pi-chrome 0.15.10 → 0.15.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,14 @@
|
|
|
2
2
|
|
|
3
3
|
All notable user-facing changes to `pi-chrome`.
|
|
4
4
|
|
|
5
|
+
## 0.15.12 — 2026-05-14
|
|
6
|
+
|
|
7
|
+
- **Docs accuracy.** Clarified that the bundled Chrome extension currently polls `127.0.0.1:17318`; custom bridge ports are not supported without editing/reloading the extension source. Also softened the unpacked-extension rationale to avoid overstating Web Store limitations and fixed stale strict-CSP guidance for `chrome_evaluate`.
|
|
8
|
+
|
|
9
|
+
## 0.15.11 — 2026-05-14
|
|
10
|
+
|
|
11
|
+
- **README cleanup.** Removed the Playwright/CDP/Selenium comparison table and low-signal Composes with / Contributing sections from the package page because they are noisy and easy to drift.
|
|
12
|
+
|
|
5
13
|
## 0.15.10 — 2026-05-14
|
|
6
14
|
|
|
7
15
|
- **Browser-side Chrome consent.** `/chrome authorize` now opens a Pi Chrome Connector approval page inside Chrome showing duration, workspace, process id, and extension/package versions. Chrome control unlocks only after the user approves there; denying, closing the tab, or timeout leaves control locked.
|
package/README.md
CHANGED
|
@@ -120,28 +120,6 @@ You: [files the ticket with the folder attached]
|
|
|
120
120
|
|
|
121
121
|
---
|
|
122
122
|
|
|
123
|
-
## Why pi-chrome vs. Playwright / CDP / Selenium
|
|
124
|
-
|
|
125
|
-
> Short version: **pi-chrome is primitives — "Playwright for the Chrome you're already signed into."** Not an agent loop. Plug it under any agent framework (Browser Use, Stagehand, LangGraph) or call its tools directly from a Pi agent. See [docs/COMPARISON.md](./docs/COMPARISON.md) for the full three-axis landscape (drivers, agents, cloud providers).
|
|
126
|
-
|
|
127
|
-
| | **pi-chrome** | Playwright / Puppeteer | CDP-based agents | Selenium / WebDriver |
|
|
128
|
-
| ------------------------------ | --------------------------------- | ----------------------------- | ----------------------------- | ----------------------------- |
|
|
129
|
-
| **Time from `pi install` → first useful action on your real account** | ~60s (load unpacked, `/chrome doctor`) | hours (script login, store creds, debug headless) | 30+ min (`--remote-debug` setup, attach) | hours (driver + login script) |
|
|
130
|
-
| **Survives MFA / SSO without code** | ✅ already logged in | ❌ | ⚠️ if you re-auth | ❌ |
|
|
131
|
-
| Uses your real signed-in Chrome | ✅ extension in your profile | ❌ throwaway profile | ⚠️ requires `--remote-debug` | ❌ throwaway profile |
|
|
132
|
-
| Re-login required | **Never** | Every run | Sometimes | Every run |
|
|
133
|
-
| **Multiple agents drive the same Chrome at once** | ✅ shared bridge | ❌ port collisions | ❌ | ❌ |
|
|
134
|
-
| Watch agent work, live | ✅ default; run in background optional | ❌ headless or new window | ⚠️ debugger banner always | ❌ new window |
|
|
135
|
-
| Real browser input | ✅ always for input tools | ✅ | ✅ | ✅ |
|
|
136
|
-
| Network/console capture | ✅ built-in | ✅ | ✅ | ⚠️ via extensions |
|
|
137
|
-
| **Honest result envelopes¹** | ✅ | ⚠️ | ❌ | ❌ |
|
|
138
|
-
| Self-graded by built-in benchmark² | ✅ 38 primitives + 4 long-horizon | n/a | n/a | n/a |
|
|
139
|
-
|
|
140
|
-
¹ Every action returns `pageMutated`, `defaultPrevented`, `elementVisible`, `occludedBy`, and `valueMatches` so the agent knows when a click didn't take effect — instead of looping blindly.
|
|
141
|
-
² [`test-suite/`](./test-suite) grades browser-control primitives across input fidelity, activation gates, DOM complexity, and agent safety. If you build a competing tool, send a PR with your scores. We benchmark in public.
|
|
142
|
-
|
|
143
|
-
---
|
|
144
|
-
|
|
145
123
|
## Honest results
|
|
146
124
|
|
|
147
125
|
Most browser-automation libraries return `void` or a generic ack. `pi-chrome` returns a structured envelope on every interaction:
|
|
@@ -259,25 +237,13 @@ If you build a competing tool, please open a PR with your scores. We benchmark i
|
|
|
259
237
|
|
|
260
238
|
## Security model & why unpacked
|
|
261
239
|
|
|
262
|
-
**Unpacked on purpose.**
|
|
240
|
+
**Unpacked on purpose.** pi-chrome ships as an inspectable, MIT-licensed extension folder you load once with Developer Mode, so the local bridge and browser permissions are easy to audit and update without a Web Store release cycle. Every line is yours to read in [`extensions/chrome-profile-bridge/browser-extension/`](./extensions/chrome-profile-bridge/browser-extension). `/chrome doctor` reports the loaded extension version and warns when it drifts from your installed `pi-chrome`.
|
|
263
241
|
|
|
264
242
|
The companion extension runs in the Chrome profile where you install it and has broad tab/scripting permissions. Only install it from a package source you trust. Even after install, `chrome_*` tools stay locked until you run `/chrome authorize` in Pi and approve the browser-side consent page in Chrome. Use `/chrome revoke` to lock them again.
|
|
265
243
|
|
|
266
|
-
The Pi side listens on `127.0.0.1:17318`
|
|
267
|
-
|
|
268
|
-
```bash
|
|
269
|
-
PI_CHROME_BRIDGE_PORT=17319 pi
|
|
270
|
-
```
|
|
244
|
+
The Pi side listens on `127.0.0.1:17318` and rejects browser-origin command requests; ordinary web pages cannot use CORS to drive the bridge. The bundled Chrome extension currently polls that default port, so custom bridge ports are not supported without editing the extension source and reloading it.
|
|
271
245
|
|
|
272
|
-
There is no network exposure; the bridge binds to loopback only.
|
|
273
|
-
|
|
274
|
-
---
|
|
275
|
-
|
|
276
|
-
## Composes with
|
|
277
|
-
|
|
278
|
-
- **[pi-qq](https://www.npmjs.com/package/pi-qq)** — `/qq summarize what the active GitHub tab shows` without polluting the main transcript.
|
|
279
|
-
- **[pi-bar](https://www.npmjs.com/package/pi-bar)** — when the agent scrapes large pages, watch the context-usage segment turn yellow → red as a signal to `/qq` for a recap.
|
|
280
|
-
- **PR demo skills** — screenshots write to `.pi/chrome-screenshots/` so you can attach them to PR descriptions or demo bundles.
|
|
246
|
+
There is no network exposure in the default configuration; the bridge binds to loopback only.
|
|
281
247
|
|
|
282
248
|
---
|
|
283
249
|
|
|
@@ -294,16 +260,6 @@ If you want one of those next, open an issue.
|
|
|
294
260
|
|
|
295
261
|
---
|
|
296
262
|
|
|
297
|
-
## Contributing
|
|
298
|
-
|
|
299
|
-
PRs welcome. The bar:
|
|
300
|
-
|
|
301
|
-
1. Add a benchmark page in `test-suite/` that fails before your change and passes after.
|
|
302
|
-
2. Keep `chrome_*` tool results honest — surface `pageMutated`, `valueMatches`, `defaultPrevented`, etc.
|
|
303
|
-
3. Don't break the "no re-login" guarantee. Anything that requires a fresh profile is out of scope.
|
|
304
|
-
|
|
305
|
-
---
|
|
306
|
-
|
|
307
263
|
## License
|
|
308
264
|
|
|
309
265
|
MIT. See [LICENSE](./LICENSE).
|
package/SECURITY.md
CHANGED
|
@@ -29,11 +29,9 @@ The Chrome extension under `extensions/chrome-profile-bridge/browser-extension/`
|
|
|
29
29
|
- Chrome control locked by default; `/chrome authorize` opens a Chrome consent page, approval unlocks current Pi session, `/chrome revoke` locks it again.
|
|
30
30
|
- Run-in-background optional; tab/window focus is observable by default (the user can see Pi acting).
|
|
31
31
|
|
|
32
|
-
##
|
|
32
|
+
## Custom ports
|
|
33
33
|
|
|
34
|
-
|
|
35
|
-
PI_CHROME_BRIDGE_PORT=17319 pi
|
|
36
|
-
```
|
|
34
|
+
The bundled Chrome extension currently polls `127.0.0.1:17318`. Custom bridge ports are not supported without editing the extension source and reloading it.
|
|
37
35
|
|
|
38
36
|
## Supported versions
|
|
39
37
|
|
package/docs/FAQ.md
CHANGED
|
@@ -51,7 +51,7 @@ The Pi-facing tools are thin wrappers around an HTTP bridge at `127.0.0.1:17318`
|
|
|
51
51
|
|
|
52
52
|
## Does `chrome_evaluate` work on strict-CSP pages?
|
|
53
53
|
|
|
54
|
-
|
|
54
|
+
Not always. `chrome_evaluate` and `chrome_snapshot` run in the page's MAIN world through the Function constructor, so pages whose CSP blocks `'unsafe-eval'` can reject them. `chrome_screenshot`, `chrome_navigate`, tab tools, and real Chrome input still work because they use extension/browser APIs rather than page JavaScript.
|
|
55
55
|
|
|
56
56
|
## Why does my click return `pageMutated=false`?
|
|
57
57
|
|
|
@@ -835,7 +835,7 @@ Usage rules:
|
|
|
835
835
|
"Start/check the local bridge used by the companion Chrome extension. This does not launch a separate Chrome profile; install the unpacked Chrome extension in your existing Chrome profile to connect.",
|
|
836
836
|
promptSnippet: "Show instructions for connecting Pi to the user's existing Chrome profile via the companion extension.",
|
|
837
837
|
parameters: Type.Object({
|
|
838
|
-
port: Type.Optional(Type.Number({ description: "Ignored
|
|
838
|
+
port: Type.Optional(Type.Number({ description: "Ignored. The bundled Chrome extension polls 127.0.0.1:17318." })),
|
|
839
839
|
url: Type.Optional(Type.String({ description: "Optional URL to open in the existing Chrome profile after the extension is connected." })),
|
|
840
840
|
userDataDir: Type.Optional(Type.String({ description: "Ignored. This bridge intentionally uses the user's existing Chrome profile through the companion extension." })),
|
|
841
841
|
useDefaultProfile: Type.Optional(Type.Boolean({ description: "Ignored; existing-profile access comes from the companion Chrome extension." })),
|