omnikey-cli 1.0.27 → 1.0.28

package/README.md

@@ -18,6 +18,7 @@ OmnikeyAI is a productivity tool that helps you quickly rewrite selected text us
 - Optional **web search tool** integration for enhanced responses.
 - Accepts CLI flags for non-interactive setup.
 - Configure and run the backend daemon — persisted across reboots on both macOS and Windows.
+- `omnikey grant-browser-access`: One-time setup to give Omnikey access to authenticated browser tabs for web fetch.
 
 ## Usage
 
@@ -57,6 +58,12 @@ omnikey logs --lines 100
 
 # Check daemon error logs only
 omnikey logs --errors
+
+# Grant Omnikey access to authenticated browser tabs
+omnikey grant-browser-access
+
+# Reopen the browser with its saved Omnikey debug profile at any time
+omnikey browser open
 ```
 
 ### Command reference
@@ -72,6 +79,49 @@ omnikey logs --errors
 | `omnikey remove-config [--db]` | Remove config files; add `--db` to also delete the database |
 | `omnikey status` | Show what process is using the daemon port |
 | `omnikey logs [--lines N] [--errors]` | Tail daemon logs |
+| `omnikey grant-browser-access` | Set up authenticated browser tab access for web fetch |
+| `omnikey browser open` | Reopen the browser with the saved Omnikey debug profile |
+
+## Browser access (`grant-browser-access` / `browser open`)
+
+Omnikey can read content from your authenticated browser tabs when fetching web pages that require a login. `omnikey grant-browser-access` performs a guided, one-time setup to enable this.
+
+After setup, run `omnikey browser open` at any time to relaunch the browser with its saved Omnikey debug profile (kills any running instance first, cleans up stale lock files, then re-launches and confirms the debug port is active).
+
+### Windows
+
+On Windows the only supported method is **Remote Debugging Port (CDP)**:
+
+1. Detects installed browsers (Chrome, Edge, Brave).
+2. Prompts you to select a browser and profile.
+3. Finds an available port starting at 9222.
+4. Saves `BROWSER_DEBUG_PORT` to `~/.omnikey/config.json`.
+5. Registers a **Windows Registry Run key** (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OmnikeyBrowserDebug`) so the browser launches automatically with `--remote-debugging-port=<port>` on every login.
+6. Force-kills any running browser processes, waits until they are fully gone, then launches the browser immediately.
+7. Verifies the debug port is reachable at `http://127.0.0.1:<port>/json` and reports success or a diagnostic error.
+
+Re-running the command when a startup entry already exists lets you **Update** (change browser/profile/port) or **Remove** (disable the startup entry).
+
+### macOS
+
+On macOS you choose between two methods:
+
+#### Remote Debugging Port (CDP) — recommended
+
+Same flow as Windows, but the startup entry is written as a **launchd agent** (`~/Library/LaunchAgents/com.omnikey.browser-debug.plist`) loaded immediately with `launchctl`.
+
+Supported browsers: Chrome, Brave, Edge, Arc, Vivaldi, Opera, Chromium.
+
+#### AppleScript
+
+No port or browser restart needed. Omnikey reads the live tab content directly via Apple Events.
+
+The CLI automatically enables **"Allow JavaScript from Apple Events"** for every selected browser:
+
+- **Chrome / Brave / Edge / Arc / Vivaldi / Opera** — patches the `devtools.allow_javascript_apple_events` key in each profile's `Preferences` JSON file. The browser must be closed before patching (the CLI will warn you if it is still running).
+- **Safari** — runs `defaults write com.apple.Safari AllowJavaScriptFromAppleEvents -bool YES`.
+
+Both changes are permanent and survive reboots. Restart each browser once after setup for the change to take effect.
 
 ## Platform notes
 

package/backend-dist/agent/agentServer.js

@@ -790,7 +790,11 @@ function createAgentRouter() {
                 const truncated = cleaned.length > MAX_CHARS
                     ? cleaned.slice(0, MAX_CHARS) + '… [message truncated]'
                     : cleaned;
-                return { id: `${index}-${m.role}`, role: m.role, text: truncated };
+                return {
+                    id: `${index}-${m.role}`,
+                    role: m.role,
+                    text: truncated,
+                };
             })
                 .filter((m) => m.text.length > 0);
             res.json({ messages });

package/backend-dist/bucket-adapter/index.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getDownloadCounts = getDownloadCounts;
+exports.incrementDownloadCount = incrementDownloadCount;
+const storage_1 = require("@google-cloud/storage");
+const logger_1 = require("../logger");
+const config_1 = require("../config");
+const DEFAULT_COUNTS = { macos: 0, windows: 0 };
+// Initialised once at module load — uses Application Default Credentials when
+// running on Cloud Run (or any GCP environment), and falls back to ADC from
+// the local environment during development.
+const storage = new storage_1.Storage();
+function getGcsConfig() {
+    const bucketName = config_1.config.gcsBucketName;
+    const objectPath = config_1.config.gcsDownloadCountObject;
+    if (!bucketName || !objectPath)
+        return null;
+    return { bucketName, objectPath };
+}
+async function getDownloadCounts() {
+    const gcs = getGcsConfig();
+    if (!gcs)
+        return { ...DEFAULT_COUNTS };
+    return readCounts(gcs.bucketName, gcs.objectPath);
+}
+async function readCounts(bucketName, objectPath) {
+    const file = storage.bucket(bucketName).file(objectPath);
+    const [exists] = await file.exists();
+    if (!exists) {
+        return { ...DEFAULT_COUNTS };
+    }
+    const [contents] = await file.download();
+    const parsed = JSON.parse(contents.toString('utf8'));
+    return {
+        macos: typeof parsed.macos === 'number' ? parsed.macos : 0,
+        windows: typeof parsed.windows === 'number' ? parsed.windows : 0,
+    };
+}
+async function writeCounts(bucketName, objectPath, counts) {
+    const file = storage.bucket(bucketName).file(objectPath);
+    await file.save(JSON.stringify(counts), {
+        contentType: 'application/json',
+        resumable: false,
+    });
+}
+async function incrementDownloadCount(platform) {
+    const gcs = getGcsConfig();
+    if (!gcs)
+        return;
+    try {
+        const counts = await readCounts(gcs.bucketName, gcs.objectPath);
+        counts[platform] += 1;
+        await writeCounts(gcs.bucketName, gcs.objectPath, counts);
+        logger_1.logger.info(`Download count incremented for ${platform}.`, { counts });
+    }
+    catch (err) {
+        logger_1.logger.error(`Failed to increment download count for ${platform}.`, { error: err });
+    }
+}

package/backend-dist/config.js

@@ -93,4 +93,15 @@ exports.config = {
     searxngUrl: getEnv('SEARXNG_URL', false),
     terminalPlatform: getEnv('TERMINAL_PLATFORM', false),
     blockSaas: getBooleanEnv('BLOCK_SAAS', false),
+    // User-configured CDP debug port (set by `omnikey grant-browser-access`)
+    browserDebugPort: (() => {
+        const raw = getEnv('BROWSER_DEBUG_PORT', false);
+        if (!raw)
+            return undefined;
+        const n = parseInt(raw, 10);
+        return Number.isNaN(n) ? undefined : n;
+    })(),
+    // GCS download-count tracking (both must be set to enable counting)
+    gcsBucketName: getEnv('GCS_BUCKET_NAME', false),
+    gcsDownloadCountObject: getEnv('GCS_DOWNLOAD_COUNT_OBJECT', false),
 };

package/backend-dist/index.js

@@ -17,6 +17,7 @@ const config_1 = require("./config");
 const agentServer_1 = require("./agent/agentServer");
 // Importing AgentSession ensures the model is registered with Sequelize before initDatabase().
 require("./models/agentSession");
+const bucket_adapter_1 = require("./bucket-adapter");
 const app = (0, express_1.default)();
 const PORT = Number(config_1.config.port);
 app.set('trust proxy', 1);
@@ -39,6 +40,7 @@ app.get('/macos/download', (_req, res) => {
         'Content-Disposition': 'attachment; filename="OmniKeyAI.dmg"',
         'Content-Encoding': 'gzip',
     });
+    (0, bucket_adapter_1.incrementDownloadCount)('macos').catch(() => { });
     const fileStream = fs_1.default.createReadStream(dmgPath);
     const gzip = zlib_1.default.createGzip();
     fileStream.on('error', (err) => {
@@ -97,7 +99,7 @@ app.get('/macos/appcast', (req, res) => {
 // ── Windows distribution endpoints ───────────────────────────────────────────
 // These should match the values in windows/OmniKey.Windows.csproj
 // <Version> and windows/build_release_zip.ps1 $APP_VERSION.
-const WIN_VERSION = '1.7';
+const WIN_VERSION = '1.8';
 const WIN_ZIP_FILENAME = 'OmniKeyAI-windows-win-x64.zip';
 const WIN_ZIP_PATH = path_1.default.join(process.cwd(), 'windows', WIN_ZIP_FILENAME);
 // Serves the pre-built ZIP produced by windows/build_release_zip.ps1.
@@ -112,6 +114,7 @@ app.get('/windows/download', (_req, res) => {
         'Content-Disposition': `attachment; filename="${WIN_ZIP_FILENAME}"`,
         'Content-Encoding': 'gzip',
     });
+    (0, bucket_adapter_1.incrementDownloadCount)('windows').catch(() => { });
     const fileStream = fs_1.default.createReadStream(WIN_ZIP_PATH);
     const gzip = zlib_1.default.createGzip();
     fileStream.on('error', (err) => {
@@ -138,9 +141,19 @@ app.get('/windows/update', (req, res) => {
         version: WIN_VERSION,
         downloadUrl: `${baseUrl}/windows/download`,
         fileSize,
-        releaseNotes: '',
+        releaseNotes: `What's new in ${WIN_VERSION}\n\n• OmniAgent session management — choose to start a new session or resume an existing one each time you run @omniAgent. Save a default to skip the picker automatically on future runs.\n• History button in the OmniAgent window — change your default session at any time without re-running the agent.\n• OmniAgent Session tray menu item — open session settings directly from the system tray.\n• Left-clicking the tray icon now opens the menu (previously right-click only).`,
     });
 });
+app.get('/downloads/stats', async (_req, res) => {
+    try {
+        const counts = await (0, bucket_adapter_1.getDownloadCounts)();
+        res.json(counts);
+    }
+    catch (err) {
+        logger_1.logger.error('Failed to retrieve download stats.', { error: err });
+        res.status(500).json({ error: 'Unable to retrieve download stats.' });
+    }
+});
 app.get('/health', (_req, res) => {
     res.json({ status: 'ok' });
 });

package/backend-dist/web-search/browser-playwright.js

@@ -40,44 +40,12 @@ exports.isAnyBrowserRunning = isAnyBrowserRunning;
 exports.isBrowserOpenWithUrl = isBrowserOpenWithUrl;
 exports.fetchWithPlaywright = fetchWithPlaywright;
 const axios_1 = __importDefault(require("axios"));
-// Utility: Promise with timeout
-async function withTimeout(promise, ms, label, log) {
-    let timeoutId;
-    return Promise.race([
-        promise,
-        new Promise((resolve) => {
-            timeoutId = setTimeout(() => {
-                log.warn('browser-playwright: fetch timed out', { label, ms });
-                resolve(null);
-            }, ms);
-        }),
-    ]).then((result) => {
-        clearTimeout(timeoutId);
-        return result;
-    });
-}
-/**
- * Playwright-based web fetching using the user's installed browser profile.
- *
- * Key design decisions:
- *   1. Detects which Chromium browsers are currently RUNNING and tries those
- *      first — the active browser is where the authenticated session lives.
- *   2. Discovers the actual profile directory dynamically (Default, Profile 1,
- *      Profile 2 …) rather than hardcoding "Default".
- *   3. Checks multiple executable locations (system /Applications and
- *      user ~/Applications).
- *   4. Firefox is intentionally excluded from Playwright — headless Firefox
- *      on macOS has a known RenderCompositorSWGL rendering bug that causes
- *      30-second timeouts. Cookies from Firefox are still extracted separately
- *      by browser-cookies.ts for the plain-HTTP fallback.
- *
- * macOS only. Returns null on other platforms.
- */
 const child_process_1 = require("child_process");
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
 const playwright_core_1 = __importDefault(require("playwright-core"));
+const config_1 = require("../config");
 const home = os.homedir();
 const BROWSER_CATALOGUE = [
     {
@@ -137,6 +105,44 @@ const BROWSER_CATALOGUE = [
         userDataDir: path.join(home, 'Library/Application Support/Chromium'),
     },
 ];
+const WINDOWS_BROWSER_CATALOGUE = [
+    {
+        name: 'Chrome',
+        executablePaths: [
+            'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
+            'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
+            path.join(home, 'AppData', 'Local', 'Google', 'Chrome', 'Application', 'chrome.exe'),
+        ],
+        userDataDir: path.join(home, 'AppData', 'Local', 'Google', 'Chrome', 'User Data'),
+    },
+    {
+        name: 'Edge',
+        executablePaths: [
+            'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
+            'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe',
+            path.join(home, 'AppData', 'Local', 'Microsoft', 'Edge', 'Application', 'msedge.exe'),
+        ],
+        userDataDir: path.join(home, 'AppData', 'Local', 'Microsoft', 'Edge', 'User Data'),
+    },
+    {
+        name: 'Brave',
+        executablePaths: [
+            'C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe',
+            path.join(home, 'AppData', 'Local', 'BraveSoftware', 'Brave-Browser', 'Application', 'brave.exe'),
+        ],
+        userDataDir: path.join(home, 'AppData', 'Local', 'BraveSoftware', 'Brave-Browser', 'User Data'),
+    },
+];
+function resolveExistingExecutablePath(paths) {
+    for (const p of paths) {
+        try {
+            if (fs.existsSync(p))
+                return p;
+        }
+        catch { }
+    }
+    return null;
+}
 // ─── Running browser detection ────────────────────────────────────────────────
 /**
  * Returns the names of browsers that are currently running.
@@ -145,6 +151,32 @@ const BROWSER_CATALOGUE = [
  */
 function getRunningBrowserNames() {
     const running = new Set();
+    if (process.platform === 'win32') {
+        // tasklist /FO CSV /NH outputs one "ImageName","PID",... line per process.
+        const exeMap = {
+            'chrome.exe': 'Chrome',
+            'msedge.exe': 'Edge',
+            'brave.exe': 'Brave',
+            'opera.exe': 'Opera',
+            'vivaldi.exe': 'Vivaldi',
+        };
+        try {
+            const out = (0, child_process_1.execSync)('tasklist /FO CSV /NH 2>nul', {
+                encoding: 'utf8',
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            for (const line of out.split('\n')) {
+                const exe = line.split(',')[0]?.replace(/"/g, '').trim().toLowerCase();
+                const name = exeMap[exe];
+                if (name)
+                    running.add(name);
+            }
+        }
+        catch {
+            // tasklist failed — proceed without running-browser info
+        }
+        return running;
+    }
     try {
         // ps -axco command lists only the process name (no path, no args)
         const output = (0, child_process_1.execSync)('ps -axco command', {
@@ -164,13 +196,11 @@ function getRunningBrowserNames() {
         };
         for (const [processName, browserName] of Object.entries(processMap)) {
             if (processName === 'safari') {
-                // Only match the main Safari process exactly (case-insensitive, trimmed)
                 if (lines.some((l) => l.trim() === 'safari')) {
                     running.add(browserName);
                 }
             }
             else {
-                // For other browsers, allow exact match or substring match
                 if (lines.some((l) => l.trim() === processName || l.includes(processName))) {
                     running.add(browserName);
                 }
@@ -194,23 +224,60 @@ async function fetchWithCDP(url, browsersWithUrl, log) {
     // Collect candidate ports:
     //   1. DevToolsActivePort file (written when Chrome was started with --remote-debugging-port)
     //   2. Well-known default ports developers commonly use
+    //   3. On Windows: all ports browser processes are currently listening on
     const candidatePorts = [];
-    for (const candidate of BROWSER_CATALOGUE) {
-        if (!browsersWithUrl.has(candidate.name))
-            continue;
-        if (candidate.name === 'Safari')
-            continue; // CDP is Chromium-only
-        const portFile = path.join(candidate.userDataDir, 'DevToolsActivePort');
-        if (fs.existsSync(portFile)) {
-            try {
-                const raw = fs.readFileSync(portFile, 'utf8');
-                const port = parseInt(raw.split('\n')[0].trim(), 10);
-                if (!isNaN(port) && port > 0 && !candidatePorts.includes(port)) {
+    if (process.platform !== 'win32') {
+        // macOS: read DevToolsActivePort from confirmed-open browsers
+        for (const candidate of BROWSER_CATALOGUE) {
+            if (!browsersWithUrl.has(candidate.name))
+                continue;
+            if (candidate.name === 'Safari')
+                continue;
+            const portFile = path.join(candidate.userDataDir, 'DevToolsActivePort');
+            if (fs.existsSync(portFile)) {
+                try {
+                    const raw = fs.readFileSync(portFile, 'utf8');
+                    const port = parseInt(raw.split('\n')[0].trim(), 10);
+                    if (!isNaN(port) && port > 0 && !candidatePorts.includes(port)) {
+                        candidatePorts.push(port);
+                    }
+                }
+                catch { }
+            }
+        }
+    }
+    // Windows: AppleScript is unavailable so browsersWithUrl is always empty.
+    // Read DevToolsActivePort from Windows browser paths directly, and also ask
+    // PowerShell for every TCP port the browser processes are listening on —
+    // this catches any --remote-debugging-port value, not just well-known ones.
+    if (process.platform === 'win32') {
+        for (const candidate of WINDOWS_BROWSER_CATALOGUE) {
+            const portFile = path.join(candidate.userDataDir, 'DevToolsActivePort');
+            if (fs.existsSync(portFile)) {
+                try {
+                    const raw = fs.readFileSync(portFile, 'utf8');
+                    const port = parseInt(raw.split('\n')[0].trim(), 10);
+                    if (!isNaN(port) && port > 0 && !candidatePorts.includes(port)) {
+                        candidatePorts.push(port);
+                    }
+                }
+                catch { }
+            }
+        }
+        // Enumerate all listening ports owned by browser processes via PowerShell.
+        try {
+            const psOut = (0, child_process_1.execSync)('powershell -NoProfile -NonInteractive -Command ' +
+                '"$p=Get-Process -Name chrome,msedge,brave,opera,vivaldi -EA SilentlyContinue;' +
+                'if($p){$p|%{$id=$_.Id;Get-NetTCPConnection -OwningProcess $id -State Listen -EA SilentlyContinue}}' +
+                '|Select-Object -ExpandProperty LocalPort|Sort-Object -Unique"', { encoding: 'utf8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+            for (const line of psOut.split('\n')) {
+                const port = parseInt(line.trim(), 10);
+                if (!isNaN(port) && port > 1024 && !candidatePorts.includes(port)) {
                     candidatePorts.push(port);
                 }
             }
-            catch { }
         }
+        catch { }
     }
     // Always probe the most common debug ports — many developers run Chrome with
     // --remote-debugging-port=9222 and these checks are cheap (instant refusal if closed).
@@ -218,11 +285,22 @@ async function fetchWithCDP(url, browsersWithUrl, log) {
         if (!candidatePorts.includes(p))
             candidatePorts.push(p);
     }
+    // User-configured port (set via `omnikey grant-browser-access`) gets tried first.
+    if (config_1.config.browserDebugPort && !candidatePorts.includes(config_1.config.browserDebugPort)) {
+        candidatePorts.unshift(config_1.config.browserDebugPort);
+    }
+    else if (config_1.config.browserDebugPort) {
+        // Already in the list — move it to the front so it is tried before auto-detected ports.
+        candidatePorts.splice(candidatePorts.indexOf(config_1.config.browserDebugPort), 1);
+        candidatePorts.unshift(config_1.config.browserDebugPort);
+    }
     for (const port of candidatePorts) {
         // Quick HTTP probe: /json/version returns immediately if the debug endpoint is up.
         let endpointUp = false;
         try {
-            const probe = await axios_1.default.get(`http://localhost:${port}/json/version`, { timeout: 800 });
+            // Use 127.0.0.1 explicitly — on Windows, `localhost` may resolve to ::1
+            // while Chrome binds its debug endpoint to 127.0.0.1 only.
+            const probe = await axios_1.default.get(`http://127.0.0.1:${port}/json/version`, { timeout: 800 });
             endpointUp = probe.status === 200;
         }
         catch {
@@ -345,12 +423,12 @@ function getBrowsersWithUrlOpen(url, log) {
                     return false;
                 }
             });
-            log.debug('browser-playwright: tab check', { browser: browserName, targetHostname, found });
+            log.info('browser-playwright: tab check', { browser: browserName, targetHostname, found });
             if (found)
                 confirmed.add(browserName);
         }
         catch {
-            log.debug('browser-playwright: AppleScript tab check failed — skipping browser', {
+            log.warn('browser-playwright: AppleScript tab check failed — skipping browser', {
                 browser: browserName,
             });
         }
@@ -359,12 +437,62 @@ function getBrowsersWithUrlOpen(url, log) {
 }
 /**
  * Returns true if the given URL's hostname is confirmed open in any running
- * browser tab via AppleScript. Returns false if the check cannot be performed
- * or if no browser has the URL open.
+ * browser tab. On macOS this uses AppleScript; on Windows it queries the CDP
+ * debug endpoint's /json tab list (requires --remote-debugging-port).
  */
-function isBrowserOpenWithUrl(url, log) {
+async function isBrowserOpenWithUrl(url, log) {
+    if (process.platform === 'win32') {
+        return isBrowserOpenWithUrlWindows(url, log);
+    }
     return getBrowsersWithUrlOpen(url, log).size > 0;
 }
+async function isBrowserOpenWithUrlWindows(url, log) {
+    let targetHostname;
+    try {
+        targetHostname = new URL(url).hostname;
+    }
+    catch {
+        return false;
+    }
+    // If no browser processes are running at all, skip the port probes.
+    if (getRunningBrowserNames().size === 0)
+        return false;
+    const candidatePorts = [];
+    if (config_1.config.browserDebugPort)
+        candidatePorts.push(config_1.config.browserDebugPort);
+    for (const p of [9222, 9229, 9333]) {
+        if (!candidatePorts.includes(p))
+            candidatePorts.push(p);
+    }
+    for (const port of candidatePorts) {
+        try {
+            const resp = await axios_1.default.get(`http://127.0.0.1:${port}/json`, {
+                timeout: 800,
+            });
+            if (!Array.isArray(resp.data))
+                continue;
+            const found = resp.data.some((tab) => {
+                try {
+                    return new URL(tab.url ?? '').hostname === targetHostname;
+                }
+                catch {
+                    return false;
+                }
+            });
+            if (found) {
+                log.info('browser-playwright: Windows CDP tab check confirmed URL open', {
+                    port,
+                    hostname: targetHostname,
+                });
+                return true;
+            }
+        }
+        catch {
+            // Port not listening — skip
+        }
+    }
+    return false;
+}
 // ─── Strategy 0: Live-tab AppleScript extraction ──────────────────────────────
 //
 // When the user already has the URL open in a browser we can pull the rendered
@@ -441,7 +569,7 @@ function findTabLocation(appName, url) {
  * URL open. Returns null if the URL is not open or extraction fails.
  */
 async function fetchFromRunningBrowserTab(url, browsersWithUrl, log) {
-    if (process.platform !== 'darwin' || browsersWithUrl.size === 0)
+    if (config_1.config.terminalPlatform !== 'macos' || browsersWithUrl.size === 0)
         return null;
     for (const browserName of browsersWithUrl) {
         const info = BROWSER_APPLESCRIPT[browserName];
@@ -574,40 +702,23 @@ async function fetchFromRunningBrowserTab(url, browsersWithUrl, log) {
 /**
  * Fetches a URL using the user's browser session.
  *
- * Only browsers that are confirmed (via AppleScript) to have the URL open are
- * tried — this avoids wasting time on browsers or profiles that don't hold the
- * active session.
- *
- * Strategies in order:
- *  0. Live-tab extraction — reads content directly from the open tab via
- *     AppleScript JS execution. No cookie decryption required.
- *  1. Cookie injection — decrypts cookies and injects into a fresh headless
- *     Chromium context (handles cookie-based auth when live tab unavailable).
- *  2. Profile copy — copies Local Storage + IndexedDB to a temp dir (handles
- *     localStorage/sessionStorage token auth flows).
- *  3. Safari Playwright — WebKit with injected Safari cookies (Safari only).
+ * Strategies:
+ *  -1. CDP via --remote-debugging-port — macOS + Windows; requires Chrome to be
+ *      started with --remote-debugging-port=9222.
+ *   0. Live-tab AppleScript extraction — macOS only.
  */
 async function fetchWithPlaywright(url, log) {
-    // Determine which browsers have the URL open right now.
     const browsersWithUrl = getBrowsersWithUrlOpen(url, log);
     log.info('browser-playwright: browsers with URL open', {
         url,
         browsers: [...browsersWithUrl],
     });
-    // ── Strategy -1: CDP via DevToolsActivePort ──────────────────────────────
-    // Fastest path — connects directly to the live browser's JS-rendered tab.
-    // Only works when Chrome was launched with --remote-debugging-port.
-    if (browsersWithUrl.size > 0) {
-        const cdpResult = await fetchWithCDP(url, browsersWithUrl, log);
-        if (cdpResult) {
-            return cdpResult.content;
-        }
-    }
-    // ── Strategy 0: extract from the live tab directly ────────────────────────
+    const cdpResult = await fetchWithCDP(url, browsersWithUrl, log);
+    if (cdpResult)
+        return cdpResult.content;
     const liveContent = await fetchFromRunningBrowserTab(url, browsersWithUrl, log);
-    if (liveContent) {
+    if (liveContent)
         return liveContent;
-    }
-    log.warn('browser-playwright: all strategies exhausted', { url });
+    log.warn('browser-playwright: all strategies exhausted — on Windows, launch Chrome with --remote-debugging-port=9222', { url });
     return null;
 }

package/backend-dist/web-search/web-search-provider.js

@@ -170,7 +170,7 @@ async function fetchPlainHttp(url, log) {
         // sites use redirects, 302s, custom error pages, or soft-blocks
         // rather than a clean 401/403, so checking status codes alone is
         // unreliable. Fall through to the browser-session path instead.
-        if (isSelfHostedMacOS && (0, browser_playwright_1.isBrowserOpenWithUrl)(url, log)) {
+        if (isSelfHostedWithBrowserSession && (await (0, browser_playwright_1.isBrowserOpenWithUrl)(url, log))) {
             return { html: null, authBlocked: true, finalUrl: url };
         }
         if (status === 401 || status === 403) {
@@ -192,19 +192,19 @@ async function fetchFromActiveTab(url, log) {
     log.info('web_fetch: falling back to active-tab extraction', { url });
     return (0, browser_playwright_1.fetchWithPlaywright)(url, log);
 }
-const isSelfHostedMacOS = config_1.config.isSelfHosted && config_1.config.terminalPlatform === 'macos';
+const isSelfHostedWithBrowserSession = config_1.config.isSelfHosted;
 async function executeWebFetch(url, log) {
     log.info('Executing web_fetch tool', { url });
     // ── Step 1: plain HTTP request ────────────────────────────────────────────
     const { html, authBlocked, finalUrl } = await fetchPlainHttp(url, log);
     const plainText = html ? stripHtml(html) : '';
-    if (!isSelfHostedMacOS) {
+    if (!isSelfHostedWithBrowserSession) {
         if (authBlocked) {
-            log.warn('Error: page requires authentication. Run OmniKey in self-hosted mode on macOS to enable browser-session access.');
+            log.warn('Error: page requires authentication. Run OmniKey in self-hosted mode on macOS or Windows to enable browser-session access.');
         }
         return plainText.slice(0, exports.MAX_TOOL_CONTENT_CHARS) || 'No content retrieved';
     }
-    // ── Step 2 (self-hosted macOS only): LLM auth check on plain response ─────
+    // ── Step 2 (self-hosted desktop): LLM auth check on plain response ────────
     let looksUnauthenticated = false;
     if (!authBlocked && plainText) {
         log.info('web_fetch: performing LLM auth check on plain HTTP response', { url });
@@ -214,7 +214,7 @@ async function executeWebFetch(url, log) {
         }
         looksUnauthenticated = true;
     }
-    // ── Step 3 (self-hosted macOS only): active-tab extraction ───────────────
+    // ── Step 3 (self-hosted desktop): active-tab extraction ──────────────────
     // Only attempted when there is evidence authentication is required.
     const needsAuth = authBlocked || looksUnauthenticated;
     if (needsAuth) {
@@ -226,7 +226,15 @@ async function executeWebFetch(url, log) {
     }
     // All strategies exhausted.
     if (authBlocked) {
-        log.warn('Error: page requires authentication. Open the page in Chrome and ensure "Allow JavaScript from Apple Events" is enabled (View → Developer → Allow JavaScript from Apple Events).');
+        if (config_1.config.terminalPlatform === 'macos') {
+            log.warn('Error: page requires authentication. Open the page in Chrome and ensure "Allow JavaScript from Apple Events" is enabled (View → Developer → Allow JavaScript from Apple Events).');
+        }
+        else if (config_1.config.terminalPlatform === 'windows') {
+            log.warn('Error: page requires authentication. To enable live browser-session access on Windows, ' +
+                'launch Chrome with --remote-debugging-port=9222: right-click your Chrome shortcut → Properties, ' +
+                'and append "--remote-debugging-port=9222" to the Target field, then restart Chrome. ' +
+                'OmniKey will then read the authenticated tab directly.');
+        }
     }
     return plainText.slice(0, exports.MAX_TOOL_CONTENT_CHARS) || 'No content retrieved';
 }