github-router 0.3.31 → 0.3.32

package/dist/main.js

@@ -1,19 +1,22 @@
 #!/usr/bin/env node
-import { a as sweepRegistry, c as ensureClaudeConfigMirror, d as writeRuntimeFileSecure, i as registerExitHandlers, l as ensurePaths, n as getInstanceUuid, r as recordWorkerRepo, s as PATHS, t as WorktreeRegistry, u as removeOwnClaudeConfigMirror } from "./lifecycle-BrNqqJZH.js";
+import { c as writeRuntimeFileSecure, i as removeOwnClaudeConfigMirror, n as ensureClaudeConfigMirror, r as ensurePaths, t as PATHS } from "./paths-Cr2gfGiA.js";
+import { a as sweepRegistry, i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-3OXRVrtQ.js";
 import { createRequire } from "node:module";
 import { defineCommand, runMain } from "citty";
 import consola from "consola";
 import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import fs, { readFile, stat } from "node:fs/promises";
-import os from "node:os";
+import os, { homedir, platform } from "node:os";
 import * as path$1 from "node:path";
 import path from "node:path";
 import process$1 from "node:process";
 import { execFile, execFileSync, spawn, spawnSync } from "node:child_process";
 import { promisify } from "node:util";
-import fs$1, { closeSync, existsSync, openSync, readFileSync, realpathSync, renameSync, statSync, unlinkSync, writeSync } from "node:fs";
+import fs$1, { chmodSync, closeSync, existsSync, mkdirSync, openSync, readFileSync, realpathSync, renameSync, statSync, unlinkSync, writeFileSync, writeSync } from "node:fs";
 import { createInterface } from "node:readline";
 import Parser from "web-tree-sitter";
+import WebSocket from "ws";
+import { fileURLToPath } from "node:url";
 import { Type } from "typebox";
 import "partial-json";
 import { Compile } from "typebox/compile";
@@ -41,6 +44,7 @@ const state = {
 	rateLimitWait: false,
 	showToken: false,
 	extendedBetas: false,
+	browseEnabled: false,
 	sessionId: randomUUID(),
 	machineId: randomBytes(32).toString("hex")
 };
@@ -2048,8 +2052,8 @@ async function runStructuralPass(opts) {
 				consola.debug(`[code_search] structural skip ${relFile} (${size} bytes > cap)`);
 				continue;
 			}
-			let cached = cacheGet(absPath, mtimeMs);
-			if (!cached) {
+			let cached$1 = cacheGet(absPath, mtimeMs);
+			if (!cached$1) {
 				let source;
 				try {
 					source = readFileSync(absPath, "utf8");
@@ -2074,23 +2078,23 @@ async function runStructuralPass(opts) {
 				} catch (err) {
 					consola.debug(`[code_search] tree-sitter parse failed for ${relFile}: ${err.message}`);
 				}
-				cached = {
+				cached$1 = {
 					mtimeMs,
 					tree,
 					source: tree ? source : null
 				};
-				cachePut(absPath, cached);
+				cachePut(absPath, cached$1);
 				filesParsed += 1;
 			}
-			if (!cached.tree || !cached.source) continue;
+			if (!cached$1.tree || !cached$1.source) continue;
 			for (const entry of entries) {
-				const lineStart = lineStartByte(cached.source, entry.hit.line);
+				const lineStart = lineStartByte(cached$1.source, entry.hit.line);
 				if (lineStart < 0) continue;
 				const matchByteStart = lineStart + entry.hit.match_start;
 				const matchByteEnd = lineStart + entry.hit.match_end;
 				let node;
 				try {
-					node = cached.tree.rootNode.descendantForIndex(matchByteStart, matchByteEnd);
+					node = cached$1.tree.rootNode.descendantForIndex(matchByteStart, matchByteEnd);
 				} catch {
 					node = null;
 				}
@@ -2468,6 +2472,1086 @@ function round4(x) {
 	return Math.round(x * 1e4) / 1e4;
 }
 
+//#endregion
+//#region src/lib/browser-mcp/browser-detect.ts
+let cached;
+function probeWindows() {
+	const found = [];
+	const probe = (subkey) => {
+		try {
+			execFileSync("reg.exe", [
+				"query",
+				`HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\${subkey}`,
+				"/ve"
+			], {
+				windowsHide: true,
+				timeout: 3e3,
+				stdio: [
+					"ignore",
+					"pipe",
+					"ignore"
+				]
+			});
+			return true;
+		} catch {
+			try {
+				execFileSync("reg.exe", [
+					"query",
+					`HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\${subkey}`,
+					"/ve"
+				], {
+					windowsHide: true,
+					timeout: 3e3,
+					stdio: [
+						"ignore",
+						"pipe",
+						"ignore"
+					]
+				});
+				return true;
+			} catch {
+				return false;
+			}
+		}
+	};
+	if (probe("chrome.exe")) found.push("chrome");
+	if (probe("msedge.exe")) found.push("edge");
+	if (!found.includes("chrome")) {
+		const localApp = process$1.env.LOCALAPPDATA;
+		const pf = process$1.env["PROGRAMFILES"];
+		const pf86 = process$1.env["PROGRAMFILES(X86)"];
+		if ([
+			localApp ? path.join(localApp, "Google", "Chrome", "Application", "chrome.exe") : void 0,
+			pf ? path.join(pf, "Google", "Chrome", "Application", "chrome.exe") : void 0,
+			pf86 ? path.join(pf86, "Google", "Chrome", "Application", "chrome.exe") : void 0
+		].filter((p) => typeof p === "string").some(existsSync)) found.push("chrome");
+	}
+	if (!found.includes("edge")) {
+		const pf86 = process$1.env["PROGRAMFILES(X86)"];
+		const pf = process$1.env["PROGRAMFILES"];
+		if ([pf86 ? path.join(pf86, "Microsoft", "Edge", "Application", "msedge.exe") : void 0, pf ? path.join(pf, "Microsoft", "Edge", "Application", "msedge.exe") : void 0].filter((p) => typeof p === "string").some(existsSync)) found.push("edge");
+	}
+	return found;
+}
+function probeMacOS() {
+	const found = [];
+	if (existsSync("/Applications/Google Chrome.app")) found.push("chrome");
+	if (existsSync("/Applications/Microsoft Edge.app")) found.push("edge");
+	return found;
+}
+function probeLinux() {
+	const found = [];
+	const which = (cmd) => {
+		try {
+			execFileSync("which", [cmd], {
+				timeout: 2e3,
+				stdio: [
+					"ignore",
+					"pipe",
+					"ignore"
+				]
+			});
+			return true;
+		} catch {
+			return false;
+		}
+	};
+	if (which("google-chrome") || which("google-chrome-stable") || which("chromium") || which("chromium-browser")) found.push("chrome");
+	if (which("microsoft-edge") || which("microsoft-edge-stable")) found.push("edge");
+	return found;
+}
+/**
+* Returns the supported browsers detected on this host. Result is
+* cached on first call; restart the proxy to re-detect after a fresh
+* install.
+*/
+function detectSupportedBrowsers() {
+	if (cached !== void 0) return cached;
+	let found;
+	switch (process$1.platform) {
+		case "win32":
+			found = probeWindows();
+			break;
+		case "darwin":
+			found = probeMacOS();
+			break;
+		default:
+			found = probeLinux();
+			break;
+	}
+	cached = Object.freeze(found);
+	return cached;
+}
+/** Convenience: true iff Chrome OR Edge is detected. */
+function hasSupportedBrowserInstalled() {
+	return detectSupportedBrowsers().length > 0;
+}
+
+//#endregion
+//#region src/lib/browser-mcp/native-host-installer.ts
+const NMH_HOST_ID = "com.githubrouter.browser";
+/**
+* Compute the deterministic 32-char chrome-extension ID from the
+* base64-DER-encoded RSA public key in the extension's manifest.json
+* `key` field. Chrome's derivation:
+*
+*   1. base64-decode the key into DER bytes.
+*   2. SHA-256 the bytes.
+*   3. Take the first 16 bytes of the digest as 32 hex chars.
+*   4. Map each hex digit VALUE (0..15) to a letter (a..p). hex value
+*      0 → 'a', 1 → 'b', …, 15 → 'p'. The result is 32 chars long.
+*
+* See https://developer.chrome.com/docs/extensions/reference/manifest/key
+* for the spec.
+*/
+function computeExtensionIdFromKey(keyB64) {
+	const der = Buffer.from(keyB64, "base64");
+	const hex = createHash("sha256").update(der).digest().subarray(0, 16).toString("hex");
+	const aCode = "a".charCodeAt(0);
+	let out = "";
+	for (let i = 0; i < hex.length; i++) out += String.fromCharCode(aCode + parseInt(hex[i], 16));
+	return out;
+}
+function readManifestKey() {
+	const candidates = [path.resolve(extensionDir(), "manifest.json")];
+	for (const candidate of candidates) try {
+		const raw = readFileSync(candidate, "utf8");
+		const parsed = JSON.parse(raw);
+		if (typeof parsed.key === "string") return parsed.key;
+	} catch {}
+	throw new Error(`native-host-installer: could not read manifest.json from ${candidates.join(", ")}`);
+}
+/**
+* Walk up from a starting directory looking for the github-router
+* package.json. Returns the package root or undefined if not found
+* within `maxHops` levels.
+*/
+function findPackageRoot(startDir, maxHops = 10) {
+	let cur = startDir;
+	for (let i = 0; i < maxHops; i++) {
+		try {
+			const pkgPath = path.join(cur, "package.json");
+			const pkg = JSON.parse(readFileSync(pkgPath, "utf8"));
+			if (pkg.name && pkg.name.includes("github-router")) return cur;
+		} catch {}
+		const parent = path.dirname(cur);
+		if (parent === cur) break;
+		cur = parent;
+	}
+}
+/**
+* Resolve the github-router package root. Uses two sources in order:
+*   1. process.argv[1] — the entrypoint script, walks up from there.
+*   2. import.meta.url of THIS module, walks up from there.
+*   3. process.cwd() as last resort.
+*
+* Robust across bun (src/main.ts) and node (dist/main.js) launch paths.
+*/
+function packageRoot() {
+	const entryPath = typeof process$1?.argv?.[1] === "string" ? process$1.argv[1] : void 0;
+	if (entryPath) {
+		const fromEntry = findPackageRoot(path.dirname(entryPath));
+		if (fromEntry) return fromEntry;
+	}
+	try {
+		const fromHere = findPackageRoot(path.dirname(fileURLToPath(import.meta.url)));
+		if (fromHere) return fromHere;
+	} catch {}
+	return process$1?.cwd?.() ?? ".";
+}
+/**
+* Absolute path to the extension's source directory. Extension is
+* plain JS / JSON (no build pipeline) so `src/browser-ext/` is the
+* canonical location whether installed via npm or running from a
+* checkout.
+*/
+function extensionDir() {
+	return path.join(packageRoot(), "src", "browser-ext");
+}
+/** Absolute path to the bundled bridge entrypoint. */
+function bridgeBundlePath() {
+	return path.join(packageRoot(), "dist", "browser-bridge", "index.js");
+}
+function appBrowserMcpDir() {
+	const dir = path.join(PATHS.APP_DIR, "browser-mcp");
+	mkdirSync(dir, { recursive: true });
+	return dir;
+}
+/**
+* Pick a runtime interpreter for the bridge. The bridge uses Node's
+* binary-stdin framing for native messaging which Bun handles
+* differently (Bun closes the bridge prematurely as soon as anything
+* unexpected lands on stdin). So prefer `node` when available;
+* fall back to `process.execPath` (which may be bun or a packaged
+* binary) only if node isn't on PATH.
+*/
+function resolveBridgeInterpreter() {
+	const probeCmd = platform() === "win32" ? "where" : "which";
+	try {
+		const out = execFileSync(probeCmd, ["node"], {
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			],
+			timeout: 2e3,
+			windowsHide: true
+		}).toString().trim().split(/\r?\n/)[0];
+		if (out) return out;
+	} catch {}
+	return process$1.execPath;
+}
+function writeLauncherShim() {
+	const dir = appBrowserMcpDir();
+	const bridgeJs = bridgeBundlePath();
+	const interp = resolveBridgeInterpreter();
+	if (platform() === "win32") {
+		const batPath = path.join(dir, "launcher.bat");
+		writeFileSync(batPath, `@echo off\r\n"${interp}" "${bridgeJs}" %*\r\n`, "utf8");
+		return batPath;
+	}
+	const shPath = path.join(dir, "launcher.sh");
+	writeFileSync(shPath, `#!/usr/bin/env bash\nexec "${interp}" "${bridgeJs}" "$@"\n`, { mode: 493 });
+	try {
+		chmodSync(shPath, 493);
+	} catch {}
+	return shPath;
+}
+function nmhPathsFor(browser) {
+	switch (platform()) {
+		case "win32": {
+			const local = process$1.env.LOCALAPPDATA;
+			const base = local ? path.join(local, "github-router", "browser-mcp") : path.join(homedir(), "AppData", "Local", "github-router", "browser-mcp");
+			mkdirSync(base, { recursive: true });
+			return {
+				manifestPath: path.join(base, `${NMH_HOST_ID}.json`),
+				registryKey: browser === "chrome" ? `HKCU\\Software\\Google\\Chrome\\NativeMessagingHosts\\${NMH_HOST_ID}` : `HKCU\\Software\\Microsoft\\Edge\\NativeMessagingHosts\\${NMH_HOST_ID}`
+			};
+		}
+		case "darwin": {
+			const base = browser === "chrome" ? path.join(homedir(), "Library", "Application Support", "Google", "Chrome", "NativeMessagingHosts") : path.join(homedir(), "Library", "Application Support", "Microsoft Edge", "NativeMessagingHosts");
+			mkdirSync(base, { recursive: true });
+			return { manifestPath: path.join(base, `${NMH_HOST_ID}.json`) };
+		}
+		default: {
+			const base = browser === "chrome" ? path.join(homedir(), ".config", "google-chrome", "NativeMessagingHosts") : path.join(homedir(), ".config", "microsoft-edge", "NativeMessagingHosts");
+			mkdirSync(base, { recursive: true });
+			return { manifestPath: path.join(base, `${NMH_HOST_ID}.json`) };
+		}
+	}
+}
+/**
+* Write the NMH manifest + (Windows) registry key for a given browser.
+* Returns the manifest path written; throws if any step fails (caller
+* surfaces as part of install_required.reason).
+*/
+function installNativeHostFor(browser) {
+	const manifest = {
+		name: NMH_HOST_ID,
+		description: "github-router browser bridge",
+		path: writeLauncherShim(),
+		type: "stdio",
+		allowed_origins: [`chrome-extension://${computeExtensionIdFromKey(readManifestKey())}/`]
+	};
+	const { manifestPath, registryKey } = nmhPathsFor(browser);
+	writeFileSync(manifestPath, JSON.stringify(manifest, null, 2), "utf8");
+	if (platform() !== "win32") try {
+		chmodSync(manifestPath, 420);
+	} catch {}
+	if (registryKey) execFileSync("reg.exe", [
+		"add",
+		registryKey,
+		"/ve",
+		"/t",
+		"REG_SZ",
+		"/d",
+		manifestPath,
+		"/f"
+	], {
+		windowsHide: true,
+		timeout: 5e3,
+		stdio: [
+			"ignore",
+			"pipe",
+			"pipe"
+		]
+	});
+	return manifestPath;
+}
+/**
+* Install the NMH manifest for every supported browser detected on
+* this host. Returns the list of (browser, manifestPath) tuples
+* actually written so the install_required response can report what
+* auto-installed.
+*/
+function installNativeHostForAll(browsers) {
+	const results = [];
+	for (const b of browsers) try {
+		const manifestPath = installNativeHostFor(b);
+		results.push({
+			browser: b,
+			manifestPath
+		});
+	} catch (err) {
+		console.warn(`[browser-mcp] failed to install NMH manifest for ${b}:`, err instanceof Error ? err.message : String(err));
+	}
+	return results;
+}
+
+//#endregion
+//#region src/lib/browser-mcp/install-check.ts
+function discoveryPath() {
+	return path.join(PATHS.APP_DIR, "browser-mcp", "bridge.json");
+}
+function readBridgeDiscovery() {
+	try {
+		const raw = readFileSync(discoveryPath(), "utf8");
+		const parsed = JSON.parse(raw);
+		if (typeof parsed.pid === "number" && typeof parsed.port === "number" && typeof parsed.token === "string" && typeof parsed.startedAt === "number") return parsed;
+	} catch {}
+}
+async function probeHealth(port, token, timeoutMs = 500) {
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), timeoutMs);
+	try {
+		const res = await fetch(`http://127.0.0.1:${port}/health`, {
+			headers: { authorization: `Bearer ${token}` },
+			signal: controller.signal
+		});
+		if (!res.ok) return void 0;
+		return await res.json();
+	} catch {
+		return;
+	} finally {
+		clearTimeout(timer);
+	}
+}
+function bridgeBundleExists() {
+	try {
+		readFileSync(bridgeBundlePath());
+		return true;
+	} catch {
+		return false;
+	}
+}
+function loadStableExtensionId() {
+	try {
+		const raw = readFileSync(path.join(extensionDir(), "manifest.json"), "utf8");
+		const parsed = JSON.parse(raw);
+		if (typeof parsed.key === "string") return computeExtensionIdFromKey(parsed.key);
+	} catch {}
+	return "unknown";
+}
+function buildInstallRequired(reason, autoInstalled) {
+	return {
+		install_required: true,
+		reason,
+		auto_installed: autoInstalled,
+		manual_steps: {
+			load_unpacked_dir: extensionDir(),
+			expected_extension_id: loadStableExtensionId(),
+			instructions: reason === "no_supported_browser" ? "No Chrome or Edge installation was detected on this host. Install one and restart the github-router proxy." : reason === "bridge_bundle_missing" ? "The bridge bundle is missing. Run `bun run build` from the github-router checkout to produce dist/browser-bridge/index.js, then retry." : "Open chrome://extensions (or edge://extensions), enable Developer Mode, click 'Load unpacked', and select the load_unpacked_dir above. Then retry this tool call."
+		}
+	};
+}
+/**
+* Full pre-flight. Returns either `{install_required: false, port,
+* token, pid}` (bridge ready, extension connected) or an
+* `install_required` payload the dispatcher hands directly to the
+* model. Side effect: when reason is `extension_not_loaded`, attempts
+* to install the NMH manifest for every detected browser so that the
+* extension can connect immediately on load.
+*/
+async function ensureBridgeReady() {
+	const browsers = detectSupportedBrowsers();
+	if (browsers.length === 0) return buildInstallRequired("no_supported_browser", []);
+	if (!bridgeBundleExists()) return buildInstallRequired("bridge_bundle_missing", []);
+	const autoInstalled = installNativeHostForAll(browsers).flatMap((r) => [`nmh_manifest_${r.browser}`]);
+	const discovery = readBridgeDiscovery();
+	if (!discovery) return buildInstallRequired("bridge_not_running", autoInstalled);
+	const health = await probeHealth(discovery.port, discovery.token);
+	if (!health || !health.ok) return buildInstallRequired("bridge_not_running", autoInstalled);
+	if (!health.extension_connected) return buildInstallRequired("extension_not_loaded", autoInstalled);
+	return {
+		install_required: false,
+		port: discovery.port,
+		token: discovery.token,
+		pid: discovery.pid
+	};
+}
+function installRequiredToolResult(payload) {
+	return {
+		content: [{
+			type: "text",
+			text: JSON.stringify(payload, null, 2)
+		}],
+		isError: true
+	};
+}
+
+//#endregion
+//#region src/lib/browser-mcp/policy.ts
+const BLOCKED_URL_RE = /^(chrome|edge|brave|opera|vivaldi):\/\/(settings|preferences|extensions|policy|management|password|flags|flag-descriptions)/i;
+const BLOCKED_VIEW_SOURCE_RE = /^view-source:(chrome|edge):\/\/(settings|extensions)/i;
+const BLOCKED_OPTIONS_HTML_RE = /^(chrome|edge)-extension:\/\/.*\/(options|popup)\.html/i;
+const FILE_URL_RE = /^file:/i;
+function checkUrlPolicy(url) {
+	if (typeof url !== "string" || url.length === 0) return { blocked: false };
+	if (BLOCKED_URL_RE.test(url) || BLOCKED_VIEW_SOURCE_RE.test(url)) return {
+		blocked: true,
+		reason: "Browser-internal pages (settings / preferences / extensions / flags / passwords) are not accessible to the browser MCP. devtools:// is allowed."
+	};
+	if (BLOCKED_OPTIONS_HTML_RE.test(url)) return {
+		blocked: true,
+		reason: "Extension options / popup pages are not accessible to the browser MCP."
+	};
+	if (FILE_URL_RE.test(url) && process.env.GH_ROUTER_BROWSER_ALLOW_FILE_URLS !== "1") return {
+		blocked: true,
+		reason: "file:// URLs are blocked by default. Set GH_ROUTER_BROWSER_ALLOW_FILE_URLS=1 to enable."
+	};
+	return { blocked: false };
+}
+/**
+* Extract URL fields from a tool call's arguments. Returns the first
+* URL that violates policy, or undefined if all clear. Currently checks
+* the `url` field (used by browser_open_tab + browser_navigate).
+*/
+function preflightUrlPolicy(toolName, args) {
+	if (toolName !== "browser_open_tab" && toolName !== "browser_navigate") return { blocked: false };
+	return checkUrlPolicy(args.url);
+}
+
+//#endregion
+//#region src/lib/browser-mcp/dispatch.ts
+const PER_TOOL_TIMEOUTS = {
+	browser_list_tabs: {
+		defaultMs: 5e3,
+		maxMs: 1e4
+	},
+	browser_open_tab: {
+		defaultMs: 3e4,
+		maxMs: 6e4
+	},
+	browser_close_tab: {
+		defaultMs: 5e3,
+		maxMs: 1e4
+	},
+	browser_navigate: {
+		defaultMs: 3e4,
+		maxMs: 6e4
+	},
+	browser_screenshot: {
+		defaultMs: 15e3,
+		maxMs: 3e4
+	},
+	browser_read_page: {
+		defaultMs: 1e4,
+		maxMs: 3e4
+	},
+	browser_click: {
+		defaultMs: 1e4,
+		maxMs: 3e4
+	},
+	browser_fill: {
+		defaultMs: 1e4,
+		maxMs: 3e4
+	},
+	browser_scroll: {
+		defaultMs: 5e3,
+		maxMs: 1e4
+	},
+	browser_keyboard: {
+		defaultMs: 5e3,
+		maxMs: 1e4
+	},
+	browser_wait: {
+		defaultMs: 1e4,
+		maxMs: 6e4
+	},
+	browser_eval_js: {
+		defaultMs: 5e3,
+		maxMs: 3e4
+	},
+	browser_download: {
+		defaultMs: 6e4,
+		maxMs: 3e5
+	},
+	browser_console_logs: {
+		defaultMs: 5e3,
+		maxMs: 1e4
+	},
+	browser_network_log: {
+		defaultMs: 5e3,
+		maxMs: 1e4
+	}
+};
+function pickTimeout(tool) {
+	if (tool in PER_TOOL_TIMEOUTS) return PER_TOOL_TIMEOUTS[tool];
+	return {
+		defaultMs: 1e4,
+		maxMs: 3e4
+	};
+}
+/**
+* Send one request to the bridge over a fresh WebSocket connection.
+* Resolves to the bridge's response envelope or rejects on timeout /
+* transport failure. Honors the caller's AbortSignal — when the MCP
+* client sends notifications/cancelled, the WS is force-closed and
+* the promise rejects so the slot releases cleanly.
+*/
+async function bridgeCall(endpoint, tool, args, timeoutMs, signal) {
+	return new Promise((resolve, reject) => {
+		const id = randomUUID();
+		const ws = new WebSocket(`ws://127.0.0.1:${endpoint.port}`, { headers: { authorization: `Bearer ${endpoint.token}` } });
+		let settled = false;
+		const finish = (fn) => {
+			if (settled) return;
+			settled = true;
+			clearTimeout(timer);
+			if (signal) signal.removeEventListener("abort", onAbort);
+			try {
+				ws.close();
+			} catch {}
+			fn();
+		};
+		const onAbort = () => finish(() => reject(/* @__PURE__ */ new Error("aborted")));
+		if (signal) {
+			if (signal.aborted) {
+				onAbort();
+				return;
+			}
+			signal.addEventListener("abort", onAbort, { once: true });
+		}
+		const timer = setTimeout(() => finish(() => reject(/* @__PURE__ */ new Error(`timeout after ${timeoutMs}ms`))), timeoutMs);
+		ws.on("open", () => {
+			ws.send(JSON.stringify({
+				id,
+				tool,
+				args
+			}));
+		});
+		ws.on("message", (raw) => {
+			try {
+				const parsed = JSON.parse(raw.toString());
+				if (parsed && parsed.id === id) finish(() => resolve(parsed));
+			} catch (err) {
+				finish(() => reject(err));
+			}
+		});
+		ws.on("error", (err) => {
+			finish(() => reject(err));
+		});
+		ws.on("close", () => {
+			finish(() => reject(/* @__PURE__ */ new Error("bridge connection closed before response")));
+		});
+	});
+}
+/**
+* Real dispatcher for any browser_* tool. Used by the entries in
+* src/lib/browser-mcp/index.ts. Returns the standard MCP tool-result
+* envelope.
+*/
+async function dispatchBrowserTool(tool, args, signal, opts = {}) {
+	const policy = preflightUrlPolicy(tool, args);
+	if (policy.blocked) return {
+		content: [{
+			type: "text",
+			text: JSON.stringify({
+				blocked: true,
+				reason: policy.reason
+			}, null, 2)
+		}],
+		isError: true
+	};
+	const ready = await ensureBridgeReady();
+	if (ready.install_required) return installRequiredToolResult(ready);
+	const { defaultMs, maxMs } = pickTimeout(tool);
+	const callerTimeout = typeof opts.timeoutMs === "number" && opts.timeoutMs > 0 ? Math.min(opts.timeoutMs, maxMs) : defaultMs;
+	try {
+		const resp = await bridgeCall({
+			port: ready.port,
+			token: ready.token
+		}, tool, args, callerTimeout, signal);
+		if (resp.ok) {
+			const text = typeof resp.data === "string" ? resp.data : JSON.stringify(resp.data, null, 2);
+			logAudit$1({
+				tool,
+				argsBytes: argsByteSize(args),
+				durationMs: 0,
+				profile: typeof args.profile === "string" ? args.profile : "isolated",
+				result: "ok"
+			});
+			return { content: [{
+				type: "text",
+				text
+			}] };
+		}
+		logAudit$1({
+			tool,
+			argsBytes: argsByteSize(args),
+			durationMs: 0,
+			profile: typeof args.profile === "string" ? args.profile : "isolated",
+			result: "bridge_error",
+			error: resp.error
+		});
+		return {
+			content: [{
+				type: "text",
+				text: `${tool} failed: ${resp.error}${resp.code ? ` (${resp.code})` : ""}`
+			}],
+			isError: true
+		};
+	} catch (err) {
+		const message = err instanceof Error ? err.message : String(err);
+		logAudit$1({
+			tool,
+			argsBytes: argsByteSize(args),
+			durationMs: 0,
+			profile: typeof args.profile === "string" ? args.profile : "isolated",
+			result: "exception",
+			error: message
+		});
+		return {
+			content: [{
+				type: "text",
+				text: `${tool} failed: ${message}`
+			}],
+			isError: true
+		};
+	}
+}
+function argsByteSize(args) {
+	try {
+		return Buffer.byteLength(JSON.stringify(args), "utf8");
+	} catch {
+		return -1;
+	}
+}
+function logAudit$1(record) {
+	if (process.env.GH_ROUTER_LOG_BROWSER_MCP !== "1") return;
+	(async () => {
+		try {
+			const fs$2 = await import("node:fs/promises");
+			const path$2 = await import("node:path");
+			const { PATHS: PATHS$1 } = await import("./paths-Cf3OVCaJ.js");
+			const dir = path$2.join(PATHS$1.APP_DIR, "browser-mcp");
+			await fs$2.mkdir(dir, { recursive: true });
+			const line = JSON.stringify({
+				ts: (/* @__PURE__ */ new Date()).toISOString(),
+				...record
+			}) + "\n";
+			await fs$2.appendFile(path$2.join(dir, "audit.log"), line, "utf8");
+		} catch {}
+	})();
+}
+
+//#endregion
+//#region src/lib/browser-mcp/index.ts
+/**
+* Browser-control MCP tools (`browser_*`). All entries route through
+* `dispatchBrowserTool()` which (1) runs the bridge-layer URL policy
+* check, (2) runs the install-check pre-flight (returning structured
+* install_required JSON when the bridge or extension isn't ready),
+* and (3) opens a WS to the bridge, sends the tool call, awaits the
+* response with a per-tool timeout.
+*
+* Each entry carries `capability: "browser"` so `browserToolsEnabled()`
+* in `src/routes/mcp/handler.ts` drops them at both list-time and
+* call-time when the operator hasn't opted in via `--browse` or
+* `GH_ROUTER_ENABLE_BROWSE=1`.
+*
+* v1 surface: 15 tools (Phases 3 + 4a + 4b).
+*/
+const BROWSER_TOOLS = Object.freeze([
+	{
+		toolNameHttp: "browser_list_tabs",
+		description: "List all open tabs across all browser windows. Returns each tab's id (used by other browser_* tools), URL, title, active flag, and window id.",
+		inputSchema: {
+			type: "object",
+			additionalProperties: false,
+			properties: {}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_list_tabs", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_open_tab",
+		description: "Open a URL in a new browser tab and wait for the page to finish loading. Returns the new tab's id, final URL after redirects, and HTTP status. Refuses to navigate to browser-internal settings / preferences / extensions / flags pages (returns {blocked: true, reason}); devtools://* is allowed.",
+		inputSchema: {
+			type: "object",
+			required: ["url"],
+			additionalProperties: false,
+			properties: {
+				url: {
+					type: "string",
+					description: "The URL to load. Maximum 8 KB. Settings / preferences / extensions / flags pages are blocked."
+				},
+				reuseActive: {
+					type: "boolean",
+					description: "When true, navigate the currently active tab instead of opening a new one. Default false."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_open_tab", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_close_tab",
+		description: "Close one or more tabs by tab id.",
+		inputSchema: {
+			type: "object",
+			required: ["tabIds"],
+			additionalProperties: false,
+			properties: { tabIds: {
+				type: "array",
+				items: { type: "number" },
+				description: "Array of tab ids to close (from browser_list_tabs)."
+			} }
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_close_tab", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_navigate",
+		description: "Navigate an existing tab: goto a URL, go back, go forward, or reload. Same URL-blocking policy as browser_open_tab.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId", "action"],
+			additionalProperties: false,
+			properties: {
+				tabId: {
+					type: "number",
+					description: "Tab id from browser_list_tabs / browser_open_tab."
+				},
+				action: {
+					type: "string",
+					enum: [
+						"goto",
+						"back",
+						"forward",
+						"reload"
+					],
+					description: "The navigation action."
+				},
+				url: {
+					type: "string",
+					description: "Required when action=goto. Max 8 KB."
+				},
+				hard: {
+					type: "boolean",
+					description: "Reload only: bypass cache (Ctrl+Shift+R behavior). Default false."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_navigate", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_screenshot",
+		description: "Capture a PNG screenshot of the visible area of a tab. Returns base64-encoded image bytes plus contentType. The tab must be active in its window; this tool auto-activates if needed.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId"],
+			additionalProperties: false,
+			properties: {
+				tabId: {
+					type: "number",
+					description: "Tab id from browser_list_tabs / browser_open_tab."
+				},
+				format: {
+					type: "string",
+					enum: ["png", "jpeg"],
+					description: "Image format. Default 'png'."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_screenshot", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_read_page",
+		description: "Extract rendered page text plus the list of interactive elements (refs, roles, names, bounding boxes). Element refs returned here are intended as the input to a follow-up browser_click / browser_fill / browser_scroll — preferred over CSS selectors because refs are stable across dynamic class names. Text is capped at 256 KiB.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId"],
+			additionalProperties: false,
+			properties: { tabId: {
+				type: "number",
+				description: "Tab id from browser_list_tabs / browser_open_tab."
+			} }
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_read_page", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_click",
+		description: "Click an element by ref (from a prior browser_read_page) or CSS selector. Returns {ok, navigated} where navigated=true if the URL changed within ~300ms of the click.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId"],
+			additionalProperties: false,
+			properties: {
+				tabId: { type: "number" },
+				ref: {
+					type: "string",
+					description: "Element ref from browser_read_page (preferred)."
+				},
+				selector: {
+					type: "string",
+					description: "CSS selector (fallback when no ref)."
+				},
+				button: {
+					type: "string",
+					enum: ["left", "right"],
+					description: "Mouse button. Default 'left'."
+				},
+				clickCount: {
+					type: "number",
+					description: "Number of times to click. Default 1."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_click", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_fill",
+		description: "Type into an input / textarea, select from a dropdown, or toggle a checkbox / radio. Dispatches native input and change events so React-style controlled inputs see the value.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId", "value"],
+			additionalProperties: false,
+			properties: {
+				tabId: { type: "number" },
+				ref: {
+					type: "string",
+					description: "Element ref from browser_read_page (preferred)."
+				},
+				selector: {
+					type: "string",
+					description: "CSS selector (fallback when no ref)."
+				},
+				value: { description: "The value to set. String for inputs / textareas / select option value. Boolean for checkbox / radio. Max 1 MB." },
+				clearFirst: {
+					type: "boolean",
+					description: "Clear the input before typing (default true). No effect on select / checkbox."
+				},
+				pressEnter: {
+					type: "boolean",
+					description: "After typing, dispatch Enter keydown / keyup and call form.requestSubmit if available. Default false."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_fill", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_scroll",
+		description: "Scroll a tab to the top, to the bottom, by a pixel amount, or to a specific element by ref.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId", "target"],
+			additionalProperties: false,
+			properties: {
+				tabId: { type: "number" },
+				target: {
+					type: "string",
+					enum: [
+						"top",
+						"bottom",
+						"pixels",
+						"element"
+					],
+					description: "Scroll target type."
+				},
+				pixels: {
+					type: "number",
+					description: "Pixel delta when target=pixels. Positive scrolls down, negative scrolls up."
+				},
+				ref: {
+					type: "string",
+					description: "Element ref when target=element. Scrolls so the element is centered in the viewport."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_scroll", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_keyboard",
+		description: "Send a keystroke or chord to the focused element. Use 'Control+L' / 'Command+L' for browser shortcuts, single characters for typing. Uses chrome.debugger so browser-level shortcuts (Ctrl+T, Ctrl+W, etc) actually fire.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId", "keys"],
+			additionalProperties: false,
+			properties: {
+				tabId: { type: "number" },
+				keys: {
+					type: "string",
+					description: "Key or chord. Modifiers (Control, Alt, Shift, Meta / Command) joined with '+'. Example: 'Control+L'."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_keyboard", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_wait",
+		description: "Wait for an element to appear (until='selector'), the tab URL to match a regex (until='url'), or the network to go idle (until='networkIdle' - heuristic: tab status complete + 500ms quiet). Returns {ok: true, elapsedMs} on success, {ok: false, reason: 'timeout'} on miss.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId", "until"],
+			additionalProperties: false,
+			properties: {
+				tabId: { type: "number" },
+				until: {
+					type: "string",
+					enum: [
+						"selector",
+						"url",
+						"networkIdle"
+					],
+					description: "What to wait for."
+				},
+				selector: {
+					type: "string",
+					description: "CSS selector when until=selector."
+				},
+				urlPattern: {
+					type: "string",
+					description: "JS regex (string form) when until=url."
+				},
+				timeoutMs: {
+					type: "number",
+					description: "Max wait. Default 10000, hard cap 60000."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_wait", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_eval_js",
+		description: "Evaluate a JavaScript expression in the tab's main world (equivalent to typing in the DevTools console). Returns {result} or {error}. Awaits promises returned by the expression. Single narrowly-named escape hatch for behaviors the other tools don't cover.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId", "expression"],
+			additionalProperties: false,
+			properties: {
+				tabId: { type: "number" },
+				expression: {
+					type: "string",
+					description: "JS expression. Max 100 KB. Top-level await NOT supported - wrap in (async () => ...)()."
+				},
+				timeoutMs: {
+					type: "number",
+					description: "Max evaluation time. Default 5000, hard cap 30000."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_eval_js", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_download",
+		description: "Trigger a download by URL and wait for it to complete. Returns {downloadId, path, bytes, mimeType}. The file lands in Chrome's default Downloads dir unless saveAs is given.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId", "url"],
+			additionalProperties: false,
+			properties: {
+				tabId: {
+					type: "number",
+					description: "Tab id is logged but the download itself is window-scoped, not tab-scoped."
+				},
+				source: {
+					type: "string",
+					enum: ["url"],
+					description: "Download source. Only 'url' supported in v1; click-then-wait awaits Phase 5."
+				},
+				url: {
+					type: "string",
+					description: "Direct URL to download. Max 8 KB."
+				},
+				saveAs: {
+					type: "string",
+					description: "Optional filename / relative subdir under Downloads. Conflicts auto-uniquify."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_download", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_console_logs",
+		description: "Drain console messages a tab has emitted since the last call. The first call for a tab attaches chrome.debugger and starts capturing, so very-early-load messages from before the first call are missed; subsequent calls return everything since the previous drain. Buffer is capped at 1000 entries per tab.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId"],
+			additionalProperties: false,
+			properties: {
+				tabId: { type: "number" },
+				level: {
+					type: "string",
+					enum: [
+						"log",
+						"info",
+						"warn",
+						"error",
+						"debug",
+						"all"
+					],
+					description: "Filter by console level. Default 'all'."
+				}
+			}
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_console_logs", args, signal);
+		}
+	},
+	{
+		toolNameHttp: "browser_network_log",
+		description: "Drain network responses a tab has received since the last call. Same lazy-attach + cap-1000 behavior as browser_console_logs. Returns request URL, method, status, mime type, and timestamp per entry.",
+		inputSchema: {
+			type: "object",
+			required: ["tabId"],
+			additionalProperties: false,
+			properties: { tabId: { type: "number" } }
+		},
+		capability: "browser",
+		async handler(args, signal) {
+			return dispatchBrowserTool("browser_network_log", args, signal);
+		}
+	}
+]);
+
 //#endregion
 //#region src/vendor/pi/ai/api-registry.ts
 const apiProviderRegistry = /* @__PURE__ */ new Map();
@@ -2711,8 +3795,8 @@ function coerceWithJsonSchema(value, schema) {
 }
 function getValidator(schema) {
 	const key = schema;
-	const cached = validatorCache.get(key);
-	if (cached) return cached;
+	const cached$1 = validatorCache.get(key);
+	if (cached$1) return cached$1;
 	const validator = Compile(schema);
 	validatorCache.set(key, validator);
 	return validator;
@@ -4405,12 +5489,12 @@ function joinTextChunks(accum, idx) {
 */
 function makeLazyTextPart(chunks) {
 	const upTo = chunks.length;
-	let cached;
+	let cached$1;
 	return {
 		type: "text",
 		get text() {
-			if (cached === void 0) cached = upTo === chunks.length ? chunks.join("") : chunks.slice(0, upTo).join("");
-			return cached;
+			if (cached$1 === void 0) cached$1 = upTo === chunks.length ? chunks.join("") : chunks.slice(0, upTo).join("");
+			return cached$1;
 		}
 	};
 }
@@ -4935,6 +6019,37 @@ function workerToolsEnabled() {
 	if (!found) return false;
 	return found.capabilities?.supports?.tool_calls === true;
 }
+/**
+* Gate for the browser-control MCP tools (`browser_*`).
+*
+* Returns true iff BOTH:
+*   1. The operator opted in via `--browse` (which sets
+*      `state.browseEnabled`) OR the equivalent env var
+*      `GH_ROUTER_ENABLE_BROWSE=1`. Default OFF — browser-control is
+*      side-effectful (mutates the user's browser session, downloads
+*      files, can navigate to phishing URLs the model was prompted with),
+*      so dormant-register is the safe default.
+*   2. At least one supported Chromium-family browser (Chrome or Edge)
+*      is detected on disk by `hasSupportedBrowserInstalled()`. No
+*      browser → nothing for the bridge to attach to → tools stay
+*      invisible rather than fail at call time. Detection is cached for
+*      the proxy lifetime; a fresh install requires a restart.
+*
+* Mirrors the defense-in-depth pattern of `workerToolsEnabled()` /
+* `standInToolEnabled()`: this same function gates BOTH the
+* `tools/list` filter in `toolEntries()` AND the call-time rejection in
+* `handleToolsCall` (returning -32601 for hard-coded tool-name
+* bypasses), so the two surfaces stay symmetric.
+*
+* The env-var check reads `process.env` directly instead of relying
+* solely on `state.browseEnabled` so a non-`setupAndServe` startup path
+* (tests, embedded use) can still flip the gate via env. The CLI flag
+* path is the canonical one for end users.
+*/
+function browserToolsEnabled() {
+	if (!(state.browseEnabled || process.env.GH_ROUTER_ENABLE_BROWSE === "1")) return false;
+	return hasSupportedBrowserInstalled();
+}
 function activePersonas() {
 	return PERSONAS_READ.filter((p) => !p.requiresGeminiCatalog || geminiAvailable());
 }
@@ -4966,6 +6081,7 @@ function toolEntries() {
 	const nonPersonaEntries = NON_PERSONA_MCP_TOOLS.filter((t) => {
 		if (t.capability === "worker") return workerToolsEnabled();
 		if (t.capability === "stand_in") return standInToolEnabled();
+		if (t.capability === "browser") return browserToolsEnabled();
 		return true;
 	}).map((t) => ({
 		name: t.toolNameHttp,
@@ -5216,6 +6332,7 @@ async function handleToolsCall(body) {
 	if (!persona && !nonPersonaTool) return rpcError(body.id, RPC_METHOD_NOT_FOUND, `tools/call: unknown tool "${name$1}"`);
 	if (nonPersonaTool && nonPersonaTool.capability === "worker" && !workerToolsEnabled()) return rpcError(body.id, RPC_METHOD_NOT_FOUND, `tools/call: unknown tool "${name$1}"`);
 	if (nonPersonaTool && nonPersonaTool.capability === "stand_in" && !standInToolEnabled()) return rpcError(body.id, RPC_METHOD_NOT_FOUND, `tools/call: unknown tool "${name$1}"`);
+	if (nonPersonaTool && nonPersonaTool.capability === "browser" && !browserToolsEnabled()) return rpcError(body.id, RPC_METHOD_NOT_FOUND, `tools/call: unknown tool "${name$1}"`);
 	let personaPrompt;
 	let personaContext;
 	let personaEffort;
@@ -8975,7 +10092,8 @@ const NON_PERSONA_MCP_TOOLS = Object.freeze([
 		async handler(args, signal) {
 			return runStandInToolCall(args, signal);
 		}
-	}
+	},
+	...BROWSER_TOOLS
 ]);
 /**
 * Shared closure body for the two worker MCP tools. Validates the
@@ -9746,7 +10864,7 @@ function initProxyFromEnv() {
 //#endregion
 //#region package.json
 var name = "github-router";
-var version = "0.3.31";
+var version = "0.3.32";
 
 //#endregion
 //#region src/lib/approval.ts
@@ -9963,8 +11081,8 @@ const calculateTokens = (messages, encoder, constants) => {
 */
 const getEncodeChatFunction = async (encoding) => {
 	if (encodingCache.has(encoding)) {
-		const cached = encodingCache.get(encoding);
-		if (cached) return cached;
+		const cached$1 = encodingCache.get(encoding);
+		if (cached$1) return cached$1;
 	}
 	const supportedEncoding = encoding;
 	if (!(supportedEncoding in ENCODING_MAP)) {
@@ -11623,6 +12741,7 @@ async function setupAndServe(options) {
 	state.rateLimitWait = options.rateLimitWait;
 	state.showToken = options.showToken;
 	state.extendedBetas = options.extendedBetas;
+	state.browseEnabled = options.browseEnabled || process.env.GH_ROUTER_ENABLE_BROWSE === "1";
 	if (process.env.COPILOT_API_URL) state.copilotApiUrl = process.env.COPILOT_API_URL;
 	await ensurePaths();
 	await cacheVSCodeVersion();
@@ -11725,6 +12844,11 @@ const sharedServerArgs = {
 		type: "boolean",
 		default: false,
 		description: "Forward extended beta headers for Claude CLI compatibility (default: VS Code-only)"
+	},
+	browse: {
+		type: "boolean",
+		default: false,
+		description: "Enable the browser-control MCP tools (browser_open_tab, browser_screenshot, browser_click, etc.) on /mcp. Requires Chrome or Edge installed; the bundled extension must be loaded on first tool call (the proxy returns install_required with Web Store URLs + a Load Unpacked fallback path). Off by default; can also be enabled with GH_ROUTER_ENABLE_BROWSE=1."
 	}
 };
 const allowedAccountTypes = new Set([
@@ -11761,7 +12885,8 @@ function parseSharedArgs(args) {
 		githubToken,
 		showToken: args["show-token"],
 		proxyEnv: args["proxy-env"],
-		extendedBetas: args["extended-betas"]
+		extendedBetas: args["extended-betas"],
+		browseEnabled: args.browse
 	};
 }
 /**
@@ -12158,8 +13283,8 @@ const debug = defineCommand({
 //#endregion
 //#region src/lib/shell.ts
 function getShell() {
-	const { platform, env } = process$1;
-	if (platform === "win32") {
+	const { platform: platform$1, env } = process$1;
+	if (platform$1 === "win32") {
 		if (env.SHELL) {
 			if (env.SHELL.endsWith("zsh")) return "zsh";
 			if (env.SHELL.endsWith("fish")) return "fish";