sliccy 1.4.0 → 1.5.0

package/README.md

@@ -1,4 +1,13 @@
-![slicc - A felt-toy of an anthropomorphized ice cream cone, with pink and mint-green colors for the scoop, googly eyes, an oversized mouth and tongue sticking out](hero-banner.png)
+![A screenshot of a macOS desktop](screenshots/full-desktop.png)
+
+You are looking at a macOS desktop, with four windows running:
+
+1. Google Chrome, running SLICC as a web application. It shows a Welcome page, a hidden tab with meeting preparation notes that were created by the agent, and a terminal, showing that the operating system is of the unlikely `Mozilla/5.0` kind. What?
+2. Slack, the desktop app. Err. Slack the Electron app. It has on overlay injected, showing the ice cream logo asking to join a tray. If you do this, Slack can be remote-controlled by your agent. What the?
+3. Sliccstart, the desktop app. It's an actual macOS app, but one that controls browsers, and browsers that prentend to be native apps alike. What the ice cream?
+4. An image of an antropomorphized ice cream cone made out of felt and googly eyes. It's sticking out its tongue, half in astonishment, half in anticipation. What the ice cream truck?
+
+If this scares, confuses, or excites you, keep reading.
 
 # slicc — Self-Licking Ice Cream Cone
 
@@ -8,13 +17,14 @@
 
 SLICC runs in a browser and controls the browser it runs in. It combines a shell, files, browser automation, and multi-agent delegation so you can do real work from one workspace — coding, web automation, authenticated app tasks, and the weird in-between jobs that do not fit neatly inside a chat panel. SLICC can orchestrate multiple browsers, and even some apps through telepathy, making it a powerful hub for your digital work.
 
-- Launch it from the CLI today (we also have a Chrome extension)
+- Head over to [releases](https://github.com/ai-ecoverse/slicc/releases) and grab the latest `.dmg` file. No Windows or Linux UI yet
+- Or launch it from the CLI today (we also have a Chrome extension)
 - Connect other browser windows or Electron apps
 - Install skills that teach it how to perform challenging tasks
 - Give it practical tools models already know how to use
 - Delegate parallel work so tasks get done faster
 
-> Status: active working prototype. The CLI is the easiest way in today; and we have submitted the extension to Chrome Web Store.
+> Status: active working prototype. The macOS app is the easiest way in today; and we have submitted the extension to Chrome Web Store.
 
 ## Why SLICC is different
 

package/dist/cli/electron-controller.d.ts

@@ -21,6 +21,7 @@ export declare class ElectronOverlayInjector {
     private readonly cdpPort;
     private readonly bootstrapScript;
     private readonly connections;
+    private readonly cspBypassedTargets;
     private syncTimer;
     private syncing;
     private constructor();
@@ -33,6 +34,11 @@ export declare class ElectronOverlayInjector {
     start(): Promise<void>;
     stop(): void;
     private syncTargets;
+    /**
+     * Check if the overlay iframe loaded successfully by evaluating a probe script.
+     * Returns true if the iframe element exists and has started loading content.
+     */
+    private probeOverlayIframeLoaded;
     private connectToTarget;
 }
 export {};

package/dist/cli/electron-controller.js

@@ -1,9 +1,11 @@
 import { execFile as nodeExecFile, spawn } from 'child_process';
 import { existsSync } from 'fs';
 import { readFile } from 'fs/promises';
+import * as http from 'http';
+import * as https from 'https';
 import { promisify } from 'util';
 import { WebSocket } from 'ws';
-import { buildElectronAppLaunchSpec, buildElectronOverlayAppUrl, buildElectronOverlayBootstrapScript, buildElectronOverlayEntryUrl, getElectronOverlayEntryDistPath, getElectronServeOrigin, shouldInjectElectronOverlayTarget, } from './electron-runtime.js';
+import { buildElectronAppLaunchSpec, buildElectronOverlayAppUrl, buildElectronOverlayBootstrapScript, buildElectronOverlayEntryUrl, getElectronOverlayEntryDistPath, getElectronServeOrigin, selectBestOverlayTargets, } from './electron-runtime.js';
 const execFile = promisify(nodeExecFile);
 const ELECTRON_OVERLAY_SYNC_INTERVAL_MS = 1500;
 function commandLineExecutableMatchesPattern(commandLine, pattern) {
@@ -183,6 +185,7 @@ export class ElectronOverlayInjector {
     cdpPort;
     bootstrapScript;
     connections = new Map();
+    cspBypassedTargets = new Set();
     syncTimer = null;
     syncing = false;
     constructor(cdpPort, bootstrapScript) {
@@ -228,7 +231,14 @@ export class ElectronOverlayInjector {
                 throw new Error(`CDP target listing failed with ${response.status} ${response.statusText}`);
             }
             const targets = (await response.json());
-            const injectableTargets = targets.filter(shouldInjectElectronOverlayTarget);
+            const pageCount = targets.filter(t => t.type === 'page').length;
+            const injectableTargets = selectBestOverlayTargets(targets);
+            if (injectableTargets.length < pageCount) {
+                console.log(`[electron-float] Selected ${injectableTargets.length}/${pageCount} page targets for overlay injection`);
+                for (const t of injectableTargets) {
+                    console.log(`[electron-float]   → ${t.title || '(untitled)'} @ ${t.url.substring(0, 80)}`);
+                }
+            }
             const liveConnectionIds = new Set(injectableTargets.map((target) => target.webSocketDebuggerUrl));
             for (const [targetId, connection] of this.connections.entries()) {
                 if (liveConnectionIds.has(targetId))
@@ -256,20 +266,232 @@ export class ElectronOverlayInjector {
             this.syncing = false;
         }
     }
+    /**
+     * Check if the overlay iframe loaded successfully by evaluating a probe script.
+     * Returns true if the iframe element exists and has started loading content.
+     */
+    async probeOverlayIframeLoaded(ws, send) {
+        return new Promise((resolve) => {
+            const probeId = send('Runtime.evaluate', {
+                expression: `(function() {
+          var host = document.getElementById('slicc-electron-overlay-root');
+          if (!host || !host.shadowRoot) return 'no-host';
+          var sidebar = host.shadowRoot.querySelector('slicc-electron-sidebar');
+          if (!sidebar || !sidebar.shadowRoot) return 'no-sidebar';
+          var iframe = sidebar.shadowRoot.querySelector('iframe');
+          if (!iframe) return 'no-iframe';
+          if (!iframe.src) return 'no-src';
+          return 'ok';
+        })()`,
+                awaitPromise: false,
+                returnByValue: true,
+            });
+            const timeout = setTimeout(() => {
+                cleanup();
+                resolve(false);
+            }, 3000);
+            const onMessage = (data) => {
+                try {
+                    const msg = JSON.parse(data.toString());
+                    if (msg.id === probeId) {
+                        cleanup();
+                        const value = msg.result?.result?.value;
+                        resolve(value === 'ok');
+                    }
+                }
+                catch { /* ignore */ }
+            };
+            const cleanup = () => {
+                clearTimeout(timeout);
+                ws.off('message', onMessage);
+            };
+            ws.on('message', onMessage);
+        });
+    }
     connectToTarget(target) {
         const targetId = target.webSocketDebuggerUrl;
         const ws = new WebSocket(targetId);
         this.connections.set(targetId, ws);
         let messageId = 1;
         const send = (method, params) => {
-            ws.send(JSON.stringify({ id: messageId++, method, params }));
+            const id = messageId++;
+            ws.send(JSON.stringify({ id, method, params }));
+            return id;
         };
+        const cspBypassedTargets = this.cspBypassedTargets;
+        const bootstrapScript = this.bootstrapScript;
+        let pendingReload = false;
+        let pendingCspEscalation = false;
+        let fetchProxyActive = false;
         ws.on('open', () => {
-            send('Page.enable');
+            const isWebContent = target.url.startsWith('https://');
+            const alreadyBypassed = cspBypassedTargets.has(target.url);
+            console.log(`[electron-float] Connected to target, web=${isWebContent}, bypassed=${alreadyBypassed}, url=${target.url}`);
             send('Runtime.enable');
-            send('Page.addScriptToEvaluateOnNewDocument', { source: this.bootstrapScript });
-            send('Runtime.evaluate', { expression: this.bootstrapScript, awaitPromise: false });
-            console.log(`[electron-float] Overlay injector attached to ${target.url}`);
+            send('Page.enable');
+            // Set CSP bypass — affects future resource loads on the current page
+            send('Page.setBypassCSP', { enabled: true });
+            if (alreadyBypassed) {
+                // Already reloaded with CSP bypass previously — just inject
+                console.log(`[electron-float] Injecting overlay (CSP already bypassed)...`);
+                send('Runtime.evaluate', { expression: bootstrapScript, awaitPromise: false });
+                return;
+            }
+            // First connection to this target URL: inject overlay immediately, then
+            // check if the iframe loaded. If CSP blocked it, fall back to reload+proxy.
+            console.log(`[electron-float] Injecting overlay (first attempt)...`);
+            send('Runtime.evaluate', { expression: bootstrapScript, awaitPromise: false });
+            if (!isWebContent) {
+                // Local content (file://, app protocol) — CSP is not an issue
+                return;
+            }
+            // After a short delay, probe whether the overlay iframe loaded.
+            // If CSP blocked it, reload the page so Page.setBypassCSP takes effect.
+            // If that still doesn't work, escalate to the Fetch proxy.
+            setTimeout(async () => {
+                if (ws.readyState !== WebSocket.OPEN)
+                    return;
+                const loaded = await this.probeOverlayIframeLoaded(ws, send);
+                if (loaded) {
+                    console.log(`[electron-float] Overlay iframe loaded successfully — no CSP reload needed`);
+                    cspBypassedTargets.add(target.url);
+                    return;
+                }
+                // Phase 2: Page.setBypassCSP was already set — a simple reload should
+                // make the browser ignore CSP headers on the fresh navigation.
+                console.log(`[electron-float] Overlay iframe blocked by CSP, reloading with bypass: ${target.url}`);
+                cspBypassedTargets.add(target.url);
+                pendingReload = true;
+                pendingCspEscalation = true;
+                send('Page.reload', { ignoreCache: true });
+            }, 1500);
+        });
+        // Handle CDP events: lifecycle events and Fetch interception
+        ws.on('message', (data) => {
+            try {
+                const msg = JSON.parse(data.toString());
+                // Inject overlay after page load completes (after CSP-bypass reload)
+                if (msg.method === 'Page.loadEventFired' && pendingReload) {
+                    pendingReload = false;
+                    console.log(`[electron-float] Page loaded after CSP reload, injecting overlay...`);
+                    if (ws.readyState !== WebSocket.OPEN)
+                        return;
+                    send('Runtime.evaluate', { expression: bootstrapScript, awaitPromise: false });
+                    // If this was a simple reload (no proxy), check if the iframe loads now.
+                    // If it still doesn't, escalate to the Fetch proxy as a last resort.
+                    if (pendingCspEscalation) {
+                        pendingCspEscalation = false;
+                        setTimeout(async () => {
+                            if (ws.readyState !== WebSocket.OPEN)
+                                return;
+                            const loaded = await this.probeOverlayIframeLoaded(ws, send);
+                            if (loaded) {
+                                console.log(`[electron-float] Overlay iframe loaded after CSP reload — no proxy needed`);
+                                return;
+                            }
+                            console.log(`[electron-float] CSP reload insufficient, escalating to Fetch proxy: ${target.url}`);
+                            fetchProxyActive = true;
+                            const urlOrigin = new URL(target.url).origin;
+                            send('Fetch.enable', {
+                                patterns: [{ urlPattern: `${urlOrigin}/*`, requestStage: 'Request' }],
+                            });
+                            pendingReload = true;
+                            send('Page.reload', { ignoreCache: true });
+                        }, 1500);
+                    }
+                }
+                if (msg.method === 'Fetch.requestPaused' && fetchProxyActive) {
+                    const requestId = msg.params?.requestId;
+                    if (!requestId) {
+                        console.warn('[electron-float] Fetch.requestPaused without requestId, skipping');
+                        return;
+                    }
+                    const url = msg.params?.request?.url || '';
+                    const method = msg.params?.request?.method || 'GET';
+                    const requestHeaders = msg.params?.request?.headers || {};
+                    const postData = msg.params?.request?.postData;
+                    // Only proxy HTML document requests (Accept header contains text/html)
+                    const acceptHeader = requestHeaders['Accept'] || requestHeaders['accept'] || '';
+                    if (!acceptHeader.includes('text/html')) {
+                        send('Fetch.continueRequest', { requestId });
+                        return;
+                    }
+                    console.log(`[electron-float] Proxying request to strip CSP: ${url.substring(0, 60)}`);
+                    // Make the request ourselves using Node.js http/https
+                    const parsedUrl = new URL(url);
+                    const transport = parsedUrl.protocol === 'https:' ? https : http;
+                    const options = {
+                        hostname: parsedUrl.hostname,
+                        port: parsedUrl.port || (parsedUrl.protocol === 'https:' ? 443 : 80),
+                        path: parsedUrl.pathname + parsedUrl.search,
+                        method: method,
+                        headers: requestHeaders,
+                    };
+                    const proxyReq = transport.request(options, (proxyRes) => {
+                        const bodyChunks = [];
+                        proxyRes.on('data', (chunk) => bodyChunks.push(chunk));
+                        proxyRes.on('end', () => {
+                            if (ws.readyState !== WebSocket.OPEN)
+                                return;
+                            const fullBody = Buffer.concat(bodyChunks);
+                            // Build response headers, stripping CSP and hop-by-hop headers
+                            // that are invalid in Fetch.fulfillRequest responses
+                            const HOP_BY_HOP = new Set([
+                                'content-security-policy',
+                                'content-security-policy-report-only',
+                                'transfer-encoding',
+                                'connection',
+                                'keep-alive',
+                            ]);
+                            const responseHeaders = [];
+                            let strippedCSP = false;
+                            for (const [name, value] of Object.entries(proxyRes.headers)) {
+                                const lower = name.toLowerCase();
+                                if (lower.includes('content-security-policy')) {
+                                    strippedCSP = true;
+                                    continue;
+                                }
+                                if (HOP_BY_HOP.has(lower))
+                                    continue;
+                                // Update content-length to match actual body size
+                                if (lower === 'content-length') {
+                                    responseHeaders.push({ name, value: String(fullBody.length) });
+                                    continue;
+                                }
+                                if (Array.isArray(value)) {
+                                    value.forEach(v => responseHeaders.push({ name, value: v }));
+                                }
+                                else if (value) {
+                                    responseHeaders.push({ name, value });
+                                }
+                            }
+                            if (strippedCSP) {
+                                console.log(`[electron-float] Stripped CSP from: ${url.substring(0, 60)}`);
+                            }
+                            send('Fetch.fulfillRequest', {
+                                requestId,
+                                responseCode: proxyRes.statusCode || 200,
+                                responseHeaders,
+                                body: fullBody.toString('base64'),
+                            });
+                        });
+                    });
+                    proxyReq.on('error', (err) => {
+                        console.error(`[electron-float] Proxy request failed for ${url.substring(0, 60)}:`, err.message);
+                        if (ws.readyState === WebSocket.OPEN) {
+                            send('Fetch.failRequest', { requestId, errorReason: 'Failed' });
+                        }
+                    });
+                    // Forward request body if present (for POST/PUT requests)
+                    if (postData) {
+                        proxyReq.write(postData);
+                    }
+                    proxyReq.end();
+                }
+            }
+            catch {
+                // Ignore parse errors for non-JSON messages
+            }
         });
         ws.on('close', () => {
             if (this.connections.get(targetId) === ws) {

package/dist/cli/electron-runtime.d.ts

@@ -17,6 +17,7 @@ export interface ElectronAppLaunchSpec {
 }
 export interface ElectronInspectableTarget {
     type: string;
+    title?: string;
     url: string;
     webSocketDebuggerUrl?: string;
 }
@@ -26,6 +27,25 @@ export declare const DEFAULT_ELECTRON_CDP_PORT = 9223;
 export declare const DEFAULT_ELECTRON_TARGET_URL = "about:blank";
 export declare const DEFAULT_ELECTRON_OVERLAY_TAB = "chat";
 export declare const ELECTRON_OVERLAY_APP_PATH = "/electron";
+export declare const PORT_HASH_RANGE = 40;
+/**
+ * Simple string hash function that returns a value between 0 and max-1.
+ * Exported for testing.
+ */
+export declare function hashString(str: string, max: number): number;
+/**
+ * Get a port for an Electron app based on its path.
+ * Uses hash-based offset from base port, with fallback to next available port
+ * starting from the preferred port (to stay in the app's "slot" range).
+ */
+export declare function getElectronAppPort(appPath: string, basePort: number): Promise<number>;
+/**
+ * Get both CDP and serve ports for an Electron app.
+ */
+export declare function getElectronAppPorts(appPath: string): Promise<{
+    cdpPort: number;
+    servePort: number;
+}>;
 export declare function getElectronAppDisplayName(appPath: string): string;
 export declare function resolveElectronAppExecutablePath(appPath: string, platform?: NodeJS.Platform): string;
 export declare function buildElectronAppProcessMatchPatterns(appPath: string, platform?: NodeJS.Platform): string[];
@@ -56,3 +76,9 @@ export declare function buildElectronOverlayBootstrapScript(options: {
     activeTab?: string;
 }): string;
 export declare function shouldInjectElectronOverlayTarget(target: ElectronInspectableTarget): boolean;
+/**
+ * From a list of injectable targets, select the best target per origin.
+ * Multi-window apps (like Teams) expose several page targets for the same origin;
+ * we only want to inject the overlay into the primary content window.
+ */
+export declare function selectBestOverlayTargets(targets: ElectronInspectableTarget[]): ElectronInspectableTarget[];

package/dist/cli/electron-runtime.js

@@ -1,10 +1,97 @@
 import { basename, join, resolve } from 'path';
+import { accessSync, constants, readdirSync, statSync } from 'fs';
 export const DEFAULT_ELECTRON_SERVE_PORT = 5710;
 export const DEFAULT_ELECTRON_SERVE_HOST = 'localhost';
 export const DEFAULT_ELECTRON_CDP_PORT = 9223;
 export const DEFAULT_ELECTRON_TARGET_URL = 'about:blank';
 export const DEFAULT_ELECTRON_OVERLAY_TAB = 'chat';
 export const ELECTRON_OVERLAY_APP_PATH = '/electron';
+// Port allocation constants
+export const PORT_HASH_RANGE = 40;
+/**
+ * Simple string hash function that returns a value between 0 and max-1.
+ * Exported for testing.
+ */
+export function hashString(str, max) {
+    let hash = 0;
+    for (let i = 0; i < str.length; i++) {
+        const char = str.charCodeAt(i);
+        hash = ((hash << 5) - hash) + char;
+        hash = hash & hash; // Convert to 32-bit integer
+    }
+    return Math.abs(hash) % max;
+}
+/**
+ * Try to listen on a specific port and host, returning the assigned port.
+ */
+async function tryListenOnPort(port, host) {
+    const { createServer } = await import('net');
+    return new Promise((resolve, reject) => {
+        const server = createServer();
+        server.on('error', reject);
+        server.listen(port, host, () => {
+            const addr = server.address();
+            const assignedPort = addr && typeof addr === 'object' ? addr.port : port;
+            server.close(() => resolve(assignedPort));
+        });
+    });
+}
+/**
+ * Check if a port is available on both IPv4 (127.0.0.1) and IPv6 (::1).
+ * On macOS, `localhost` resolves to `::1`, so we need to check both.
+ */
+async function isPortAvailable(port) {
+    try {
+        await tryListenOnPort(port, '127.0.0.1');
+        try {
+            await tryListenOnPort(port, '::1');
+        }
+        catch (err) {
+            // ::1 may not be available on some systems — only fail on EADDRINUSE
+            if (err.code === 'EADDRINUSE') {
+                return false;
+            }
+        }
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Find an available port starting from the given port.
+ */
+async function findAvailablePort(startPort, maxAttempts = 100) {
+    for (let i = 0; i < maxAttempts; i++) {
+        const port = startPort + i;
+        if (await isPortAvailable(port)) {
+            return port;
+        }
+    }
+    throw new Error(`Could not find available port starting from ${startPort}`);
+}
+/**
+ * Get a port for an Electron app based on its path.
+ * Uses hash-based offset from base port, with fallback to next available port
+ * starting from the preferred port (to stay in the app's "slot" range).
+ */
+export async function getElectronAppPort(appPath, basePort) {
+    const offset = hashString(appPath, PORT_HASH_RANGE);
+    const preferredPort = basePort + offset;
+    if (await isPortAvailable(preferredPort)) {
+        return preferredPort;
+    }
+    // Fallback: find next available port starting from preferred (stay in slot range)
+    return findAvailablePort(preferredPort + 1);
+}
+/**
+ * Get both CDP and serve ports for an Electron app.
+ */
+export async function getElectronAppPorts(appPath) {
+    const cdpPort = await getElectronAppPort(appPath, DEFAULT_ELECTRON_CDP_PORT);
+    const servePort = await getElectronAppPort(appPath, DEFAULT_ELECTRON_SERVE_PORT);
+    return { cdpPort, servePort };
+}
 export function getElectronAppDisplayName(appPath) {
     const trimmedPath = appPath.replace(/[\\/]+$/, '');
     const fileName = basename(trimmedPath);
@@ -16,7 +103,80 @@ export function getElectronAppDisplayName(appPath) {
 export function resolveElectronAppExecutablePath(appPath, platform = process.platform) {
     const resolvedAppPath = resolve(appPath);
     if (platform === 'darwin' && resolvedAppPath.toLowerCase().endsWith('.app')) {
-        return join(resolvedAppPath, 'Contents', 'MacOS', getElectronAppDisplayName(resolvedAppPath));
+        const macOSDir = join(resolvedAppPath, 'Contents', 'MacOS');
+        // First try the expected name (app name without .app)
+        const expectedName = getElectronAppDisplayName(resolvedAppPath);
+        const expectedPath = join(macOSDir, expectedName);
+        try {
+            const stat = statSync(expectedPath);
+            if (stat.isFile()) {
+                return expectedPath;
+            }
+        }
+        catch {
+            // Expected path doesn't exist, scan the directory
+        }
+        // Scan MacOS directory for the main executable
+        // Many Electron apps use "Electron" as the executable name
+        // Prefer known main executable names, filter out helper processes
+        const helperPatterns = [
+            /helper/i,
+            /crash/i,
+            /gpu/i,
+            /renderer/i,
+            /plugin/i,
+            /utility/i,
+        ];
+        try {
+            const entries = readdirSync(macOSDir);
+            // Helper to check if a file is executable
+            const isExecutable = (path) => {
+                try {
+                    accessSync(path, constants.X_OK);
+                    return true;
+                }
+                catch {
+                    return false;
+                }
+            };
+            // First pass: look for "Electron" executable (common in Electron apps)
+            if (entries.includes('Electron')) {
+                const electronPath = join(macOSDir, 'Electron');
+                try {
+                    const stat = statSync(electronPath);
+                    if (stat.isFile() && isExecutable(electronPath)) {
+                        return electronPath;
+                    }
+                }
+                catch {
+                    // Continue to next fallback
+                }
+            }
+            // Second pass: find first non-helper executable with execute permission
+            for (const entry of entries) {
+                // Skip hidden files, scripts, and helper executables
+                if (entry.startsWith('.') || entry.endsWith('.sh'))
+                    continue;
+                if (helperPatterns.some((p) => p.test(entry)))
+                    continue;
+                const entryPath = join(macOSDir, entry);
+                try {
+                    const stat = statSync(entryPath);
+                    if (stat.isFile() && isExecutable(entryPath)) {
+                        return entryPath;
+                    }
+                }
+                catch {
+                    continue;
+                }
+            }
+        }
+        catch {
+            // Can't read directory, fall back to expected path
+        }
+        // Fall back to expected path even if it doesn't exist
+        // (error will be caught later)
+        return expectedPath;
     }
     return resolvedAppPath;
 }
@@ -135,3 +295,67 @@ export function shouldInjectElectronOverlayTarget(target) {
         return false;
     return true;
 }
+/**
+ * Extract the origin from a URL, or return the URL as-is for non-standard schemes.
+ */
+function safeOrigin(url) {
+    try {
+        return new URL(url).origin;
+    }
+    catch {
+        return url;
+    }
+}
+/**
+ * Score a target for "primary window" ranking within a group of same-origin pages.
+ * Higher score = more likely the main content window.
+ */
+function scoreOverlayTarget(target) {
+    let score = 0;
+    const title = target.title ?? '';
+    const url = target.url;
+    // Longer, more descriptive titles indicate content windows (e.g.
+    // "Calendar | Adobe | Microsoft Teams" vs generic "Microsoft Teams")
+    score += Math.min(title.length, 120);
+    // Penalize URLs with hash fragments that suggest hidden/auxiliary windows
+    // (e.g. Teams uses #deepLink=default&isMinimized=false for background windows)
+    if (url.includes('isMinimized=') || url.includes('deepLink=')) {
+        score -= 200;
+    }
+    // Prefer clean URLs without large hash fragments (shell pages often have them)
+    const hashLength = url.includes('#') ? url.length - url.indexOf('#') : 0;
+    score -= Math.min(hashLength, 100);
+    return score;
+}
+/**
+ * From a list of injectable targets, select the best target per origin.
+ * Multi-window apps (like Teams) expose several page targets for the same origin;
+ * we only want to inject the overlay into the primary content window.
+ */
+export function selectBestOverlayTargets(targets) {
+    const injectable = targets.filter(shouldInjectElectronOverlayTarget);
+    // Group by origin
+    const byOrigin = new Map();
+    for (const target of injectable) {
+        const origin = safeOrigin(target.url);
+        const group = byOrigin.get(origin);
+        if (group) {
+            group.push(target);
+        }
+        else {
+            byOrigin.set(origin, [target]);
+        }
+    }
+    // Pick the best target from each origin group
+    const result = [];
+    for (const group of byOrigin.values()) {
+        if (group.length === 1) {
+            result.push(group[0]);
+            continue;
+        }
+        // Sort by score descending and pick the winner
+        group.sort((a, b) => scoreOverlayTarget(b) - scoreOverlayTarget(a));
+        result.push(group[0]);
+    }
+    return result;
+}