iframer-cli 1.0.0

package/bun.lock

@@ -0,0 +1,195 @@
+{
+  "lockfileVersion": 1,
+  "configVersion": 1,
+  "workspaces": {
+    "": {
+      "name": "agentic-browser-mcp",
+      "dependencies": {
+        "@modelcontextprotocol/sdk": "^1.12.0",
+      },
+    },
+  },
+  "packages": {
+    "@hono/node-server": ["@hono/node-server@1.19.11", "", { "peerDependencies": { "hono": "^4" } }, "sha512-dr8/3zEaB+p0D2n/IUrlPF1HZm586qgJNXK1a9fhg/PzdtkK7Ksd5l312tJX2yBuALqDYBlG20QEbayqPyxn+g=="],
+
+    "@modelcontextprotocol/sdk": ["@modelcontextprotocol/sdk@1.28.0", "", { "dependencies": { "@hono/node-server": "^1.19.9", "ajv": "^8.17.1", "ajv-formats": "^3.0.1", "content-type": "^1.0.5", "cors": "^2.8.5", "cross-spawn": "^7.0.5", "eventsource": "^3.0.2", "eventsource-parser": "^3.0.0", "express": "^5.2.1", "express-rate-limit": "^8.2.1", "hono": "^4.11.4", "jose": "^6.1.3", "json-schema-typed": "^8.0.2", "pkce-challenge": "^5.0.0", "raw-body": "^3.0.0", "zod": "^3.25 || ^4.0", "zod-to-json-schema": "^3.25.1" }, "peerDependencies": { "@cfworker/json-schema": "^4.1.1" }, "optionalPeers": ["@cfworker/json-schema"] }, "sha512-gmloF+i+flI8ouQK7MWW4mOwuMh4RePBuPFAEPC6+pdqyWOUMDOixb6qZ69owLJpz6XmyllCouc4t8YWO+E2Nw=="],
+
+    "accepts": ["accepts@2.0.0", "", { "dependencies": { "mime-types": "^3.0.0", "negotiator": "^1.0.0" } }, "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng=="],
+
+    "ajv": ["ajv@8.18.0", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A=="],
+
+    "ajv-formats": ["ajv-formats@3.0.1", "", { "dependencies": { "ajv": "^8.0.0" } }, "sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ=="],
+
+    "body-parser": ["body-parser@2.2.2", "", { "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", "debug": "^4.4.3", "http-errors": "^2.0.0", "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", "qs": "^6.14.1", "raw-body": "^3.0.1", "type-is": "^2.0.1" } }, "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA=="],
+
+    "bytes": ["bytes@3.1.2", "", {}, "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg=="],
+
+    "call-bind-apply-helpers": ["call-bind-apply-helpers@1.0.2", "", { "dependencies": { "es-errors": "^1.3.0", "function-bind": "^1.1.2" } }, "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ=="],
+
+    "call-bound": ["call-bound@1.0.4", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "get-intrinsic": "^1.3.0" } }, "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg=="],
+
+    "content-disposition": ["content-disposition@1.0.1", "", {}, "sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q=="],
+
+    "content-type": ["content-type@1.0.5", "", {}, "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA=="],
+
+    "cookie": ["cookie@0.7.2", "", {}, "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w=="],
+
+    "cookie-signature": ["cookie-signature@1.2.2", "", {}, "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg=="],
+
+    "cors": ["cors@2.8.6", "", { "dependencies": { "object-assign": "^4", "vary": "^1" } }, "sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw=="],
+
+    "cross-spawn": ["cross-spawn@7.0.6", "", { "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", "which": "^2.0.1" } }, "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA=="],
+
+    "debug": ["debug@4.4.3", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="],
+
+    "depd": ["depd@2.0.0", "", {}, "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw=="],
+
+    "dunder-proto": ["dunder-proto@1.0.1", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.1", "es-errors": "^1.3.0", "gopd": "^1.2.0" } }, "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A=="],
+
+    "ee-first": ["ee-first@1.1.1", "", {}, "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="],
+
+    "encodeurl": ["encodeurl@2.0.0", "", {}, "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg=="],
+
+    "es-define-property": ["es-define-property@1.0.1", "", {}, "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g=="],
+
+    "es-errors": ["es-errors@1.3.0", "", {}, "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw=="],
+
+    "es-object-atoms": ["es-object-atoms@1.1.1", "", { "dependencies": { "es-errors": "^1.3.0" } }, "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA=="],
+
+    "escape-html": ["escape-html@1.0.3", "", {}, "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow=="],
+
+    "etag": ["etag@1.8.1", "", {}, "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg=="],
+
+    "eventsource": ["eventsource@3.0.7", "", { "dependencies": { "eventsource-parser": "^3.0.1" } }, "sha512-CRT1WTyuQoD771GW56XEZFQ/ZoSfWid1alKGDYMmkt2yl8UXrVR4pspqWNEcqKvVIzg6PAltWjxcSSPrboA4iA=="],
+
+    "eventsource-parser": ["eventsource-parser@3.0.6", "", {}, "sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg=="],
+
+    "express": ["express@5.2.1", "", { "dependencies": { "accepts": "^2.0.0", "body-parser": "^2.2.1", "content-disposition": "^1.0.0", "content-type": "^1.0.5", "cookie": "^0.7.1", "cookie-signature": "^1.2.1", "debug": "^4.4.0", "depd": "^2.0.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "finalhandler": "^2.1.0", "fresh": "^2.0.0", "http-errors": "^2.0.0", "merge-descriptors": "^2.0.0", "mime-types": "^3.0.0", "on-finished": "^2.4.1", "once": "^1.4.0", "parseurl": "^1.3.3", "proxy-addr": "^2.0.7", "qs": "^6.14.0", "range-parser": "^1.2.1", "router": "^2.2.0", "send": "^1.1.0", "serve-static": "^2.2.0", "statuses": "^2.0.1", "type-is": "^2.0.1", "vary": "^1.1.2" } }, "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw=="],
+
+    "express-rate-limit": ["express-rate-limit@8.3.1", "", { "dependencies": { "ip-address": "10.1.0" }, "peerDependencies": { "express": ">= 4.11" } }, "sha512-D1dKN+cmyPWuvB+G2SREQDzPY1agpBIcTa9sJxOPMCNeH3gwzhqJRDWCXW3gg0y//+LQ/8j52JbMROWyrKdMdw=="],
+
+    "fast-deep-equal": ["fast-deep-equal@3.1.3", "", {}, "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q=="],
+
+    "fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="],
+
+    "finalhandler": ["finalhandler@2.1.1", "", { "dependencies": { "debug": "^4.4.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "on-finished": "^2.4.1", "parseurl": "^1.3.3", "statuses": "^2.0.1" } }, "sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA=="],
+
+    "forwarded": ["forwarded@0.2.0", "", {}, "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow=="],
+
+    "fresh": ["fresh@2.0.0", "", {}, "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A=="],
+
+    "function-bind": ["function-bind@1.1.2", "", {}, "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA=="],
+
+    "get-intrinsic": ["get-intrinsic@1.3.0", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "es-define-property": "^1.0.1", "es-errors": "^1.3.0", "es-object-atoms": "^1.1.1", "function-bind": "^1.1.2", "get-proto": "^1.0.1", "gopd": "^1.2.0", "has-symbols": "^1.1.0", "hasown": "^2.0.2", "math-intrinsics": "^1.1.0" } }, "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ=="],
+
+    "get-proto": ["get-proto@1.0.1", "", { "dependencies": { "dunder-proto": "^1.0.1", "es-object-atoms": "^1.0.0" } }, "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g=="],
+
+    "gopd": ["gopd@1.2.0", "", {}, "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg=="],
+
+    "has-symbols": ["has-symbols@1.1.0", "", {}, "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ=="],
+
+    "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
+
+    "hono": ["hono@4.12.9", "", {}, "sha512-wy3T8Zm2bsEvxKZM5w21VdHDDcwVS1yUFFY6i8UobSsKfFceT7TOwhbhfKsDyx7tYQlmRM5FLpIuYvNFyjctiA=="],
+
+    "http-errors": ["http-errors@2.0.1", "", { "dependencies": { "depd": "~2.0.0", "inherits": "~2.0.4", "setprototypeof": "~1.2.0", "statuses": "~2.0.2", "toidentifier": "~1.0.1" } }, "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ=="],
+
+    "iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="],
+
+    "inherits": ["inherits@2.0.4", "", {}, "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="],
+
+    "ip-address": ["ip-address@10.1.0", "", {}, "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q=="],
+
+    "ipaddr.js": ["ipaddr.js@1.9.1", "", {}, "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g=="],
+
+    "is-promise": ["is-promise@4.0.0", "", {}, "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ=="],
+
+    "isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
+
+    "jose": ["jose@6.2.2", "", {}, "sha512-d7kPDd34KO/YnzaDOlikGpOurfF0ByC2sEV4cANCtdqLlTfBlw2p14O/5d/zv40gJPbIQxfES3nSx1/oYNyuZQ=="],
+
+    "json-schema-traverse": ["json-schema-traverse@1.0.0", "", {}, "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug=="],
+
+    "json-schema-typed": ["json-schema-typed@8.0.2", "", {}, "sha512-fQhoXdcvc3V28x7C7BMs4P5+kNlgUURe2jmUT1T//oBRMDrqy1QPelJimwZGo7Hg9VPV3EQV5Bnq4hbFy2vetA=="],
+
+    "math-intrinsics": ["math-intrinsics@1.1.0", "", {}, "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g=="],
+
+    "media-typer": ["media-typer@1.1.0", "", {}, "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw=="],
+
+    "merge-descriptors": ["merge-descriptors@2.0.0", "", {}, "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g=="],
+
+    "mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="],
+
+    "mime-types": ["mime-types@3.0.2", "", { "dependencies": { "mime-db": "^1.54.0" } }, "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A=="],
+
+    "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
+
+    "negotiator": ["negotiator@1.0.0", "", {}, "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg=="],
+
+    "object-assign": ["object-assign@4.1.1", "", {}, "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg=="],
+
+    "object-inspect": ["object-inspect@1.13.4", "", {}, "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew=="],
+
+    "on-finished": ["on-finished@2.4.1", "", { "dependencies": { "ee-first": "1.1.1" } }, "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg=="],
+
+    "once": ["once@1.4.0", "", { "dependencies": { "wrappy": "1" } }, "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w=="],
+
+    "parseurl": ["parseurl@1.3.3", "", {}, "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ=="],
+
+    "path-key": ["path-key@3.1.1", "", {}, "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q=="],
+
+    "path-to-regexp": ["path-to-regexp@8.4.0", "", {}, "sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg=="],
+
+    "pkce-challenge": ["pkce-challenge@5.0.1", "", {}, "sha512-wQ0b/W4Fr01qtpHlqSqspcj3EhBvimsdh0KlHhH8HRZnMsEa0ea2fTULOXOS9ccQr3om+GcGRk4e+isrZWV8qQ=="],
+
+    "proxy-addr": ["proxy-addr@2.0.7", "", { "dependencies": { "forwarded": "0.2.0", "ipaddr.js": "1.9.1" } }, "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg=="],
+
+    "qs": ["qs@6.15.0", "", { "dependencies": { "side-channel": "^1.1.0" } }, "sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ=="],
+
+    "range-parser": ["range-parser@1.2.1", "", {}, "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg=="],
+
+    "raw-body": ["raw-body@3.0.2", "", { "dependencies": { "bytes": "~3.1.2", "http-errors": "~2.0.1", "iconv-lite": "~0.7.0", "unpipe": "~1.0.0" } }, "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA=="],
+
+    "require-from-string": ["require-from-string@2.0.2", "", {}, "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw=="],
+
+    "router": ["router@2.2.0", "", { "dependencies": { "debug": "^4.4.0", "depd": "^2.0.0", "is-promise": "^4.0.0", "parseurl": "^1.3.3", "path-to-regexp": "^8.0.0" } }, "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ=="],
+
+    "safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="],
+
+    "send": ["send@1.2.1", "", { "dependencies": { "debug": "^4.4.3", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "fresh": "^2.0.0", "http-errors": "^2.0.1", "mime-types": "^3.0.2", "ms": "^2.1.3", "on-finished": "^2.4.1", "range-parser": "^1.2.1", "statuses": "^2.0.2" } }, "sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ=="],
+
+    "serve-static": ["serve-static@2.2.1", "", { "dependencies": { "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "parseurl": "^1.3.3", "send": "^1.2.0" } }, "sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw=="],
+
+    "setprototypeof": ["setprototypeof@1.2.0", "", {}, "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw=="],
+
+    "shebang-command": ["shebang-command@2.0.0", "", { "dependencies": { "shebang-regex": "^3.0.0" } }, "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA=="],
+
+    "shebang-regex": ["shebang-regex@3.0.0", "", {}, "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A=="],
+
+    "side-channel": ["side-channel@1.1.0", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3", "side-channel-list": "^1.0.0", "side-channel-map": "^1.0.1", "side-channel-weakmap": "^1.0.2" } }, "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw=="],
+
+    "side-channel-list": ["side-channel-list@1.0.0", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3" } }, "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA=="],
+
+    "side-channel-map": ["side-channel-map@1.0.1", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3" } }, "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA=="],
+
+    "side-channel-weakmap": ["side-channel-weakmap@1.0.2", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3", "side-channel-map": "^1.0.1" } }, "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A=="],
+
+    "statuses": ["statuses@2.0.2", "", {}, "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw=="],
+
+    "toidentifier": ["toidentifier@1.0.1", "", {}, "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA=="],
+
+    "type-is": ["type-is@2.0.1", "", { "dependencies": { "content-type": "^1.0.5", "media-typer": "^1.1.0", "mime-types": "^3.0.0" } }, "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw=="],
+
+    "unpipe": ["unpipe@1.0.0", "", {}, "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ=="],
+
+    "vary": ["vary@1.1.2", "", {}, "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg=="],
+
+    "which": ["which@2.0.2", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="],
+
+    "wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="],
+
+    "zod": ["zod@4.3.6", "", {}, "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg=="],
+
+    "zod-to-json-schema": ["zod-to-json-schema@3.25.2", "", { "peerDependencies": { "zod": "^3.25.28 || ^4" } }, "sha512-O/PgfnpT1xKSDeQYSCfRI5Gy3hPf91mKVDuYLUHZJMiDFptvP41MSnWofm8dnCm0256ZNfZIM7DSzuSMAFnjHA=="],
+  }
+}

package/cli.cjs

@@ -0,0 +1,575 @@
+#!/usr/bin/env node
+
+const http = require("http");
+const fs = require("fs");
+const path = require("path");
+const { execSync } = require("child_process");
+
+const readline = require("readline");
+
+const CONFIG_DIR = path.join(require("os").homedir(), ".iframer");
+const CREDENTIALS_FILE = path.join(CONFIG_DIR, "credentials.json");
+const DEFAULT_SERVER = "https://api.iframer.sh";
+
+function getServer() {
+  return process.env.IFRAMER_URL || DEFAULT_SERVER;
+}
+
+function loadToken() {
+  try {
+    const data = JSON.parse(fs.readFileSync(CREDENTIALS_FILE, "utf8"));
+    return data.token || null;
+  } catch {
+    return null;
+  }
+}
+
+function saveToken(token) {
+  fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify({ token, savedAt: new Date().toISOString() }, null, 2));
+}
+
+function clearToken() {
+  try { fs.unlinkSync(CREDENTIALS_FILE); } catch {}
+}
+
+function openBrowser(url) {
+  try {
+    if (process.platform === "darwin") execSync(`open "${url}"`);
+    else if (process.platform === "win32") execSync(`start "${url}"`);
+    else execSync(`xdg-open "${url}"`);
+  } catch {
+    console.log(`  Open this URL in your browser:\n  ${url}`);
+  }
+}
+
+function prompt(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+function promptHidden(question) {
+  return new Promise((resolve) => {
+    process.stdout.write(question);
+    const stdin = process.stdin;
+    stdin.setRawMode(true);
+    stdin.resume();
+    stdin.setEncoding("utf8");
+
+    let input = "";
+    const onData = (char) => {
+      if (char === "\n" || char === "\r" || char === "\u0004") {
+        stdin.setRawMode(false);
+        stdin.pause();
+        stdin.removeListener("data", onData);
+        process.stdout.write("\n");
+        resolve(input);
+      } else if (char === "\u0003") {
+        // ctrl+c
+        process.stdout.write("\n");
+        process.exit(0);
+      } else if (char === "\u007f" || char === "\b") {
+        // backspace
+        if (input.length > 0) {
+          input = input.slice(0, -1);
+          process.stdout.write("\b \b");
+        }
+      } else {
+        input += char;
+        process.stdout.write("*");
+      }
+    };
+    stdin.on("data", onData);
+  });
+}
+
+function requireToken() {
+  const token = loadToken();
+  if (!token) {
+    console.error("  Not logged in. Run: iframer login");
+    process.exit(1);
+  }
+  return token;
+}
+
+function authHeaders(token) {
+  return {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${token}`,
+  };
+}
+
+async function apiPost(endpoint, body, token) {
+  const res = await fetch(`${getServer()}${endpoint}`, {
+    method: "POST",
+    headers: authHeaders(token),
+    body: body ? JSON.stringify(body) : undefined,
+  });
+  return res.json();
+}
+
+async function apiGet(endpoint, token) {
+  const res = await fetch(`${getServer()}${endpoint}`, {
+    headers: authHeaders(token),
+  });
+  return res.json();
+}
+
+// Strip screenshot from response, save to file, print the rest as JSON
+function handleResponse(data, screenshotPath) {
+  const { screenshot, tileScreenshots, ...rest } = data;
+  if (screenshot && screenshotPath) {
+    fs.writeFileSync(screenshotPath, Buffer.from(screenshot, "base64"));
+    rest._screenshotSaved = screenshotPath;
+  }
+  if (tileScreenshots && tileScreenshots.length > 0) {
+    const tileDir = "/tmp/browser-tiles";
+    fs.mkdirSync(tileDir, { recursive: true });
+    const tilePaths = [];
+    for (const tile of tileScreenshots) {
+      if (tile.screenshot) {
+        const tilePath = `${tileDir}/tile-${tile.index}.png`;
+        fs.writeFileSync(tilePath, Buffer.from(tile.screenshot, "base64"));
+        tilePaths.push(tilePath);
+      }
+    }
+    rest._tilesSaved = tilePaths;
+  }
+  console.log(JSON.stringify(rest, null, 2));
+  if (!data.ok) process.exit(1);
+}
+
+// ─── Commands ────────────────────────────────────────────────────────
+
+async function login() {
+  if (loadToken()) {
+    console.log("Already logged in. Use 'logout' first to re-authenticate.");
+    return;
+  }
+
+  const server = getServer();
+
+  return new Promise((resolve, reject) => {
+    const localServer = http.createServer((req, res) => {
+      const url = new URL(req.url, "http://localhost");
+      if (url.pathname === "/callback") {
+        const token = url.searchParams.get("token");
+        if (token) {
+          saveToken(token);
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(`<!DOCTYPE html><html><body style="font-family:system-ui;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#0a0a0a;color:#4ade80"><h1>Authorized! You can close this tab.</h1></body></html>`);
+          console.log("\n  Authorized! Token saved to ~/.iframer/credentials.json");
+          localServer.close();
+          resolve();
+        } else {
+          res.writeHead(400, { "Content-Type": "text/plain" });
+          res.end("Missing token");
+          localServer.close();
+          reject(new Error("No token received"));
+        }
+      } else {
+        res.writeHead(404);
+        res.end();
+      }
+    });
+
+    localServer.listen(0, () => {
+      const port = localServer.address().port;
+      const callbackUrl = `http://localhost:${port}/callback`;
+      const authUrl = `${server}/auth/device?callback=${encodeURIComponent(callbackUrl)}`;
+      console.log("\n  Opening browser for authorization...");
+      openBrowser(authUrl);
+      console.log(`\n  If the browser didn't open, visit:\n  ${authUrl}\n`);
+      console.log("  Waiting for authorization...");
+    });
+
+    setTimeout(() => {
+      localServer.close();
+      reject(new Error("Authorization timed out after 2 minutes"));
+    }, 120_000);
+  });
+}
+
+// ─── CLI entry point ─────────────────────────────────────────────────
+
+const [,, command, ...args] = process.argv;
+
+async function main() {
+  switch (command) {
+    case "login":
+      await login();
+      break;
+
+    case "logout":
+      clearToken();
+      console.log("  Logged out. Token removed.");
+      break;
+
+    case "status": {
+      const token = loadToken();
+      if (token) {
+        console.log(`  Logged in`);
+        console.log(`  Server: ${getServer()}`);
+        console.log(`  Credentials: ${CREDENTIALS_FILE}`);
+      } else {
+        console.log("  Not logged in. Run 'login' to authenticate.");
+      }
+      break;
+    }
+
+    // ─── Credentials ───────────────────────────────────────────────
+
+    case "credentials": {
+      const token = requireToken();
+      const sub = args[0];
+
+      if (sub === "add") {
+        let domain = args[1];
+        const body = {};
+
+        // Check if flags were passed (non-interactive mode)
+        const hasFlags = args.some(a => a.startsWith("--"));
+
+        if (hasFlags && domain) {
+          // Non-interactive: parse flags
+          body.domain = domain;
+          for (let i = 2; i < args.length; i++) {
+            if (args[i] === "--username" && args[i + 1]) body.username = args[++i];
+            else if (args[i] === "--password" && args[i + 1]) body.password = args[++i];
+            else if (args[i] === "--totp-secret" && args[i + 1]) body.totp_secret = args[++i];
+          }
+        } else {
+          // Interactive: prompt for each field
+          console.log("");
+          if (!domain) {
+            domain = await prompt("  Domain (e.g. github.com): ");
+            if (!domain) { console.error("  Domain is required."); process.exit(1); }
+          }
+          body.domain = domain;
+
+          console.log(`\n  Storing credentials for ${domain}\n`);
+          body.username = await prompt("  Username / email: ");
+          body.password = await promptHidden("  Password: ");
+
+          const totp = await prompt("  TOTP secret (press Enter to skip): ");
+          if (totp) body.totp_secret = totp;
+        }
+
+        if (!body.username && !body.password) {
+          console.error("  Must provide at least username or password.");
+          process.exit(1);
+        }
+
+        const data = await apiPost("/credentials", body, token);
+        if (!data.ok) { console.error(`  Error: ${data.error}`); process.exit(1); }
+        console.log(`\n  Credentials stored for ${domain}`);
+
+      } else if (sub === "list") {
+        const data = await apiGet("/credentials", token);
+        if (!data.ok) { console.error(`  Error: ${data.error}`); process.exit(1); }
+        if (data.domains.length === 0) {
+          console.log("  No credentials stored.");
+        } else {
+          console.log("  Stored credentials:");
+          for (const d of data.domains) console.log(`    - ${d}`);
+        }
+
+      } else if (sub === "remove") {
+        const domain = args[1];
+        if (!domain) { console.error("  Usage: iframer credentials remove <domain>"); process.exit(1); }
+        const res = await fetch(`${getServer()}/credentials/${encodeURIComponent(domain)}`, {
+          method: "DELETE",
+          headers: authHeaders(token),
+        });
+        const data = await res.json();
+        if (!data.ok) { console.error(`  Error: ${data.error}`); process.exit(1); }
+        console.log(`  Credentials for ${domain} removed.`);
+
+      } else {
+        console.error("  Usage: iframer credentials <add|list|remove>");
+        process.exit(1);
+      }
+      break;
+    }
+
+    // ─── Headless fetch ────────────────────────────────────────────
+
+    case "fetch": {
+      const token = requireToken();
+      const url = args[0];
+      if (!url) {
+        console.error("  Usage: iframer fetch <url> [--extract <js>] [--html] [--sessionless]");
+        process.exit(1);
+      }
+      const options = {};
+      for (let i = 1; i < args.length; i++) {
+        if (args[i] === "--extract" && args[i + 1]) options.extract = args[++i];
+        else if (args[i] === "--html") options.returnHtml = true;
+        else if (args[i] === "--sessionless") options.sessionless = true;
+        else if (args[i] === "--wait-for" && args[i + 1]) options.waitForSelector = args[++i];
+        else if (args[i] === "--browser" && args[i + 1]) options.browser = args[++i];
+      }
+      const data = await apiPost("/fetch", { url, ...options }, token);
+      console.log(JSON.stringify(data, null, 2));
+      if (!data.ok) process.exit(1);
+      break;
+    }
+
+    // ─── Interactive session management ────────────────────────────
+
+    case "interactive": {
+      const token = requireToken();
+      const sub = args[0];
+
+      if (sub === "stop") {
+        const data = await apiPost("/interactive/stop", null, token);
+        if (!data.ok) { console.error(`  Error: ${data.error}`); process.exit(1); }
+        console.log("  Interactive session stopped. Session saved.");
+
+      } else if (sub === "status") {
+        const data = await apiGet("/interactive/status", token);
+        if (!data.ok) { console.error(`  Error: ${data.error}`); process.exit(1); }
+        if (!data.active) {
+          console.log("  No active interactive session.");
+        } else {
+          console.log(`  Active session`);
+          console.log(`  noVNC: ${data.noVncUrl}`);
+          console.log(`  Started: ${data.createdAt}`);
+        }
+
+      } else if (sub) {
+        // Start session with URL
+        const data = await apiPost("/interactive/start", { url: sub }, token);
+        if (!data.ok) { console.error(`  Error: ${data.error}`); process.exit(1); }
+        console.log(`\n  Interactive session started!`);
+        console.log(`  noVNC: ${data.noVncUrl}\n`);
+        console.log(`  Stop with: iframer interactive stop`);
+        openBrowser(data.noVncUrl);
+
+      } else {
+        console.error("  Usage: iframer interactive <url|stop|status>");
+        process.exit(1);
+      }
+      break;
+    }
+
+    // ─── Watch (poll for active session and open noVNC) ─────────────
+
+    case "watch": {
+      const token = requireToken();
+      console.log("  Watching for interactive session...\n");
+
+      const poll = async () => {
+        try {
+          const data = await apiGet("/interactive/status", token);
+          if (data.ok && data.active) return data.noVncUrl;
+        } catch {}
+        return null;
+      };
+
+      // Check immediately
+      let vncUrl = await poll();
+      if (vncUrl) {
+        console.log(`  Session active! Opening noVNC viewer...`);
+        console.log(`  ${vncUrl}\n`);
+        openBrowser(vncUrl);
+      }
+
+      // Keep polling and reopen if session restarts
+      let lastUrl = vncUrl;
+      const interval = setInterval(async () => {
+        const url = await poll();
+        if (url && url !== lastUrl) {
+          console.log(`  New session detected! Opening noVNC viewer...`);
+          console.log(`  ${url}\n`);
+          openBrowser(url);
+        }
+        lastUrl = url;
+      }, 2000);
+
+      // Keep process alive, clean exit on ctrl+c
+      process.on("SIGINT", () => {
+        clearInterval(interval);
+        console.log("\n  Stopped watching.");
+        process.exit(0);
+      });
+
+      // Block forever
+      await new Promise(() => {});
+      break;
+    }
+
+    // ─── Screenshot ────────────────────────────────────────────────
+
+    case "screenshot": {
+      const token = requireToken();
+      const outPath = args[0] || "/tmp/browser-screenshot.png";
+      const res = await fetch(`${getServer()}/interactive/screenshot?format=raw`, {
+        headers: authHeaders(token),
+      });
+      if (!res.ok) {
+        const data = await res.json();
+        console.error(`  Error: ${data.error}`);
+        process.exit(1);
+      }
+      const buffer = Buffer.from(await res.arrayBuffer());
+      fs.writeFileSync(outPath, buffer);
+      console.log(outPath);
+      break;
+    }
+
+    // ─── Act (send action to interactive session) ──────────────────
+
+    case "act": {
+      const token = requireToken();
+      const actionType = args[0];
+      if (!actionType) {
+        console.error(`  Usage: iframer act <action-type> [options]
+
+  Actions:
+    click <selector>                Click an element
+    human-click <selector>          Click with human-like mouse movement
+    human-click <x> <y>             Click at coordinates with human-like movement
+    human-type <selector> <text>    Type with human-like keystroke timing
+    navigate <url>                  Navigate to a URL
+    scroll [deltaY]                 Scroll the page
+    wait <ms>                       Wait for milliseconds
+    evaluate <expression>           Evaluate JavaScript
+    wait-for-selector <selector>    Wait for element to appear
+    keyboard <key>                  Press a keyboard key
+
+  reCAPTCHA:
+    recaptcha-click                 Click the reCAPTCHA checkbox
+    recaptcha-select <tiles...>     Click tiles by index (e.g. 0 2 5)
+    recaptcha-verify                Click the verify button
+    recaptcha-info                  Get challenge info without clicking
+
+  Output:
+    Every action returns a screenshot saved to /tmp/browser-act.png`);
+        process.exit(1);
+      }
+
+      let action = {};
+      const screenshotPath = "/tmp/browser-act.png";
+
+      switch (actionType) {
+        case "click":
+          action = { type: "click", selector: args[1] };
+          break;
+        case "human-click":
+          if (args[1] && !isNaN(args[1]) && args[2] && !isNaN(args[2])) {
+            action = { type: "human-click", x: parseFloat(args[1]), y: parseFloat(args[2]) };
+          } else {
+            action = { type: "human-click", selector: args[1] };
+          }
+          break;
+        case "human-type":
+          action = { type: "human-type", selector: args[1], value: args.slice(2).join(" ") };
+          break;
+        case "navigate":
+          action = { type: "navigate", url: args[1], waitUntil: args[2] || "networkidle" };
+          break;
+        case "scroll":
+          action = { type: "scroll", deltaY: args[1] ? parseInt(args[1]) : undefined };
+          break;
+        case "wait":
+          action = { type: "wait", ms: parseInt(args[1]) || 1000 };
+          break;
+        case "evaluate":
+          action = { type: "evaluate", expression: args.slice(1).join(" ") };
+          break;
+        case "wait-for-selector":
+          action = { type: "wait-for-selector", selector: args[1], timeout: args[2] ? parseInt(args[2]) : undefined };
+          break;
+        case "keyboard":
+          action = { type: "keyboard", key: args[1] };
+          break;
+        case "recaptcha-click":
+          action = { type: "recaptcha-click" };
+          break;
+        case "recaptcha-select":
+          action = { type: "recaptcha-select", tiles: args.slice(1).map(Number) };
+          break;
+        case "recaptcha-verify":
+          action = { type: "recaptcha-verify" };
+          break;
+        case "recaptcha-info":
+          action = { type: "recaptcha-info" };
+          break;
+        default:
+          console.error(`  Unknown action: ${actionType}`);
+          process.exit(1);
+      }
+
+      const data = await apiPost("/interactive/act", { action }, token);
+      handleResponse(data, screenshotPath);
+      break;
+    }
+
+    // ─── Help ──────────────────────────────────────────────────────
+
+    default:
+      console.log(`
+  iframer - CLI for the Agentic Browser API
+
+  Commands:
+    login                          Authenticate with the server
+    logout                         Remove saved credentials
+    status                         Show current auth status
+
+  Credentials:
+    credentials add <domain>       Store login credentials (encrypted, server-side)
+      --username <user>            Username or email
+      --password <pass>            Password
+      --totp-secret <secret>       TOTP secret for 2FA
+    credentials list               List domains with stored credentials
+    credentials remove <domain>    Delete credentials for a domain
+
+  Headless:
+    fetch <url> [options]          Fetch a URL through the headless browser
+
+  Interactive (headful):
+    interactive <url>              Open a live browser session
+    interactive stop               Stop session and save state
+    interactive status             Check if session is active
+    watch                          Watch the agent work (opens noVNC when session starts)
+    screenshot [path]              Take a screenshot (default: /tmp/browser-screenshot.png)
+    act <action> [args...]         Send an action to the interactive browser
+
+  Actions (use with 'act'):
+    click <selector>               Click an element
+    human-click <selector|x y>     Human-like click
+    human-type <selector> <text>   Human-like typing
+    navigate <url>                 Go to URL
+    scroll [pixels]                Scroll page
+    wait <ms>                      Wait
+    evaluate <js>                  Run JavaScript
+    keyboard <key>                 Press key
+    recaptcha-click                Click reCAPTCHA checkbox
+    recaptcha-select <tiles...>    Select tiles (e.g. act recaptcha-select 0 2 5)
+    recaptcha-verify               Click verify button
+    recaptcha-info                 Get challenge metadata
+
+  Fetch options:
+    --extract <js>                 JavaScript to evaluate on page
+    --html                         Return full page HTML
+    --sessionless                  Skip session persistence
+    --wait-for <selector>          Wait for element
+    --browser <name>               Browser preference
+
+  Environment:
+    IFRAMER_URL            Server URL (default: ${DEFAULT_SERVER})
+`);
+      break;
+  }
+}
+
+main().catch((err) => {
+  console.error(`  ${err.message}`);
+  process.exit(1);
+});

package/index.js

@@ -0,0 +1,520 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+import { readFileSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+
+// ─── Config ──────────────────────────────────────────────────────────
+
+const BASE_URL = process.env.IFRAMER_URL || "https://api.iframer.sh";
+const CREDENTIALS_PATH = join(homedir(), ".iframer", "credentials.json");
+
+let cachedToken = null;
+
+function loadToken() {
+  if (cachedToken) return cachedToken;
+  try {
+    const data = JSON.parse(readFileSync(CREDENTIALS_PATH, "utf8"));
+    cachedToken = data.token;
+    return cachedToken;
+  } catch {
+    throw new Error("Not logged in. Run: iframer login");
+  }
+}
+
+function authHeaders() {
+  return {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${loadToken()}`,
+  };
+}
+
+async function apiPost(endpoint, body) {
+  const res = await fetch(`${BASE_URL}${endpoint}`, {
+    method: "POST",
+    headers: authHeaders(),
+    body: body ? JSON.stringify(body) : undefined,
+  });
+  return res.json();
+}
+
+async function apiGet(endpoint) {
+  const res = await fetch(`${BASE_URL}${endpoint}`, { headers: authHeaders() });
+  return res.json();
+}
+
+async function apiDelete(endpoint) {
+  const res = await fetch(`${BASE_URL}${endpoint}`, {
+    method: "DELETE",
+    headers: authHeaders(),
+  });
+  return res.json();
+}
+
+function errorResponse(message) {
+  return { content: [{ type: "text", text: message }], isError: true };
+}
+
+// ─── MCP Server ──────────────────────────────────────────────────────
+
+const server = new McpServer({
+  name: "iframer",
+  version: "1.0.0",
+  instructions: `iframer — a headful/headless browser for AI agents.
+
+CRITICAL: NEVER use the CLI (bin/cli.js) or bash commands. NEVER tell the user to run CLI commands. Use ONLY these MCP tools. Everything works through MCP — no bash, no curl, no CLI.
+
+WORKFLOW:
+1. Call "status" FIRST to check API, auth, sessions, and credentials.
+2. For simple page fetches, use "browse" (headless, fast, cheap).
+3. For anything requiring vision (CAPTCHAs, login forms, 2FA), use "interactive_start" then "interactive_act".
+4. Screenshots are returned as URLs. Use Read tool to view them ONLY when you need to see the page.
+5. Skip screenshots (screenshot: false) when you already know what to click.
+6. For logins: check credentials with "status". If credentials are missing, call "store_credentials" to prompt the user — NEVER tell them to use the CLI. Then use "login" tool.
+7. Always call "interactive_stop" when done to save session state.
+
+MINIMIZE TOKEN USAGE: Don't screenshot every action. Only look when you need to decide what to do next.
+NEVER use bash/CLI. NEVER suggest CLI commands to the user. ALL interaction goes through these MCP tools.`,
+});
+
+// ─── Tool 0: status (call this first) ────────────────────────────────
+
+server.tool(
+  "status",
+  `Get the full state of iframer in one call. CALL THIS FIRST before doing anything else. Returns: API health, auth status, active sessions, stored credentials. This eliminates the need for discovery.`,
+  {},
+  async () => {
+    try {
+      const status = { api: false, authenticated: false, session: null, credentials: [] };
+
+      // Check API health
+      try {
+        const health = await fetch(`${BASE_URL}/health`);
+        const data = await health.json();
+        status.api = data.ok === true;
+      } catch {
+        return { content: [{ type: "text", text: `API not running at ${BASE_URL}. Start it with: bun run start:docker` }], isError: true };
+      }
+
+      // Check auth
+      try {
+        loadToken();
+        status.authenticated = true;
+      } catch {
+        return { content: [{ type: "text", text: JSON.stringify({ ...status, authenticated: false, message: "Not logged in. Run: iframer login" }, null, 2) }] };
+      }
+
+      // Check interactive session
+      try {
+        const sessionData = await apiGet("/interactive/status");
+        if (sessionData.ok && sessionData.active) {
+          status.session = { active: true, noVncUrl: sessionData.noVncUrl, createdAt: sessionData.createdAt };
+        } else {
+          status.session = { active: false };
+        }
+      } catch {}
+
+      // Check stored credentials
+      try {
+        const credData = await apiGet("/credentials");
+        if (credData.ok) status.credentials = credData.domains;
+      } catch {}
+
+      return { content: [{ type: "text", text: JSON.stringify(status, null, 2) }] };
+    } catch (err) {
+      return errorResponse(`Error: ${err.message}`);
+    }
+  }
+);
+
+// ─── Tool 1: browse ──────────────────────────────────────────────────
+
+server.tool(
+  "browse",
+  "Fetch a web page using a headless browser. Renders JavaScript, can execute actions (click, fill, scroll), and extract data. Session cookies persist across calls.",
+  {
+    url: z.string().describe("URL to navigate to"),
+    extract: z.string().optional().describe("JavaScript expression to evaluate on the page (e.g. 'document.title')"),
+    actions: z.array(z.object({
+      type: z.enum(["click", "fill", "wait", "scroll", "human-click", "human-type"]),
+      selector: z.string().optional(),
+      value: z.string().optional(),
+      ms: z.number().optional(),
+    })).optional().describe("Actions to execute before extracting"),
+    returnHtml: z.boolean().optional().describe("Return full page HTML"),
+    waitForSelector: z.string().optional().describe("Wait for this CSS selector before proceeding"),
+    sessionless: z.boolean().optional().describe("Skip session persistence for this request"),
+  },
+  async (params) => {
+    try {
+      const data = await apiPost("/fetch", params);
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+      const { html, ...rest } = data;
+      const text = html
+        ? JSON.stringify(rest, null, 2) + "\n\n--- HTML ---\n" + html
+        : JSON.stringify(rest, null, 2);
+      return { content: [{ type: "text", text }] };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 2: interactive_start ───────────────────────────────────────
+
+server.tool(
+  "interactive_start",
+  "Start an interactive headful browser session. Opens a real Chromium window (streamed via noVNC). Use this when you need to see and interact with the page — CAPTCHAs, 2FA, login flows, etc.",
+  {
+    url: z.string().optional().describe("URL to navigate to on start"),
+  },
+  async (params) => {
+    try {
+      const data = await apiPost("/interactive/start", params);
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+      return {
+        content: [{
+          type: "text",
+          text: `Interactive session started.\nnoVNC viewer: ${data.noVncUrl}\n\nUse interactive_screenshot to see the page, interactive_act to interact with it.`,
+        }],
+      };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 3: interactive_screenshot ──────────────────────────────────
+
+server.tool(
+  "interactive_screenshot",
+  "Take a screenshot of the current interactive browser session. Returns a URL to the image — use Read tool or WebFetch to view it.",
+  {},
+  async () => {
+    try {
+      const data = await apiGet("/interactive/screenshot");
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+      return {
+        content: [{
+          type: "text",
+          text: `Page: ${data.title}\nURL: ${data.url}\nScreenshot: ${data.screenshotUrl}`,
+        }],
+      };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 4: interactive_act ─────────────────────────────────────────
+
+server.tool(
+  "interactive_act",
+  `Send an action to the interactive browser and get a screenshot URL of the result.
+
+Actions: click, human-click, human-type, fill, navigate, scroll, wait, evaluate, wait-for-selector, keyboard.
+reCAPTCHA: recaptcha-click (click checkbox), recaptcha-select (select tiles by index), recaptcha-verify (click verify), recaptcha-info (get challenge metadata).
+
+Screenshots are saved as files and returned as URLs. Use Read tool to view them. For reCAPTCHA, individual tile image URLs are returned.`,
+  {
+    action: z.enum([
+      "click", "human-click", "human-type", "fill",
+      "navigate", "scroll", "wait", "evaluate",
+      "wait-for-selector", "keyboard",
+      "recaptcha-click", "recaptcha-select", "recaptcha-verify", "recaptcha-info",
+    ]).describe("Action type to perform"),
+    selector: z.string().optional().describe("CSS selector (for click, fill, human-click, human-type, wait-for-selector)"),
+    value: z.string().optional().describe("Value to type (for fill, human-type)"),
+    url: z.string().optional().describe("URL for navigate action"),
+    x: z.number().optional().describe("X coordinate for human-click"),
+    y: z.number().optional().describe("Y coordinate for human-click"),
+    deltaY: z.number().optional().describe("Scroll pixels (default: full page)"),
+    ms: z.number().optional().describe("Milliseconds for wait action"),
+    expression: z.string().optional().describe("JavaScript for evaluate action"),
+    key: z.string().optional().describe("Key for keyboard action (e.g. Enter, Tab)"),
+    tiles: z.array(z.number()).optional().describe("Tile indices for recaptcha-select (e.g. [0, 2, 5])"),
+    timeout: z.number().optional().describe("Timeout in ms for wait-for-selector"),
+    screenshot: z.boolean().optional().describe("Set to false to skip screenshot (faster)"),
+  },
+  async (params) => {
+    try {
+      const { action: actionType, screenshot: wantScreenshot, ...rest } = params;
+      const actionObj = { type: actionType };
+
+      for (const [key, val] of Object.entries(rest)) {
+        if (val !== undefined) actionObj[key] = val;
+      }
+
+      const data = await apiPost("/interactive/act", { action: actionObj, screenshot: wantScreenshot });
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+
+      const textData = { url: data.url, title: data.title };
+      if (data.result !== null && data.result !== undefined) textData.result = data.result;
+      if (data.screenshotUrl) textData.screenshotUrl = data.screenshotUrl;
+
+      // Include tile URLs for reCAPTCHA
+      if (data.tileUrls && data.tileUrls.length > 0) {
+        textData.tileUrls = data.tileUrls;
+      }
+
+      return { content: [{ type: "text", text: JSON.stringify(textData, null, 2) }] };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 4b: interactive_batch ──────────────────────────────────────
+
+server.tool(
+  "interactive_batch",
+  `Run multiple actions in a single call. Much faster than calling interactive_act repeatedly.
+Each action is an object with a "type" and its parameters. Actions run sequentially. Stops on first error unless continueOnError is true.
+Only one screenshot is taken at the end (or none if screenshot: false).
+
+Example: [
+  {"type": "navigate", "url": "https://example.com"},
+  {"type": "wait", "ms": 2000},
+  {"type": "click", "selector": "#login"},
+  {"type": "evaluate", "expression": "document.title"}
+]`,
+  {
+    actions: z.array(z.object({
+      type: z.string().describe("Action type"),
+      selector: z.string().optional(),
+      value: z.string().optional(),
+      url: z.string().optional(),
+      x: z.number().optional(),
+      y: z.number().optional(),
+      deltaY: z.number().optional(),
+      ms: z.number().optional(),
+      expression: z.string().optional(),
+      key: z.string().optional(),
+      tiles: z.array(z.number()).optional(),
+      timeout: z.number().optional(),
+      waitUntil: z.string().optional(),
+    })).describe("Array of actions to execute sequentially"),
+    screenshot: z.boolean().optional().describe("Take screenshot at the end (default true)"),
+    continueOnError: z.boolean().optional().describe("Continue executing actions even if one fails"),
+  },
+  async (params) => {
+    try {
+      const data = await apiPost("/interactive/batch", params);
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+
+      const textData = {
+        url: data.url,
+        title: data.title,
+        results: data.results,
+      };
+      if (data.screenshotUrl) textData.screenshotUrl = data.screenshotUrl;
+
+      return { content: [{ type: "text", text: JSON.stringify(textData, null, 2) }] };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 5: interactive_stop ────────────────────────────────────────
+
+server.tool(
+  "interactive_stop",
+  "Stop the interactive browser session and save session state (cookies, localStorage) for future use.",
+  {},
+  async () => {
+    try {
+      const data = await apiPost("/interactive/stop");
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+      return {
+        content: [{ type: "text", text: `Session stopped. State saved: ${data.sessionSaved}` }],
+      };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 6: interactive_status ──────────────────────────────────────
+
+server.tool(
+  "interactive_status",
+  "Check if an interactive browser session is currently active.",
+  {},
+  async () => {
+    try {
+      const data = await apiGet("/interactive/status");
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+      if (!data.active) {
+        return { content: [{ type: "text", text: "No active interactive session." }] };
+      }
+      return {
+        content: [{
+          type: "text",
+          text: `Active session\nnoVNC: ${data.noVncUrl}\nStarted: ${data.createdAt}`,
+        }],
+      };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 7: clear_session ───────────────────────────────────────────
+
+server.tool(
+  "clear_session",
+  "Clear all stored browser session data (cookies, localStorage). Start fresh on next browse.",
+  {},
+  async () => {
+    try {
+      const data = await apiDelete("/session");
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+      return { content: [{ type: "text", text: "Session cleared." }] };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 8: login ──────────────────────────────────────────────────
+
+server.tool(
+  "login",
+  `Log into a website using stored credentials. The server handles the login — passwords never enter the AI context.
+
+Users must store credentials first via store_credentials tool or CLI.
+
+The agent provides CSS selectors for the login form fields. The server decrypts credentials internally, fills the form with human-like typing, and clicks submit. If TOTP 2FA is configured, it generates and enters the code automatically.
+
+IMPORTANT: You will never see the actual credentials. You only need to identify the form selectors on the page.`,
+  {
+    domain: z.string().describe("Domain to log into (must match stored credentials, e.g. 'github.com')"),
+    usernameSelector: z.string().optional().describe("CSS selector for the username/email input field"),
+    passwordSelector: z.string().optional().describe("CSS selector for the password input field"),
+    submitSelector: z.string().optional().describe("CSS selector for the submit/login button"),
+    totpSelector: z.string().optional().describe("CSS selector for the TOTP/2FA code input (if applicable)"),
+  },
+  async (params) => {
+    try {
+      const data = await apiPost("/credentials/login", params);
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+
+      const result = {
+        message: data.message,
+        totpGenerated: data.totpGenerated,
+        url: data.url,
+        title: data.title,
+      };
+      if (data.screenshotUrl) result.screenshotUrl = data.screenshotUrl;
+
+      return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 9: list_credentials ───────────────────────────────────────
+
+server.tool(
+  "list_credentials",
+  "List domains for which the user has stored login credentials. Returns only domain names, never the actual credential values.",
+  {},
+  async () => {
+    try {
+      const data = await apiGet("/credentials");
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+      if (data.domains.length === 0) {
+        return { content: [{ type: "text", text: "No credentials stored. User can add them with: iframer credentials add <domain>" }] };
+      }
+      return {
+        content: [{ type: "text", text: `Stored credentials for:\n${data.domains.map(d => `  - ${d}`).join("\n")}` }],
+      };
+    } catch (err) {
+      return errorResponse(`Connection error: ${err.message}. Is the API running at ${BASE_URL}?`);
+    }
+  }
+);
+
+// ─── Tool 10: store_credentials ─────────────────────────────────────
+
+server.tool(
+  "store_credentials",
+  `Store login credentials for a website. Prompts the user directly for their username, password, and optional TOTP secret. Credentials are encrypted and stored server-side — the AI never sees them.
+
+ALWAYS call this tool when credentials are needed but not stored. NEVER tell the user to run CLI commands — this tool handles it via a secure prompt.`,
+  {
+    domain: z.string().describe("Domain to store credentials for (e.g. 'github.com', 'mercadolivre.com.br')"),
+  },
+  async ({ domain }) => {
+    try {
+      const result = await server.server.elicitInput({
+        mode: "form",
+        message: `Enter your login credentials for ${domain}.\nThese will be encrypted and stored securely. The AI will never see them.`,
+        requestedSchema: {
+          type: "object",
+          properties: {
+            username: {
+              type: "string",
+              title: "Username / Email",
+              description: "Your username or email for this site",
+              minLength: 1,
+            },
+            password: {
+              type: "string",
+              title: "Password",
+              description: "Your password",
+              minLength: 1,
+            },
+            totp_secret: {
+              type: "string",
+              title: "TOTP Secret (optional)",
+              description: "Your authenticator app secret key for automatic 2FA. Leave empty if not using TOTP.",
+            },
+          },
+          required: ["username", "password"],
+        },
+      });
+
+      if (result.action === "decline" || !result.content) {
+        return { content: [{ type: "text", text: "Credential storage cancelled by user." }] };
+      }
+
+      const { username, password, totp_secret } = result.content;
+      const data = await apiPost("/credentials", {
+        domain,
+        username,
+        password,
+        totp_secret: totp_secret || undefined,
+      });
+
+      if (!data.ok) return errorResponse(`Error: ${data.error}`);
+
+      return {
+        content: [{
+          type: "text",
+          text: `Credentials stored securely for ${domain}. Use the login tool to log in.`,
+        }],
+      };
+    } catch (err) {
+      if (err.message?.includes("does not support")) {
+        return {
+          content: [{
+            type: "text",
+            text: `This client doesn't support secure input prompts. Please store credentials via the CLI instead:\n\niframer credentials add ${domain}`,
+          }],
+          isError: true,
+        };
+      }
+      return errorResponse(`Error: ${err.message}`);
+    }
+  }
+);
+
+// ─── Start ───────────────────────────────────────────────────────────
+
+const transport = new StdioServerTransport();
+await server.connect(transport);

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "iframer-cli",
+  "version": "1.0.0",
+  "description": "CLI and MCP server for iframer — a headful/headless browser for AI agents",
+  "type": "module",
+  "main": "index.js",
+  "bin": {
+    "iframer-mcp": "./index.js",
+    "iframer": "./cli.cjs"
+  },
+  "keywords": [
+    "mcp",
+    "browser",
+    "ai-agent",
+    "playwright",
+    "headless",
+    "automation",
+    "claude",
+    "model-context-protocol"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/EduardoFazolo/iframer-agentic-browser"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.0"
+  }
+}