sunpeak 0.16.24 → 0.16.27

package/bin/commands/dev.mjs

@@ -7,6 +7,7 @@ import { createRequire } from 'module';
 import { pathToFileURL } from 'url';
 import { spawn } from 'child_process';
 import { getPort } from '../lib/get-port.mjs';
+import { startSandboxServer } from '../lib/sandbox-server.mjs';
 
 /**
  * Import a module from the project's node_modules using ESM resolution
@@ -187,7 +188,7 @@ export async function dev(projectRoot = process.cwd(), args = []) {
     sunpeakMcp = await import(pathToFileURL(join(sunpeakBase, 'dist/mcp/index.js')).href);
     sunpeakDiscovery = await import(pathToFileURL(join(sunpeakBase, 'dist/lib/discovery-cli.js')).href);
   }
-  const { FAVICON_BUFFER: faviconBuffer, runMCPServer } = sunpeakMcp;
+  const { FAVICON_BUFFER: faviconBuffer, FAVICON_DATA_URI: faviconDataUri, runMCPServer } = sunpeakMcp;
   const { findResourceDirs, findSimulationFilesFlat, findToolFiles, extractResourceExport, extractToolExport } = sunpeakDiscovery;
 
   // Vite plugin to serve the sunpeak favicon
@@ -283,15 +284,73 @@ export async function dev(projectRoot = process.cwd(), args = []) {
     },
   });
 
+  // Start the separate-origin sandbox server for cross-origin iframe isolation.
+  // This matches how production hosts (ChatGPT, Claude) run app iframes on a
+  // separate sandbox origin (e.g., web-sandbox.oaiusercontent.com).
+  const sandboxPort = Number(process.env.SUNPEAK_SANDBOX_PORT || 24680);
+  const sandbox = await startSandboxServer({ preferredPort: sandboxPort });
+
+  // Load server config from src/server.ts (if present) for simulator display.
+  // Uses a temporary SSR server so the values are available as Vite defines
+  // before the main simulator UI server starts.
+  // The fallback chain matches the MCP server: serverInfo.name → pkg.name → 'sunpeak-app'.
+  const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
+  let serverDisplayName = pkg.name ?? null;
+  let serverDisplayIcon = undefined;
+  const serverEntryPath = join(projectRoot, 'src/server.ts');
+  if (existsSync(serverEntryPath)) {
+    const configLoader = await createServer({
+      root: projectRoot,
+      server: { middlewareMode: true, hmr: false },
+      resolve: { alias: { '@': path.resolve(projectRoot, 'src'), ...(isTemplate && { sunpeak: parentSrc }) } },
+      appType: 'custom',
+      logLevel: 'silent',
+    });
+    try {
+      const serverMod = await configLoader.ssrLoadModule('./src/server.ts');
+      if (serverMod.server && typeof serverMod.server === 'object') {
+        if (serverMod.server.name) serverDisplayName = serverMod.server.name;
+        // Extract a display icon from the icons array (first non-dark icon, or first icon)
+        const icons = serverMod.server.icons;
+        if (Array.isArray(icons) && icons.length > 0) {
+          const lightIcon = icons.find(i => !i.theme || i.theme === 'light') ?? icons[0];
+          serverDisplayIcon = lightIcon?.src;
+        }
+      }
+    } catch (err) {
+      // Non-fatal — simulator will use defaults
+    } finally {
+      await configLoader.close();
+    }
+  }
+
   // Create and start Vite dev server programmatically
   const server = await createServer({
     root: projectRoot,
+    optimizeDeps: {
+      // The simulator UI entry (.sunpeak/dev.tsx) imports sunpeak/simulator
+      // which pulls in React and the simulator components. Pre-include the
+      // dev.tsx entry so its transitive deps are discovered at startup.
+      entries: ['.sunpeak/dev.tsx'],
+    },
     plugins: [
       react(),
       tailwindcss(),
       sunpeakFaviconPlugin(),
       sunpeakCallToolPlugin(),
       sunpeakDistPlugin(),
+      // Inject paint fence responder into all HTML pages served by Vite.
+      // When resources are loaded in the cross-origin sandbox proxy's inner
+      // iframe, the proxy can't inject scripts (cross-origin). This plugin
+      // ensures the fence responder is always present so display mode
+      // transitions resolve deterministically.
+      {
+        name: 'sunpeak-fence-responder',
+        transformIndexHtml(html) {
+          const fenceScript = `<script>window.addEventListener("message",function(e){if(e.data&&e.data.method==="sunpeak/fence"){var fid=e.data.params&&e.data.params.fenceId;requestAnimationFrame(function(){e.source.postMessage({jsonrpc:"2.0",method:"sunpeak/fence-ack",params:{fenceId:fid}},"*");});}});</script>`;
+          return html.replace('</head>', fenceScript + '</head>');
+        },
+      },
       // Health endpoint for Playwright webServer readiness check
       {
         name: 'sunpeak-health',
@@ -306,6 +365,10 @@ export async function dev(projectRoot = process.cwd(), args = []) {
     define: {
       '__SUNPEAK_PROD_TOOLS__': JSON.stringify(isProdTools),
       '__SUNPEAK_PROD_RESOURCES__': JSON.stringify(isProdResources),
+      '__SUNPEAK_SANDBOX_URL__': JSON.stringify(sandbox.url),
+      '__SUNPEAK_APP_NAME__': JSON.stringify(serverDisplayName ?? null),
+      '__SUNPEAK_APP_ICON__': JSON.stringify(serverDisplayIcon ?? null),
+      '__SUNPEAK_DEFAULT_ICON__': JSON.stringify(faviconDataUri),
     },
     resolve: {
       alias: {
@@ -407,7 +470,7 @@ export async function dev(projectRoot = process.cwd(), args = []) {
     try {
       const mod = await toolLoaderServer.ssrLoadModule(`./${relativePath}`);
       if (typeof mod.default === 'function') {
-        toolHandlerMap.set(toolName, { handler: mod.default });
+        toolHandlerMap.set(toolName, { handler: mod.default, outputSchema: mod.outputSchema });
       }
     } catch (err) {
       console.warn(`Warning: Could not load handler for tool "${toolName}": ${err.message}`);
@@ -456,6 +519,10 @@ export async function dev(projectRoot = process.cwd(), args = []) {
         srcPath,
         resource: resourceMap.get(resourceKey),
       } : {}),
+      // Attach output schema from the tool module (if present)
+      ...(toolHandlerMap.has(toolName) && toolHandlerMap.get(toolName).outputSchema ? {
+        outputSchema: toolHandlerMap.get(toolName).outputSchema,
+      } : {}),
       // Attach real handler for tools consumed by the MCP server.
       // Backend-only tools (no resource) always need handlers for callServerTool.
       // UI tools only get handlers in --prod-tools mode (otherwise simulation mock data is used).
@@ -479,6 +546,7 @@ export async function dev(projectRoot = process.cwd(), args = []) {
     simulations.push({
       name: `__tool_${toolName}`,
       tool: { name: toolName, ...tool },
+      ...(handlerInfo?.outputSchema ? { outputSchema: handlerInfo.outputSchema } : {}),
       ...(handlerInfo ? { handler: handlerInfo.handler } : {}),
     });
   }
@@ -571,16 +639,37 @@ if (import.meta.hot) {
         },
       },
       optimizeDeps: {
+        // Pre-scan resource source files so ALL their dependencies are
+        // discovered and pre-bundled at startup. Without this, the first
+        // resource load discovers new deps (e.g., mapbox-gl, embla-carousel),
+        // triggers re-optimization, and reloads all connections — killing
+        // any active ChatGPT/Claude iframe connections with ECONNRESET.
+        entries: [
+          'src/resources/**/*.{ts,tsx}',
+          'src/tools/**/*.ts',
+        ],
         include: ['react', 'react-dom/client'],
       },
       appType: 'custom',
     });
 
-    const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
+    // Load server config from src/server.ts (if present) for server identity
+    let serverInfo = undefined;
+    if (existsSync(serverEntryPath)) {
+      try {
+        const serverMod = await toolLoaderServer.ssrLoadModule('./src/server.ts');
+        if (serverMod.server && typeof serverMod.server === 'object') {
+          serverInfo = serverMod.server;
+        }
+      } catch (err) {
+        console.warn(`Warning: Could not load server config: ${err.message}`);
+      }
+    }
 
     const mcpHandle = runMCPServer({
-      name: pkg.name || 'Sunpeak',
-      version: pkg.version || '0.1.0',
+      name: serverInfo?.name ?? pkg.name ?? 'Sunpeak',
+      version: serverInfo?.version ?? pkg.version ?? '0.1.0',
+      serverInfo,
       simulations,
       port: mcpPort,
       hmrPort,
@@ -601,6 +690,7 @@ if (import.meta.hot) {
       await mcpViteServer.close();
       await toolLoaderServer.close();
       if (loaderServer) await loaderServer.close();
+      await sandbox.close();
       await server.close();
       process.exit(0);
     });
@@ -609,6 +699,7 @@ if (import.meta.hot) {
       await mcpViteServer.close();
       await toolLoaderServer.close();
       if (loaderServer) await loaderServer.close();
+      await sandbox.close();
       await server.close();
       process.exit(0);
     });
@@ -617,6 +708,7 @@ if (import.meta.hot) {
     process.on('SIGINT', async () => {
       await toolLoaderServer.close();
       if (loaderServer) await loaderServer.close();
+      await sandbox.close();
       await server.close();
       process.exit(0);
     });
@@ -624,6 +716,7 @@ if (import.meta.hot) {
     process.on('SIGTERM', async () => {
       await toolLoaderServer.close();
       if (loaderServer) await loaderServer.close();
+      await sandbox.close();
       await server.close();
       process.exit(0);
     });

package/bin/commands/start.mjs

@@ -125,6 +125,7 @@ export async function start(projectRoot = process.cwd(), args = []) {
         const mod = await import(toolPath);
         const tool = mod.tool;
         const schema = mod.schema;
+        const outputSchema = mod.outputSchema;
         const handler = mod.default;
 
         if (!tool) {
@@ -136,7 +137,7 @@ export async function start(projectRoot = process.cwd(), args = []) {
           continue;
         }
 
-        tools.push({ name: toolName, tool, schema, handler });
+        tools.push({ name: toolName, tool, schema, outputSchema, handler });
       } catch (err) {
         console.error(`Failed to load tool ${toolName}:`, err.message);
         process.exit(1);
@@ -190,7 +191,7 @@ export async function start(projectRoot = process.cwd(), args = []) {
   console.log(`\nStarting ${name} v${version} on ${host}:${port}...`);
 
   startProductionHttpServer(
-    { name, version, tools, resources, auth },
+    { name, version, serverInfo: serverConfig, tools, resources, auth },
     { port, host }
   );
 }

package/bin/lib/live/browser-auth.mjs

@@ -14,24 +14,39 @@ const BROWSER_PROFILES = {
   edge: join(homedir(), 'Library/Application Support/Microsoft Edge'),
 };
 
+/**
+ * Get the Chrome profile subdirectory name to copy from.
+ * Defaults to "Default" but can be overridden via SUNPEAK_CHROME_PROFILE env var
+ * (e.g., "Profile 5" for a non-default Chrome profile).
+ */
+function getProfileSubdir() {
+  return process.env.SUNPEAK_CHROME_PROFILE || 'Default';
+}
+
 /**
  * Subdirectories/files to copy from the browser profile.
  * These contain session cookies and local storage — enough for authenticated browsing.
  * Copying only these keeps the operation fast (<2s) vs copying the full profile (500MB+).
+ *
+ * The profile subdirectory (Default, Profile 1, Profile 5, etc.) is determined by
+ * getProfileSubdir(). Set SUNPEAK_CHROME_PROFILE env var to use a non-default profile.
  */
-const ESSENTIAL_PATHS = [
-  'Default/Cookies',
-  'Default/Cookies-journal',
-  'Default/Local Storage',
-  'Default/Session Storage',
-  'Default/IndexedDB',
-  'Default/Login Data',
-  'Default/Login Data-journal',
-  'Default/Preferences',
-  'Default/Secure Preferences',
-  'Default/Web Data',
-  'Local State',
-];
+function getEssentialPaths() {
+  const profile = getProfileSubdir();
+  return [
+    `${profile}/Cookies`,
+    `${profile}/Cookies-journal`,
+    `${profile}/Local Storage`,
+    `${profile}/Session Storage`,
+    `${profile}/IndexedDB`,
+    `${profile}/Login Data`,
+    `${profile}/Login Data-journal`,
+    `${profile}/Preferences`,
+    `${profile}/Secure Preferences`,
+    `${profile}/Web Data`,
+    'Local State',
+  ];
+}
 
 /**
  * Detect which browser the user has installed.
@@ -63,13 +78,20 @@ function copyProfile(browser) {
     );
   }
 
+  const profileSubdir = getProfileSubdir();
+  const essentialPaths = getEssentialPaths();
   const tempDir = mkdtempSync(join(tmpdir(), 'sunpeak-live-'));
 
-  for (const relativePath of ESSENTIAL_PATHS) {
+  for (const relativePath of essentialPaths) {
     const src = join(profileDir, relativePath);
     if (!existsSync(src)) continue;
 
-    const dest = join(tempDir, relativePath);
+    // Remap the source profile subdir to "Default" in the temp dir.
+    // Playwright's launchPersistentContext always uses "Default" as the profile name.
+    const destRelative = relativePath.startsWith(profileSubdir + '/')
+      ? 'Default' + relativePath.slice(profileSubdir.length)
+      : relativePath;
+    const dest = join(tempDir, destRelative);
     try {
       cpSync(src, dest, { recursive: true });
     } catch {
@@ -78,12 +100,15 @@ function copyProfile(browser) {
   }
 
   // Ensure Default directory exists even if no essential files were copied.
-  // Use an allowlist to avoid copying large cache/media directories.
   const defaultDir = join(tempDir, 'Default');
   if (!existsSync(defaultDir)) {
     mkdirSync(defaultDir, { recursive: true });
   }
 
+  if (profileSubdir !== 'Default') {
+    console.log(`Using Chrome profile: ${profileSubdir}`);
+  }
+
   return tempDir;
 }
 
@@ -99,7 +124,18 @@ function copyProfile(browser) {
  * @returns {Promise<{ context: BrowserContext, page: Page, cleanup: () => void }>}
  */
 export async function launchAuthenticatedBrowser({ browser = 'chrome', headless = false } = {}) {
-  const { chromium } = await import('playwright');
+  // Resolve chromium from @playwright/test (which re-exports it) rather than
+  // the standalone 'playwright' package — pnpm doesn't hoist transitive deps
+  // so 'playwright' isn't directly resolvable from user projects.
+  let chromium;
+  try {
+    ({ chromium } = await import('playwright'));
+  } catch {
+    // Fallback: resolve via @playwright/test which is always a direct dependency
+    const projectRoot = process.env.SUNPEAK_PROJECT_ROOT || process.cwd();
+    const { resolvePlaywright } = await import('./utils.mjs');
+    ({ chromium } = resolvePlaywright(projectRoot));
+  }
 
   const tempDir = copyProfile(browser);
 

package/bin/lib/live/global-setup.mjs

@@ -2,26 +2,31 @@
  * Global setup for live tests.
  *
  * Runs exactly once before all workers. Two responsibilities:
- *  1. Authenticate — import cookies from the user's real browser or open a
- *     manual login window. Session state is saved to disk for 24 hours.
+ *  1. Authenticate — launch a browser, verify login, wait for user if needed.
  *  2. Refresh MCP server — navigate to host settings and click Refresh so
  *     all workers start with pre-loaded resources.
  *
+ * Auth approach:
+ *  - Opens a browser with storageState if a fresh auth file exists (<24h).
+ *  - Checks that we're truly logged in (profile button visible AND no "Log in" buttons).
+ *  - If not logged in, prints a clear message and waits for the user to log in
+ *    in the open browser window (up to 5 minutes).
+ *  - Saves storageState after successful login for future runs.
+ *  - The same browser session is reused for MCP refresh so Cloudflare's
+ *    HttpOnly cookies (which storageState can't capture) remain valid.
+ *
  * This file is referenced by the Playwright config created by defineLiveConfig().
  * The auth file path is passed via SUNPEAK_AUTH_FILE env var.
  */
-import { existsSync, mkdirSync, statSync } from 'fs';
+import { existsSync, mkdirSync, statSync, unlinkSync } from 'fs';
 import { dirname } from 'path';
 import { ANTI_BOT_ARGS, CHROME_USER_AGENT, resolvePlaywright, getAppName } from './utils.mjs';
-import { launchAuthenticatedBrowser, detectBrowser } from './browser-auth.mjs';
 import { ChatGPTPage, CHATGPT_SELECTORS, CHATGPT_URLS } from './chatgpt-page.mjs';
 
 /** Auth state expires after 24 hours — ChatGPT session cookies are short-lived. */
 const MAX_AGE_MS = 24 * 60 * 60 * 1000;
 
-/** Reuse selectors and URLs from the canonical ChatGPT page object. */
 const CHATGPT_URL = CHATGPT_URLS.base;
-const LOGIN_SELECTOR = CHATGPT_SELECTORS.loggedInIndicator;
 
 function isAuthFresh(authFile) {
   if (!existsSync(authFile)) return false;
@@ -30,121 +35,124 @@ function isAuthFresh(authFile) {
 }
 
 /**
- * Refresh the MCP server connection in ChatGPT settings.
- * Opens a browser with the saved auth, navigates to settings, clicks Refresh,
- * then closes. Runs once so parallel test workers don't each refresh.
+ * Check if we're truly logged into ChatGPT.
+ * Must have the profile button AND must NOT have any "Log in" buttons.
+ * The logged-out ChatGPT page can show some UI elements that look like
+ * a logged-in state, so checking just the profile button isn't enough.
  */
-async function refreshMcpServer(authFile) {
+async function isFullyLoggedIn(page) {
+  const hasProfile = await page
+    .locator(CHATGPT_SELECTORS.loggedInIndicator)
+    .first()
+    .isVisible()
+    .catch(() => false);
+
+  if (!hasProfile) return false;
+
+  // Must NOT have "Log in" buttons — these appear on the logged-out page
+  const hasLoginButton = await page
+    .locator(CHATGPT_SELECTORS.loginPage)
+    .first()
+    .isVisible()
+    .catch(() => false);
+
+  return !hasLoginButton;
+}
+
+export default async function globalSetup() {
+  const authFile = process.env.SUNPEAK_AUTH_FILE;
+
+  if (process.env.SUNPEAK_STORAGE_STATE) {
+    return;
+  }
+
+  if (!authFile) {
+    console.warn('SUNPEAK_AUTH_FILE not set — skipping auth setup.');
+    return;
+  }
+
   const projectRoot = process.env.SUNPEAK_PROJECT_ROOT || process.cwd();
   const appName = getAppName(projectRoot);
   const { chromium } = resolvePlaywright(projectRoot);
 
+  // Launch a browser. Use saved storageState if fresh, otherwise start clean.
+  const hasFreshAuth = isAuthFresh(authFile);
   const browser = await chromium.launch({
     headless: false,
     args: ANTI_BOT_ARGS,
   });
   const context = await browser.newContext({
     userAgent: CHROME_USER_AGENT,
-    storageState: authFile,
+    ...(hasFreshAuth ? { storageState: authFile } : {}),
   });
   const page = await context.newPage();
 
   try {
-    const hostPage = new ChatGPTPage(page);
-    await hostPage.refreshMcpServer({ appName });
-    console.log('MCP server refreshed.');
-  } finally {
-    await browser.close();
-  }
-}
+    await page.goto(CHATGPT_URL, { waitUntil: 'domcontentloaded' });
 
-export default async function globalSetup() {
-  // If storage state was provided externally, skip auth but still refresh.
-  const authFile = process.env.SUNPEAK_AUTH_FILE;
+    // Wait for page to settle — Cloudflare challenge or ChatGPT UI loading
+    await page.waitForTimeout(5_000);
 
-  if (!process.env.SUNPEAK_STORAGE_STATE) {
-    if (!authFile) {
-      console.warn('SUNPEAK_AUTH_FILE not set — skipping auth setup.');
-      return;
-    }
-
-    if (!isAuthFresh(authFile)) {
-      await authenticate(authFile);
-    }
-  }
-
-  // Refresh MCP server connection so all workers start with pre-loaded resources.
-  const resolvedAuth = process.env.SUNPEAK_STORAGE_STATE || authFile;
-  if (resolvedAuth && existsSync(resolvedAuth)) {
-    await refreshMcpServer(resolvedAuth);
-  }
-}
+    // Check if truly logged in (profile button visible, no "Log in" buttons)
+    let loggedIn = await isFullyLoggedIn(page);
 
-/**
- * Authenticate by importing cookies from the user's browser or manual login.
- */
-async function authenticate(authFile) {
-  // Try importing cookies from the user's real browser profile.
-  const browserName = process.env.SUNPEAK_LIVE_BROWSER || detectBrowser();
-  if (browserName) {
-    let auth;
-    try {
-      auth = await launchAuthenticatedBrowser({ browser: browserName, headless: false });
-      const page = auth.page;
-
-      await page.goto(CHATGPT_URL, { waitUntil: 'domcontentloaded' });
-
-      const loggedIn = await page
-        .locator(LOGIN_SELECTOR)
-        .first()
-        .waitFor({ timeout: 15_000 })
-        .then(() => true)
-        .catch(() => false);
-
-      if (loggedIn) {
-        mkdirSync(dirname(authFile), { recursive: true });
-        await auth.context.storageState({ path: authFile });
-        console.log(`Session imported from ${browserName} browser.`);
+    if (loggedIn) {
+      console.log('Authenticated (from saved session).');
+    } else {
+      // If we loaded a stale auth file that didn't work, delete it
+      if (hasFreshAuth) {
+        try { unlinkSync(authFile); } catch {}
       }
 
-      await auth.context.close();
-      auth.cleanup();
+      console.log(
+        `\n` +
+        `╔══════════════════════════════════════════════════════════════╗\n` +
+        `║  Please log in to ChatGPT                                  ║\n` +
+        `║                                                            ║\n` +
+        `║  A browser window has opened at chatgpt.com.               ║\n` +
+        `║  Log in and wait for the chat to load.                     ║\n` +
+        `║                                                            ║\n` +
+        `║  Waiting up to 5 minutes...                                ║\n` +
+        `╚══════════════════════════════════════════════════════════════╝\n`
+      );
+
+      // Poll until truly logged in
+      const maxWait = 300_000; // 5 minutes
+      const pollInterval = 3_000;
+      const start = Date.now();
+
+      while (Date.now() - start < maxWait) {
+        loggedIn = await isFullyLoggedIn(page);
+        if (loggedIn) break;
+        await page.waitForTimeout(pollInterval);
+      }
 
-      if (loggedIn) return;
-      // Not logged in — fall through to manual login.
-    } catch {
-      // Profile copy failed — clean up and fall through to manual login.
-      if (auth) {
-        try { await auth.context.close(); } catch {}
-        auth.cleanup();
+      if (!loggedIn) {
+        throw new Error(
+          'Login timed out after 5 minutes.\n' +
+          'Please log in to chatgpt.com in the browser window that opened.\n' +
+          'If the session expired, delete the .auth/ directory and try again.'
+        );
       }
+      console.log('Logged in!');
     }
-  }
-
-  // Fallback: open a bare browser for the user to log in manually.
-  console.log('\nNo saved ChatGPT session found (or session expired).');
-  console.log('Opening browser — please log in to chatgpt.com.\n');
-
-  const projectRoot = process.env.SUNPEAK_PROJECT_ROOT || process.cwd();
-  const { chromium } = resolvePlaywright(projectRoot);
-
-  const browser = await chromium.launch({
-    headless: false,
-    args: ANTI_BOT_ARGS,
-  });
 
-  const context = await browser.newContext({
-    userAgent: CHROME_USER_AGENT,
-  });
-
-  const page = await context.newPage();
-  await page.goto(CHATGPT_URL, { waitUntil: 'domcontentloaded' });
-
-  console.log('Waiting for login... (this will timeout after 5 minutes)\n');
-  await page.locator(LOGIN_SELECTOR).first().waitFor({ timeout: 300_000 });
-  console.log('Logged in! Saving session...\n');
-
-  mkdirSync(dirname(authFile), { recursive: true });
-  await context.storageState({ path: authFile });
-  await browser.close();
+    // Save session for future runs (best effort — HttpOnly cookies won't be captured).
+    mkdirSync(dirname(authFile), { recursive: true });
+    await context.storageState({ path: authFile });
+    console.log('Session saved.\n');
+
+    // Refresh MCP server in the SAME browser session.
+    // This is critical — Cloudflare's cf_clearance cookie is HttpOnly and
+    // won't be in the saved storageState. By refreshing here, the cookie
+    // is still valid for navigating to settings.
+    //
+    // This MUST succeed — if the MCP server isn't reachable or the refresh
+    // fails, tests will fail with confusing iframe/timeout errors.
+    const hostPage = new ChatGPTPage(page);
+    await hostPage.refreshMcpServer({ appName });
+    console.log('MCP server refreshed.');
+  } finally {
+    await browser.close();
+  }
 }