npm - looking-glass-mcp - Versions diffs - 2.2.0 → 3.0.0 - Mend

looking-glass-mcp 2.2.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -2,47 +2,73 @@
   <img src=".github/assets/looking-glass-logo.png" alt="Looking Glass" width="600" />
 </p>
-# Looking Glass
+<h1 align="center">Looking Glass</h1>
-**Give your AI agent real eyes.** Looking Glass is an MCP server that hands Claude Code a full Chromium browser — 63 tools for navigating, clicking, screenshotting, testing, auditing, and automating any web application.
+<p align="center">
+  <strong>The AI-native browser for agents.</strong><br/>
+  72 MCP tools. Self-healing interactions. Semantic change detection. Structured extraction. Credential vault. Enterprise-grade security. Deploy anywhere.
+</p>
-Built by Sahib Sawhney. [MIT License](LICENSE).
+<p align="center">
+  <a href="#quickstart">Quickstart</a> &nbsp;|&nbsp;
+  <a href="#intelligence-layer">Intelligence</a> &nbsp;|&nbsp;
+  <a href="#tools">Tools</a> &nbsp;|&nbsp;
+  <a href="#deploy-to-azure">Deploy to Azure</a> &nbsp;|&nbsp;
+  <a href="#security">Security</a> &nbsp;|&nbsp;
+  <a href="#configuration">Configuration</a>
+</p>
----
+<p align="center">
+  <a href="https://portal.azure.com/#create/Microsoft.Template"><img src="https://aka.ms/deploytoazurebutton" alt="Deploy to Azure" /></a>
+</p>
-## Why Looking Glass?
+---
-Claude Code is powerful, but it is blind. It cannot see your web app, click your buttons, or verify your login flow actually works. Looking Glass fixes that.
+## What's New in v3.0
-```
-You:    "Does the checkout flow work on staging?"
+Looking Glass v3.0 transforms from a browser automation tool into an **AI-native intelligence platform**. The browser now thinks alongside the agent.
-Claude: Opens a real browser. Navigates to staging. Fills the cart.
-        Enters payment details. Clicks submit. Screenshots every step.
-        Checks for console errors. Monitors API responses.
-        "Checkout completes successfully. One warning: the /api/payment
-        endpoint took 4.2s — see the performance audit below."
-```
-This is not a mock. Not a simulation. Claude controls a real browser, sees real screenshots, and reads real DOM trees.
+- **Semantic change detection** -- after every action, the browser tells you *what changed* (modal opened, form validation failed, content added), not just the raw page state
+- **Self-healing interactions** -- every `browser_click`, `browser_type`, and `browser_hover` now has the test runner's self-healing: CSS selector fails? Automatic fallback to semantic resolution with confidence scoring
+- **Structured data extraction** -- `browser_extract` takes a schema and returns structured JSON from tables, repeated elements, or single-entity pages
+- **Intent-based navigation** -- `browser_go "settings page"` figures out how to get there
+- **Semantic waiting** -- `browser_wait_for "search results loaded"` instead of guessing CSS selectors
+- **Workflow tracking** -- every response includes page type, form progress, breadcrumbs, modal state, and step indicators
+- **Credential vault** -- AES-256-GCM encrypted credentials with PBKDF2 key derivation and blind injection (the agent never sees passwords)
+- **HTTP transport** -- deploy as a cloud service with `StreamableHTTPServerTransport`
+- **Docker + Terraform** -- one-command Azure deployment with Key Vault, managed identity, and hardened security
+- **Enterprise security** -- timing-safe auth, rate limiting, auth lockout, deep audit logging, non-root containers
 ---
-## Get Running in 60 Seconds
+## Quickstart
-**Option A** — Add directly to Claude Code:
+**Claude Code:**
 ```bash
 claude mcp add looking-glass -- npx looking-glass-mcp
 ```
-**Option B** — Install globally:
+**GitHub Copilot / VS Code:**
-```bash
-npm install -g looking-glass-mcp
+Add to `.vscode/mcp.json`:
+```json
+{
+  "servers": {
+    "looking-glass": {
+      "command": "npx",
+      "args": ["looking-glass-mcp"],
+      "env": {
+        "BROWSER_HEADLESS": "false",
+        "BROWSER_SECURITY_PROFILE": "local-dev"
+      }
+    }
+  }
+}
 ```
-**Option C** — Configure `.mcp.json` manually:
+**Any MCP client** via `.mcp.json`:
 ```json
 {
@@ -51,292 +77,384 @@ npm install -g looking-glass-mcp
       "command": "npx",
       "args": ["looking-glass-mcp"],
       "env": {
-        "BROWSER_HEADLESS": "false"
+        "BROWSER_HEADLESS": "false",
+        "BROWSER_SECURITY_PROFILE": "local-dev"
       }
     }
   }
 }
 ```
-Then just talk to Claude:
+**Global install:**
+```bash
+npm install -g looking-glass-mcp
+```
+Once connected, the agent can:
 ```
 "Open localhost:3000 and tell me what you see"
+"Extract all products from this page as JSON with name, price, and rating"
+"Go to the settings page"
+"Wait for the search results to load, then extract the table"
 "Run an accessibility audit on the landing page"
-"Test the signup flow with an invalid email"
-"Explore the entire site and map all the pages"
+"Log in with vault profile staging-admin"
 ```
 ---
-## The 63-Tool Arsenal
+## Intelligence Layer
-Looking Glass ships with **63 MCP tools** organized across 7 categories. Every interaction and navigation tool automatically returns a **page state envelope** — URL, title, console errors, failed requests, and a screenshot — so the agent never needs follow-up calls to see what happened.
+These capabilities run **automatically** on every interaction -- no extra tool calls needed.
-### Core Browser Control
+### Semantic Change Detection
-| Tool | What it does |
-|------|-------------|
-| `browser_navigate` | Go to any URL |
-| `browser_click` | Click by CSS selector or plain text |
-| `browser_smart_click` | Click by natural language description ("the blue Submit button") |
-| `browser_type` | Fill input fields |
-| `browser_hover` | Hover over elements |
-| `browser_drag` | Drag and drop |
-| `browser_select_option` | Choose from dropdowns |
-| `browser_press_key` | Keyboard input (Enter, Tab, Escape, etc.) |
-| `browser_scroll` | Scroll page or scroll to a specific element |
-| `browser_go_back` / `browser_go_forward` | History navigation |
-| `browser_tab_new` / `browser_tab_list` / `browser_tab_select` / `browser_close` | Multi-tab management |
-### AI-Native Intelligence
-These tools exist because an AI is the operator — they would be useless to a human.
-| Tool | What it does |
-|------|-------------|
-| `browser_analyze_page` | Returns structured page analysis: type (login, dashboard, form, error), available actions, forms, navigation links, data elements, and page state |
-| `browser_resolve_element` | Finds elements by natural language ("the email input", "third navigation link") with confidence scores, **visibility, enabled state, bounding box, and viewport position** |
-| `browser_smart_click` | Click elements described in plain English instead of fragile CSS selectors. Returns page state envelope with screenshot. |
-| `browser_suggest_actions` | Examines the page and suggests what the agent should do next, with pre-filled tool parameters (returns structured JSON) |
-| `browser_explore` | Autonomously crawls the site within domain boundaries, classifies every page, and returns a complete site map (returns structured JSON) |
-| `browser_wait_until_stable` | Waits for true page readiness using multiple signals: network idle, DOM settled, spinners gone, images loaded |
-| `browser_login` | **Composite action**: navigates to login URL, auto-detects fields, fills credentials, submits, verifies redirect, reports cookies set — all in one call |
-| `browser_fill_and_submit` | **Composite action**: fills form fields by selector or label, submits, returns before/after state with screenshot |
-### Observation & Debugging
-| Tool | What it does |
-|------|-------------|
-| `browser_screenshot` | Capture viewport or full-page screenshot (returned inline) |
-| `browser_snapshot` | Get the full accessibility tree as structured text |
-| `browser_evaluate` | Execute arbitrary JavaScript in page context |
-| `browser_console_messages` | Read console logs, warnings, errors |
-| `browser_network_requests` | Monitor all HTTP requests and responses |
-| `browser_diagnose` | One-shot diagnostic bundle: console errors + failed requests + DOM context + screenshot |
-| `browser_error_report` | Catalog of all uncaught JS exceptions and failed resource loads |
-| `browser_snapshot_state` / `browser_diff_state` | Take a before/after snapshot and see exactly what changed on the page |
-| `browser_action_history` | Full journal of every action taken: tool, args, URL before/after, new errors, duration (returns structured JSON) |
-| `browser_clear_history` | Reset the action journal |
-### Storage & State Inspection
-| Tool | What it does |
-|------|-------------|
-| `browser_get_cookies` / `browser_set_cookie` | Read and write browser cookies |
-| `browser_get_localstorage` / `browser_set_localstorage` | Read and write localStorage entries |
-| `browser_clear_storage` | Clear cookies, localStorage, sessionStorage, or all at once |
-| `browser_clean_slate` | Nuclear option: wipe cookies, localStorage, sessionStorage, IndexedDB, and Cache API |
+After every click, type, or navigation, the response includes a `Changes Detected` section:
+```
+--- Changes Detected ---
+* Modal appeared: "Confirm Order"
+* 3 table rows added
+* Form validation: Please enter a valid email
+* Loading completed
+```
+The browser captures a page snapshot before and after each action, then categorizes the differences into 11 semantic change types: `url_changed`, `title_changed`, `modal_opened`, `modal_closed`, `alert_appeared`, `form_validation`, `content_added`, `content_removed`, `loading_started`, `loading_finished`, `toast_notification`.
-### Test Automation
+### Self-Healing Interactions
-| Tool | What it does |
+Every interaction tool (`browser_click`, `browser_type`, `browser_hover`, `browser_select_option`) now uses the same resolution chain as the test runner:
+1. Try the CSS selector (fast path, 2s timeout)
+2. If it fails, resolve semantically via the accessibility tree (role, text, label, placeholder matching)
+3. Report which strategy worked and the confidence score
+```
+Clicked: "Submit Order" (resolved via getByRole('button', {name: 'Submit Order'}), confidence: 0.92)
+```
+If the CSS selector failed and semantic resolution succeeded:
+```
+Self-healed: selector "#old-btn" failed -> resolved via getByText('Submit') (confidence: 0.85)
+```
+### Workflow Context
+Every response includes workflow intelligence:
+```
+--- Workflow ---
+Page: form (populated) | Step: Payment (3/5) | Form: 2/6 filled | Required: phone, address
+```
+Detects: page type (login, dashboard, form, listing, article, error), breadcrumbs, step indicators (wizard/stepper), form progress (filled/remaining/validation errors), active modals, and toast notifications.
+---
+## Tools
+Looking Glass ships with **72 tools** across 10 categories.
+### Browser Control (11 tools)
+| Tool | Description |
+|------|-------------|
+| `browser_navigate` | Navigate to a URL |
+| `browser_click` | Click by CSS selector or text (self-healing) |
+| `browser_type` | Fill an input field (self-healing) |
+| `browser_hover` | Hover over an element (self-healing) |
+| `browser_drag` | Drag and drop between elements |
+| `browser_select_option` | Select a dropdown option (self-healing) |
+| `browser_press_key` | Send keyboard input |
+| `browser_scroll` | Scroll the page or to a specific element |
+| `browser_go_back` / `browser_go_forward` | Navigate browser history |
+| `browser_tab_*` | Multi-tab management (new, list, select, close) |
+### AI Intelligence (13 tools)
+| Tool | Description |
 |------|-------------|
-| `test_scenario_run` | Execute multi-step test scenarios with smart element resolution, self-healing selectors, composite steps, and data-driven testing |
-| `test_scenario_status` | Check progress of a running scenario |
-| `test_assert` | Run a single assertion (12 types: exists, textContains, urlEquals, isVisible, etc.) |
-| `test_fill_form` | Auto-fill form fields by selector mapping |
-| `test_auth_flow` | Test complete login/signup flows end-to-end |
-| `test_watch_events` / `test_stop_watch` | Monitor DOM mutations, network requests, console errors, and dialogs |
-| `test_accessibility_audit` | WCAG 2.1 AA compliance audit with severity-ranked violations and fix suggestions |
-| `browser_performance_audit` | Core Web Vitals, page timing, resource analysis, and a performance score |
-| `test_generate_assertions` | Auto-detect what should be tested on the current page |
-| `test_chaos` / `test_chaos_clear` | Chaos testing: slow-3g, offline, block-api, random-delays, no-js, slow-cpu |
-### Session Recording & Visual Regression
-| Tool | What it does |
+| `browser_analyze_page` | Structured page analysis: type, forms, navigation, actions, data elements |
+| `browser_resolve_element` | Semantic element lookup with confidence scoring |
+| `browser_smart_click` | Click by natural language description |
+| `browser_suggest_actions` | Context-aware action recommendations |
+| `browser_explore` | Autonomous site crawl with page classification |
+| `browser_wait_until_stable` | Multi-signal page readiness detection |
+| `browser_login` | Composite login flow with auto-detection |
+| `browser_fill_and_submit` | Composite form fill and submit |
+| `browser_extract` | **NEW** Schema-driven structured data extraction |
+| `browser_go` | **NEW** Intent-based navigation ("go to settings") |
+| `browser_wait_for` | **NEW** Semantic condition waiting ("results loaded") |
+| `browser_workflow` | **NEW** On-demand workflow context |
+### Credential Vault (5 tools)
+| Tool | Description |
 |------|-------------|
-| `session_start` / `session_end` / `session_list` | Record browser sessions with action timelines |
-| `session_export_playwright` | Convert a recorded session into a standalone Playwright `.spec.ts` test file |
-| `visual_baseline` / `visual_compare` | Pixel-level visual regression testing with diff images |
+| `vault_store` | Store encrypted credential profile (AES-256-GCM + PBKDF2) |
+| `vault_list` | List profile names and timestamps (no values) |
+| `vault_delete` | Delete a credential profile |
+| `vault_login` | Login using a vault profile (blind injection) |
+| `vault_inject` | Fill form fields from vault without submitting |
-### Request Mocking
+### Observation & Debugging (10 tools)
-| Tool | What it does |
-|------|-------------|
-| `browser_mock_route` | Intercept requests matching a URL pattern and return mock responses |
-| `browser_list_mocks` / `browser_clear_mocks` | Manage active mock routes |
+`browser_screenshot`, `browser_snapshot`, `browser_evaluate`, `browser_console_messages`, `browser_network_requests`, `browser_diagnose`, `browser_error_report`, `browser_snapshot_state` / `browser_diff_state`, `browser_action_history`
-### Enterprise & Reliability
+### Storage & State (6 tools)
-| Tool | What it does |
-|------|-------------|
-| `browser_health_check` | Verify the browser is responsive |
-| `browser_recover` | Auto-recover from crashes by relaunching and restoring the last URL |
+`browser_get_cookies` / `browser_set_cookie`, `browser_get_localstorage` / `browser_set_localstorage`, `browser_clear_storage`, `browser_clean_slate`
----
+### Test Automation (12 tools)
-## Test Scenarios
+`test_scenario_run`, `test_scenario_status`, `test_assert`, `test_fill_form`, `test_auth_flow`, `test_watch_events` / `test_stop_watch`, `test_accessibility_audit`, `browser_performance_audit`, `test_generate_assertions`, `test_chaos` / `test_chaos_clear`
-Define multi-step test flows in JSON and run them with `test_scenario_run`. Steps support **smart element resolution** — use `query` for natural language element matching, `selector` for CSS selectors, or both (selector is tried first, query is the self-healing fallback).
+### Session & Visual (5 tools)
-### Basic scenario with CSS selectors
+`session_start` / `session_end` / `session_list`, `session_export_playwright`, `visual_baseline` / `visual_compare`
-```json
-{
-  "name": "Login Flow",
-  "steps": [
-    { "name": "Navigate", "action": "navigate", "url": "http://localhost:3000/login" },
-    { "name": "Enter email", "action": "type", "selector": "input[type='email']", "value": "user@test.com" },
-    { "name": "Enter password", "action": "type", "selector": "input[type='password']", "value": "secret" },
-    { "name": "Submit", "action": "click", "selector": "button[type='submit']" },
-    { "name": "Verify redirect", "action": "assert", "type": "urlContains", "expected": "/dashboard" },
-    { "name": "Capture result", "action": "screenshot", "screenshotName": "post-login" }
-  ]
-}
-```
+### Request Mocking (3 tools)
-### Smart scenario with natural language queries
+`browser_mock_route`, `browser_list_mocks`, `browser_clear_mocks`
-```json
-{
-  "name": "Login Flow (smart)",
-  "steps": [
-    { "name": "Navigate", "action": "navigate", "url": "http://localhost:3000/login" },
-    { "name": "Enter email", "action": "type", "query": "email input", "value": "user@test.com" },
-    { "name": "Enter password", "action": "type", "query": "password field", "value": "secret" },
-    { "name": "Submit", "action": "click", "query": "sign in button" },
-    { "name": "Verify redirect", "action": "assert", "type": "urlContains", "expected": "/dashboard" }
-  ]
-}
-```
+### Reliability (2 tools)
-### Self-healing selectors
+`browser_health_check`, `browser_recover`
-Provide both `selector` and `query`. The selector is tried first (fast). If it fails (DOM changed, class renamed), the query resolves the element semantically via the accessibility tree. The step is marked `[HEALED]` in the results so you know it happened.
+---
-```json
-{ "name": "Submit", "action": "click", "selector": "button.btn-login", "query": "the login button" }
-```
+## Deploy to Azure
-### Composite steps
+Looking Glass can be deployed as a cloud service on Azure Container Apps with persistent sessions, encrypted credential storage, and enterprise security.
-High-level actions that replace 5-6 atomic steps:
+### Prerequisites
-```json
-{ "name": "Log in", "action": "login", "url": "/login", "value": "admin@co.com", "password": "P@ssw0rd", "waitForSelector": ".dashboard" }
-```
+- [Terraform](https://terraform.io) >= 1.5
+- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) authenticated
+- [Docker](https://docker.com)
-```json
-{ "name": "Fill signup", "action": "fill_form", "fields": { "Email": "test@co.com", "Name": "Jane" }, "selector": "button.submit" }
-```
+### Quick Deploy
-```json
-{ "name": "Wait for page", "action": "wait_stable", "timeout": 5000 }
-```
+```bash
+# 1. Build and push the Docker image
+cd deploy/azure
+cp terraform.tfvars.example terraform.tfvars
+# Edit terraform.tfvars with your API key (32+ chars required)
-### Data-driven testing
+terraform init
+terraform apply
-Use `{{variable}}` placeholders and provide `dataSets` to run the same scenario with multiple inputs:
+# 2. Build and push the image to ACR
+bash build-and-push.sh
-```json
-{
-  "name": "Login with {{role}} user",
-  "steps": [
-    { "name": "Enter email", "action": "type", "query": "email input", "value": "{{username}}" },
-    { "name": "Enter password", "action": "type", "query": "password field", "value": "{{password}}" },
-    { "name": "Submit", "action": "click", "query": "sign in button" },
-    { "name": "Verify", "action": "assert", "type": "urlContains", "expected": "{{expectedUrl}}" }
-  ],
-  "dataSets": [
-    { "label": "admin", "variables": { "role": "admin", "username": "admin@co.com", "password": "Admin1!", "expectedUrl": "/dashboard" } },
-    { "label": "viewer", "variables": { "role": "viewer", "username": "view@co.com", "password": "View1!", "expectedUrl": "/readonly" } },
-    { "label": "invalid", "variables": { "role": "invalid", "username": "bad@co.com", "password": "wrong", "expectedUrl": "/login" } }
-  ]
-}
+# 3. Access your instance
+terraform output container_app_url
 ```
-### Full observability
+### What Gets Deployed
-Every step automatically captures a screenshot, page state (URL, console errors, network failures), and resolution details (method, confidence score, whether self-healing was used). Scenario results include aggregated resolution metrics.
+| Resource | Purpose |
+|----------|---------|
+| Azure Container Registry | Docker image storage |
+| Azure Container Apps | Runs Looking Glass (scale-to-zero) |
+| Azure Key Vault | Stores API key and vault encryption key |
+| Azure Files | Persistent session data and credentials |
+| Log Analytics | Container logs (90-day retention) |
+| Managed Identity | Secure auth between services (no passwords) |
-**18 step actions**: navigate, click, type, select, hover, scroll, press, waitForSelector, waitForText, waitForNavigation, waitForNetworkIdle, assert, screenshot, evaluate, sleep, login, fill_form, wait_stable
+### Security Features
-**12 assertion types**: exists, notExists, textContains, textEquals, hasAttribute, hasClass, isVisible, isEnabled, urlContains, urlEquals, countEquals, consoleNoErrors
+- **HTTPS** -- Azure Container Apps provides automatic TLS termination
+- **API key required** -- 32+ character key, stored in Key Vault
+- **Managed Identity** -- ACR pull and Key Vault access without stored credentials
+- **Non-root container** -- Runs as unprivileged `lglass` user
+- **Rate limiting** -- 120 req/min per IP, auth lockout after 5 failures
+- **Audit logging** -- Every tool call, auth event, and session lifecycle logged
----
+### Docker (standalone)
-## Configuration
+```bash
+docker build -t looking-glass .
+docker run -p 8080:8080 \
+  -e MCP_API_KEY=your-secret-key-at-least-32-chars \
+  -v looking-glass-data:/data \
+  looking-glass
+```
-Everything is configured through environment variables.
+---
-| Variable | Default | Purpose |
-|----------|---------|---------|
-| `BROWSER_HEADLESS` | `true` | Set `false` to watch the browser in real-time |
-| `BROWSER_ENGINE` | `chromium` | Browser engine: `chromium`, `firefox`, or `webkit` |
-| `BROWSER_VIEWPORT_WIDTH` | `1280` | Viewport width in pixels |
-| `BROWSER_VIEWPORT_HEIGHT` | `720` | Viewport height in pixels |
-| `BROWSER_TIMEOUT` | `30000` | Default operation timeout (ms) |
-| `BROWSER_SESSIONS_DIR` | `.browser-sessions` | Where screenshots, sessions, and audit logs are stored |
-| `BROWSER_SECURITY_PROFILE` | `local-dev` | Security profile (see below) |
-| `BROWSER_CHANNEL` | — | Specific browser channel (`chrome`, `msedge`) |
-| `BROWSER_PROXY_URL` | — | HTTP/HTTPS/SOCKS5 proxy for corporate environments |
-| `BROWSER_CA_CERT_PATH` | — | Path to custom CA certificate |
+## Security
+See [SECURITY.md](SECURITY.md) for the full security model.
 ### Security Profiles
 | Profile | URL Access | JS Execution | Tool Access | Rate Limit |
 |---------|-----------|--------------|-------------|------------|
+| `restricted` (default) | localhost only | Blocked | Observation only | 30/min |
 | `local-dev` | All HTTP/HTTPS | Allowed | All tools | 60/min |
-| `restricted` | localhost only | Blocked | Observation only | 30/min |
 | `open` | Everything | Allowed | All tools | 120/min |
+| `sandbox` | Blocked | Blocked | Observation only | 10/min |
+### HTTP Transport Security
+- API key **required** in HTTP mode (server exits if unset)
+- Timing-safe key comparison (no side-channel leakage)
+- Per-IP rate limiting with auth failure lockout (5 failures = 60s ban)
+- Session IDs via cryptographic `randomUUID()`
+### Credential Vault
+- AES-256-GCM encryption with PBKDF2 key derivation (100k iterations, SHA-512)
+- Field names and values encrypted together (no metadata leakage)
+- Vault file permissions restricted to owner (`0600`)
+- Agent never sees plaintext credentials -- blind injection only
+- `createdAt` and `lastUsedAt` tracking per profile
-The `restricted` profile enforces **read-only access** — the agent can screenshot and inspect but cannot click, type, or modify anything. Ideal for production monitoring.
+### Audit Trail
+Every operation is logged to `audit/audit-YYYY-MM-DD.jsonl`:
+- Tool calls with deep-redacted arguments
+- Auth successes and failures (with client IP)
+- Session start/end events
+- Policy violations
+- 20+ sensitive field patterns redacted recursively
 ---
-## Architecture
+## Configuration
-```mermaid
-graph TD
-    A[Claude Code] -->|MCP stdio| B[Looking Glass]
-    B -->|Playwright API| C[Browser Engine]
-    C -->|Screenshots + DOM| B
-    B -->|Inline images + text| A
+All configuration is through environment variables.
-    B --> D[Middleware Layer]
-    D --> E[Audit Logger]
-    D --> F[RBAC Policy]
+### Browser
-    B --> G[Session Recorder]
-    B --> H[Visual Comparator]
-```
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `BROWSER_HEADLESS` | `true` | Set to `false` to display the browser window |
+| `BROWSER_ENGINE` | `chromium` | `chromium`, `firefox`, or `webkit` |
+| `BROWSER_VIEWPORT_WIDTH` | `1280` | Viewport width in pixels |
+| `BROWSER_VIEWPORT_HEIGHT` | `720` | Viewport height in pixels |
+| `BROWSER_TIMEOUT` | `30000` | Default operation timeout (ms) |
+| `BROWSER_SESSIONS_DIR` | `.browser-sessions` | Directory for data storage |
+| `BROWSER_SECURITY_PROFILE` | `restricted` | Security profile |
+| `BROWSER_CHANNEL` | | Browser channel (`chrome`, `msedge`) |
+| `BROWSER_ENGINE` | `chromium` | Browser engine |
+| `BROWSER_PROXY_URL` | | HTTP/HTTPS/SOCKS5 proxy |
+| `BROWSER_VISUAL_THRESHOLD` | `0.1` | Pixel comparison threshold (increase for Firefox/WebKit) |
+| `BROWSER_PERSISTENT_CONTEXT` | `false` | Persist cookies/localStorage across restarts |
+| `BROWSER_USER_DATA_DIR` | `.browser-data` | User data directory for persistent context |
+### Transport
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `MCP_TRANSPORT` | `stdio` | `stdio` (local) or `http` (cloud) |
+| `MCP_HTTP_PORT` | `8080` | HTTP server port |
+| `MCP_API_KEY` | | **Required in HTTP mode.** Minimum 32 characters. |
-Looking Glass sits between Claude Code and a real browser. Every tool invocation passes through a middleware layer that handles audit logging and role-based access control. Sessions are recorded to disk. Visual baselines are stored for regression comparison.
+### Vault
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `VAULT_ENCRYPTION_KEY` | | Passphrase for credential encryption (32+ chars). Key derived via PBKDF2. |
 ---
-## Claude Code Integration
+## Test Scenarios
+`test_scenario_run` executes multi-step test flows defined in JSON with three targeting strategies:
-### Agent: `e2e-tester`
+- **`selector`** -- CSS selectors (fast, exact)
+- **`query`** -- natural language resolution via accessibility tree (resilient to DOM changes)
+- **Both** -- self-healing: selector tried first, query as fallback
-A specialized testing agent that knows all 63 tools and follows a structured workflow. Invoke it for comprehensive testing:
+### Example: Self-Healing Login
+```json
+{
+  "name": "Login Flow",
+  "steps": [
+    { "name": "Navigate", "action": "navigate", "url": "http://localhost:3000/login" },
+    { "name": "Email", "action": "type", "selector": "input[type='email']", "query": "email input", "value": "user@test.com" },
+    { "name": "Password", "action": "type", "selector": "input[type='password']", "query": "password field", "value": "secret" },
+    { "name": "Submit", "action": "click", "selector": "button[type='submit']", "query": "sign in button" },
+    { "name": "Verify", "action": "assert", "type": "urlContains", "expected": "/dashboard" }
+  ]
+}
 ```
-"Use the e2e-tester agent to verify the entire checkout flow"
+### Data-Driven Testing
+```json
+{
+  "name": "Login as {{role}}",
+  "steps": [
+    { "name": "Email", "action": "type", "query": "email input", "value": "{{username}}" },
+    { "name": "Password", "action": "type", "query": "password field", "value": "{{password}}" },
+    { "name": "Submit", "action": "click", "query": "sign in button" },
+    { "name": "Verify", "action": "assert", "type": "urlContains", "expected": "{{expectedUrl}}" }
+  ],
+  "dataSets": [
+    { "label": "admin", "variables": { "role": "admin", "username": "admin@co.com", "password": "Admin1!", "expectedUrl": "/dashboard" } },
+    { "label": "viewer", "variables": { "role": "viewer", "username": "view@co.com", "password": "View1!", "expectedUrl": "/readonly" } }
+  ]
+}
 ```
-### Skill: `/looking-glass-test`
+**18 step actions:** `navigate`, `click`, `type`, `select`, `hover`, `scroll`, `press`, `waitForSelector`, `waitForText`, `waitForNavigation`, `waitForNetworkIdle`, `assert`, `screenshot`, `evaluate`, `sleep`, `login`, `fill_form`, `wait_stable`
-Quick-fire E2E testing. Give it a URL and it handles the rest:
+**12 assertion types:** `exists`, `notExists`, `textContains`, `textEquals`, `hasAttribute`, `hasClass`, `isVisible`, `isEnabled`, `urlContains`, `urlEquals`, `countEquals`, `consoleNoErrors`
+---
+## Architecture
 ```
-/looking-glass-test https://myapp.com
+MCP Client (Claude, Copilot, etc.)
+    |
+    |  stdio or HTTP (StreamableHTTP)
+    v
++-------------------------------------------+
+|  Looking Glass v3.0                       |
+|                                           |
+|  Middleware Layer (automatic)              |
+|  - Change Detection (pre/post snapshot)   |
+|  - Workflow Tracking (page state machine) |
+|  - Self-Healing Resolution                |
+|  - Audit Logging (deep redaction)         |
+|  - RBAC Policy Enforcement                |
+|                                           |
+|  72 Tools                                 |
+|  - Intelligence (extract, go, wait_for)   |
+|  - Interaction (click, type, hover)       |
+|  - Observation (screenshot, snapshot)     |
+|  - Testing (scenarios, assertions)        |
+|  - Vault (store, inject, login)           |
+|                                           |
+|  Browser Manager                          |
+|  - Playwright (Chromium/Firefox/WebKit)   |
+|  - Persistent context (optional)          |
+|  - Console/network tracking               |
++-------------------------------------------+
+    |
+    |  Playwright API
+    v
+  Browser Engine
 ```
-It will navigate, screenshot, discover pages, run assertions, check for JS errors, audit accessibility, and generate a pass/fail report.
 ---
 ## Development
 ```bash
-git clone <your-repo-url>
-cd looking-glass
+git clone https://github.com/Sahib-Sawhney-WH/LookingGlass.git
+cd LookingGlass
 npm install
 npx playwright install chromium
 npm run build
+npm test
 npm start
 ```