npm - opengstack - Versions diffs - 0.13.7 → 0.13.8 - Mend

opengstack 0.13.7 → 0.13.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (135) hide show

package/bin/opengstack.js +35 -90
package/package.json +2 -3
package/scripts/install-skills.js +29 -58
package/skills/browse/bin/find-browse +21 -0
package/skills/browse/bin/remote-slug +14 -0
package/skills/browse/scripts/build-node-server.sh +48 -0
package/skills/browse/src/activity.ts +208 -0
package/skills/browse/src/browser-manager.ts +959 -0
package/skills/browse/src/buffers.ts +137 -0
package/skills/browse/src/bun-polyfill.cjs +109 -0
package/skills/browse/src/cli.ts +678 -0
package/skills/browse/src/commands.ts +128 -0
package/skills/browse/src/config.ts +150 -0
package/skills/browse/src/cookie-import-browser.ts +625 -0
package/skills/browse/src/cookie-picker-routes.ts +230 -0
package/skills/browse/src/cookie-picker-ui.ts +688 -0
package/skills/browse/src/find-browse.ts +61 -0
package/skills/browse/src/meta-commands.ts +550 -0
package/skills/browse/src/platform.ts +17 -0
package/skills/browse/src/read-commands.ts +358 -0
package/skills/browse/src/server.ts +1192 -0
package/skills/browse/src/sidebar-agent.ts +280 -0
package/skills/browse/src/sidebar-utils.ts +21 -0
package/skills/browse/src/snapshot.ts +407 -0
package/skills/browse/src/url-validation.ts +95 -0
package/skills/browse/src/write-commands.ts +364 -0
package/skills/browse/test/activity.test.ts +120 -0
package/skills/browse/test/adversarial-security.test.ts +32 -0
package/skills/browse/test/browser-manager-unit.test.ts +17 -0
package/skills/browse/test/bun-polyfill.test.ts +72 -0
package/skills/browse/test/commands.test.ts +2075 -0
package/skills/browse/test/compare-board.test.ts +342 -0
package/skills/browse/test/config.test.ts +316 -0
package/skills/browse/test/cookie-import-browser.test.ts +519 -0
package/skills/browse/test/cookie-picker-routes.test.ts +260 -0
package/skills/browse/test/file-drop.test.ts +271 -0
package/skills/browse/test/find-browse.test.ts +50 -0
package/skills/browse/test/findport.test.ts +191 -0
package/skills/browse/test/fixtures/basic.html +33 -0
package/skills/browse/test/fixtures/cursor-interactive.html +22 -0
package/skills/browse/test/fixtures/dialog.html +15 -0
package/skills/browse/test/fixtures/empty.html +2 -0
package/skills/browse/test/fixtures/forms.html +55 -0
package/skills/browse/test/fixtures/iframe.html +30 -0
package/skills/browse/test/fixtures/network-idle.html +30 -0
package/skills/browse/test/fixtures/qa-eval-checkout.html +108 -0
package/skills/browse/test/fixtures/qa-eval-spa.html +98 -0
package/skills/browse/test/fixtures/qa-eval.html +51 -0
package/skills/browse/test/fixtures/responsive.html +49 -0
package/skills/browse/test/fixtures/snapshot.html +55 -0
package/skills/browse/test/fixtures/spa.html +24 -0
package/skills/browse/test/fixtures/states.html +17 -0
package/skills/browse/test/fixtures/upload.html +25 -0
package/skills/browse/test/gstack-config.test.ts +138 -0
package/skills/browse/test/gstack-update-check.test.ts +514 -0
package/skills/browse/test/handoff.test.ts +235 -0
package/skills/browse/test/path-validation.test.ts +91 -0
package/skills/browse/test/platform.test.ts +37 -0
package/skills/browse/test/server-auth.test.ts +65 -0
package/skills/browse/test/sidebar-agent-roundtrip.test.ts +226 -0
package/skills/browse/test/sidebar-agent.test.ts +199 -0
package/skills/browse/test/sidebar-integration.test.ts +320 -0
package/skills/browse/test/sidebar-unit.test.ts +96 -0
package/skills/browse/test/snapshot.test.ts +467 -0
package/skills/browse/test/state-ttl.test.ts +35 -0
package/skills/browse/test/test-server.ts +57 -0
package/skills/browse/test/url-validation.test.ts +72 -0
package/skills/browse/test/watch.test.ts +129 -0
package/skills/careful/bin/check-careful.sh +112 -0
package/skills/cso/ACKNOWLEDGEMENTS.md +14 -0
package/skills/freeze/bin/check-freeze.sh +79 -0
package/skills/qa/references/issue-taxonomy.md +85 -0
package/skills/qa/templates/qa-report-template.md +126 -0
package/skills/review/TODOS-format.md +62 -0
package/skills/review/checklist.md +220 -0
package/skills/review/design-checklist.md +132 -0
package/skills/review/greptile-triage.md +220 -0
/package/{autoplan → skills/autoplan}/SKILL.md +0 -0
/package/{autoplan → skills/autoplan}/SKILL.md.tmpl +0 -0
/package/{benchmark → skills/benchmark}/SKILL.md +0 -0
/package/{benchmark → skills/benchmark}/SKILL.md.tmpl +0 -0
/package/{browse → skills/browse}/SKILL.md +0 -0
/package/{browse → skills/browse}/SKILL.md.tmpl +0 -0
/package/{canary → skills/canary}/SKILL.md +0 -0
/package/{canary → skills/canary}/SKILL.md.tmpl +0 -0
/package/{careful → skills/careful}/SKILL.md +0 -0
/package/{careful → skills/careful}/SKILL.md.tmpl +0 -0
/package/{codex → skills/codex}/SKILL.md +0 -0
/package/{codex → skills/codex}/SKILL.md.tmpl +0 -0
/package/{connect-chrome → skills/connect-chrome}/SKILL.md +0 -0
/package/{connect-chrome → skills/connect-chrome}/SKILL.md.tmpl +0 -0
/package/{cso → skills/cso}/SKILL.md +0 -0
/package/{cso → skills/cso}/SKILL.md.tmpl +0 -0
/package/{design-consultation → skills/design-consultation}/SKILL.md +0 -0
/package/{design-consultation → skills/design-consultation}/SKILL.md.tmpl +0 -0
/package/{design-review → skills/design-review}/SKILL.md +0 -0
/package/{design-review → skills/design-review}/SKILL.md.tmpl +0 -0
/package/{design-shotgun → skills/design-shotgun}/SKILL.md +0 -0
/package/{design-shotgun → skills/design-shotgun}/SKILL.md.tmpl +0 -0
/package/{document-release → skills/document-release}/SKILL.md +0 -0
/package/{document-release → skills/document-release}/SKILL.md.tmpl +0 -0
/package/{freeze → skills/freeze}/SKILL.md +0 -0
/package/{freeze → skills/freeze}/SKILL.md.tmpl +0 -0
/package/{gstack-upgrade → skills/gstack-upgrade}/SKILL.md +0 -0
/package/{gstack-upgrade → skills/gstack-upgrade}/SKILL.md.tmpl +0 -0
/package/{guard → skills/guard}/SKILL.md +0 -0
/package/{guard → skills/guard}/SKILL.md.tmpl +0 -0
/package/{investigate → skills/investigate}/SKILL.md +0 -0
/package/{investigate → skills/investigate}/SKILL.md.tmpl +0 -0
/package/{land-and-deploy → skills/land-and-deploy}/SKILL.md +0 -0
/package/{land-and-deploy → skills/land-and-deploy}/SKILL.md.tmpl +0 -0
/package/{office-hours → skills/office-hours}/SKILL.md +0 -0
/package/{office-hours → skills/office-hours}/SKILL.md.tmpl +0 -0
/package/{plan-ceo-review → skills/plan-ceo-review}/SKILL.md +0 -0
/package/{plan-ceo-review → skills/plan-ceo-review}/SKILL.md.tmpl +0 -0
/package/{plan-design-review → skills/plan-design-review}/SKILL.md +0 -0
/package/{plan-design-review → skills/plan-design-review}/SKILL.md.tmpl +0 -0
/package/{plan-eng-review → skills/plan-eng-review}/SKILL.md +0 -0
/package/{plan-eng-review → skills/plan-eng-review}/SKILL.md.tmpl +0 -0
/package/{qa → skills/qa}/SKILL.md +0 -0
/package/{qa → skills/qa}/SKILL.md.tmpl +0 -0
/package/{qa-only → skills/qa-only}/SKILL.md +0 -0
/package/{qa-only → skills/qa-only}/SKILL.md.tmpl +0 -0
/package/{retro → skills/retro}/SKILL.md +0 -0
/package/{retro → skills/retro}/SKILL.md.tmpl +0 -0
/package/{review → skills/review}/SKILL.md +0 -0
/package/{review → skills/review}/SKILL.md.tmpl +0 -0
/package/{setup-browser-cookies → skills/setup-browser-cookies}/SKILL.md +0 -0
/package/{setup-browser-cookies → skills/setup-browser-cookies}/SKILL.md.tmpl +0 -0
/package/{setup-deploy → skills/setup-deploy}/SKILL.md +0 -0
/package/{setup-deploy → skills/setup-deploy}/SKILL.md.tmpl +0 -0
/package/{ship → skills/ship}/SKILL.md +0 -0
/package/{ship → skills/ship}/SKILL.md.tmpl +0 -0
/package/{unfreeze → skills/unfreeze}/SKILL.md +0 -0
/package/{unfreeze → skills/unfreeze}/SKILL.md.tmpl +0 -0

package/skills/browse/src/write-commands.ts ADDED Viewed

@@ -0,0 +1,364 @@
+/**
+ * Write commands — navigate and interact with pages (side effects)
+ *
+ * goto, back, forward, reload, click, fill, select, hover, type,
+ * press, scroll, wait, viewport, cookie, header, useragent
+ */
+import type { BrowserManager } from './browser-manager';
+import { findInstalledBrowsers, importCookies, listSupportedBrowserNames } from './cookie-import-browser';
+import { validateNavigationUrl } from './url-validation';
+import * as fs from 'fs';
+import * as path from 'path';
+import { TEMP_DIR, isPathWithin } from './platform';
+export async function handleWriteCommand(
+  command: string,
+  args: string[],
+  bm: BrowserManager
+): Promise<string> {
+  const page = bm.getPage();
+  // Frame-aware target for locator-based operations (click, fill, etc.)
+  const target = bm.getActiveFrameOrPage();
+  const inFrame = bm.getFrame() !== null;
+  switch (command) {
+    case 'goto': {
+      if (inFrame) throw new Error('Cannot use goto inside a frame. Run \'frame main\' first.');
+      const url = args[0];
+      if (!url) throw new Error('Usage: browse goto <url>');
+      await validateNavigationUrl(url);
+      const response = await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 15000 });
+      const status = response?.status() || 'unknown';
+      return `Navigated to ${url} (${status})`;
+    }
+    case 'back': {
+      if (inFrame) throw new Error('Cannot use back inside a frame. Run \'frame main\' first.');
+      await page.goBack({ waitUntil: 'domcontentloaded', timeout: 15000 });
+      return `Back → ${page.url()}`;
+    }
+    case 'forward': {
+      if (inFrame) throw new Error('Cannot use forward inside a frame. Run \'frame main\' first.');
+      await page.goForward({ waitUntil: 'domcontentloaded', timeout: 15000 });
+      return `Forward → ${page.url()}`;
+    }
+    case 'reload': {
+      if (inFrame) throw new Error('Cannot use reload inside a frame. Run \'frame main\' first.');
+      await page.reload({ waitUntil: 'domcontentloaded', timeout: 15000 });
+      return `Reloaded ${page.url()}`;
+    }
+    case 'click': {
+      const selector = args[0];
+      if (!selector) throw new Error('Usage: browse click <selector>');
+      // Auto-route: if ref points to a real <option> inside a <select>, use selectOption
+      const role = bm.getRefRole(selector);
+      if (role === 'option') {
+        const resolved = await bm.resolveRef(selector);
+        if ('locator' in resolved) {
+          const optionInfo = await resolved.locator.evaluate(el => {
+            if (el.tagName !== 'OPTION') return null; // custom [role=option], not real <option>
+            const option = el as HTMLOptionElement;
+            const select = option.closest('select');
+            if (!select) return null;
+            return { value: option.value, text: option.text };
+          });
+          if (optionInfo) {
+            await resolved.locator.locator('xpath=ancestor::select').selectOption(optionInfo.value, { timeout: 5000 });
+            return `Selected "${optionInfo.text}" (auto-routed from click on <option>) → now at ${page.url()}`;
+          }
+          // Real <option> with no parent <select> or custom [role=option] — fall through to normal click
+        }
+      }
+      const resolved = await bm.resolveRef(selector);
+      try {
+        if ('locator' in resolved) {
+          await resolved.locator.click({ timeout: 5000 });
+        } else {
+          await target.locator(resolved.selector).click({ timeout: 5000 });
+        }
+      } catch (err: any) {
+        // Enhanced error guidance: clicking <option> elements always fails (not visible / timeout)
+        const isOption = 'locator' in resolved
+          ? await resolved.locator.evaluate(el => el.tagName === 'OPTION').catch(() => false)
+          : await target.locator(resolved.selector).evaluate(
+              el => el.tagName === 'OPTION'
+            ).catch(() => false);
+        if (isOption) {
+          throw new Error(
+            `Cannot click <option> elements. Use 'browse select <parent-select> <value>' instead of 'click' for dropdown options.`
+          );
+        }
+        throw err;
+      }
+      // Wait for network to settle (catches XHR/fetch triggered by clicks)
+      await page.waitForLoadState('networkidle', { timeout: 2000 }).catch(() => {});
+      return `Clicked ${selector} → now at ${page.url()}`;
+    }
+    case 'fill': {
+      const [selector, ...valueParts] = args;
+      const value = valueParts.join(' ');
+      if (!selector || !value) throw new Error('Usage: browse fill <selector> <value>');
+      const resolved = await bm.resolveRef(selector);
+      if ('locator' in resolved) {
+        await resolved.locator.fill(value, { timeout: 5000 });
+      } else {
+        await target.locator(resolved.selector).fill(value, { timeout: 5000 });
+      }
+      // Wait for network to settle (form validation XHRs)
+      await page.waitForLoadState('networkidle', { timeout: 2000 }).catch(() => {});
+      return `Filled ${selector}`;
+    }
+    case 'select': {
+      const [selector, ...valueParts] = args;
+      const value = valueParts.join(' ');
+      if (!selector || !value) throw new Error('Usage: browse select <selector> <value>');
+      const resolved = await bm.resolveRef(selector);
+      if ('locator' in resolved) {
+        await resolved.locator.selectOption(value, { timeout: 5000 });
+      } else {
+        await target.locator(resolved.selector).selectOption(value, { timeout: 5000 });
+      }
+      // Wait for network to settle (dropdown-triggered requests)
+      await page.waitForLoadState('networkidle', { timeout: 2000 }).catch(() => {});
+      return `Selected "${value}" in ${selector}`;
+    }
+    case 'hover': {
+      const selector = args[0];
+      if (!selector) throw new Error('Usage: browse hover <selector>');
+      const resolved = await bm.resolveRef(selector);
+      if ('locator' in resolved) {
+        await resolved.locator.hover({ timeout: 5000 });
+      } else {
+        await target.locator(resolved.selector).hover({ timeout: 5000 });
+      }
+      return `Hovered ${selector}`;
+    }
+    case 'type': {
+      const text = args.join(' ');
+      if (!text) throw new Error('Usage: browse type <text>');
+      await page.keyboard.type(text);
+      return `Typed ${text.length} characters`;
+    }
+    case 'press': {
+      const key = args[0];
+      if (!key) throw new Error('Usage: browse press <key> (e.g., Enter, Tab, Escape)');
+      await page.keyboard.press(key);
+      return `Pressed ${key}`;
+    }
+    case 'scroll': {
+      const selector = args[0];
+      if (selector) {
+        const resolved = await bm.resolveRef(selector);
+        if ('locator' in resolved) {
+          await resolved.locator.scrollIntoViewIfNeeded({ timeout: 5000 });
+        } else {
+          await target.locator(resolved.selector).scrollIntoViewIfNeeded({ timeout: 5000 });
+        }
+        return `Scrolled ${selector} into view`;
+      }
+      await target.evaluate(() => window.scrollTo(0, document.body.scrollHeight));
+      return 'Scrolled to bottom';
+    }
+    case 'wait': {
+      const selector = args[0];
+      if (!selector) throw new Error('Usage: browse wait <selector|--networkidle|--load|--domcontentloaded>');
+      if (selector === '--networkidle') {
+        const timeout = args[1] ? parseInt(args[1], 10) : 15000;
+        await page.waitForLoadState('networkidle', { timeout });
+        return 'Network idle';
+      }
+      if (selector === '--load') {
+        await page.waitForLoadState('load');
+        return 'Page loaded';
+      }
+      if (selector === '--domcontentloaded') {
+        await page.waitForLoadState('domcontentloaded');
+        return 'DOM content loaded';
+      }
+      const timeout = args[1] ? parseInt(args[1], 10) : 15000;
+      const resolved = await bm.resolveRef(selector);
+      if ('locator' in resolved) {
+        await resolved.locator.waitFor({ state: 'visible', timeout });
+      } else {
+        await target.locator(resolved.selector).waitFor({ state: 'visible', timeout });
+      }
+      return `Element ${selector} appeared`;
+    }
+    case 'viewport': {
+      const size = args[0];
+      if (!size || !size.includes('x')) throw new Error('Usage: browse viewport <WxH> (e.g., 375x812)');
+      const [w, h] = size.split('x').map(Number);
+      await bm.setViewport(w, h);
+      return `Viewport set to ${w}x${h}`;
+    }
+    case 'cookie': {
+      const cookieStr = args[0];
+      if (!cookieStr || !cookieStr.includes('=')) throw new Error('Usage: browse cookie <name>=<value>');
+      const eq = cookieStr.indexOf('=');
+      const name = cookieStr.slice(0, eq);
+      const value = cookieStr.slice(eq + 1);
+      const url = new URL(page.url());
+      await page.context().addCookies([{
+        name,
+        value,
+        domain: url.hostname,
+        path: '/',
+      }]);
+      return `Cookie set: ${name}=****`;
+    }
+    case 'header': {
+      const headerStr = args[0];
+      if (!headerStr || !headerStr.includes(':')) throw new Error('Usage: browse header <name>:<value>');
+      const sep = headerStr.indexOf(':');
+      const name = headerStr.slice(0, sep).trim();
+      const value = headerStr.slice(sep + 1).trim();
+      await bm.setExtraHeader(name, value);
+      const sensitiveHeaders = ['authorization', 'cookie', 'set-cookie', 'x-api-key', 'x-auth-token'];
+      const redactedValue = sensitiveHeaders.includes(name.toLowerCase()) ? '****' : value;
+      return `Header set: ${name}: ${redactedValue}`;
+    }
+    case 'useragent': {
+      const ua = args.join(' ');
+      if (!ua) throw new Error('Usage: browse useragent <string>');
+      bm.setUserAgent(ua);
+      const error = await bm.recreateContext();
+      if (error) {
+        return `User agent set to "${ua}" but: ${error}`;
+      }
+      return `User agent set: ${ua}`;
+    }
+    case 'upload': {
+      const [selector, ...filePaths] = args;
+      if (!selector || filePaths.length === 0) throw new Error('Usage: browse upload <selector> <file1> [file2...]');
+      // Validate all files exist before upload
+      for (const fp of filePaths) {
+        if (!fs.existsSync(fp)) throw new Error(`File not found: ${fp}`);
+      }
+      const resolved = await bm.resolveRef(selector);
+      if ('locator' in resolved) {
+        await resolved.locator.setInputFiles(filePaths);
+      } else {
+        await target.locator(resolved.selector).setInputFiles(filePaths);
+      }
+      const fileInfo = filePaths.map(fp => {
+        const stat = fs.statSync(fp);
+        return `${path.basename(fp)} (${stat.size}B)`;
+      }).join(', ');
+      return `Uploaded: ${fileInfo}`;
+    }
+    case 'dialog-accept': {
+      const text = args.length > 0 ? args.join(' ') : null;
+      bm.setDialogAutoAccept(true);
+      bm.setDialogPromptText(text);
+      return text
+        ? `Dialogs will be accepted with text: "${text}"`
+        : 'Dialogs will be accepted';
+    }
+    case 'dialog-dismiss': {
+      bm.setDialogAutoAccept(false);
+      bm.setDialogPromptText(null);
+      return 'Dialogs will be dismissed';
+    }
+    case 'cookie-import': {
+      const filePath = args[0];
+      if (!filePath) throw new Error('Usage: browse cookie-import <json-file>');
+      // Path validation — prevent reading arbitrary files
+      if (path.isAbsolute(filePath)) {
+        const safeDirs = [TEMP_DIR, process.cwd()];
+        const resolved = path.resolve(filePath);
+        if (!safeDirs.some(dir => isPathWithin(resolved, dir))) {
+          throw new Error(`Path must be within: ${safeDirs.join(', ')}`);
+        }
+      }
+      if (path.normalize(filePath).includes('..')) {
+        throw new Error('Path traversal sequences (..) are not allowed');
+      }
+      if (!fs.existsSync(filePath)) throw new Error(`File not found: ${filePath}`);
+      const raw = fs.readFileSync(filePath, 'utf-8');
+      let cookies: any[];
+      try { cookies = JSON.parse(raw); } catch { throw new Error(`Invalid JSON in ${filePath}`); }
+      if (!Array.isArray(cookies)) throw new Error('Cookie file must contain a JSON array');
+      // Auto-fill domain from current page URL when missing (consistent with cookie command)
+      const pageUrl = new URL(page.url());
+      const defaultDomain = pageUrl.hostname;
+      for (const c of cookies) {
+        if (!c.name || c.value === undefined) throw new Error('Each cookie must have "name" and "value" fields');
+        if (!c.domain) c.domain = defaultDomain;
+        if (!c.path) c.path = '/';
+      }
+      await page.context().addCookies(cookies);
+      return `Loaded ${cookies.length} cookies from ${filePath}`;
+    }
+    case 'cookie-import-browser': {
+      // Two modes:
+      // 1. Direct CLI import: cookie-import-browser <browser> --domain <domain> [--profile <profile>]
+      // 2. Open picker UI: cookie-import-browser [browser]
+      const browserArg = args[0];
+      const domainIdx = args.indexOf('--domain');
+      const profileIdx = args.indexOf('--profile');
+      const profile = (profileIdx !== -1 && profileIdx + 1 < args.length) ? args[profileIdx + 1] : 'Default';
+      if (domainIdx !== -1 && domainIdx + 1 < args.length) {
+        // Direct import mode — no UI
+        const domain = args[domainIdx + 1];
+        const browser = browserArg || 'comet';
+        const result = await importCookies(browser, [domain], profile);
+        if (result.cookies.length > 0) {
+          await page.context().addCookies(result.cookies);
+        }
+        const msg = [`Imported ${result.count} cookies for ${domain} from ${browser}`];
+        if (result.failed > 0) msg.push(`(${result.failed} failed to decrypt)`);
+        return msg.join(' ');
+      }
+      // Picker UI mode — open in user's browser
+      const port = bm.serverPort;
+      if (!port) throw new Error('Server port not available');
+      const browsers = findInstalledBrowsers();
+      if (browsers.length === 0) {
+        throw new Error(`No Chromium browsers found. Supported: ${listSupportedBrowserNames().join(', ')}`);
+      }
+      const pickerUrl = `http://127.0.0.1:${port}/cookie-picker`;
+      try {
+        Bun.spawn(['open', pickerUrl], { stdout: 'ignore', stderr: 'ignore' });
+      } catch {
+        // open may fail silently — URL is in the message below
+      }
+      return `Cookie picker opened at ${pickerUrl}\nDetected browsers: ${browsers.map(b => b.name).join(', ')}\nSelect domains to import, then close the picker when done.`;
+    }
+    default:
+      throw new Error(`Unknown write command: ${command}`);
+  }
+}

package/skills/browse/test/activity.test.ts ADDED Viewed

@@ -0,0 +1,120 @@
+import { describe, it, expect } from 'bun:test';
+import { filterArgs, emitActivity, getActivityAfter, getActivityHistory, subscribe } from '../src/activity';
+describe('filterArgs — privacy filtering', () => {
+  it('redacts fill value for password fields', () => {
+    expect(filterArgs('fill', ['#password', 'mysecret123'])).toEqual(['#password', '[REDACTED]']);
+    expect(filterArgs('fill', ['input[type=passwd]', 'abc'])).toEqual(['input[type=passwd]', '[REDACTED]']);
+  });
+  it('preserves fill value for non-password fields', () => {
+    expect(filterArgs('fill', ['#email', 'user@test.com'])).toEqual(['#email', 'user@test.com']);
+  });
+  it('redacts type command args', () => {
+    expect(filterArgs('type', ['my password'])).toEqual(['[REDACTED]']);
+  });
+  it('redacts Authorization header', () => {
+    expect(filterArgs('header', ['Authorization:Bearer abc123'])).toEqual(['Authorization:[REDACTED]']);
+  });
+  it('preserves non-sensitive headers', () => {
+    expect(filterArgs('header', ['Content-Type:application/json'])).toEqual(['Content-Type:application/json']);
+  });
+  it('redacts cookie values', () => {
+    expect(filterArgs('cookie', ['session_id=abc123'])).toEqual(['session_id=[REDACTED]']);
+  });
+  it('redacts sensitive URL query params', () => {
+    const result = filterArgs('goto', ['https://example.com?api_key=secret&page=1']);
+    expect(result[0]).toContain('api_key=%5BREDACTED%5D');
+    expect(result[0]).toContain('page=1');
+  });
+  it('preserves non-sensitive URL query params', () => {
+    const result = filterArgs('goto', ['https://example.com?page=1&sort=name']);
+    expect(result[0]).toBe('https://example.com?page=1&sort=name');
+  });
+  it('handles empty args', () => {
+    expect(filterArgs('click', [])).toEqual([]);
+  });
+  it('handles non-URL non-sensitive args', () => {
+    expect(filterArgs('click', ['@e3'])).toEqual(['@e3']);
+  });
+});
+describe('emitActivity', () => {
+  it('emits with auto-incremented id', () => {
+    const e1 = emitActivity({ type: 'command_start', command: 'goto', args: ['https://example.com'] });
+    const e2 = emitActivity({ type: 'command_end', command: 'goto', status: 'ok', duration: 100 });
+    expect(e2.id).toBe(e1.id + 1);
+  });
+  it('truncates long results', () => {
+    const longResult = 'x'.repeat(500);
+    const entry = emitActivity({ type: 'command_end', command: 'text', result: longResult });
+    expect(entry.result!.length).toBeLessThanOrEqual(203); // 200 + "..."
+  });
+  it('applies privacy filtering', () => {
+    const entry = emitActivity({ type: 'command_start', command: 'type', args: ['my secret password'] });
+    expect(entry.args).toEqual(['[REDACTED]']);
+  });
+});
+describe('getActivityAfter', () => {
+  it('returns entries after cursor', () => {
+    const e1 = emitActivity({ type: 'command_start', command: 'test1' });
+    const e2 = emitActivity({ type: 'command_start', command: 'test2' });
+    const result = getActivityAfter(e1.id);
+    expect(result.entries.some(e => e.id === e2.id)).toBe(true);
+    expect(result.gap).toBe(false);
+  });
+  it('returns all entries when cursor is 0', () => {
+    emitActivity({ type: 'command_start', command: 'test3' });
+    const result = getActivityAfter(0);
+    expect(result.entries.length).toBeGreaterThan(0);
+  });
+});
+describe('getActivityHistory', () => {
+  it('returns limited entries', () => {
+    for (let i = 0; i < 5; i++) {
+      emitActivity({ type: 'command_start', command: `history-test-${i}` });
+    }
+    const result = getActivityHistory(3);
+    expect(result.entries.length).toBeLessThanOrEqual(3);
+  });
+});
+describe('subscribe', () => {
+  it('receives new events', async () => {
+    const received: any[] = [];
+    const unsub = subscribe((entry) => received.push(entry));
+    emitActivity({ type: 'command_start', command: 'sub-test' });
+    // queueMicrotask is async — wait a tick
+    await new Promise(resolve => setTimeout(resolve, 10));
+    expect(received.length).toBeGreaterThanOrEqual(1);
+    expect(received[received.length - 1].command).toBe('sub-test');
+    unsub();
+  });
+  it('stops receiving after unsubscribe', async () => {
+    const received: any[] = [];
+    const unsub = subscribe((entry) => received.push(entry));
+    unsub();
+    emitActivity({ type: 'command_start', command: 'should-not-see' });
+    await new Promise(resolve => setTimeout(resolve, 10));
+    expect(received.filter(e => e.command === 'should-not-see').length).toBe(0);
+  });
+});

package/skills/browse/test/adversarial-security.test.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Adversarial security tests — XSS and boundary-check hardening
+ *
+ * Test 19: Sidepanel escapes entry.command in activity feed (prevents XSS)
+ * Test 20: Freeze hook uses trailing slash in boundary check (prevents prefix collision)
+ */
+import { describe, test, expect } from 'bun:test';
+import * as fs from 'fs';
+import * as path from 'path';
+describe('Adversarial security', () => {
+  test('sidepanel escapes entry.command in activity feed', () => {
+    const source = fs.readFileSync(
+      path.join(import.meta.dir, '../../extension/sidepanel.js'),
+      'utf-8',
+    );
+    // entry.command must be wrapped in escapeHtml() to prevent XSS injection
+    // via crafted command names in the activity feed
+    expect(source).toContain('escapeHtml(entry.command');
+  });
+  test('freeze hook uses trailing slash in boundary check', () => {
+    const source = fs.readFileSync(
+      path.join(import.meta.dir, '../../freeze/bin/check-freeze.sh'),
+      'utf-8',
+    );
+    // The boundary check must use "${FREEZE_DIR}/" with a trailing slash
+    // to prevent prefix collision (e.g., /app matching /application)
+    expect(source).toContain('"${FREEZE_DIR}/"');
+  });
+});

package/skills/browse/test/browser-manager-unit.test.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { describe, it, expect } from 'bun:test';
+// ─── BrowserManager basic unit tests ─────────────────────────────
+describe('BrowserManager defaults', () => {
+  it('getConnectionMode defaults to launched', async () => {
+    const { BrowserManager } = await import('../src/browser-manager');
+    const bm = new BrowserManager();
+    expect(bm.getConnectionMode()).toBe('launched');
+  });
+  it('getRefMap returns empty array initially', async () => {
+    const { BrowserManager } = await import('../src/browser-manager');
+    const bm = new BrowserManager();
+    expect(bm.getRefMap()).toEqual([]);
+  });
+});

package/skills/browse/test/bun-polyfill.test.ts ADDED Viewed

@@ -0,0 +1,72 @@
+import { describe, test, expect, afterAll } from 'bun:test';
+import * as path from 'path';
+// Load the polyfill into a fresh object (don't clobber globalThis.Bun)
+const polyfillPath = path.resolve(import.meta.dir, '../src/bun-polyfill.cjs');
+describe('bun-polyfill', () => {
+  // We test the polyfill by requiring it in a subprocess under Node.js
+  // since it's designed for Node, not Bun.
+  test('Bun.sleep resolves after delay', async () => {
+    const result = Bun.spawnSync(['node', '-e', `
+      require('${polyfillPath}');
+      (async () => {
+        const start = Date.now();
+        await Bun.sleep(50);
+        const elapsed = Date.now() - start;
+        console.log(elapsed >= 40 ? 'OK' : 'TOO_FAST');
+      })();
+    `], { stdout: 'pipe', stderr: 'pipe' });
+    expect(result.stdout.toString().trim()).toBe('OK');
+    expect(result.exitCode).toBe(0);
+  });
+  test('Bun.spawnSync runs a command and returns stdout', () => {
+    const result = Bun.spawnSync(['node', '-e', `
+      require('${polyfillPath}');
+      const r = Bun.spawnSync(['echo', 'hello'], { stdout: 'pipe' });
+      console.log(r.stdout.toString().trim());
+      console.log('exit:' + r.exitCode);
+    `], { stdout: 'pipe', stderr: 'pipe' });
+    const lines = result.stdout.toString().trim().split('\n');
+    expect(lines[0]).toBe('hello');
+    expect(lines[1]).toBe('exit:0');
+  });
+  test('Bun.spawn launches a process with pid', async () => {
+    const result = Bun.spawnSync(['node', '-e', `
+      require('${polyfillPath}');
+      const p = Bun.spawn(['echo', 'test'], { stdio: ['pipe', 'pipe', 'pipe'] });
+      console.log(typeof p.pid === 'number' ? 'HAS_PID' : 'NO_PID');
+      console.log(typeof p.kill === 'function' ? 'HAS_KILL' : 'NO_KILL');
+      console.log(typeof p.unref === 'function' ? 'HAS_UNREF' : 'NO_UNREF');
+    `], { stdout: 'pipe', stderr: 'pipe' });
+    const lines = result.stdout.toString().trim().split('\n');
+    expect(lines[0]).toBe('HAS_PID');
+    expect(lines[1]).toBe('HAS_KILL');
+    expect(lines[2]).toBe('HAS_UNREF');
+  });
+  test('Bun.serve creates an HTTP server that responds', async () => {
+    const result = Bun.spawnSync(['node', '-e', `
+      require('${polyfillPath}');
+      const server = Bun.serve({
+        port: 0,  // Note: polyfill uses port directly, so we pick one
+        hostname: '127.0.0.1',
+        fetch(req) {
+          return new Response(JSON.stringify({ ok: true }), {
+            headers: { 'Content-Type': 'application/json' },
+          });
+        },
+      });
+      // The polyfill doesn't support port 0, so we test the object shape
+      console.log(typeof server.stop === 'function' ? 'HAS_STOP' : 'NO_STOP');
+      console.log(typeof server.port === 'number' ? 'HAS_PORT' : 'NO_PORT');
+      server.stop();
+    `], { stdout: 'pipe', stderr: 'pipe' });
+    const lines = result.stdout.toString().trim().split('\n');
+    expect(lines[0]).toBe('HAS_STOP');
+    expect(lines[1]).toBe('HAS_PORT');
+  });
+});