bunite-core 0.12.0 → 0.14.0

package/src/native/win-webview2/bunite_webview2_ffi.cpp

@@ -1,6 +1,7 @@
 #include "webview2_internal.h"
 
 #include <cstring>
+#include <wincrypt.h>  // CryptBinaryToStringA — base64 encoding for screenshot payload.
 
 using namespace bunite_webview2;
 
@@ -11,7 +12,7 @@ void setViewInputPassthrough(ViewHost* v, bool passthrough);
 
 extern "C" {
 
-BUNITE_EXPORT int32_t bunite_abi_version(void) { return 5; }
+BUNITE_EXPORT int32_t bunite_abi_version(void) { return 9; }
 
 BUNITE_EXPORT void bunite_set_log_level(int32_t level) {
   if (level < 0) level = 0;
@@ -164,9 +165,21 @@ BUNITE_EXPORT void bunite_view_evaluate(uint32_t view_id, uint32_t request_id, c
     emitWebviewEvent(view_id, "evaluate-result", payload);
     return;
   }
+  // Wrap user script in a JS try/catch envelope: WebView2 ExecuteScript
+  // returns "null" when the script throws (HRESULT success), so without this
+  // wrapper a thrown error is indistinguishable from a literal `null`. The
+  // wrapper surfaces throws as `{__bunite_err: <message>}` for CEF-parity.
+  std::string wrapped =
+      "(function(){try{return JSON.stringify({__bunite_ok:true,value:("
+      + std::string(script) +
+      ")})}catch(e){var c=(e&&e.name===\"SecurityError\")?\"cross_origin\":\"runtime_error\";"
+      "return JSON.stringify({__bunite_ok:false,code:c,"
+      "message:(e&&e.message)?e.message:String(e),"
+      "name:(e&&e.name)||\"\"})}})()";
+
   auto lifetime = g_runtime.lifetime;
   v->webview->ExecuteScript(
-      utf8ToWide(script).c_str(),
+      utf8ToWide(wrapped).c_str(),
       Microsoft::WRL::Callback<ICoreWebView2ExecuteScriptCompletedHandler>(
           [lifetime, view_id, request_id](HRESULT hr, LPCWSTR raw) -> HRESULT {
             if (!lifetime || !lifetime->alive.load()) return S_OK;
@@ -178,13 +191,79 @@ BUNITE_EXPORT void bunite_view_evaluate(uint32_t view_id, uint32_t request_id, c
                         [hr]() { char b[16]; snprintf(b, sizeof(b), "%08x", static_cast<unsigned>(hr)); return std::string(b); }() +
                         "\"}";
             } else {
-              // WebView2 returns JSON-encoded result. Embed as a JSON string so
-              // the JS-side parses it as a string and re-JSON.parses to get the
-              // value back (the `value` field of the envelope is a raw JSON
-              // string per the FFI contract).
-              std::string value = wideToUtf8(raw);
-              payload = "{\"requestId\":" + std::to_string(request_id) +
-                        ",\"ok\":true,\"value\":\"" + escapeJsonString(value) + "\"}";
+              // `raw` is a JSON-encoded string. After WebView2's outer
+              // JSON.stringify, the wrapper's return value (itself a JSON
+              // string) arrives as a JSON-quoted JSON string — parse the outer
+              // quotes via simple unescape into the inner JSON envelope.
+              std::string outer = wideToUtf8(raw);
+              // outer looks like: "\"{\\\"__bunite_ok\\\":true,...}\""
+              // We need the inner JSON. Walk-and-decode minimally.
+              std::string inner;
+              if (outer.size() >= 2 && outer.front() == '"' && outer.back() == '"') {
+                inner.reserve(outer.size());
+                for (size_t i = 1; i + 1 < outer.size(); ++i) {
+                  if (outer[i] == '\\' && i + 2 < outer.size()) {
+                    char nxt = outer[i + 1];
+                    switch (nxt) {
+                      case '"': inner += '"'; ++i; break;
+                      case '\\': inner += '\\'; ++i; break;
+                      case 'n': inner += '\n'; ++i; break;
+                      case 'r': inner += '\r'; ++i; break;
+                      case 't': inner += '\t'; ++i; break;
+                      case '/': inner += '/'; ++i; break;
+                      default: inner += outer[i]; break;
+                    }
+                  } else {
+                    inner += outer[i];
+                  }
+                }
+              }
+              if (inner.empty()) {
+                // Wrapper didn't produce a string — script failure before catch
+                // (e.g. parse error). Surface as runtime_error.
+                payload = "{\"requestId\":" + std::to_string(request_id) +
+                          ",\"ok\":false,\"code\":\"runtime_error\","
+                          "\"message\":\"script returned non-string from wrapper\"}";
+              } else if (inner.find("\"__bunite_ok\":true") != std::string::npos) {
+                // Re-parse to find `value:`. Strip the prefix/suffix manually —
+                // the wrapper always emits {"__bunite_ok":true,"value":<JSON>}.
+                static const std::string prefix = "{\"__bunite_ok\":true,\"value\":";
+                static const std::string suffix = "}";
+                std::string value_json = "null";
+                if (inner.compare(0, prefix.size(), prefix) == 0 &&
+                    inner.size() > prefix.size() + suffix.size()) {
+                  value_json = inner.substr(prefix.size(), inner.size() - prefix.size() - 1);
+                }
+                payload = "{\"requestId\":" + std::to_string(request_id) +
+                          ",\"ok\":true,\"value\":\"" + escapeJsonString(value_json) + "\"}";
+              } else {
+                // __bunite_ok:false branch. Anchor extraction at fixed prefix —
+                // user-controlled e.message could otherwise inject a fake "code".
+                static const std::string codePrefix = "{\"__bunite_ok\":false,\"code\":\"";
+                std::string code = "runtime_error";
+                std::string msg = "script threw";
+                if (inner.compare(0, codePrefix.size(), codePrefix) == 0) {
+                  size_t start = codePrefix.size();
+                  size_t end = start;
+                  while (end < inner.size() && inner[end] != '"') ++end;
+                  if (end > start) code = inner.substr(start, end - start);
+                  // message key follows immediately after `","` separator.
+                  static const std::string msgKey = "\",\"message\":\"";
+                  if (end + msgKey.size() <= inner.size() &&
+                      inner.compare(end, msgKey.size(), msgKey) == 0) {
+                    size_t mstart = end + msgKey.size();
+                    size_t mend = mstart;
+                    while (mend < inner.size()) {
+                      if (inner[mend] == '"' && (mend == mstart || inner[mend - 1] != '\\')) break;
+                      ++mend;
+                    }
+                    if (mend > mstart) msg = inner.substr(mstart, mend - mstart);
+                  }
+                }
+                payload = "{\"requestId\":" + std::to_string(request_id) +
+                          ",\"ok\":false,\"code\":\"" + escapeJsonString(code) + "\","
+                          "\"message\":\"" + msg + "\"}";
+              }
             }
             emitWebviewEvent(view_id, "evaluate-result", payload);
             return S_OK;
@@ -299,6 +378,221 @@ BUNITE_EXPORT void bunite_view_reload(uint32_t view_id) {
 
 BUNITE_EXPORT void bunite_view_remove(uint32_t view_id) { destroyView(view_id); }
 
+// Input dispatch — CDP via CallDevToolsProtocolMethod (Playwright pattern).
+// MouseEvent.isTrusted is false (CDP-synthesized); capability honest.
+namespace {
+
+const char* cdpMouseButton(int32_t b) {
+  switch (b) { case 1: return "middle"; case 2: return "right"; default: return "left"; }
+}
+
+void cdpCall(ViewHost* v, const wchar_t* method, const std::string& json) {
+  if (!v || !v->webview) return;
+  v->webview->CallDevToolsProtocolMethod(
+      method, utf8ToWide(json).c_str(), nullptr);
+}
+
+}  // namespace
+
+BUNITE_EXPORT void bunite_view_click(uint32_t view_id, double x, double y,
+                                      int32_t button, int32_t click_count, uint32_t modifiers) {
+  ViewHost* v = getView(view_id);
+  if (!v) return;
+  if (click_count < 1) click_count = 1;
+  // Multi-click → repeated pairs with increasing clickCount so the page sees
+  // a dblclick (Playwright convention).
+  for (int i = 1; i <= click_count; ++i) {
+    std::string base = "\"x\":" + std::to_string(x) + ",\"y\":" + std::to_string(y) +
+                       ",\"button\":\"" + cdpMouseButton(button) + "\","
+                       "\"clickCount\":" + std::to_string(i) +
+                       ",\"modifiers\":" + std::to_string(modifiers);
+    cdpCall(v, L"Input.dispatchMouseEvent", "{\"type\":\"mousePressed\"," + base + "}");
+    cdpCall(v, L"Input.dispatchMouseEvent", "{\"type\":\"mouseReleased\"," + base + "}");
+  }
+}
+
+BUNITE_EXPORT void bunite_view_type(uint32_t view_id, const char* text) {
+  ViewHost* v = getView(view_id);
+  if (!v || !text) return;
+  std::string json = "{\"text\":\"" + escapeJsonString(text) + "\"}";
+  cdpCall(v, L"Input.insertText", json);
+}
+
+BUNITE_EXPORT void bunite_view_press(uint32_t view_id, int32_t windows_vk_code,
+                                      int32_t /*mac_key_code*/, const char* key, const char* code,
+                                      const char* character, uint32_t modifiers,
+                                      int32_t action, bool /*extended*/, int32_t location) {
+  ViewHost* v = getView(view_id);
+  if (!v) return;
+  std::string char_str = character ? character : "";
+  std::string key_str = key ? key : "";
+  std::string code_str = code ? code : "";
+
+  auto buildPart = [&](const char* type, bool include_text) {
+    std::string out = "{\"type\":\"";
+    out += type;
+    out += "\",\"modifiers\":" + std::to_string(modifiers);
+    if (windows_vk_code != 0) out += ",\"windowsVirtualKeyCode\":" + std::to_string(windows_vk_code);
+    if (!key_str.empty())  out += ",\"key\":\""  + escapeJsonString(key_str)  + "\"";
+    if (!code_str.empty()) out += ",\"code\":\"" + escapeJsonString(code_str) + "\"";
+    // CDP `location`: 0 standard, 1 left mod, 2 right mod, 3 numpad.
+    if (location > 0) out += ",\"location\":" + std::to_string(location);
+    if (include_text && !char_str.empty())
+      out += ",\"text\":\"" + escapeJsonString(char_str) + "\"";
+    out += "}";
+    return out;
+  };
+
+  // Playwright convention: CHAR `text` rides with keyDown for printable keys.
+  if (action != 1) cdpCall(v, L"Input.dispatchKeyEvent", buildPart("keyDown", /*include_text=*/true));
+  if (action != 0) cdpCall(v, L"Input.dispatchKeyEvent", buildPart("keyUp",   /*include_text=*/false));
+}
+
+}  // extern "C" — temporarily exit so C++ helpers below can return std::string.
+
+namespace {
+
+// Win CryptoAPI base64 — `bytes` → printable string (no line breaks).
+std::string base64Encode(const BYTE* bytes, DWORD len) {
+  DWORD out_len = 0;
+  if (!CryptBinaryToStringA(bytes, len, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, nullptr, &out_len)) return {};
+  std::string out(out_len, '\0');
+  if (!CryptBinaryToStringA(bytes, len, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, out.data(), &out_len)) return {};
+  out.resize(out_len);  // CryptBinaryToString writes including trailing null on some configs; trim.
+  while (!out.empty() && out.back() == '\0') out.pop_back();
+  return out;
+}
+
+void emitScreenshotError(uint32_t view_id, uint32_t request_id, const char* code, const std::string& message) {
+  std::string payload = "{\"requestId\":" + std::to_string(request_id) +
+                        ",\"ok\":false,\"code\":\"" + code + "\","
+                        "\"message\":\"" + escapeJsonString(message) + "\"}";
+  emitWebviewEvent(view_id, "screenshot-result", payload);
+}
+
+}  // namespace
+
+extern "C" {
+
+BUNITE_EXPORT uint32_t bunite_view_capabilities(uint32_t view_id) {
+  // WebView2 — CDP input path. Empirically dispatchMouseEvent /
+  // dispatchKeyEvent / insertText produce events with `isTrusted=true` on
+  // the page (Edge runtime injects below DevTools surface; differs from
+  // browser-process CDP where isTrusted=false).
+  ViewHost* v = getView(view_id);
+  if (!v) return 0;
+  return BUNITE_CAP_EVALUATE | BUNITE_CAP_SURFACE_EVENTS |
+         BUNITE_CAP_NATIVE_INPUT_TRUSTED |
+         BUNITE_CAP_CLICK | BUNITE_CAP_TYPE | BUNITE_CAP_PRESS | BUNITE_CAP_SCROLL |
+         BUNITE_CAP_MOUSE | BUNITE_CAP_DIALOGS | BUNITE_CAP_CONSOLE |
+         BUNITE_CAP_SCREENSHOT | BUNITE_CAP_FORMAT_PNG | BUNITE_CAP_FORMAT_JPEG;
+}
+
+BUNITE_EXPORT void bunite_view_screenshot(uint32_t view_id, uint32_t request_id,
+                                            const char* format, int32_t /*quality*/) {
+  ViewHost* v = getView(view_id);
+  if (!v || !v->webview) {
+    emitScreenshotError(view_id, request_id, "not_supported", "view not ready");
+    return;
+  }
+  std::string fmt = format ? format : "png";
+  COREWEBVIEW2_CAPTURE_PREVIEW_IMAGE_FORMAT cwv_fmt;
+  std::string mime;
+  if (fmt == "jpeg" || fmt == "jpg") {
+    cwv_fmt = COREWEBVIEW2_CAPTURE_PREVIEW_IMAGE_FORMAT_JPEG;
+    fmt = "jpeg"; mime = "image/jpeg";
+  } else {
+    cwv_fmt = COREWEBVIEW2_CAPTURE_PREVIEW_IMAGE_FORMAT_PNG;
+    fmt = "png"; mime = "image/png";
+  }
+  ComPtr<IStream> stream;
+  HRESULT hr = CreateStreamOnHGlobal(nullptr, TRUE, &stream);
+  if (FAILED(hr) || !stream) {
+    emitScreenshotError(view_id, request_id, "runtime_error", "CreateStreamOnHGlobal failed");
+    return;
+  }
+  auto lifetime = g_runtime.lifetime;
+  v->webview->CapturePreview(
+      cwv_fmt, stream.Get(),
+      Microsoft::WRL::Callback<ICoreWebView2CapturePreviewCompletedHandler>(
+          [lifetime, view_id, request_id, fmt, mime, stream](HRESULT hr2) -> HRESULT {
+            if (!lifetime || !lifetime->alive.load()) return S_OK;
+            if (FAILED(hr2)) {
+              emitScreenshotError(view_id, request_id, "runtime_error", "CapturePreview failed");
+              return S_OK;
+            }
+            HGLOBAL hg = nullptr;
+            if (FAILED(GetHGlobalFromStream(stream.Get(), &hg)) || !hg) {
+              emitScreenshotError(view_id, request_id, "runtime_error", "GetHGlobalFromStream failed");
+              return S_OK;
+            }
+            const SIZE_T size = GlobalSize(hg);
+            void* ptr = GlobalLock(hg);
+            std::string b64 = ptr ? base64Encode(static_cast<const BYTE*>(ptr), static_cast<DWORD>(size)) : std::string{};
+            if (ptr) GlobalUnlock(hg);
+            if (b64.empty()) {
+              emitScreenshotError(view_id, request_id, "runtime_error", "base64 encode failed");
+              return S_OK;
+            }
+            std::string payload = "{\"requestId\":" + std::to_string(request_id) +
+                                  ",\"ok\":true,\"format\":\"" + fmt +
+                                  "\",\"mime\":\"" + mime +
+                                  "\",\"dataBase64\":\"" + b64 + "\"}";
+            emitWebviewEvent(view_id, "screenshot-result", payload);
+            return S_OK;
+          }).Get());
+}
+
+BUNITE_EXPORT void bunite_view_scroll(uint32_t view_id, double dx, double dy,
+                                       double x, double y, uint32_t modifiers) {
+  ViewHost* v = getView(view_id);
+  if (!v) return;
+  std::string json = "{\"type\":\"mouseWheel\",\"x\":" + std::to_string(x) +
+                     ",\"y\":" + std::to_string(y) +
+                     ",\"deltaX\":" + std::to_string(dx) +
+                     ",\"deltaY\":" + std::to_string(dy) +
+                     ",\"modifiers\":" + std::to_string(modifiers) + "}";
+  cdpCall(v, L"Input.dispatchMouseEvent", json);
+}
+
+BUNITE_EXPORT void bunite_view_mouse(uint32_t view_id, int32_t action,
+                                      double x, double y, int32_t button,
+                                      uint32_t modifiers) {
+  ViewHost* v = getView(view_id);
+  if (!v) return;
+  // CDP mouseMoved / mousePressed / mouseReleased. WV2 produces isTrusted=true
+  // on the page for these (Edge runtime injects below DevTools surface).
+  const char* type = (action == 0) ? "mouseMoved"
+                   : (action == 1) ? "mousePressed" : "mouseReleased";
+  std::string json = "{\"type\":\"" + std::string(type) +
+                     "\",\"x\":" + std::to_string(x) +
+                     ",\"y\":" + std::to_string(y) +
+                     ",\"modifiers\":" + std::to_string(modifiers);
+  if (action != 0) {
+    const char* btn = (button == 2) ? "right" : (button == 1) ? "middle" : "left";
+    json += ",\"button\":\"" + std::string(btn) + "\",\"clickCount\":1";
+  }
+  json += "}";
+  cdpCall(v, L"Input.dispatchMouseEvent", json);
+}
+
+BUNITE_EXPORT void bunite_view_respond_dialog(uint32_t view_id, uint32_t request_id,
+                                               bool accept, const char* text) {
+  ViewHost* v = getView(view_id);
+  if (!v) return;
+  auto it = v->pending_dialogs.find(request_id);
+  if (it == v->pending_dialogs.end()) return;
+  ViewHost::PendingDialog entry = std::move(it->second);
+  v->pending_dialogs.erase(it);
+  if (entry.args && accept) {
+    // prompt: feed user text. WV2 ignores put_ResultText for non-prompt kinds.
+    if (text && *text) entry.args->put_ResultText(utf8ToWide(text).c_str());
+    entry.args->Accept();
+  }
+  // accept=false → no Accept() call → WV2 treats as dismiss (default behavior).
+  if (entry.deferral) entry.deferral->Complete();
+}
+
 BUNITE_EXPORT void bunite_view_open_devtools(uint32_t view_id) {
   ViewHost* v = getView(view_id);
   if (v && v->webview) v->webview->OpenDevToolsWindow();

package/src/native/win-webview2/webview2_internal.h

@@ -17,6 +17,7 @@
 #include <fstream>
 #include <functional>
 #include <map>
+#include <unordered_map>
 #include <memory>
 #include <mutex>
 #include <optional>
@@ -86,6 +87,15 @@ struct ViewHost {
 
   std::atomic<bool> ready{false};
   std::atomic<bool> closing{false};
+
+  // Pending page-initiated dialogs (alert/confirm/prompt/beforeunload).
+  // ScriptDialogOpening hands us a `Deferral` we Complete() on host response.
+  struct PendingDialog {
+    ComPtr<ICoreWebView2ScriptDialogOpeningEventArgs> args;
+    ComPtr<ICoreWebView2Deferral> deferral;
+  };
+  std::unordered_map<uint32_t, PendingDialog> pending_dialogs;
+  uint32_t next_dialog_request_id = 1;
 };
 
 struct WindowHost {
@@ -205,6 +215,7 @@ std::wstring exeDir();
 uint32_t permissionKindToBuniteBit(COREWEBVIEW2_PERMISSION_KIND kind);
 COREWEBVIEW2_PERMISSION_STATE buniteStateToWebView2(uint32_t state);
 
+bool shouldAlwaysAllowNavigationUrl(const std::string& url);
 bool shouldAllowNavigation(const ViewHost* view, const std::string& url);
 
 }  // namespace bunite_webview2

package/src/native/win-webview2/webview2_runtime.cpp

@@ -1,6 +1,7 @@
 #include "webview2_internal.h"
 
 #include <algorithm>
+#include <unordered_map>
 
 using Microsoft::WRL::Callback;
 using Microsoft::WRL::ComPtr;
@@ -10,6 +11,14 @@ namespace bunite_webview2 {
 
 RuntimeState g_runtime;
 
+// Pending nav URI by (view_id, nav_id) — NavigationCompleted's get_Source()
+// returns the previous committed URL on provisional failure, so we stash the
+// URI at NavigationStarting and look it up on completion.
+static std::unordered_map<uint64_t, std::string> g_nav_uris;
+static uint64_t navKey(uint32_t view_id, uint64_t nav_id) {
+  return (static_cast<uint64_t>(view_id) << 56) ^ nav_id;
+}
+
 static HINSTANCE g_module = nullptr;
 static bool g_co_initialized = false;
 
@@ -121,7 +130,19 @@ bool registerWindowClasses() {
                                               0, 0, 0, 0, 0,
                                               HWND_MESSAGE, nullptr,
                                               getCurrentModuleHandle(), nullptr);
-  return g_runtime.message_window != nullptr;
+  if (!g_runtime.message_window) return false;
+
+  // `bun run` passes STARTF_USESHOWWINDOW + SW_HIDE; Win documented behavior
+  // is for the first ShowWindow call to use STARTUPINFO.wShowWindow instead
+  // of the requested nCmdShow. Consume it here on the message window so the
+  // first user-visible window's ShowWindow honors its argument.
+  STARTUPINFOW si{};
+  si.cb = sizeof(si);
+  GetStartupInfoW(&si);
+  if ((si.dwFlags & STARTF_USESHOWWINDOW) && si.wShowWindow == SW_HIDE) {
+    ShowWindow(g_runtime.message_window, SW_HIDE);
+  }
+  return true;
 }
 
 // ---- environment bootstrap -----------------------------------------------
@@ -282,6 +303,19 @@ LRESULT CALLBACK messageProc(HWND hwnd, UINT msg, WPARAM wp, LPARAM lp) {
 
 // ---- init / shutdown ----------------------------------------------------
 
+// KILL_ON_JOB_CLOSE — Edge helpers die with bun.exe instead of holding the
+// UDF SingletonLock. Handle leaked intentionally (kernel closes on exit).
+static void reapChildrenOnExit() {
+  HANDLE job = CreateJobObjectW(nullptr, nullptr);
+  if (!job) return;
+  JOBOBJECT_EXTENDED_LIMIT_INFORMATION info{};
+  info.BasicLimitInformation.LimitFlags = JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
+  if (!SetInformationJobObject(job, JobObjectExtendedLimitInformation, &info, sizeof(info)) ||
+      !AssignProcessToJobObject(job, GetCurrentProcess())) {
+    CloseHandle(job);  // already in a non-nestable job, etc — give up.
+  }
+}
+
 bool initRuntime(const char* engine_dir, bool /*hide_console*/,
                  bool popup_blocking, const char* engine_config_json) {
   buniteApplyEnvLogLevel();
@@ -289,6 +323,8 @@ bool initRuntime(const char* engine_dir, bool /*hide_console*/,
               (engine_dir && *engine_dir) ? engine_dir : "(null)");
   if (g_runtime.initialized.load()) return true;
 
+  reapChildrenOnExit();
+
   HRESULT co = CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
   if (SUCCEEDED(co)) g_co_initialized = true;
   else if (co != RPC_E_CHANGED_MODE) {
@@ -766,9 +802,13 @@ static void attachControllerCallbacks(ViewHost* view) {
   if (!view->webview) return;
   auto lifetime = g_runtime.lifetime;
   uint32_t view_id = view->id;
+  // Token reuse OK — controller->Close() releases all add_* handlers.
   EventRegistrationToken tok;
 
-  // NavigationStarting — enforce navigation rules, emit "will-navigate" event.
+  // NavigationStarting — emit "will-navigate" (parity with CEF/mac/linux,
+  // which fire regardless of allow), then cancel if nav rules say block.
+  // Also emit "load-start" for the surfaceEvents stream + stash URI for
+  // NavigationCompleted lookup (failure case: get_Source() returns prior URL).
   view->webview->add_NavigationStarting(
       Callback<ICoreWebView2NavigationStartingEventHandler>(
           [lifetime, view_id](ICoreWebView2*, ICoreWebView2NavigationStartingEventArgs* args) -> HRESULT {
@@ -779,34 +819,110 @@ static void attachControllerCallbacks(ViewHost* view) {
             args->get_Uri(&uri_raw);
             std::string url = wideToUtf8(uri_raw);
             if (uri_raw) CoTaskMemFree(uri_raw);
+            emitWebviewEvent(v->id, "will-navigate", url);
             if (!shouldAllowNavigation(v, url)) {
               args->put_Cancel(TRUE);
               return S_OK;
             }
-            emitWebviewEvent(v->id, "will-navigate", url);
+            UINT64 nav_id = 0;
+            args->get_NavigationId(&nav_id);
+            g_nav_uris[navKey(view_id, nav_id)] = url;
+            emitWebviewEvent(v->id, "load-start", url);
             return S_OK;
           }).Get(),
       &tok);
 
-  // NavigationCompleted — surfaced as did-navigate + dom-ready (CEF parity).
-  view->webview->add_NavigationCompleted(
-      Callback<ICoreWebView2NavigationCompletedEventHandler>(
-          [lifetime, view_id](ICoreWebView2* wv, ICoreWebView2NavigationCompletedEventArgs* args) -> HRESULT {
+  // SourceChanged — URL commit point; map to did-navigate (surfaceEvents
+  // `navigate` arm). Distinct from NavigationCompleted which fires later.
+  view->webview->add_SourceChanged(
+      Callback<ICoreWebView2SourceChangedEventHandler>(
+          [lifetime, view_id](ICoreWebView2* wv, ICoreWebView2SourceChangedEventArgs*) -> HRESULT {
             if (!lifetime || !lifetime->alive.load()) return S_OK;
-            BOOL ok = FALSE;
-            args->get_IsSuccess(&ok);
-            if (!ok) return S_OK;
             LPWSTR src_raw = nullptr;
             if (wv) wv->get_Source(&src_raw);
             std::string url = wideToUtf8(src_raw);
             if (src_raw) CoTaskMemFree(src_raw);
             emitWebviewEvent(view_id, "did-navigate", url);
-            emitWebviewEvent(view_id, "dom-ready", url);
             return S_OK;
           }).Get(),
       &tok);
 
-  // DocumentTitleChanged — surface for automation `titleChanged` stream.
+  // NavigationCompleted — load lifecycle terminator. Success → load-finish
+  // + dom-ready; failure → load-fail with WebErrorStatus as reason. Use the
+  // URI we stashed at NavigationStarting — get_Source() returns the prior
+  // committed URL on provisional-navigation failure.
+  view->webview->add_NavigationCompleted(
+      Callback<ICoreWebView2NavigationCompletedEventHandler>(
+          [lifetime, view_id](ICoreWebView2* wv, ICoreWebView2NavigationCompletedEventArgs* args) -> HRESULT {
+            if (!lifetime || !lifetime->alive.load()) return S_OK;
+            BOOL ok = FALSE;
+            args->get_IsSuccess(&ok);
+            UINT64 nav_id = 0;
+            args->get_NavigationId(&nav_id);
+            std::string url;
+            auto it = g_nav_uris.find(navKey(view_id, nav_id));
+            if (it != g_nav_uris.end()) {
+              url = std::move(it->second);
+              g_nav_uris.erase(it);
+            } else {
+              LPWSTR src_raw = nullptr;
+              if (wv) wv->get_Source(&src_raw);
+              url = wideToUtf8(src_raw);
+              if (src_raw) CoTaskMemFree(src_raw);
+            }
+            if (ok) {
+              emitWebviewEvent(view_id, "load-finish", url);
+              emitWebviewEvent(view_id, "dom-ready", url);
+            } else {
+              COREWEBVIEW2_WEB_ERROR_STATUS status = COREWEBVIEW2_WEB_ERROR_STATUS_UNKNOWN;
+              args->get_WebErrorStatus(&status);
+              std::string payload = "{\"url\":\"" + escapeJsonString(url) +
+                                    "\",\"reason\":\"WebErrorStatus_" + std::to_string(static_cast<int>(status)) + "\"}";
+              emitWebviewEvent(view_id, "load-fail", payload);
+            }
+            return S_OK;
+          }).Get(),
+      &tok);
+
+  // ScriptDialogOpening — alert / confirm / prompt / beforeunload. Defer the
+  // event so host can decide via `respondToDialog`.
+  view->webview->add_ScriptDialogOpening(
+      Callback<ICoreWebView2ScriptDialogOpeningEventHandler>(
+          [lifetime, view_id](ICoreWebView2*, ICoreWebView2ScriptDialogOpeningEventArgs* args) -> HRESULT {
+            if (!lifetime || !lifetime->alive.load()) return S_OK;
+            ViewHost* v = getView(view_id);
+            if (!v) return S_OK;
+            ComPtr<ICoreWebView2Deferral> deferral;
+            args->GetDeferral(&deferral);
+            COREWEBVIEW2_SCRIPT_DIALOG_KIND kind = COREWEBVIEW2_SCRIPT_DIALOG_KIND_ALERT;
+            args->get_Kind(&kind);
+            LPWSTR msg_raw = nullptr;
+            args->get_Message(&msg_raw);
+            std::string message = wideToUtf8(msg_raw);
+            if (msg_raw) CoTaskMemFree(msg_raw);
+            LPWSTR def_raw = nullptr;
+            args->get_DefaultText(&def_raw);
+            std::string default_prompt = wideToUtf8(def_raw);
+            if (def_raw) CoTaskMemFree(def_raw);
+            const char* kind_str = (kind == COREWEBVIEW2_SCRIPT_DIALOG_KIND_CONFIRM) ? "confirm"
+                                 : (kind == COREWEBVIEW2_SCRIPT_DIALOG_KIND_PROMPT) ? "prompt"
+                                 : (kind == COREWEBVIEW2_SCRIPT_DIALOG_KIND_BEFOREUNLOAD) ? "beforeunload"
+                                 : "alert";
+            const uint32_t rid = v->next_dialog_request_id++;
+            v->pending_dialogs[rid] = ViewHost::PendingDialog{ args, std::move(deferral) };
+            std::string payload = "{\"requestId\":" + std::to_string(rid) +
+                                  ",\"kind\":\"" + kind_str +
+                                  "\",\"message\":\"" + escapeJsonString(message) + "\"";
+            if (kind == COREWEBVIEW2_SCRIPT_DIALOG_KIND_PROMPT) {
+              payload += ",\"defaultPrompt\":\"" + escapeJsonString(default_prompt) + "\"";
+            }
+            payload += "}";
+            emitWebviewEvent(view_id, "dialog", payload);
+            return S_OK;
+          }).Get(),
+      &tok);
+
+  // DocumentTitleChanged — surface for automation surfaceEvents title-change arm.
   view->webview->add_DocumentTitleChanged(
       Callback<ICoreWebView2DocumentTitleChangedEventHandler>(
           [lifetime, view_id](ICoreWebView2* wv, IUnknown*) -> HRESULT {

package/src/native/win-webview2/webview2_utils.cpp

@@ -50,14 +50,14 @@ std::string escapeJsonString(const std::string& s) {
   return out;
 }
 
+// Wildcard semantics shared with CEF/mac/linux backends: `*` only (no `?`),
+// locale-respecting std::tolower. Keeping the 4 impls in lockstep is the rule.
 bool globMatchCaseInsensitive(const std::string& pattern, const std::string& value) {
-  auto lower = [](char c) -> char {
-    return (c >= 'A' && c <= 'Z') ? static_cast<char>(c + 32) : c;
-  };
   size_t pi = 0, vi = 0, star = std::string::npos, match = 0;
   while (vi < value.size()) {
-    if (pi < pattern.size() && (pattern[pi] == '?' ||
-                                lower(pattern[pi]) == lower(value[vi]))) {
+    if (pi < pattern.size() &&
+        std::tolower(static_cast<unsigned char>(pattern[pi])) ==
+          std::tolower(static_cast<unsigned char>(value[vi]))) {
       pi++; vi++;
     } else if (pi < pattern.size() && pattern[pi] == '*') {
       star = pi++; match = vi;
@@ -201,6 +201,10 @@ std::wstring exeDir() {
 }
 
 std::string defaultUserDataFolder() {
+  // Per-app via BUNITE_USER_DATA_DIR — shared path is a SingletonLock.
+  if (const char* env = std::getenv("BUNITE_USER_DATA_DIR"); env && *env) {
+    return std::string(env) + "\\WebView2";
+  }
   wchar_t* base = nullptr;
   if (SHGetKnownFolderPath(FOLDERID_LocalAppData, 0, nullptr, &base) != S_OK || !base) {
     if (base) CoTaskMemFree(base);
@@ -232,15 +236,29 @@ COREWEBVIEW2_PERMISSION_STATE buniteStateToWebView2(uint32_t state) {
   }
 }
 
+// Whitelist must be exact-match — prefix would let `../../evil` style paths
+// bypass nav-rule scrutiny (the appres scheme handler still blocks file
+// access, but the navigation decision itself should be honest).
+bool shouldAlwaysAllowNavigationUrl(const std::string& url) {
+  return url == "about:blank" ||
+         url == "appres://app.internal/internal/index.html";
+}
+
+// Same semantics as CEF / mac / linux: `^` prefix = block, last-match-wins,
+// default-allow. The shared shouldAlwaysAllowNavigationUrl whitelist guards
+// about:blank + appres internal routes from being denied by user rules.
 bool shouldAllowNavigation(const ViewHost* view, const std::string& url) {
-  if (!view || view->navigation_rules.empty()) return true;
-  for (const auto& rule : view->navigation_rules) {
-    if (rule.empty()) continue;
-    bool allow = (rule[0] != '!');
-    const std::string& pat = allow ? rule : rule.substr(1);
-    if (globMatchCaseInsensitive(pat, url)) return allow;
+  if (!view || shouldAlwaysAllowNavigationUrl(url) || view->navigation_rules.empty()) {
+    return true;
+  }
+  bool allowed = true;
+  for (const auto& raw : view->navigation_rules) {
+    const bool block = !raw.empty() && raw.front() == '^';
+    const std::string pattern = block ? raw.substr(1) : raw;
+    if (pattern.empty()) continue;
+    if (globMatchCaseInsensitive(pattern, url)) allowed = !block;
   }
-  return true;
+  return allowed;
 }
 
 }  // namespace bunite_webview2