chromeflow 0.10.25 → 0.12.0

package/bin/chromeflow.mjs

@@ -24670,7 +24670,8 @@ var WsBridge = class {
           return;
         }
         if (msg.type === "ready") {
-          console.error("[chromeflow] Extension ready");
+          const token = typeof msg.token === "string" ? msg.token : void 0;
+          console.error(`[chromeflow] Extension ready${token ? " (token presented)" : ""}`);
           const cwd = process.cwd();
           const host = process.env.CHROMEFLOW_HOST ?? (process.env.CLAUDE_PLUGIN_ROOT ? "claude" : void 0);
           ws.send(JSON.stringify({
@@ -24759,6 +24760,10 @@ var WsBridge = class {
 import { homedir } from "node:os";
 import { join, dirname } from "node:path";
 import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync } from "node:fs";
+var PROMOTE_AT_SUCCESS = 2;
+var PRUNE_AT_FAILS = 2;
+var PROVISIONAL_TTL_MS = 30 * 24 * 60 * 60 * 1e3;
+var ATOM_KEYS = ["tool", "target", "selector", "recovered_via", "signal", "fragile", "reason"];
 function originKey(url) {
   if (!url) return void 0;
   try {
@@ -24771,20 +24776,47 @@ function originKey(url) {
   }
 }
 var FRAGILE_RE = /:nth-(of-type|child)\(|>\s*\w+:nth/;
+function signatureOf(steps) {
+  return JSON.stringify(steps.map((a) => [a.tool, a.target, a.selector ?? ""]));
+}
+function sanitizeAtom(a) {
+  const out = {};
+  for (const k of ATOM_KEYS) {
+    if (a[k] !== void 0) out[k] = a[k];
+  }
+  return out;
+}
+function autoLabel(k, steps) {
+  const tools = [...new Set(steps.map((s) => s.tool.replace("_element", "")))].join("+");
+  let path2 = "/";
+  try {
+    path2 = new URL(k).pathname || "/";
+  } catch {
+  }
+  return `auto: ${tools} @ ${path2}`;
+}
 var FlowStore = class {
   path;
   data;
   version;
+  now;
   // In-memory, per-session state (never persisted):
   buffer = /* @__PURE__ */ new Map();
   // notable atoms not yet committed, by origin
   surfaced = /* @__PURE__ */ new Set();
   // origins whose recall hint already fired this session
+  recalled = /* @__PURE__ */ new Set();
+  // origins whose trusted flow was actually shown this session
   lastOrigin;
-  constructor(version2, baseDir) {
+  constructor(version2, baseDir, now = Date.now) {
     this.version = version2;
+    this.now = now;
     this.path = join(baseDir ?? join(homedir(), ".chromeflow"), "flows.json");
     this.data = this.load();
+    this.pruneExpired();
+  }
+  nowIso() {
+    return new Date(this.now()).toISOString();
   }
   load() {
     try {
@@ -24809,10 +24841,36 @@ var FlowStore = class {
     } catch {
     }
   }
-  /** Update the "current origin" from any URL chromeflow observed. */
+  /** Drop expired provisional flows and any flow already past the fail ceiling. */
+  pruneExpired() {
+    const cutoff = this.now() - PROVISIONAL_TTL_MS;
+    let changed = false;
+    for (const [k, flows] of Object.entries(this.data.origins)) {
+      const kept = flows.filter((f) => {
+        if (f.fail_count >= PRUNE_AT_FAILS) return false;
+        if (f.tier === "provisional" && Date.parse(f.last_verified) < cutoff) return false;
+        return true;
+      });
+      if (kept.length !== flows.length) {
+        changed = true;
+        if (kept.length === 0) delete this.data.origins[k];
+        else this.data.origins[k] = kept;
+      }
+    }
+    if (changed) this.persist();
+  }
+  /**
+   * Update the "current origin". Crossing to a DIFFERENT origin first autosaves
+   * the origin we are leaving — that boundary is our best server-side proxy for
+   * "a task on that site just finished".
+   */
   noteUrl(url) {
     const k = originKey(url);
-    if (k) this.lastOrigin = k;
+    if (!k) return;
+    if (this.lastOrigin && this.lastOrigin !== k && (this.buffer.get(this.lastOrigin)?.length ?? 0) > 0) {
+      this.autoCommit(this.lastOrigin);
+    }
+    this.lastOrigin = k;
   }
   /** Buffer a notable atom against an origin (defaults to last-seen origin). */
   observe(atom, url) {
@@ -24822,16 +24880,66 @@ var FlowStore = class {
     const list = this.buffer.get(k) ?? [];
     const sig = `${atom.tool}|${atom.target}|${atom.selector ?? ""}`;
     if (list.some((a) => `${a.tool}|${a.target}|${a.selector ?? ""}` === sig)) return;
-    list.push(atom);
+    list.push(sanitizeAtom(atom));
     this.buffer.set(k, list);
   }
-  /** Compact recall hint for an origin, at most once per origin per session. */
+  /** Autosave a single origin's buffer as a provisional flow (or promote a match). */
+  autoCommit(k) {
+    const buf = this.buffer.get(k);
+    if (!buf || buf.length === 0) return;
+    this.buffer.delete(k);
+    this.upsert(k, buf, null);
+    this.pruneExpired();
+    this.persist();
+  }
+  /** Flush every buffered origin. Call on shutdown and for single-origin sessions. */
+  flushAll() {
+    for (const k of [...this.buffer.keys()]) this.autoCommit(k);
+  }
+  /**
+   * Insert or reinforce a flow for an origin.
+   * label === null  → autosave: create provisional, or bump+maybe-promote a match.
+   * label is string → manual save_flow: create trusted, or promote+relabel a match.
+   */
+  upsert(k, steps, label) {
+    const now = this.nowIso();
+    const sig = signatureOf(steps);
+    const flows = this.data.origins[k] ?? [];
+    const existing = flows.find((f) => signatureOf(f.steps) === sig);
+    if (existing) {
+      existing.success_count += 1;
+      existing.last_verified = now;
+      existing.chromeflow_version = this.version;
+      if (label !== null) {
+        existing.tier = "trusted";
+        existing.task_label = label;
+      } else if (existing.success_count >= PROMOTE_AT_SUCCESS) {
+        existing.tier = "trusted";
+      }
+    } else {
+      flows.push({
+        id: `${k}#${flows.length + 1}`,
+        task_label: label ?? autoLabel(k, steps),
+        steps,
+        tier: label !== null ? "trusted" : "provisional",
+        created_at: now,
+        last_verified: now,
+        success_count: 1,
+        fail_count: 0,
+        chromeflow_version: this.version
+      });
+    }
+    this.data.origins[k] = flows;
+    return { saved: steps.length };
+  }
+  /** Compact recall hint for an origin (TRUSTED flows only), at most once per origin per session. */
   recallHint(url) {
     const k = originKey(url);
     if (!k || this.surfaced.has(k)) return "";
-    const flows = this.data.origins[k];
-    if (!flows || flows.length === 0) return "";
+    const flows = (this.data.origins[k] ?? []).filter((f) => f.tier === "trusted");
+    if (flows.length === 0) return "";
     this.surfaced.add(k);
+    this.recalled.add(k);
     const best = [...flows].sort((a, b) => b.success_count - a.success_count).slice(0, 3);
     const lines = best.map((f) => {
       const steps = f.steps.map((s, i) => {
@@ -24849,7 +24957,31 @@ ${steps}`;
 \u2139 known_flow for ${k} \u2014 prefer these proven steps over rediscovery (verify each as usual):
 ${lines.join("\n")}`;
   }
-  /** Nudge to save buffered hard-won steps, when there are uncommitted ones. */
+  /**
+   * A recalled trusted step failed on replay. Raise its fail_count; drop the flow
+   * once it crosses PRUNE_AT_FAILS. Gated on the flow having actually been recalled
+   * this session, so an unrelated failure can't ding a flow the agent never used.
+   */
+  observeFailure(url, selectorOrText) {
+    const k = originKey(url) ?? this.lastOrigin;
+    if (!k || !selectorOrText || !this.recalled.has(k)) return;
+    const flows = this.data.origins[k];
+    if (!flows) return;
+    let changed = false;
+    for (const f of flows) {
+      if (f.tier !== "trusted") continue;
+      const hit = f.steps.some((s) => s.selector === selectorOrText || s.target === selectorOrText || s.target === `selector=${selectorOrText}`);
+      if (hit) {
+        f.fail_count += 1;
+        changed = true;
+      }
+    }
+    if (changed) {
+      this.pruneExpired();
+      this.persist();
+    }
+  }
+  /** Nudge to save buffered hard-won steps — kept as the manual instant-vouch path. */
   capturableHint(url) {
     const k = originKey(url) ?? this.lastOrigin;
     if (!k) return "";
@@ -24858,9 +24990,9 @@ ${lines.join("\n")}`;
     const reasons = [...new Set(buf.map((a) => a.reason))].slice(0, 2).join("; ");
     return `
 
-\u2139 flow_capturable: ${buf.length} hard-won step(s) on ${k} not yet saved (${reasons}). Call save_flow("<task label>") to persist them so future runs skip the trial-and-error.`;
+\u2139 flow_capturable: ${buf.length} hard-won step(s) on ${k} buffered (${reasons}). They autosave on leaving the site; call save_flow("<task label>") to trust them immediately.`;
   }
-  /** Commit the buffered atoms for an origin as a named flow. */
+  /** Manual save_flow: commit the buffered atoms for an origin as a TRUSTED flow. */
   commit(taskLabel, url) {
     const k = originKey(url) ?? this.lastOrigin;
     if (!k) return { saved: 0, origin: null, message: "No origin known yet \u2014 navigate or interact with a page first." };
@@ -24868,30 +25000,16 @@ ${lines.join("\n")}`;
     if (buf.length === 0) {
       return { saved: 0, origin: k, message: `Nothing notable buffered for ${k}. Flows capture hard-won steps (a fallback fired, a verified submit, a field needing real keystrokes) \u2014 an ordinary first-try click isn't recorded.` };
     }
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const sig = JSON.stringify(buf.map((a) => [a.tool, a.target, a.selector ?? ""]));
-    const flows = this.data.origins[k] ?? [];
-    const existing = flows.find((f) => f.task_label === taskLabel && JSON.stringify(f.steps.map((a) => [a.tool, a.target, a.selector ?? ""])) === sig);
-    if (existing) {
-      existing.success_count += 1;
-      existing.last_verified = now;
-      existing.chromeflow_version = this.version;
-    } else {
-      flows.push({
-        id: `${k}#${flows.length + 1}`,
-        task_label: taskLabel,
-        steps: buf,
-        created_at: now,
-        last_verified: now,
-        success_count: 1,
-        fail_count: 0,
-        chromeflow_version: this.version
-      });
-    }
-    this.data.origins[k] = flows;
     this.buffer.delete(k);
+    const { saved } = this.upsert(k, buf, taskLabel);
+    this.pruneExpired();
     this.persist();
-    return { saved: buf.length, origin: k, message: `Saved flow "${taskLabel}" (${buf.length} steps) for ${k}.` };
+    return { saved, origin: k, message: `Saved flow "${taskLabel}" (${saved} steps) for ${k} \u2014 trusted.` };
+  }
+  /** Test-only accessor: the persisted flows for an origin. */
+  _flowsFor(url) {
+    const k = originKey(url) ?? url;
+    return this.data.origins[k] ?? [];
   }
 };
 function isFragileSelector(selector) {
@@ -25299,17 +25417,51 @@ ${lines.join("\n")}${r.warning ?? ""}${captchaLine}${oauthLine}` }] };
   );
   server.tool(
     "set_file_input",
-    "Upload a file to a file input \u2014 works even when the input is hidden behind a custom drag-and-drop zone. Returns success=true only after an observable commit (file count goes up, input gets reset, or verify_selector appears within wait_ms). See CLAUDE.md for batch-upload guidance.",
+    `Upload a file to a file input \u2014 works even when the input is hidden behind a custom drag-and-drop zone. Returns success=true only after an observable commit (file count goes up, input gets reset, or verify_selector appears within wait_ms). See CLAUDE.md for batch-upload guidance.
+
+Two ways to supply the file:
+- file_path (CDP mode): an absolute path on the machine running this server. Reaches both open AND closed shadow roots.
+- file_content + file_name (inline-content mode): base64 file bytes plus a filename, materialized into the input directly. Use this when the server has no local disk access (e.g. a remote endpoint that can't see your filesystem). Caveat: inline-content mode reaches OPEN shadow roots only \u2014 if the input lives in a closed shadow root, use file_path instead.
+
+Provide file_path OR file_content, not both.`,
     {
       hint: external_exports.string().describe("Label text, name, or surrounding text of the file input. Use empty string to target the first file input on the page."),
-      file_path: external_exports.string().describe("Absolute path to the file to upload (e.g. /Users/you/Downloads/task.zip)"),
+      file_path: external_exports.string().optional().describe("Absolute path to the file to upload (e.g. /Users/you/Downloads/task.zip). CDP mode \u2014 reaches closed shadow roots. Provide this OR file_content."),
+      file_content: external_exports.string().optional().describe("Base64-encoded file bytes (no data: prefix) for inline-content mode. Use when the server has no local disk access. Requires file_name. Reaches OPEN shadow roots only. Provide this OR file_path."),
+      file_name: external_exports.string().optional().describe('Filename to present to the page in inline-content mode (e.g. "report.pdf"). Required when file_content is set.'),
+      mime_type: external_exports.string().optional().describe('Optional MIME type for inline-content mode (e.g. "application/pdf"). Inferred from file_name when omitted.'),
       wait_ms: external_exports.number().int().min(0).optional().describe("How long to wait for an observable change after setting the file (default 3000). Increase for slow uploaders that take a moment to render thumbnails."),
       verify_selector: external_exports.string().optional().describe('Optional CSS selector that should appear after a successful upload (e.g. ".photo-thumbnail", "[data-uploaded=true]"). When matched, set_file_input returns success immediately.')
     },
-    async ({ hint, file_path, wait_ms, verify_selector }) => {
+    async ({ hint, file_path, file_content, file_name, mime_type, wait_ms, verify_selector }) => {
+      if (!file_path && !file_content) {
+        return {
+          content: [{ type: "text", text: "Failed to set file: provide either file_path or file_content." }]
+        };
+      }
+      if (file_path && file_content) {
+        return {
+          content: [{ type: "text", text: "Failed to set file: provide file_path OR file_content, not both." }]
+        };
+      }
+      if (file_content && !file_name) {
+        return {
+          content: [{ type: "text", text: "Failed to set file: file_content requires file_name." }]
+        };
+      }
       const wsTimeout = Math.max(3e4, (wait_ms ?? 3e3) + 1e4);
       const response = await bridge.request(
-        { type: "set_file_input", hint, filePath: file_path, waitMs: wait_ms, verifySelector: verify_selector },
+        {
+          type: "set_file_input",
+          hint,
+          // snake -> camel, mirroring the existing file_path -> filePath mapping.
+          filePath: file_path,
+          fileContent: file_content,
+          fileName: file_name,
+          mimeType: mime_type,
+          waitMs: wait_ms,
+          verifySelector: verify_selector
+        },
         wsTimeout
       );
       const r = response;
@@ -25327,7 +25479,7 @@ ${lines.join("\n")}${r.warning ?? ""}${captchaLine}${oauthLine}` }] };
 **Shadow-piercing helpers are pre-injected** into every script:
 - \`$deep(selector, root?)\` \u2014 querySelector that walks open shadow roots
 - \`$deepAll(selector, root?)\` \u2014 querySelectorAll equivalent, returns an array
-- \`shadowDocument\` \u2014 the open shadow root with the most interactive elements (buttons, inputs, links), or \`document\` if none. Useful when an SPA mounts ALL of its UI inside a single root shadow host (Outlier-style annotation dashboards): replace every \`document.querySelector*\` call with \`shadowDocument.querySelector*\` and the same code now reaches the SPA's content. On pages with multiple shadow roots (e.g. one for CSS theme vars, one for content), this picks the content root automatically.
+- \`shadowDocument\` \u2014 the open shadow root with the most interactive elements (buttons, inputs, links), or \`document\` if none. Useful when an SPA mounts ALL of its UI inside a single root shadow host (annotation-style dashboards that wrap the whole app in one web component): replace every \`document.querySelector*\` call with \`shadowDocument.querySelector*\` and the same code now reaches the SPA's content. On pages with multiple shadow roots (e.g. one for CSS theme vars, one for content), this picks the content root automatically.
 - \`shadowDocuments\` \u2014 array of ALL open shadow roots on the page (in DOM order). Use when you need to search across multiple shadow roots or when the automatic pick is wrong.
 
 The helpers pierce OPEN shadow roots only \u2014 MAIN world can't reach closed roots. For closed roots, use find_text / get_page_text / click_element / fill_input which pierce both kinds via chrome.dom.openOrClosedShadowRoot.
@@ -25843,7 +25995,7 @@ ANTI-BOT SUBMIT CEILING \u2014 synthetic clicks on social/auth platforms (Reddit
       try_fiber: external_exports.boolean().optional().describe(`Opt-in last-resort fallback when silently_rejected fires. After the activity probe reports zero activity, chromeflow walks the React fiber tree from the matched element (up to 12 levels), finds the nearest \`__reactProps$.onClick\` prop, and invokes it with a minimal synthetic event. Now shadow-DOM-aware: when the element is inside a shadow root, the fiber walk searches for React root containers inside that shadow root instead of walking the light DOM. Returns fiber_attempted=true in the response when the path was taken. Do NOT default to this; reserve for repeat silently_rejected on a known-safe React site.`),
       activity_timeout_ms: external_exports.number().int().min(500).optional().describe(`How long the activity probe watches for DOM mutations, focus changes, URL changes, or alert/toast/modal appearance after the click (default 1500ms). The probe returns early as soon as activity is detected, so the default adds only ~100ms on successful clicks. Increase to 2500-4000ms for buttons that trigger async API calls before producing visible DOM changes. The probe reports "silently_rejected" when zero activity is seen within this window; a higher value reduces false negatives but slows genuine rejection detection. For buttons where the click triggers a 3-5s API call with no immediate DOM change, use skip_activity_probe instead.`),
       skip_activity_probe: external_exports.boolean().optional().describe(`Skip the 1500ms activity probe AND all automatic fallbacks (tap gesture, pointer chain, DOM .click(), fiber walk) after the CDP click. The click is dispatched and success is returned immediately without verifying page activity. Use for buttons that trigger slow async API calls (3-5s+) before producing visible DOM changes, where the activity probe would falsely report "silently_rejected" and the fallback chain would double-fire. Verify state yourself via find_text or execute_script after an appropriate delay. NOTE: this is set IMPLICITLY when any until_* clause is passed, since the until-clause already provides verification. WARNING: no automatic silent-rejection detection when this is set without an until-clause.`),
-      via: external_exports.enum(["auto", "cdp", "fiber"]).optional().describe(`Click dispatch mode. "auto" (default): CDP click, then fiber fallback when try_fiber=true and the activity probe failed. "cdp": CDP click only, no fiber fallback ever. "fiber": skip the CDP bezier + activity probe entirely and invoke __reactProps$.onClick directly. Use "fiber" on React-heavy SPAs (Outlier-style dashboards) where you already know the site is fiber-only \u2014 cuts ~3 seconds of ceremony off the round trip. The fiber path is undocumented React internal access, prefer "auto" until you've confirmed the site needs it.`),
+      via: external_exports.enum(["auto", "cdp", "fiber"]).optional().describe(`Click dispatch mode. "auto" (default): CDP click, then fiber fallback when try_fiber=true and the activity probe failed. "cdp": CDP click only, no fiber fallback ever. "fiber": skip the CDP bezier + activity probe entirely and invoke __reactProps$.onClick directly. Use "fiber" on React-heavy SPAs (fiber-only annotation dashboards) where you already know the site is fiber-only \u2014 cuts ~3 seconds of ceremony off the round trip. The fiber path is undocumented React internal access, prefer "auto" until you've confirmed the site needs it.`),
       in_dialog: external_exports.boolean().optional().describe(`Scope candidate matches to the topmost open dialog (\`[role=dialog]\`, \`[role=alertdialog]\`, or \`<dialog open>\`), highest z-index wins. Use when Radix/Headless UI dialogs portal to document.body and a generic textHint like "Cancel" would otherwise match the wrong button. Returns scope_missed=true when no dialog is open.`),
       dialog_query: external_exports.string().optional().describe(`Scope candidate matches to a specific dialog by heading or aria-label substring. Use when multiple dialogs are open and in_dialog (topmost) would pick the wrong one \u2014 e.g. click_element("Confirm", dialog_query="Delete account"). Mutually exclusive with in_dialog; dialog_query wins when both are set.`),
       wait_until_enabled_ms: external_exports.number().int().min(0).optional().describe(`When the matched target is currently disabled (native disabled OR aria-disabled=true), poll for up to this many ms waiting for it to become enabled before clicking. Default 0 (do not wait \u2014 return target_disabled immediately). Use 2000-5000 for Submit-style buttons that briefly disable while an async copilot/validator/save is in flight. On timeout the response carries target_disabled=true plus a structured disabled_state snapshot (disabled, aria_disabled, pointer_events, opacity, visible) so the caller can decide between "wait more" or "field is genuinely missing \u2014 run get_form_fields(only_empty:true)".`)
@@ -25919,6 +26071,7 @@ Current URL: ${activeTab.url}`;
       const recall = flowStore.recallHint(nowUrl);
       const capturable = flowStore.capturableHint(actionUrl);
       if (!r.success) {
+        flowStore.observeFailure(actionUrl, selector ?? textHint);
         return {
           content: [
             {
@@ -25935,9 +26088,9 @@ Current URL: ${activeTab.url}`;
   );
   server.tool(
     "save_flow",
-    `Persist the hard-won interaction steps chromeflow buffered for the current site as a reusable, named flow. chromeflow auto-buffers only NOTABLE resolutions (a click that needed a fallback, a verified submit, a field that needed real keystrokes) \u2014 so you just give the task a label and it commits whatever is buffered for the current origin. Next session, those steps are surfaced back as a known_flow hint so you skip the trial-and-error.
+    `Trust the hard-won interaction steps chromeflow buffered for the current site, immediately, as a named flow. chromeflow auto-buffers only NOTABLE resolutions (a click that needed a fallback, a verified submit, a field that needed real keystrokes), and AUTOSAVES them as a provisional flow when you leave the site \u2014 so memory works even if you never call this. Provisional flows are not recalled until they have been independently re-observed, or until you vouch for them here. Calling save_flow promotes the buffered steps to TRUSTED right away (an explicit "I confirm this worked"), so they are recalled next session instead of waiting to earn it.
 
-Call this when a response shows \`flow_capturable\`. Stored locally only (~/.chromeflow/flows.json), selectors/signals only \u2014 never typed text. Guidance, not autopilot: recalled steps are still verified on replay.`,
+Call this when a response shows \`flow_capturable\` and you are confident the task genuinely succeeded. Stored locally only (~/.chromeflow/flows.json), selectors/signals only \u2014 never typed text. Guidance, not autopilot: recalled steps are still verified on replay.`,
     {
       task_label: external_exports.string().describe('Short human label for what this flow accomplishes, e.g. "submit text post", "set flair and submit", "log report time".')
     },
@@ -26259,7 +26412,7 @@ ${lines.join("\n")}${shadowSection}` }] };
 }
 
 // packages/mcp-server/src/index.ts
-var PACKAGE_VERSION = true ? "0.10.25" : "dev";
+var PACKAGE_VERSION = true ? "0.12.0" : "dev";
 main().catch((err) => {
   console.error("[chromeflow] Fatal error:", err);
   process.exit(1);
@@ -26335,6 +26488,10 @@ ${tabList}`
   await server.connect(transport);
   const exitClean = (reason) => {
     console.error(`[chromeflow] host disconnected (${reason}), exiting.`);
+    try {
+      flowStore.flushAll();
+    } catch {
+    }
     process.exit(0);
   };
   process.stdin.on("end", () => exitClean("stdin end"));

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "chromeflow",
-  "version": "0.10.25",
-  "description": "MCP server for chromeflow — lets Claude Code or Codex CLI drive your real Chrome browser with sessions intact. Plugin install recommended; npx chromeflow for manual MCP wiring.",
+  "version": "0.12.0",
+  "description": "MCP server for chromeflow \u2014 lets Claude Code or Codex CLI drive your real Chrome browser with sessions intact. Plugin install recommended; npx chromeflow for manual MCP wiring.",
   "type": "module",
   "main": "./bin/chromeflow.mjs",
   "bin": {