
- * GET /status → { wsPort, pid, extensionConnected, uptime }
+ * GET /status → { wsPort, pid, extensionConnected, uptime, version, token }
+ *
+ * CORS restricted to chrome-extension:// origins only.
  */
 function startDiscoveryServer() {
     return new Promise((resolve, reject) => {
         const startTime = Date.now();
         discoveryServer = createServer((req, res) => {
-            // CORS headers for Chrome Extension fetch
-            res.setHeader('Access-Control-Allow-Origin', '*');
+            const origin = req.headers.origin ?? '';
+            // Only allow chrome-extension:// and no-origin (direct fetch from extension background)
+            const isAllowedOrigin = !origin || origin.startsWith('chrome-extension://');
+            if (!isAllowedOrigin) {
+                res.writeHead(403);
+                res.end('Forbidden');
+                return;
+            }
+            // CORS headers for allowed origins
+            if (origin) {
+                res.setHeader('Access-Control-Allow-Origin', origin);
+            }
             res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
             res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+            res.setHeader('Vary', 'Origin');
             if (req.method === 'OPTIONS') {
                 res.writeHead(204);
                 res.end();
@@ -70,7 +70,8 @@ function startDiscoveryServer() {
                     pid: process.pid,
                     extensionConnected: isExtensionConnected(),
                     uptime: Math.round((Date.now() - startTime) / 1000),
-                    version: '0.5.1',
+                    version: PKG_VERSION,
+                    token: authToken,
                 }));
                 return;
             }
@@ -80,7 +81,7 @@ function startDiscoveryServer() {
         discoveryServer.on('error', (err) => {
             if (err.code === 'EADDRINUSE') {
                 console.error(`[abu-bridge] Discovery port ${DISCOVERY_PORT} in use — old bridge still running?`);
-                // Not fatal — extension can still fall back to port scanning
+                // Not fatal — extension can still fall back to fixed port
                 resolve();
             }
             else {
@@ -96,8 +97,7 @@ function startDiscoveryServer() {
 // --- WebSocket Server ---
 /**
  * Start the WebSocket server on a fixed port.
- * The caller (index.ts) is responsible for killing stale bridges first.
- * No port fallback — if the port is taken, it's a fatal error.
+ * Validates auth token from Sec-WebSocket-Protocol header on connection.
  */
 export async function startWSServer(port = DEFAULT_WS_PORT) {
     await startDiscoveryServer();
@@ -107,7 +107,21 @@ export async function startWSServer(port = DEFAULT_WS_PORT) {
 }
 function listenOnPort(port) {
     return new Promise((resolve, reject) => {
-        wss = new WebSocketServer({ port, host: '127.0.0.1' });
+        wss = new WebSocketServer({
+            port,
+            host: '127.0.0.1',
+            verifyClient: (info, callback) => {
+                // Validate auth token from Sec-WebSocket-Protocol header
+                const protocol = info.req.headers['sec-websocket-protocol'];
+                if (protocol === authToken) {
+                    callback(true);
+                }
+                else {
+                    console.error(`[abu-bridge] Rejected WS connection: invalid auth token`);
+                    callback(false, 401, 'Unauthorized');
+                }
+            },
+        });
         wss.on('listening', () => {
             console.error(`[abu-bridge] WS server listening on ws://127.0.0.1:${port}`);
             startHeartbeat();

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "abu-browser-bridge",
-  "version": "0.5.1",
+  "version": "0.6.6",
   "description": "MCP Server that bridges Abu AI assistant with Chrome Extension for browser automation",
   "type": "module",
-  "license": "MIT",
+  "license": "SEE LICENSE IN LICENSE",
   "author": "pm-shawn",
   "repository": {
     "type": "git",
-    "url": "https://github.com/anthropics/abu"
+    "url": "https://github.com/PM-Shawn/Abu-Cowork"
   },
   "keywords": ["mcp", "browser", "automation", "chrome-extension", "abu"],
   "bin": {