barebrowse 0.9.0 → 0.10.0

package/CHANGELOG.md

@@ -1,5 +1,117 @@
 # Changelog
 
+## 0.10.0
+
+### Ad/tracker URL blocking + canvas-noise stealth + Chromium pgid reap fix
+
+Scrapling-inspired additions to make every snapshot quieter and every
+headless session less fingerprintable, plus a flake fix surfaced by the
+new work.
+
+- **Ad/tracker URL blocking via CDP `Network.setBlockedURLs`.** New
+  `src/blocklist.js` ships ~120 hand-curated glob patterns covering the
+  high-frequency tracker families: Google ads + analytics, Facebook
+  Pixel, Amazon ads, MS Clarity/Bing, Adobe Marketing Cloud, the
+  consumer-pixel cluster (LinkedIn/Twitter/TikTok/Snap/Pinterest), the
+  SaaS analytics stacks (Segment/Amplitude/Mixpanel/Heap/PostHog),
+  session-replay (Hotjar/FullStory/LogRocket/Crazy Egg/Mouseflow),
+  content recommendation (Criteo/Taboola/Outbrain), supply-side ad
+  networks (AppNexus/Rubicon/PubMatic/OpenX/Trade Desk), and marketing
+  automation (HubSpot/Marketo/Pardot/Intercom/Drift). Curated by traffic
+  frequency rather than pulled wholesale from Peter Lowe — CDP does
+  linear pattern matching per request, so the long tail of regional
+  networks was measurable cost (~10ms cumulative on a 100-request page)
+  for ~5% extra coverage we'd rarely hit in agent traffic. Net effect:
+  smaller ARIA snapshots and faster page loads.
+- **`opts.blockAds` and `opts.blockUrls` on `connect()` and `browse()`.**
+  `blockAds` defaults to `true` for launched browsers and `false` in
+  attach mode (would otherwise affect any tab in the user's running
+  browser). Explicit `blockAds: true` in attach mode is honored and
+  follows the session across `switchTab()`. `blockUrls` accepts extra
+  glob patterns merged with the default unless `blockAds: false`.
+- **CLI flags on `bb open`: `--no-block-ads` and `--block-urls=PATTERN`**
+  (the latter repeatable). Plumbed through `cli.js`, `src/daemon.js`
+  startDaemon args, and `runDaemon` → `connect()`. Not exposed via MCP
+  or bareagent on purpose — agents inside a session shouldn't be
+  reconfiguring infra per tool call; the decision belongs at session
+  start.
+- **Canvas fingerprint noise** in `src/stealth.js`. After WebGL
+  (already spoofed in v0.9.0), canvas `toDataURL` / `getImageData` is
+  the second-most-checked fingerprint vector — the pixel output of
+  rendered text/shapes depends on GPU, driver, and font rasterizer in
+  ways that are stable per machine but unique across machines, which
+  makes it a tracking signal that survives cookie clearing. The patch
+  XORs ~1 bit per 64-byte stride into the read pixels, with the bit
+  derived from a position-mixed hash of a per-session
+  `crypto.getRandomValues`-seeded value. Output is stable within a
+  session (so legitimate canvas use doesn't flicker) and different
+  across sessions (so fingerprinters see a fresh hash on every visit).
+  The canvas bitmap is snapshotted and restored around encoding so any
+  downstream legitimate read sees the original pixels.
+- **Pre-existing Chromium subprocess reap flake fixed.** Chromium
+  spawns renderer/GPU/network/utility subprocesses that, under
+  `--site-per-process` (v0.9.0 H2), can outlive SIGTERM on the
+  Chromium parent by seconds while still holding profile-dir file
+  handles. Without `detached: true`, all of them shared Node's process
+  group — there was no way to signal the whole Chromium tree without
+  enumerating PIDs. `src/chromium.js` now spawns with `detached: true`
+  so each Chromium becomes its own process-group leader, and
+  `cleanupBrowser` / `reapAllSync` send SIGKILL to the negative PID
+  (the whole group) before `rmSync`. Latent in `main`, but the new
+  blocklist's added CDP setup overlapped the cleanup window enough to
+  hit ~1-in-3 under parallel test load. Side effect: terminal SIGINT
+  now goes to Node's pgid only — `registerExitHandlers`' SIGINT
+  reaper is what kills Chromium under Ctrl-C and must not be removed.
+- **`startDaemon` poll deadline 15s → 30s** for cold-boot margin on
+  slower hardware (CI / older boxes) now that the blocklist adds a
+  small amount of CDP setup time to the session-startup path.
+- **Tests:** 138 total (10 new). New: 5-test unit suite for
+  `DEFAULT_BLOCKLIST` (shape/coverage drift guards, must-cover
+  tracker families, no dups); 2-test integration suite that proves
+  `Network.setBlockedURLs` actually drops the matching subresource
+  and that `blockAds:false` lets it through; 2 new canvas-noise
+  subtests (patch installed, stable within session, different across
+  sessions); 1 end-to-end `bb open --block-urls=PATTERN URL` test
+  that proves the flag survives every hop through `cli.js` →
+  `startDaemon` → daemon-internal → `connect()` → `setBlockedURLs`
+  and that the tracker server sees zero hits.
+
+## 0.9.1
+
+### Pruning — `pruneMode` reaches MCP / bareagent and `read` finally works
+
+- **`mode: 'read'` is now a real alias for `mode: 'browse'`** in `prune()`.
+  Previously, the CLI (`barebrowse snapshot --mode=read`) and the SKILL.md
+  advertised a `read` mode that did not exist — `MODE_REGIONS[mode] ||
+  MODE_REGIONS.act` silently fell back to act-mode pruning. Articles, docs,
+  and blog posts therefore came back gutted no matter which mode the agent
+  asked for, which is why Claude tended to give up and fall back to
+  WebFetch. One-line alias at the top of `prune()` fixes it; `act|browse|
+  navigate|full` still behave unchanged.
+- **MCP `browse` and `snapshot` tools gained a `pruneMode: 'act'|'read'`
+  parameter** (mcp-server.js). Before this, the MCP surface had no way to
+  ask for any mode other than `act` — `browse`'s `mode` param was browser
+  mode (headless/headed/hybrid), and `snapshot` accepted only `maxChars`.
+  Tool descriptions now tell the caller when to pick `read` (content-heavy
+  pages: articles, docs, blogs).
+- **bareagent `browse` and `snapshot` tools gained the same `pruneMode`
+  parameter** (`src/bareagent.js`) with identical semantics. The `browse`
+  handler preserves any caller-supplied default `opts.pruneMode` when the
+  tool is called without an arg (`pruneMode ? { ...opts, pruneMode } : opts`).
+- **Auto-hint when act-mode looks suspect.** When `page.snapshot()` or
+  `browse()` is called in act mode against a substantial page (raw > 5 KB)
+  and the pruned output collapses to under 500 chars AND under 5% of raw,
+  the result includes a one-line `hint: act mode dropped most of the page
+  — retry with pruneMode='read' …` directly between the stats line and the
+  tree. Thresholds are deliberately conservative: an e-commerce or
+  search-results page (many interactive elements kept) won't trigger it;
+  a paragraph-heavy article will.
+- **Regression test:** `test/unit/prune.test.js` — "aliases mode='read' to
+  browse mode" pins the alias contract by asserting `prune(tree, {mode:
+  'read'})` deep-equals `prune(tree, {mode: 'browse'})` and that paragraphs
+  survive (the act-mode-style stripping that previously masqueraded as
+  read-mode is gone).
+
 ## 0.9.0
 
 Phase B — every H1–H9 from `docs/02-features/fix-plan.md` shipped one

package/README.md

@@ -94,6 +94,8 @@ Or manually add to your config (`claude_desktop_config.json`, `.cursor/mcp.json`
 
 18 tools: `browse`, `goto`, `snapshot`, `click`, `type`, `press`, `scroll`, `hover`, `select`, `back`, `forward`, `reload`, `drag`, `upload`, `pdf`, `screenshot`, `wait_for`, `tabs`. Plus `assess` (privacy scan) if [wearehere](https://github.com/hamr0/wearehere) is installed. Plus opt-in `eval` (`BAREBROWSE_MCP_EVAL=1`) — runs JS in the authenticated session, off by default because it can read cookies/localStorage. Session runs in hybrid mode with automatic cookie injection. Per-tool timeouts (goto/reload/wait_for 60s, back/forward 30s, interactive ops 15s, pdf/screenshot/upload 45s) with auto-retry on transient failures (idempotent only — mutating tools fail loudly to avoid double-submits).
 
+`browse` and `snapshot` accept `pruneMode: 'act'|'read'` (v0.9.1). `act` (default) keeps interactive elements — best for clicking/filling. `read` keeps paragraphs, headings, and long text — best for articles, docs, and content extraction. If act-mode collapses a content-heavy page near-totally, the snapshot includes a `hint: …` line suggesting `pruneMode='read'` so the agent doesn't bail to a separate HTTP fetch.
+
 Troubleshooting MCP setup: `npx barebrowse doctor` scans every known config location and flags scope conflicts. `npx barebrowse install --force` overwrites an existing entry pointing at a different endpoint.
 
 ### 3. Library -- for agentic automation

package/barebrowse.context.md

@@ -1,7 +1,7 @@
 # barebrowse -- Integration Guide
 
 > For AI assistants and developers wiring barebrowse into a project.
-> v0.9.0 | Node.js >= 22 | 0 required deps | Apache-2.0
+> v0.9.1 | Node.js >= 22 | 0 required deps | Apache-2.0
 
 ## What this is
 
@@ -45,6 +45,8 @@ const snapshot = await browse('https://example.com', {
   prune: true,           // apply ARIA pruning (47-95% token reduction)
   pruneMode: 'act',      // 'act' (interactive elements) | 'read' (all content)
   consent: true,         // auto-dismiss cookie consent dialogs
+  blockAds: true,        // block ~120 ad/tracker URL patterns (default on for owned browsers)
+  blockUrls: [],         // extra URL globs to block (merged with the default)
   timeout: 30000,        // navigation timeout in ms
 });
 ```
@@ -91,6 +93,8 @@ const snapshot = await browse('https://example.com', {
 - `viewport: '1280x720'` — Set viewport dimensions
 - `storageState: 'file.json'` — Load cookies/localStorage from saved state
 - `downloadPath: '/abs/dir'` — Where downloads land. Default: per-session `mkdtemp` under `/tmp/barebrowse-dl-*` that gets removed on `close()`. Caller-supplied paths are not cleaned up — caller owns the lifecycle.
+- `blockAds: true|false` — CDP-level URL blocking of ~120 common ad/tracker patterns (Google ads/analytics, FB/Amazon/MS/Adobe ad+analytics, Segment/Amplitude/Mixpanel/Heap, Hotjar/FullStory/LogRocket, Criteo/Taboola/Outbrain, the consumer-pixel cluster, AppNexus/Rubicon/PubMatic supply, marketing automation). Default `true` for launched browsers, `false` in attach mode (would affect any tab in the user's running browser). Explicit `true` in attach mode is honored and follows the session across `switchTab()`. Shrinks ARIA snapshots and speeds page loads.
+- `blockUrls: ['*://foo.com/*', ...]` — Extra glob patterns (CDP `Network.setBlockedURLs` format) to block in addition to the default. Merged with the default unless `blockAds: false`.
 
 ## Snapshot format
 
@@ -161,7 +165,8 @@ barebrowse can inject cookies from the user's real browser sessions, bypassing l
 | Form submission | `press('Enter')` triggers onsubmit | Both |
 | SPA navigation | `waitForNavigation()` uses loadEventFired + frameNavigated | Both |
 | Bot detection | v0.9.0 (H9): Cloudflare-strong phrases ("Just a moment", "Attention Required", "verify you are human") fire alone; generic phrases ("access denied", "unknown error") only fire on near-empty pages — no more false-positive headed-launches on legitimate 4xx/5xx pages. `botBlocked` flag set after every `goto()`. Hybrid fallback switches to headed. Snapshot shows `[BOT CHALLENGE DETECTED]` warning. | Hybrid |
-| Stealth (headless tells) | v0.9.0 (H4): `Network.setUserAgentOverride` strips "HeadlessChrome" from UA in HTTP headers AND `navigator.userAgent`; JS patches for webdriver, plugins, languages, full `chrome.runtime` enum shape, `Notification` constructor + `permission: 'default'`, `hardwareConcurrency: 8`, `deviceMemory: 8`, WebGL `UNMASKED_VENDOR_WEBGL`/`UNMASKED_RENDERER_WEBGL` spoofed to Intel | Headless |
+| Stealth (headless tells) | v0.9.0 (H4): `Network.setUserAgentOverride` strips "HeadlessChrome" from UA in HTTP headers AND `navigator.userAgent`; JS patches for webdriver, plugins, languages, full `chrome.runtime` enum shape, `Notification` constructor + `permission: 'default'`, `hardwareConcurrency: 8`, `deviceMemory: 8`, WebGL `UNMASKED_VENDOR_WEBGL`/`UNMASKED_RENDERER_WEBGL` spoofed to Intel. v0.10.0: canvas fingerprint noise — `toDataURL`/`getImageData` XOR a per-session `crypto.getRandomValues`-seeded mask into ~1 byte per 64-byte stride (stable within a session, different across sessions; bitmap is restored after encoding so legitimate canvas use is unaffected). | Headless |
+| Ad / tracker URL blocking | v0.10.0: CDP `Network.setBlockedURLs` with ~120 curated patterns (Google/FB/Amazon/MS/Adobe ad+analytics, the major SaaS analytics + session-replay stacks, content-rec, supply-side ad networks, marketing automation). Default on for launched browsers, off in attach mode. `opts.blockUrls` extends; `opts.blockAds: false` disables. Shrinks ARIA snapshots and speeds loads. | Launched |
 | iframe / OOPIF content (Stripe, reCAPTCHA, embedded forms) | v0.9.0 (H2): `Target.setAutoAttach({flatten:true})` registers a CDP session per iframe; `ariaTree()` walks `Page.getFrameTree`, fetches each frame's AX tree on the right session, splices children under iframe placeholders via `DOM.getFrameOwner`. Refs route via `{session, backendNodeId}` so clicks dispatch in the iframe's Input domain. `--site-per-process` launch flag forces every iframe — including same-origin — into OOPIF so coords work. | Both |
 | Downloads | v0.9.0 (H7): `Browser.setDownloadBehavior({behavior:'allowAndName', downloadPath, eventsEnabled:true})` + listeners populate `page.downloads`. Files land at `savedPath` (under `--download-path` if supplied, else per-session `/tmp/barebrowse-dl-*`). | Headless + Headed (skipped in attach mode) |
 | Profile locking | Unique temp dir per headless instance | Headless |
@@ -255,6 +260,8 @@ Action tools return `'ok'` -- the agent calls `snapshot` explicitly to observe.
 
 `browse` and `snapshot` accept a `maxChars` param (default 30000). If the snapshot exceeds the limit, it's saved to `.barebrowse/page-<timestamp>.yml` and a short message with the file path is returned instead. `screenshot` always saves to `.barebrowse/screenshot-<timestamp>.{png,jpeg,webp}` and returns the file path (raw base64 in a JSON-RPC response would blow `maxChars`). `tabs` returns the JSON array, or with `switchTo: N` it switches and returns `'ok'`.
 
+`browse` and `snapshot` also accept `pruneMode: 'act'|'read'`. `act` (the default) keeps interactive elements and short labels — best for clicking/filling. `read` keeps paragraphs, headings, and long text — best for articles, docs, and content extraction. Same surface on the bareagent adapter. If act mode collapses a content-heavy page (raw > 5 KB → pruned < 500 chars AND < 5% of raw), the result includes a `hint: act mode dropped most of the page — retry with pruneMode='read' …` line between the stats and the tree so the caller knows to re-snapshot in read mode instead of bailing to a separate HTTP fetch.
+
 Session runs in hybrid mode (headless with automatic headed fallback on bot detection). `goto` injects cookies from the user's browser before navigation for authenticated access.
 
 Session tools share a singleton page, lazy-created on first use. All session tools have auto-retry on transient failures (browser crash, WebSocket close, navigation timeout) on a per-tool deadline (v0.9.0 H5): `goto`/`reload`/`wait_for` 60s, `back`/`forward` 30s, interactive ops (`click`/`type`/`press`/`scroll`/`hover`/`select`/`drag`/`snapshot`/`eval`) 15s, `tabs` 5s, heavy I/O (`pdf`/`screenshot`/`upload`) 45s — replaces the prior blanket 30s. Session resets between attempts. Idempotent tools retry once; mutating tools (`click`/`type`/`upload`/etc.) `{ retry: false }` so partial first attempts don't replay on a fresh page. Scroll accepts `direction: "up"/"down"` in addition to numeric `deltaY`. Click falls back to JS `.click()` when elements have no layout. `browse` has a 60s timeout (no retry — stateless). Assess tries headless first; if bot-blocked, retries headed. Browser OOM/crash auto-recovers (session resets, server stays alive).

package/cli.js

@@ -117,6 +117,8 @@ async function cmdOpen() {
     viewport: parseFlag('--viewport'),
     storageState: parseFlag('--storage-state'),
     downloadPath: parseFlag('--download-path'),
+    blockAds: hasFlag('--no-block-ads') ? false : undefined,
+    blockUrls: parseFlagAll('--block-urls'),
   };
 
   try {
@@ -218,6 +220,8 @@ async function runDaemonInternal() {
     viewport: parseFlag('--viewport'),
     storageState: parseFlag('--storage-state'),
     downloadPath: parseFlag('--download-path'),
+    blockAds: hasFlag('--no-block-ads') ? false : undefined,
+    blockUrls: parseFlagAll('--block-urls'),
   };
   const outputDir = parseFlag('--output-dir') || resolve('.barebrowse');
   const url = parseFlag('--url');
@@ -240,6 +244,20 @@ function hasFlag(name) {
   return args.includes(name);
 }
 
+// Collects every occurrence of a repeatable flag (--name=val or --name val).
+// Returns undefined when absent so the opts object stays sparse and callers
+// can distinguish "not provided" from "provided but empty".
+function parseFlagAll(name) {
+  const out = [];
+  for (let i = 0; i < args.length; i++) {
+    if (args[i].startsWith(name + '=')) out.push(args[i].slice(name.length + 1));
+    else if (args[i] === name && args[i + 1] && !args[i + 1].startsWith('--')) {
+      out.push(args[i + 1]); i++;
+    }
+  }
+  return out.length ? out : undefined;
+}
+
 
 // --- MCP auto-installer ---
 
@@ -467,6 +485,10 @@ Session:
     --viewport=WxH                  Viewport size (e.g. 1280x720)
     --storage-state=FILE            Load cookies/localStorage from JSON file
     --download-path=DIR             Directory for downloaded files (default: per-session temp dir)
+    --no-block-ads                  Disable the built-in ad/tracker blocklist (~120 patterns).
+                                    Default: enabled in owned-browser modes, disabled in attach mode.
+    --block-urls=PATTERN            Extra URL glob to block (repeatable, e.g. --block-urls='*://*.foo.com/*').
+                                    Use the =VALUE form when the pattern could be mistaken for a flag.
 
 Navigation:
   barebrowse goto <url>             Navigate to URL

package/mcp-server.js

@@ -150,6 +150,7 @@ export const TOOLS = [
       properties: {
         url: { type: 'string', description: 'URL to browse' },
         mode: { type: 'string', enum: ['headless', 'headed', 'hybrid'], description: 'Browser mode (default: headless)' },
+        pruneMode: { type: 'string', enum: ['act', 'read'], description: 'Pruning mode. "act" (default) keeps interactive elements and short labels — best for clicking/filling. "read" keeps paragraphs, headings, and long text — best for articles, docs, and content extraction. If the page is content-heavy and act-mode returns mostly empty, retry with "read".' },
         maxChars: { type: 'number', description: 'Max chars to return inline. Larger snapshots are saved to .barebrowse/ and a file path is returned instead. Default: 30000.' },
       },
       required: ['url'],
@@ -172,6 +173,7 @@ export const TOOLS = [
     inputSchema: {
       type: 'object',
       properties: {
+        pruneMode: { type: 'string', enum: ['act', 'read'], description: 'Pruning mode. "act" (default) keeps interactive elements and short labels — best for clicking/filling. "read" keeps paragraphs, headings, and long text — best for articles, docs, and content extraction. If a previous snapshot looked empty on a content-heavy page, retry with "read".' },
         maxChars: { type: 'number', description: 'Max chars to return inline. Larger snapshots are saved to .barebrowse/ and a file path is returned instead. Default: 30000.' },
       },
     },
@@ -374,7 +376,7 @@ async function handleToolCall(name, args) {
     case 'browse': {
       let timer;
       const text = await Promise.race([
-        browse(args.url, { mode: args.mode }),
+        browse(args.url, { mode: args.mode, pruneMode: args.pruneMode }),
         new Promise((_, rej) => { timer = setTimeout(() => rej(new Error('browse timed out after 60s')), 60000); }),
       ]);
       clearTimeout(timer);
@@ -393,7 +395,7 @@ async function handleToolCall(name, args) {
     }, TIMEOUTS.goto);
     case 'snapshot': return withRetry(async () => {
       const page = await getPage();
-      const text = await page.snapshot();
+      const text = await page.snapshot(args.pruneMode ? { mode: args.pruneMode } : undefined);
       const limit = args.maxChars ?? MAX_CHARS_DEFAULT;
       if (text.length > limit) {
         const file = saveSnapshot(text);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "barebrowse",
-  "version": "0.9.0",
+  "version": "0.10.0",
   "description": "Authenticated web browsing for autonomous agents via CDP. URL in, pruned ARIA snapshot out.",
   "type": "module",
   "main": "src/index.js",

package/src/bareagent.js

@@ -50,10 +50,11 @@ export function createBrowseTools(opts = {}) {
         type: 'object',
         properties: {
           url: { type: 'string', description: 'URL to browse' },
+          pruneMode: { type: 'string', enum: ['act', 'read'], description: '"act" (default) for interactive elements only; "read" for paragraphs and long text (articles/docs).' },
         },
         required: ['url'],
       },
-      execute: async ({ url }) => await browse(url, opts),
+      execute: async ({ url, pruneMode }) => await browse(url, pruneMode ? { ...opts, pruneMode } : opts),
     },
     {
       name: 'goto',
@@ -70,10 +71,15 @@ export function createBrowseTools(opts = {}) {
     {
       name: 'snapshot',
       description: 'Get the current ARIA snapshot. Returns a YAML-like tree with [ref=N] markers on interactive elements.',
-      parameters: { type: 'object', properties: {} },
-      execute: async () => {
+      parameters: {
+        type: 'object',
+        properties: {
+          pruneMode: { type: 'string', enum: ['act', 'read'], description: '"act" (default) for interactive elements only; "read" for paragraphs and long text (articles/docs).' },
+        },
+      },
+      execute: async ({ pruneMode } = {}) => {
         const page = await getPage();
-        return await page.snapshot();
+        return await page.snapshot(pruneMode ? { mode: pruneMode } : undefined);
       },
     },
     {

package/src/blocklist.js

@@ -0,0 +1,190 @@
+/**
+ * blocklist.js — Ad/tracker URL patterns for CDP Network.setBlockedURLs.
+ *
+ * Curated by real-world frequency, not pulled wholesale from Peter Lowe /
+ * EasyList. CDP does linear pattern matching per request, so 3,000-entry
+ * lists add ~150ms cumulative cost on a typical page for ~5% extra coverage
+ * (long-tail regional networks the agent rarely encounters). The set below
+ * is ~120 patterns covering the trackers that actually show up in agent
+ * traffic: Google/FB/Amazon/MS/Adobe ad+analytics, the major SaaS analytics
+ * stacks (Segment/Amplitude/Mixpanel/HubSpot/Hotjar/FullStory/Heap/Mouseflow),
+ * session-replay (LogRocket/Crazy Egg/Optimizely/VWO), content-recommendation
+ * (Taboola/Outbrain/Criteo), and the consumer-pixel cluster (LinkedIn/Twitter/
+ * TikTok/Snap/Pinterest/Reddit).
+ *
+ * Patterns are CDP-format globs: '*' matches any character run.
+ *
+ * To extend at runtime, pass connect({ blockUrls: [...] }) — your patterns
+ * are merged with this default. To turn the default off entirely, pass
+ * { blockAds: false }.
+ */
+
+export const DEFAULT_BLOCKLIST = [
+  // --- Google ads + analytics (the single biggest cluster) ---
+  '*://*.doubleclick.net/*',
+  '*://*.googlesyndication.com/*',
+  '*://*.googleadservices.com/*',
+  '*://*.googletagservices.com/*',
+  '*://*.googletagmanager.com/*',
+  '*://*.google-analytics.com/*',
+  '*://*.adservice.google.com/*',
+  '*://pagead2.googlesyndication.com/*',
+  '*://www.googleadservices.com/pagead/*',
+  '*://ssl.google-analytics.com/*',
+  '*://stats.g.doubleclick.net/*',
+
+  // --- Facebook / Meta ---
+  '*://connect.facebook.net/*',
+  '*://*.facebook.com/tr*',          // Pixel (matches both /tr/... and /tr?...)
+  '*://*.fbcdn.net/signals/*',
+
+  // --- Amazon ads ---
+  '*://*.amazon-adsystem.com/*',
+  '*://aax.amazon-adsystem.com/*',
+  '*://s.amazon-adsystem.com/*',
+
+  // --- Microsoft (Bing ads + Clarity) ---
+  '*://bat.bing.com/*',
+  '*://*.clarity.ms/*',
+
+  // --- Yandex ---
+  '*://mc.yandex.ru/*',
+  '*://an.yandex.ru/*',
+  '*://yandex.ru/ads/*',
+
+  // --- Adobe Marketing Cloud ---
+  '*://*.omtrdc.net/*',
+  '*://*.demdex.net/*',
+  '*://*.everesttech.net/*',
+  '*://*.2o7.net/*',
+  '*://*.adobedtm.com/*',
+
+  // --- LinkedIn ---
+  '*://px.ads.linkedin.com/*',
+  '*://snap.licdn.com/li.lms-analytics/*',
+
+  // --- Twitter/X ---
+  '*://analytics.twitter.com/*',
+  '*://static.ads-twitter.com/*',
+  '*://*.t.co/i/adsct*',
+
+  // --- TikTok ---
+  '*://analytics.tiktok.com/*',
+  '*://business-api.tiktok.com/*',
+  '*://*.tiktokcdn.com/tiktok/*',
+
+  // --- Snap ---
+  '*://tr.snapchat.com/*',
+  '*://sc-static.net/scevent.min.js*',
+
+  // --- Pinterest ---
+  '*://ct.pinterest.com/*',
+  '*://*.pinimg.com/ct/*',
+
+  // --- Reddit ---
+  '*://events.redditmedia.com/*',
+  '*://www.redditstatic.com/ads/*',
+
+  // --- Quantcast / ComScore / Chartbeat ---
+  '*://pixel.quantserve.com/*',
+  '*://*.quantcount.com/*',
+  '*://*.scorecardresearch.com/*',
+  '*://ping.chartbeat.net/*',
+  '*://static.chartbeat.com/*',
+
+  // --- Criteo / Taboola / Outbrain (content + retargeting) ---
+  '*://*.criteo.com/*',
+  '*://*.criteo.net/*',
+  '*://cdn.taboola.com/*',
+  '*://trc.taboola.com/*',
+  '*://widgets.outbrain.com/*',
+  '*://*.outbrain.com/utils/*',
+
+  // --- Tealium / Marketo / Pardot / Salesforce marketing ---
+  '*://tags.tiqcdn.com/*',
+  '*://*.tealiumiq.com/*',
+  '*://munchkin.marketo.net/*',
+  '*://*.marketo.com/munchkin*',
+  '*://pi.pardot.com/*',
+  '*://*.exacttarget.com/cdn/*',
+
+  // --- Yahoo / Verizon Media ---
+  '*://*.yahoo.com/p.gif*',
+  '*://ad.yieldmanager.com/*',
+  '*://sp.analytics.yahoo.com/*',
+
+  // --- RUM / front-end perf (debatable, but commonly noisy) ---
+  '*://rum.pingdom.net/*',
+  '*://bam.nr-data.net/*',
+  '*://bam-cell.nr-data.net/*',
+  '*://js-agent.newrelic.com/*',
+  '*://*.browser-intake-datadoghq.com/*',
+  '*://*.browser-intake-datadoghq.eu/*',
+
+  // --- Session replay + heatmaps ---
+  '*://*.hotjar.com/*',
+  '*://*.hotjar.io/*',
+  '*://*.fullstory.com/s/*',
+  '*://*.fullstory.com/rec/*',
+  '*://r.lr-ingest.io/*',
+  '*://*.logrocket.io/*',
+  '*://cdn.lr-ingest.com/*',
+  '*://script.crazyegg.com/*',
+  '*://cdn.mouseflow.com/*',
+  '*://*.mouseflow.com/projects/*',
+
+  // --- A/B testing ---
+  '*://cdn.optimizely.com/*',
+  '*://*.optimizely.com/event*',
+  '*://dev.visualwebsiteoptimizer.com/*',
+  '*://*.vwo.com/*',
+
+  // --- Product analytics ---
+  '*://api.segment.io/*',
+  '*://cdn.segment.com/*',
+  '*://*.segment.io/v1/*',
+  '*://api.amplitude.com/*',
+  '*://api2.amplitude.com/*',
+  '*://cdn.amplitude.com/*',
+  '*://api.mixpanel.com/*',
+  '*://cdn.mxpnl.com/*',
+  '*://*.heapanalytics.com/*',
+  '*://heapanalytics.com/h*',
+  '*://*.posthog.com/e/*',
+  '*://*.posthog.com/decide/*',
+
+  // --- Marketing automation ---
+  '*://track.hubspot.com/*',
+  '*://js.hs-scripts.com/*',
+  '*://js.hs-analytics.net/*',
+  '*://js.hsforms.net/*',
+
+  // --- Customer messaging (these load chat widgets that bloat ARIA) ---
+  '*://widget.intercom.io/*',
+  '*://api-iam.intercom.io/messenger/*',
+  '*://js.intercomcdn.com/*',
+  '*://js.driftt.com/*',
+  '*://event.api.drift.com/*',
+
+  // --- Error reporters (Sentry kept off — agents may want to see errors) ---
+  '*://sessions.bugsnag.com/*',
+  '*://notify.bugsnag.com/*',
+
+  // --- Misc widely-deployed ad networks ---
+  '*://*.adnxs.com/*',                // AppNexus / Xandr
+  '*://*.rubiconproject.com/*',
+  '*://*.pubmatic.com/*',
+  '*://*.openx.net/*',
+  '*://*.casalemedia.com/*',
+  '*://*.bidswitch.net/*',
+  '*://*.adsrvr.org/*',               // The Trade Desk
+  '*://*.media.net/*',
+  '*://*.mediavoice.com/*',
+  '*://*.serving-sys.com/*',          // Sizmek
+  '*://*.smartadserver.com/*',
+  '*://*.indexww.com/*',
+  '*://*.mathtag.com/*',
+  '*://*.tapad.com/*',
+  '*://*.bluekai.com/*',              // Oracle Data Cloud
+  '*://*.krxd.net/*',                 // Salesforce / Krux
+];

package/src/chromium.js

@@ -16,9 +16,12 @@ let exitHandlersRegistered = false;
 function reapAllSync() {
   const toReap = [...activeBrowsers];
   activeBrowsers.clear();
-  // Send SIGKILL to everything first so the kernel reaps in parallel
+  // Send SIGKILL to the parent AND the whole process group (detached:true
+  // gives each Chromium its own pgid, so -pid targets every renderer/GPU/
+  // network child without touching Node or its other children).
   for (const b of toReap) {
     try { if (!b.process.killed) b.process.kill('SIGKILL'); } catch {}
+    try { process.kill(-b.process.pid, 'SIGKILL'); } catch {}
   }
   // Then poll each for actual death before removing its profile dir —
   // Chromium can hold file handles briefly even after SIGKILL, which would
@@ -151,8 +154,22 @@ export async function launch(opts = {}) {
   // about:blank as initial page
   args.push('about:blank');
 
+  // detached:true makes Node call setsid() so Chromium becomes its own
+  // process-group leader. Without this, the renderer/GPU/network children
+  // it forks share the Node parent's process group — SIGTERM on the
+  // Chromium PID only signals Chromium itself and the children linger,
+  // holding profile-dir files for seconds after the parent exits. Under
+  // parallel test load that races our rmSync cleanup. With a separate
+  // pgid, cleanupBrowser can signal the whole group with process.kill(-pid).
+  //
+  // Trade-off: a terminal SIGINT (Ctrl-C) is delivered to the foreground
+  // process group, which is now Node's — Chromium will NOT receive it
+  // directly. The SIGINT handler in registerExitHandlers() that calls
+  // reapAllSync() is what actually kills Chromium under Ctrl-C now. Do not
+  // remove that handler without restoring some other path to reap children.
   const child = spawn(binary, args, {
     stdio: ['ignore', 'pipe', 'pipe'],
+    detached: true,
   });
 
   // Parse the WebSocket URL from stderr
@@ -216,20 +233,33 @@ export async function cleanupBrowser(browser) {
     });
     try { browser.process.kill(); } catch {}
     await exited;
+    // SIGKILL the whole Chromium process group. The parent may have exited
+    // already (above) but renderer/GPU/network children — separate processes
+    // under --site-per-process — can outlive it by seconds, and they hold
+    // profile-dir file handles. Because launch() spawned with detached:true,
+    // the children share Chromium's pgid (not Node's), so process.kill on a
+    // negative PID reaps the whole group without touching anything else.
+    try { process.kill(-browser.process.pid, 'SIGKILL'); } catch {
+      // ESRCH = group already gone; anything else is best-effort here.
+    }
   }
   if (browser.ownedProfileDir) {
-    // Chromium can still flush files for ~hundreds of ms after exit; with
-    // --site-per-process (added in H2) every iframe is its own renderer
-    // process, each with its own pending file handles, so the old 10×100ms
-    // window (1s) wasn't always enough under parallel test load. Now
-    // 25×100ms (2.5s) plus a polling jitter to avoid every concurrent
-    // cleanup hammering at the same tick.
-    for (let i = 0; i < 25; i++) {
+    // Chromium spawns renderer + GPU + network + utility subprocesses (one
+    // per site under --site-per-process from H2), and SIGTERM on the parent
+    // doesn't guarantee the children have closed their profile-file handles
+    // by the time the parent's exit event fires. Under parallel test load
+    // we've seen handle-release take >2.5s. Retry budget here is 60×100ms
+    // jittered (~6s+ worst case). Retry on ANY error short of ENOENT —
+    // earlier code only retried ENOTEMPTY/EBUSY but Linux also reports
+    // EPERM/EACCES transiently when an open-deleted file is still being
+    // written to. force:true already swallows ENOENT, so the catch only
+    // sees real failures.
+    for (let i = 0; i < 60; i++) {
       try {
         rmSync(browser.ownedProfileDir, { recursive: true, force: true });
         break;
       } catch (err) {
-        if (err.code !== 'ENOTEMPTY' && err.code !== 'EBUSY') break;
+        if (err.code === 'ENOENT') break; // already gone
         await new Promise((r) => setTimeout(r, 100 + Math.floor(Math.random() * 50)));
       }
     }

package/src/daemon.js

@@ -40,6 +40,10 @@ export async function startDaemon(opts, outputDir, initialUrl) {
   if (opts.viewport) args.push('--viewport', opts.viewport);
   if (opts.storageState) args.push('--storage-state', opts.storageState);
   if (opts.downloadPath) args.push('--download-path', opts.downloadPath);
+  if (opts.blockAds === false) args.push('--no-block-ads');
+  if (Array.isArray(opts.blockUrls)) {
+    for (const p of opts.blockUrls) args.push('--block-urls', p);
+  }
 
   const child = spawn(process.execPath, args, {
     detached: true,
@@ -48,8 +52,11 @@ export async function startDaemon(opts, outputDir, initialUrl) {
   });
   child.unref();
 
-  // Poll for session.json (50ms interval, 15s timeout)
-  const deadline = Date.now() + 15000;
+  // Poll for session.json (50ms interval, 30s timeout). 30s covers cold
+  // Chromium boot plus initial-URL navigation on slower CI/older hardware;
+  // the previous 15s was tight enough that the ad-blocklist's added
+  // CDP setup time pushed real boots past it on stress runs.
+  const deadline = Date.now() + 30000;
   while (Date.now() < deadline) {
     if (existsSync(sessionPath)) {
       try {
@@ -59,7 +66,7 @@ export async function startDaemon(opts, outputDir, initialUrl) {
     }
     await new Promise((r) => setTimeout(r, 50));
   }
-  throw new Error('Daemon failed to start within 15s');
+  throw new Error('Daemon failed to start within 30s');
 }
 
 /**
@@ -79,6 +86,8 @@ export async function runDaemon(opts, outputDir, initialUrl) {
     viewport: opts.viewport,
     storageState: opts.storageState,
     downloadPath: opts.downloadPath,
+    blockAds: opts.blockAds,
+    blockUrls: opts.blockUrls,
   });
 
   // Console log capture

package/src/index.js

@@ -16,6 +16,7 @@ import { prune as pruneTree } from './prune.js';
 import { click as cdpClick, type as cdpType, scroll as cdpScroll, press as cdpPress, hover as cdpHover, select as cdpSelect, drag as cdpDrag, upload as cdpUpload } from './interact.js';
 import { dismissConsent } from './consent.js';
 import { applyStealth } from './stealth.js';
+import { DEFAULT_BLOCKLIST } from './blocklist.js';
 import { waitForNetworkIdle } from './network-idle.js';
 import { join as pathJoin } from 'node:path';
 
@@ -29,6 +30,11 @@ import { join as pathJoin } from 'node:path';
  * @param {boolean} [opts.cookies=true] - Inject user's cookies (Phase 2)
  * @param {boolean} [opts.prune=true] - Apply ARIA pruning (Phase 2)
  * @param {number} [opts.timeout=30000] - Navigation timeout in ms
+ * @param {boolean} [opts.blockAds=true] - Block ~120 common ad/tracker
+ *   URL patterns via CDP. Shrinks ARIA snapshots and speeds page loads.
+ *   See src/blocklist.js for the default set. Set false to disable.
+ * @param {string[]} [opts.blockUrls] - Extra URL glob patterns to block,
+ *   merged with the default unless blockAds:false.
  * @returns {Promise<string>} ARIA snapshot text
  */
 export async function browse(url, opts = {}) {
@@ -53,7 +59,8 @@ export async function browse(url, opts = {}) {
     }
 
     // Step 2: Create a new page target and attach
-    let page = await createPage(cdp, mode !== 'headed', { viewport: opts.viewport });
+    const pageOpts = { viewport: opts.viewport, blockAds: opts.blockAds, blockUrls: opts.blockUrls };
+    let page = await createPage(cdp, mode !== 'headed', pageOpts);
 
     // Step 2.5: Suppress permission prompts
     await suppressPermissions(cdp);
@@ -87,7 +94,7 @@ export async function browse(url, opts = {}) {
       try {
         browser = await launch({ ...launchOpts, headed: true });
         cdp = await createCDP(browser.wsUrl);
-        page = await createPage(cdp, false, { viewport: opts.viewport });
+        page = await createPage(cdp, false, pageOpts);
         await suppressPermissions(cdp);
         if (opts.cookies !== false) {
           try { await authenticate(page.session, url, { browser: opts.browser }); } catch {}
@@ -110,7 +117,11 @@ export async function browse(url, opts = {}) {
       snapshot = raw;
     }
     const stats = `url: ${url}\n${raw.length.toLocaleString()} chars → ${snapshot.length.toLocaleString()} chars (${Math.round((1 - snapshot.length / raw.length) * 100)}% pruned)`;
-    snapshot = stats + '\n' + snapshot;
+    const actMode = !opts.pruneMode || opts.pruneMode === 'act';
+    const hint = (actMode && raw.length > 5000 && snapshot.length < 500 && snapshot.length < raw.length * 0.05)
+      ? `hint: act mode dropped most of the page — retry with pruneMode='read' for paragraphs and long text\n`
+      : '';
+    snapshot = stats + '\n' + hint + snapshot;
 
     // Step 7: Clean up
     await cdp.send('Target.closeTarget', { targetId: page.targetId });
@@ -135,6 +146,14 @@ export async function browse(url, opts = {}) {
  *   Default: a per-session subdirectory under the OS temp dir. Downloads
  *   land here as <guid>; check `page.downloads` for { url, suggestedFilename,
  *   savedPath, state, totalBytes, receivedBytes } per file.
+ * @param {boolean} [opts.blockAds] - Block ~120 common ad/tracker URL
+ *   patterns via CDP. Defaults to true for launched browsers, false in
+ *   attach mode (would affect any tab attached to the user's running
+ *   session). Setting blockAds:true explicitly in attach mode honors the
+ *   request — blocking applies to whichever tab the session is currently
+ *   attached to and follows the session across switchTab() until close.
+ * @param {string[]} [opts.blockUrls] - Extra URL glob patterns to block,
+ *   merged with the default unless blockAds is false.
  * @returns {Promise<object>} Page handle with goto, snapshot, close
  */
 export async function connect(opts = {}) {
@@ -165,7 +184,15 @@ export async function connect(opts = {}) {
   // (they'd persist in the user's session via addScriptToEvaluateOnNewDocument)
   // and the headed→headless rewind in goto() is gated off below.
   let currentlyHeaded = attachMode || (mode === 'headed');
-  let page = await createPage(cdp, !currentlyHeaded, { viewport: opts.viewport });
+  // Default blockAds on for owned browsers, off in attach mode (would affect
+  // any tab we attach to in the user's running session). Caller can flip with
+  // explicit blockAds:true/false.
+  const pageOpts = {
+    viewport: opts.viewport,
+    blockAds: opts.blockAds !== undefined ? opts.blockAds : !attachMode,
+    blockUrls: opts.blockUrls,
+  };
+  let page = await createPage(cdp, !currentlyHeaded, pageOpts);
   let refMap = new Map();
   let botBlocked = false;
 
@@ -300,7 +327,7 @@ export async function connect(opts = {}) {
 
         browser = await launch(launchOpts);
         cdp = await createCDP(browser.wsUrl);
-        page = await createPage(cdp, true, { viewport: opts.viewport });
+        page = await createPage(cdp, true, pageOpts);
         setupDialogHandler(page.session);
         await suppressPermissions(cdp);
         currentlyHeaded = false;
@@ -326,7 +353,7 @@ export async function connect(opts = {}) {
         try {
           browser = await launch({ ...launchOpts, headed: true });
           cdp = await createCDP(browser.wsUrl);
-          page = await createPage(cdp, false, { viewport: opts.viewport });
+          page = await createPage(cdp, false, pageOpts);
           setupDialogHandler(page.session);
           await suppressPermissions(cdp);
           await navigate(page, url, timeout);
@@ -382,10 +409,14 @@ export async function connect(opts = {}) {
       const pageUrl = entries[currentIndex]?.url || '';
       const warn = botBlocked ? '[BOT CHALLENGE DETECTED — page content may be incomplete or blocked]\n' : '';
       if (pruneOpts === false) return `url: ${pageUrl}\n` + warn + raw;
-      const pruned = pruneTree(result.tree, { mode: pruneOpts?.mode || 'act' });
+      const mode = pruneOpts?.mode || 'act';
+      const pruned = pruneTree(result.tree, { mode });
       const out = formatTree(pruned);
       const stats = `url: ${pageUrl}\n${raw.length.toLocaleString()} chars → ${out.length.toLocaleString()} chars (${Math.round((1 - out.length / raw.length) * 100)}% pruned)`;
-      return stats + '\n' + warn + out;
+      const hint = (mode === 'act' && raw.length > 5000 && out.length < 500 && out.length < raw.length * 0.05)
+        ? `hint: act mode dropped most of the page — retry with pruneMode='read' for paragraphs and long text\n`
+        : '';
+      return stats + '\n' + hint + warn + out;
     },
 
     async click(ref) {
@@ -465,7 +496,7 @@ export async function connect(opts = {}) {
       // closure handle used by every method below, so swapping it makes
       // snapshot/click/type/etc. operate on the new tab.
       const oldSessionId = page.sessionId;
-      page = await attachToExistingTarget(cdp, target.targetId);
+      page = await attachToExistingTarget(cdp, target.targetId, pageOpts);
       refMap = new Map(); // refs from the previous tab are no longer valid
       setupDialogHandler(page.session);
       try { await cdp.send('Target.detachFromTarget', { sessionId: oldSessionId }); } catch {}
@@ -553,7 +584,7 @@ export async function connect(opts = {}) {
     get cdp() { return page.session; },
 
     async createTab() {
-      const tab = await createPage(cdp, !currentlyHeaded, { viewport: opts.viewport });
+      const tab = await createPage(cdp, !currentlyHeaded, pageOpts);
       await suppressPermissions(cdp);
       setupDialogHandler(tab.session);
       let tabBotBlocked = false;
@@ -645,6 +676,12 @@ async function createPage(cdp, stealth = false, pageOpts = {}) {
     await applyStealth(session);
   }
 
+  // Ad/tracker URL blocking via CDP. Default on for owned browsers — shrinks
+  // ARIA, speeds loads. Skipped in attach mode (would affect the user's
+  // running browser globally) and skippable per-call via blockAds:false.
+  // Custom patterns in blockUrls extend the default unless blockAds is false.
+  await applyBlocklist(session, pageOpts);
+
   // Set viewport size if specified (e.g. "1280x720")
   if (pageOpts.viewport) {
     const [w, h] = pageOpts.viewport.split('x').map(Number);
@@ -710,16 +747,35 @@ async function attachFrameTracking(cdp, mainSession) {
  * Attach a CDP session to an existing target (e.g. a tab opened by window.open).
  * Enables the same domains as createPage so snapshot/click/type work uniformly.
  */
-async function attachToExistingTarget(cdp, targetId) {
+async function attachToExistingTarget(cdp, targetId, pageOpts = {}) {
   const { sessionId } = await cdp.send('Target.attachToTarget', { targetId, flatten: true });
   const session = cdp.session(sessionId);
   await session.send('Page.enable');
   await session.send('Network.enable');
   await session.send('DOM.enable');
+  await applyBlocklist(session, pageOpts);
   const framesByFrameId = await attachFrameTracking(cdp, session);
   return { session, targetId, sessionId, framesByFrameId };
 }
 
+/**
+ * Apply Network.setBlockedURLs for ad/tracker blocking on a session.
+ * Default list is on; pass blockAds:false to skip, blockUrls:[] to extend.
+ * Silent on failure — older Chrome / unusual modes shouldn't break the page.
+ */
+async function applyBlocklist(session, pageOpts) {
+  if (pageOpts.blockAds === false && !pageOpts.blockUrls) return;
+  const patterns = pageOpts.blockAds === false
+    ? (pageOpts.blockUrls || [])
+    : [...DEFAULT_BLOCKLIST, ...(pageOpts.blockUrls || [])];
+  if (!patterns.length) return;
+  try {
+    await session.send('Network.setBlockedURLs', { urls: patterns });
+  } catch {
+    // Network.setBlockedURLs unsupported on this Chrome — skip silently.
+  }
+}
+
 /**
  * Navigate to a URL and wait for the page to load.
  */

package/src/prune.js

@@ -65,7 +65,8 @@ const SKIP_ROLES = new Set([
  * @returns {object|null} Pruned tree
  */
 export function prune(tree, options = {}) {
-  const { mode = 'act', context = '' } = options;
+  let { mode = 'act', context = '' } = options;
+  if (mode === 'read') mode = 'browse';
   const allowedRegions = MODE_REGIONS[mode] || MODE_REGIONS.act;
   const isBrowse = mode === 'browse';
   const keywords = context

package/src/stealth.js

@@ -92,6 +92,75 @@ const STEALTH_SCRIPT = `
       return origGetParam2.apply(this, arguments);
     };
   }
+
+  // Canvas fingerprinting — sites render standard text/shapes, then read
+  // pixels via toDataURL or getImageData. The output is stable per machine
+  // (GPU, font rasterizer, anti-aliasing) but unique across machines, which
+  // makes it the second-most-common fingerprint after WebGL. Defense: nudge
+  // a few RGB channels by ±1 per session so the hash changes each visit
+  // while the canvas still looks identical to the human eye. The per-tab
+  // seed keeps reads stable within a session so legitimate canvas use
+  // (image processing, games) doesn't flicker.
+  // crypto.getRandomValues is guaranteed unique per browsing context; using
+  // Math.random alone can collide when two fresh V8 contexts start within
+  // microseconds of each other (real-world: parallel tests, real-world hit:
+  // we observed it). performance.now adds a wall-clock anchor as a belt-and-
+  // braces guard against contexts where crypto is somehow stubbed.
+  const _seedBuf = new Uint32Array(1);
+  crypto.getRandomValues(_seedBuf);
+  const CANVAS_SEED = (_seedBuf[0] ^ ((performance.now() * 1e6) | 0)) >>> 0;
+  function shiftPixels(data) {
+    // Touch ~1 byte per 64-byte stride. The bit we XOR with is taken from a
+    // position-dependent SLICE of a seed-mixed hash, not its low bit — a
+    // naive 'mix & 1' collapses to only two possible outputs per seed
+    // parity because every stride index is even (the position multiplier
+    // is odd, so the low bit only depends on seed parity). Indexing the
+    // hash by (i/64) mod 32 makes every stride position sample a different
+    // bit, so two distinct seeds produce different mask patterns.
+    for (let i = 0; i < data.length; i += 64) {
+      const h = ((CANVAS_SEED * 2654435761) ^ (i * 1597334677)) >>> 0;
+      const bit = (h >>> ((i >>> 6) & 31)) & 1;
+      data[i] = (data[i] ^ bit) & 0xff;
+    }
+    return data;
+  }
+  // Capture originals BEFORE replacing — toDataURL must read pixels via the
+  // native getImageData (not the patched one), otherwise the patch double-
+  // applies and the second XOR cancels the first, leaving output unchanged.
+  const origGetImageData = CanvasRenderingContext2D.prototype.getImageData;
+  const origToDataURL = HTMLCanvasElement.prototype.toDataURL;
+  HTMLCanvasElement.prototype.toDataURL = function() {
+    const ctx = this.getContext('2d');
+    if (ctx && this.width > 0 && this.height > 0) {
+      try {
+        const img = origGetImageData.call(ctx, 0, 0, this.width, this.height);
+        // Snapshot the original bytes so we can restore them after encoding.
+        // Without this, repeated toDataURL() alternates noisy/clean: call 1
+        // XORs the canvas in place, call 2 reads the noisy canvas and XORs
+        // again (self-inverse), call 3 again, etc. Same XOR-cancellation
+        // class as the earlier double-apply bug, just through canvas state
+        // rather than method composition. The restore also keeps the
+        // bitmap idempotent for any downstream legitimate canvas reads.
+        const original = new Uint8ClampedArray(img.data);
+        shiftPixels(img.data);
+        ctx.putImageData(img, 0, 0);
+        const result = origToDataURL.apply(this, arguments);
+        img.data.set(original);
+        ctx.putImageData(img, 0, 0);
+        return result;
+      } catch {
+        // Tainted canvas (cross-origin image) — can't read; skip the nudge
+        // and fall through to the original call so the page sees the
+        // expected SecurityError instead of silent corruption.
+      }
+    }
+    return origToDataURL.apply(this, arguments);
+  };
+  CanvasRenderingContext2D.prototype.getImageData = function() {
+    const img = origGetImageData.apply(this, arguments);
+    shiftPixels(img.data);
+    return img;
+  };
 `;
 
 /**