pi-chrome 0.15.9 → 0.15.11

package/CHANGELOG.md

@@ -2,6 +2,15 @@
 
 All notable user-facing changes to `pi-chrome`.
 
+## 0.15.11 — 2026-05-14
+
+- **README cleanup.** Removed the Playwright/CDP/Selenium comparison table and low-signal Composes with / Contributing sections from the package page because they are noisy and easy to drift.
+
+## 0.15.10 — 2026-05-14
+
+- **Browser-side Chrome consent.** `/chrome authorize` now opens a Pi Chrome Connector approval page inside Chrome showing duration, workspace, process id, and extension/package versions. Chrome control unlocks only after the user approves there; denying, closing the tab, or timeout leaves control locked.
+- **README cleanup.** Removed npm/download/license shield badges from the package page because they are noisy and easy to drift.
+
 ## 0.15.9 — 2026-05-14
 
 - **Tighter `/chrome` menu.** Removed the redundant “Connection status” item from the interactive `/chrome` menu because connection/auth/background are already shown in the menu header. `/chrome status` remains available as a slash command.

package/README.md

@@ -12,10 +12,6 @@ Agent:  chrome_tab(list) → chrome_snapshot(uid:…) → chrome_screenshot(...)
 You:    [keeps coding — agent never asked you to log in]
 ```
 
-[![npm version](https://img.shields.io/npm/v/pi-chrome.svg)](https://www.npmjs.com/package/pi-chrome)
-[![npm downloads](https://img.shields.io/npm/dm/pi-chrome.svg)](https://www.npmjs.com/package/pi-chrome)
-[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)
-
 `pi-chrome` ships **20+ browser tools** for Pi agents, backed by a small MIT-licensed Chrome extension that runs inside the Chrome profile **you already use** — including every site you're already signed into.
 
 ---
@@ -34,11 +30,11 @@ Then in Pi:
 
 On macOS this opens `chrome://extensions`, reveals the bundled `browser-extension/` folder in Finder, and copies its path to your clipboard. In Chrome: **Developer mode** → **Load unpacked** → paste the path. Done.
 
-Verify and authorize current Pi session:
+Verify, then authorize current Pi session in Chrome:
 
 ```text
 /chrome doctor
-/chrome authorize
+/chrome authorize   # opens a Chrome approval page
 ```
 
 ```text
@@ -124,28 +120,6 @@ You:    [files the ticket with the folder attached]
 
 ---
 
-## Why pi-chrome vs. Playwright / CDP / Selenium
-
-> Short version: **pi-chrome is primitives — "Playwright for the Chrome you're already signed into."** Not an agent loop. Plug it under any agent framework (Browser Use, Stagehand, LangGraph) or call its tools directly from a Pi agent. See [docs/COMPARISON.md](./docs/COMPARISON.md) for the full three-axis landscape (drivers, agents, cloud providers).
-
-|                                | **pi-chrome**                     | Playwright / Puppeteer        | CDP-based agents              | Selenium / WebDriver          |
-| ------------------------------ | --------------------------------- | ----------------------------- | ----------------------------- | ----------------------------- |
-| **Time from `pi install` → first useful action on your real account** | ~60s (load unpacked, `/chrome doctor`) | hours (script login, store creds, debug headless) | 30+ min (`--remote-debug` setup, attach) | hours (driver + login script) |
-| **Survives MFA / SSO without code** | ✅ already logged in              | ❌                             | ⚠️ if you re-auth             | ❌                             |
-| Uses your real signed-in Chrome | ✅ extension in your profile      | ❌ throwaway profile           | ⚠️ requires `--remote-debug`  | ❌ throwaway profile           |
-| Re-login required               | **Never**                         | Every run                     | Sometimes                     | Every run                     |
-| **Multiple agents drive the same Chrome at once** | ✅ shared bridge | ❌ port collisions             | ❌                             | ❌                             |
-| Watch agent work, live          | ✅ default; run in background optional | ❌ headless or new window      | ⚠️ debugger banner always     | ❌ new window                  |
-| Real browser input              | ✅ always for input tools         | ✅                             | ✅                             | ✅                             |
-| Network/console capture         | ✅ built-in                       | ✅                             | ✅                             | ⚠️ via extensions             |
-| **Honest result envelopes¹**    | ✅                                 | ⚠️                            | ❌                             | ❌                             |
-| Self-graded by built-in benchmark² | ✅ 38 primitives + 4 long-horizon | n/a                          | n/a                           | n/a                           |
-
-¹ Every action returns `pageMutated`, `defaultPrevented`, `elementVisible`, `occludedBy`, and `valueMatches` so the agent knows when a click didn't take effect — instead of looping blindly.
-² [`test-suite/`](./test-suite) grades browser-control primitives across input fidelity, activation gates, DOM complexity, and agent safety. If you build a competing tool, send a PR with your scores. We benchmark in public.
-
----
-
 ## Honest results
 
 Most browser-automation libraries return `void` or a generic ack. `pi-chrome` returns a structured envelope on every interaction:
@@ -188,7 +162,7 @@ Each tool is documented inline in Pi — agents see the parameters and gotchas (
 
 ### Authorization
 
-Chrome control is locked by default. Before any agent can use `chrome_*` tools, explicitly authorize the current Pi session:
+Chrome control is locked by default. Before any agent can use `chrome_*` tools, explicitly authorize the current Pi session. `/chrome authorize` opens a browser-side approval page in Chrome; control unlocks only after you approve there.
 
 ```text
 /chrome authorize          # default: authorize for 15 minutes
@@ -199,7 +173,7 @@ Chrome control is locked by default. Before any agent can use `chrome_*` tools,
 /chrome status             # shows connection + auth + background
 ```
 
-This protects your signed-in Chrome profile from accidental agent use. The loopback bridge also rejects browser-origin command requests so arbitrary web pages cannot call into `127.0.0.1:17318` through CORS.
+This protects your signed-in Chrome profile from accidental agent use and makes the approval happen inside the browser profile being controlled. The loopback bridge also rejects browser-origin command requests so arbitrary web pages cannot call into `127.0.0.1:17318` through CORS.
 
 ### Run in background / watch modes
 
@@ -265,7 +239,7 @@ If you build a competing tool, please open a PR with your scores. We benchmark i
 
 **Unpacked on purpose.** A Web Store extension cannot talk to a local bridge controlled by another tool on the same machine — so pi-chrome ships its bridge as an inspectable, MIT-licensed folder you load once with Developer Mode. Every line is yours to read in [`extensions/chrome-profile-bridge/browser-extension/`](./extensions/chrome-profile-bridge/browser-extension). `/chrome doctor` reports the loaded extension version and warns when it drifts from your installed `pi-chrome`.
 
-The companion extension runs in the Chrome profile where you install it and has broad tab/scripting permissions. Only install it from a package source you trust. Even after install, `chrome_*` tools stay locked until you run `/chrome authorize` in Pi. Use `/chrome revoke` to lock them again.
+The companion extension runs in the Chrome profile where you install it and has broad tab/scripting permissions. Only install it from a package source you trust. Even after install, `chrome_*` tools stay locked until you run `/chrome authorize` in Pi and approve the browser-side consent page in Chrome. Use `/chrome revoke` to lock them again.
 
 The Pi side listens on `127.0.0.1:17318` by default and rejects browser-origin command requests; ordinary web pages cannot use CORS to drive the bridge. Override before starting Pi:
 
@@ -277,14 +251,6 @@ There is no network exposure; the bridge binds to loopback only.
 
 ---
 
-## Composes with
-
-- **[pi-qq](https://www.npmjs.com/package/pi-qq)** — `/qq summarize what the active GitHub tab shows` without polluting the main transcript.
-- **[pi-bar](https://www.npmjs.com/package/pi-bar)** — when the agent scrapes large pages, watch the context-usage segment turn yellow → red as a signal to `/qq` for a recap.
-- **PR demo skills** — screenshots write to `.pi/chrome-screenshots/` so you can attach them to PR descriptions or demo bundles.
-
----
-
 ## Roadmap signals
 
 `pi-chrome` is actively shipped. Things on the near roadmap:
@@ -298,16 +264,6 @@ If you want one of those next, open an issue.
 
 ---
 
-## Contributing
-
-PRs welcome. The bar:
-
-1. Add a benchmark page in `test-suite/` that fails before your change and passes after.
-2. Keep `chrome_*` tool results honest — surface `pageMutated`, `valueMatches`, `defaultPrevented`, etc.
-3. Don't break the "no re-login" guarantee. Anything that requires a fresh profile is out of scope.
-
----
-
 ## License
 
 MIT. See [LICENSE](./LICENSE).

package/SECURITY.md

@@ -9,13 +9,13 @@ Open a GitHub issue prefixed with `[security]` at https://github.com/tianrendong
 `pi-chrome` is a developer tool you install knowingly. It is **not** designed to defend against:
 
 - Hostile pages running in your Chrome trying to detect or escape automation. (Standard browser security boundaries still apply, but a hostile page that already runs in your tab can do anything that page can already do.)
-- Other processes on your local machine. The bridge binds to `127.0.0.1:17318` (loopback only) and chrome_* tools require `/chrome authorize` inside Pi, but the bridge does not authenticate arbitrary non-browser local callers. If your threat model includes hostile local processes running as you, run pi-chrome on a separate user account.
+- Other processes on your local machine. The bridge binds to `127.0.0.1:17318` (loopback only) and chrome_* tools require `/chrome authorize` plus browser-side consent in Chrome, but the bridge does not authenticate arbitrary non-browser local callers. If your threat model includes hostile local processes running as you, run pi-chrome on a separate user account.
 
 `pi-chrome` **is** designed to:
 
 - Never exfiltrate page state to the network. All communication is loopback (`127.0.0.1`).
 - Surface every action with an honest result envelope so the agent can't silently do the wrong thing.
-- Keep Chrome control locked until the user explicitly runs `/chrome authorize` in the current Pi session.
+- Keep Chrome control locked until the user explicitly runs `/chrome authorize` in the current Pi session and approves the Chrome-side consent page.
 - Reject browser-origin command requests to the loopback bridge so ordinary web pages cannot use CORS to drive Chrome.
 
 ## The companion extension
@@ -26,7 +26,7 @@ The Chrome extension under `extensions/chrome-profile-bridge/browser-extension/`
 
 - Loopback bridge only. No remote port. No telemetry.
 - Chrome real input layer for interactive controls.
-- Chrome control locked by default; `/chrome authorize` unlocks current Pi session, `/chrome revoke` locks it again.
+- Chrome control locked by default; `/chrome authorize` opens a Chrome consent page, approval unlocks current Pi session, `/chrome revoke` locks it again.
 - Run-in-background optional; tab/window focus is observable by default (the user can see Pi acting).
 
 ## Override the port

package/docs/COMPARISON.md

@@ -126,7 +126,7 @@ Yes — you can export cookies and replay them, or point Playwright at your exis
 Different security boundary, not strictly safer.
 
 - **CDP-based tools** require `chrome --remote-debugging-port=...`. That port is unauthenticated and exposes the whole browser to any local process. Easy to misconfigure.
-- **pi-chrome** runs through an extension you install yourself with broad permissions (tabs, scripting, debugger, webNavigation). The bridge listens on `127.0.0.1:17318` loopback only, rejects browser-origin command requests, and keeps chrome_* tools locked until `/chrome authorize` is run in the current Pi session. **Only install the bundled extension if you trust the source you got the npm package from.**
+- **pi-chrome** runs through an extension you install yourself with broad permissions (tabs, scripting, debugger, webNavigation). The bridge listens on `127.0.0.1:17318` loopback only, rejects browser-origin command requests, and keeps chrome_* tools locked until `/chrome authorize` is run in the current Pi session and approved on the Chrome-side consent page. **Only install the bundled extension if you trust the source you got the npm package from.**
 
 If your threat model excludes extensions with broad permissions, neither approach is a fit — you want a sandboxed CI runner.
 

package/docs/EXAMPLES.md

@@ -1,6 +1,6 @@
 # pi-chrome examples
 
-Real, useful agent prompts. Drop any of these into Pi after running `/chrome onboard` and `/chrome authorize`. Each one uses Chrome tabs and accounts you already have.
+Real, useful agent prompts. Drop any of these into Pi after running `/chrome onboard`, then `/chrome authorize` and approving in Chrome. Each one uses Chrome tabs and accounts you already have.
 
 ## Daily workflow
 

package/docs/FAQ.md

@@ -26,11 +26,11 @@ That's Chrome's built-in warning when an extension uses `chrome.debugger`. pi-ch
 
 No — pages cannot directly talk to extensions. Commands flow agent → local bridge (`127.0.0.1:17318`) → extension → tab. The bridge binds to loopback only and rejects browser-origin command requests, so ordinary web pages cannot use CORS to drive it.
 
-Chrome control is also locked per Pi session until you run `/chrome authorize`; `/chrome revoke` locks it again. The remaining risk surface is **other local processes running as you** that can connect to loopback and imitate Pi. If that's in your threat model, run pi-chrome in a separate OS user account.
+Chrome control is also locked per Pi session until you run `/chrome authorize` and approve the Chrome-side consent page; `/chrome revoke` locks it again. The remaining risk surface is **other local processes running as you** that can connect to loopback and imitate Pi. If that's in your threat model, run pi-chrome in a separate OS user account.
 
 ## Can multiple Pi sessions use it at once?
 
-Yes. The first session opens the local bridge; later sessions detect it and pipe their commands through the same bridge. Each Pi session must be authorized with `/chrome authorize` before its chrome_* tools work.
+Yes. The first session opens the local bridge; later sessions detect it and pipe their commands through the same bridge. Each Pi session must be authorized with `/chrome authorize` and approved in Chrome before its chrome_* tools work.
 
 ## Why can't this be on the Chrome Web Store?
 

package/extensions/chrome-profile-bridge/browser-extension/consent.css

@@ -0,0 +1,141 @@
+:root {
+  color-scheme: light dark;
+  font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+  background: #0f172a;
+  color: #e5e7eb;
+}
+
+* { box-sizing: border-box; }
+
+body {
+  margin: 0;
+  min-height: 100vh;
+  display: grid;
+  place-items: center;
+  padding: 32px;
+  background:
+    radial-gradient(circle at 20% 10%, rgba(79, 70, 229, 0.35), transparent 30%),
+    radial-gradient(circle at 80% 80%, rgba(14, 165, 233, 0.2), transparent 32%),
+    #0f172a;
+}
+
+.card {
+  width: min(680px, 100%);
+  background: rgba(15, 23, 42, 0.9);
+  border: 1px solid rgba(148, 163, 184, 0.25);
+  border-radius: 24px;
+  box-shadow: 0 24px 80px rgba(0, 0, 0, 0.4);
+  padding: 32px;
+}
+
+.badge {
+  display: inline-flex;
+  align-items: center;
+  border: 1px solid rgba(129, 140, 248, 0.45);
+  border-radius: 999px;
+  padding: 6px 12px;
+  color: #c7d2fe;
+  background: rgba(79, 70, 229, 0.18);
+  font-size: 13px;
+  font-weight: 700;
+}
+
+h1 {
+  margin: 18px 0 8px;
+  font-size: clamp(32px, 6vw, 48px);
+  line-height: 1;
+}
+
+.lead {
+  margin: 0 0 24px;
+  color: #cbd5e1;
+  font-size: 18px;
+}
+
+.details {
+  display: grid;
+  gap: 12px;
+  margin: 24px 0;
+}
+
+.details div {
+  display: grid;
+  grid-template-columns: 140px 1fr;
+  gap: 16px;
+  align-items: start;
+  padding: 14px 16px;
+  border-radius: 14px;
+  background: rgba(30, 41, 59, 0.72);
+  border: 1px solid rgba(148, 163, 184, 0.14);
+}
+
+.details span {
+  color: #94a3b8;
+  font-size: 13px;
+  font-weight: 700;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+}
+
+.details strong {
+  color: #f8fafc;
+  font-size: 15px;
+  overflow-wrap: anywhere;
+}
+
+.warning {
+  margin: 0 0 24px;
+  padding: 16px;
+  border-radius: 14px;
+  background: rgba(245, 158, 11, 0.12);
+  border: 1px solid rgba(245, 158, 11, 0.35);
+  color: #fde68a;
+}
+
+.actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 12px;
+}
+
+button {
+  border: 0;
+  border-radius: 12px;
+  padding: 12px 18px;
+  font: inherit;
+  font-weight: 800;
+  cursor: pointer;
+}
+
+button:focus-visible {
+  outline: 3px solid #93c5fd;
+  outline-offset: 2px;
+}
+
+.primary {
+  background: #4f46e5;
+  color: white;
+}
+
+.primary:hover { background: #4338ca; }
+
+.secondary {
+  background: rgba(148, 163, 184, 0.16);
+  color: #e2e8f0;
+}
+
+.secondary:hover { background: rgba(148, 163, 184, 0.26); }
+
+.status {
+  min-height: 20px;
+  margin: 18px 0 0;
+  color: #cbd5e1;
+}
+
+@media (max-width: 560px) {
+  body { padding: 16px; }
+  .card { padding: 22px; }
+  .details div { grid-template-columns: 1fr; gap: 6px; }
+  .actions { flex-direction: column-reverse; }
+  button { width: 100%; }
+}

package/extensions/chrome-profile-bridge/browser-extension/consent.html

@@ -0,0 +1,33 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Authorize pi-chrome</title>
+  <link rel="stylesheet" href="consent.css">
+</head>
+<body>
+  <main class="card">
+    <div class="badge">Pi Chrome Connector</div>
+    <h1>Authorize Chrome control?</h1>
+    <p class="lead">Pi is asking to inspect and control this Chrome profile.</p>
+
+    <section class="details" aria-label="Request details">
+      <div><span>Duration</span><strong id="duration">—</strong></div>
+      <div><span>Workspace</span><strong id="workspace">—</strong></div>
+      <div><span>Pi process</span><strong id="pid">—</strong></div>
+      <div><span>Extension</span><strong id="extension">—</strong></div>
+    </section>
+
+    <p class="warning">Approve only if you trust this Pi session and current task. Approved actions use your signed-in browser state and real Chrome input.</p>
+
+    <div class="actions">
+      <button id="deny" class="secondary" type="button">Deny</button>
+      <button id="approve" class="primary" type="button" autofocus>Authorize</button>
+    </div>
+
+    <p id="status" class="status" role="status"></p>
+  </main>
+  <script src="consent.js"></script>
+</body>
+</html>

package/extensions/chrome-profile-bridge/browser-extension/consent.js

@@ -0,0 +1,75 @@
+const params = new URLSearchParams(location.search);
+const id = params.get("id") || "";
+
+const els = {
+  duration: document.getElementById("duration"),
+  workspace: document.getElementById("workspace"),
+  pid: document.getElementById("pid"),
+  extension: document.getElementById("extension"),
+  approve: document.getElementById("approve"),
+  deny: document.getElementById("deny"),
+  status: document.getElementById("status"),
+};
+
+function setStatus(text) {
+  els.status.textContent = text || "";
+}
+
+function setDisabled(disabled) {
+  els.approve.disabled = disabled;
+  els.deny.disabled = disabled;
+}
+
+function render(request) {
+  els.duration.textContent = request.durationLabel || "—";
+  els.workspace.textContent = request.workspace || "unknown workspace";
+  els.pid.textContent = request.pid ? String(request.pid) : "unknown";
+  const versions = [];
+  if (request.extensionVersion) versions.push(`extension ${request.extensionVersion}`);
+  if (request.piChromeVersion) versions.push(`pi-chrome ${request.piChromeVersion}`);
+  els.extension.textContent = versions.join(" · ") || request.extensionId || "—";
+}
+
+async function send(message) {
+  return await chrome.runtime.sendMessage(message);
+}
+
+async function decide(approved) {
+  setDisabled(true);
+  setStatus(approved ? "Authorizing…" : "Denying…");
+  try {
+    const response = await send({ type: "piChromeConsentDecision", id, approved });
+    if (!response?.ok) throw new Error(response?.error || "Consent request failed");
+    setStatus(approved ? "Authorized. You can close this tab." : "Denied. You can close this tab.");
+    window.close();
+  } catch (error) {
+    setDisabled(false);
+    setStatus(error?.message || String(error));
+  }
+}
+
+async function init() {
+  if (!id) {
+    setDisabled(true);
+    setStatus("Missing consent request id.");
+    return;
+  }
+  setStatus("Loading request…");
+  try {
+    const response = await send({ type: "piChromeConsentGet", id });
+    if (!response?.ok) throw new Error(response?.error || "Consent request not found");
+    render(response.request || {});
+    setStatus("");
+  } catch (error) {
+    setDisabled(true);
+    setStatus(error?.message || String(error));
+  }
+}
+
+els.approve.addEventListener("click", () => decide(true));
+els.deny.addEventListener("click", () => decide(false));
+document.addEventListener("keydown", (event) => {
+  if (event.key === "Escape") decide(false);
+});
+
+void init();

package/extensions/chrome-profile-bridge/browser-extension/manifest.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": 3,
   "name": "Pi Chrome Connector",
-  "version": "0.15.9",
+  "version": "0.15.11",
   "description": "Lets Pi control tabs in Chrome via a local connector at 127.0.0.1.",
   "permissions": [
     "tabs",

package/extensions/chrome-profile-bridge/browser-extension/service_worker.js

@@ -1,7 +1,10 @@
 const BRIDGE_URL = "http://127.0.0.1:17318";
 const CLIENT_NAME = `Pi Chrome Connector ${chrome.runtime.id}`;
 const POLL_ERROR_BACKOFF_MS = 2000;
+const CONSENT_TIMEOUT_MS = 5 * 60 * 1000;
 let polling = false;
+let nextConsentRequestId = 1;
+const pendingConsentRequests = new Map(); // id -> { request, resolve, timer, tabId }
 
 // =================== Chrome input (CDP) layer ===================
 // Tracks which tabs we have attached chrome.debugger to.
@@ -591,6 +594,82 @@ async function chromeInputUpload(params) {
 // ===============================================================
 
 
+function consentRequestSnapshot(id, request) {
+  return {
+    id,
+    extensionVersion: chrome.runtime.getManifest().version,
+    extensionId: chrome.runtime.id,
+    workspace: String(request.workspace || ""),
+    pid: request.pid ?? null,
+    durationLabel: String(request.durationLabel || "15 minutes"),
+    requestedAt: request.requestedAt || Date.now(),
+    piChromeVersion: String(request.piChromeVersion || ""),
+  };
+}
+
+async function requestBrowserConsent(params) {
+  const id = String(nextConsentRequestId++);
+  const request = {
+    ...params,
+    requestedAt: Date.now(),
+  };
+  const url = chrome.runtime.getURL(`consent.html?id=${encodeURIComponent(id)}`);
+  const decision = new Promise((resolve) => {
+    const finish = (approved, reason) => {
+      const pending = pendingConsentRequests.get(id);
+      if (!pending) return;
+      pendingConsentRequests.delete(id);
+      clearTimeout(pending.timer);
+      if (pending.tabId) chrome.tabs.remove(pending.tabId).catch(() => undefined);
+      resolve({ approved, reason, id, decidedAt: Date.now() });
+    };
+    const timer = setTimeout(() => finish(false, "timed out waiting for browser approval"), CONSENT_TIMEOUT_MS);
+    pendingConsentRequests.set(id, { request, resolve: finish, timer, tabId: null });
+  });
+  try {
+    const tab = await chrome.tabs.create({ url, active: true });
+    if (tab.windowId !== undefined) await chrome.windows.update(tab.windowId, { focused: true }).catch(() => undefined);
+    const pending = pendingConsentRequests.get(id);
+    if (pending) pending.tabId = tab.id;
+  } catch (error) {
+    const pending = pendingConsentRequests.get(id);
+    if (pending) pending.resolve(false, `could not open consent tab: ${error?.message || error}`);
+  }
+  return await decision;
+}
+
+chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
+  if (!message || typeof message !== "object") return false;
+  if (message.type === "piChromeConsentGet") {
+    const id = String(message.id || "");
+    const pending = pendingConsentRequests.get(id);
+    sendResponse(pending ? { ok: true, request: consentRequestSnapshot(id, pending.request) } : { ok: false, error: "Consent request expired or not found" });
+    return true;
+  }
+  if (message.type === "piChromeConsentDecision") {
+    const id = String(message.id || "");
+    const pending = pendingConsentRequests.get(id);
+    if (!pending) {
+      sendResponse({ ok: false, error: "Consent request expired or not found" });
+      return true;
+    }
+    pending.resolve(message.approved === true, message.approved === true ? "approved in Chrome" : "denied in Chrome");
+    sendResponse({ ok: true });
+    return true;
+  }
+  return false;
+});
+
+chrome.tabs.onRemoved.addListener((tabId) => {
+  for (const [id, pending] of pendingConsentRequests) {
+    if (pending.tabId === tabId) {
+      pending.resolve(false, "consent tab closed");
+      pendingConsentRequests.delete(id);
+      clearTimeout(pending.timer);
+    }
+  }
+});
+
 function armKeepaliveAlarm() {
   chrome.alarms.create("pi-bridge-keepalive", { periodInMinutes: 0.5 });
 }
@@ -686,6 +765,8 @@ async function dispatch(action, params) {
         bridgeUrl: BRIDGE_URL,
         userAgent: navigator.userAgent,
       };
+    case "consent.request":
+      return requestBrowserConsent(params);
     case "tab.list":
       return (await chrome.tabs.query({})).map(formatTab);
     case "tab.new": {

package/extensions/chrome-profile-bridge/index.ts

@@ -609,12 +609,25 @@ Usage rules:
 	};
 
 	const authorizeFor = async (ctx: ExtensionContext, label: string, until: number | "indefinite") => {
-		const ok = await ctx.ui.confirm(
-			"Authorize pi-chrome control?",
-			`This Pi session will be allowed to inspect and control your existing Chrome profile for ${label}.\n\nChrome actions use your signed-in browser state and real input. Only approve if you trust the current agent/task.`,
-		);
-		if (!ok) {
-			ctx.ui.notify("Chrome control remains locked.", "info");
+		ctx.ui.notify("Opening Chrome approval page…", "info");
+		let consent: { approved?: boolean; reason?: string };
+		try {
+			consent = (await bridge.send("consent.request", {
+				durationLabel: label,
+				workspace: workspaceCwd(ctx),
+				pid: process.pid,
+				piChromeVersion: PI_CHROME_VERSION,
+			}, 5 * 60_000 + 5_000)) as { approved?: boolean; reason?: string };
+		} catch (error) {
+			const message = (error as Error).message;
+			const hint = message.includes("Unknown action: consent.request")
+				? "Open chrome://extensions and reload 'Pi Chrome Connector', then try /chrome authorize again."
+				: "Run /chrome doctor if the companion extension is not responding.";
+			ctx.ui.notify(`Chrome approval failed: ${message}\n${hint}`, "warning");
+			return;
+		}
+		if (!consent.approved) {
+			ctx.ui.notify(`Chrome control remains locked${consent.reason ? ` (${consent.reason})` : ""}.`, "info");
 			return;
 		}
 		chromeAuthorizedUntil = until;
@@ -743,7 +756,7 @@ Usage rules:
 
 	pi.registerCommand("chrome", {
 		description:
-			"All pi-chrome controls in one place.\n  /chrome authorize [15m|30m|<minutes>|indefinite] — allow this Pi session to use chrome_* tools.\n  /chrome revoke   — lock Chrome control.\n  /chrome status   — one-line snapshot of connection, auth, and background setting.\n  /chrome doctor   — full health check.\n  /chrome onboard  — install the Chrome companion extension.\n  /chrome background [on|off|status|toggle] — whether pi-chrome runs without focusing Chrome.\nRun with no arguments for an interactive picker that shows current state.",
+			"All pi-chrome controls in one place.\n  /chrome authorize [15m|30m|<minutes>|indefinite] — open Chrome approval and allow this Pi session to use chrome_* tools.\n  /chrome revoke   — lock Chrome control.\n  /chrome status   — one-line snapshot of connection, auth, and background setting.\n  /chrome doctor   — full health check.\n  /chrome onboard  — install the Chrome companion extension.\n  /chrome background [on|off|status|toggle] — whether pi-chrome runs without focusing Chrome.\nRun with no arguments for an interactive picker that shows current state.",
 		getArgumentCompletions: (prefix) => {
 			const raw = prefix;
 			const trimmedRight = raw.replace(/\s+$/, "");
@@ -760,7 +773,7 @@ Usage rules:
 			let candidates: Item[] = [];
 			if (path.length === 0) {
 				candidates = [
-					{ fullValue: "authorize", label: "authorize", description: "Allow this Pi session to use chrome_* tools." },
+					{ fullValue: "authorize", label: "authorize", description: "Open Chrome approval and allow this Pi session to use chrome_* tools." },
 					{ fullValue: "revoke", label: "revoke", description: "Lock Chrome control for this Pi session." },
 					{ fullValue: "status", label: "status", description: "One-line summary: connection, auth, and background setting." },
 					{ fullValue: "doctor", label: "doctor", description: "Full health check. Tells you if Chrome is connected and what's wrong if it isn't." },

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pi-chrome",
-	"version": "0.15.9",
+	"version": "0.15.11",
 	"scripts": {
 		"version": "node scripts/sync-manifest-version.js",
 		"prepublishOnly": "node scripts/sync-manifest-version.js"