yunti-browser-runtime 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +256 -0
  3. package/bin/yunti-browser-runtime.js +86 -0
  4. package/docs/EXECUTION_PLAN.md +1278 -0
  5. package/docs/INSTALL.md +205 -0
  6. package/docs/PROJECT_INTENT.md +44 -0
  7. package/docs/PROJECT_STATUS.md +263 -0
  8. package/docs/PUBLISHING_BLOCKERS.md +110 -0
  9. package/docs/RELEASE.md +148 -0
  10. package/docs/ROADMAP.md +42 -0
  11. package/docs/SECURITY.md +56 -0
  12. package/docs/TOOL_GUIDE.md +69 -0
  13. package/extension/background.js +55 -0
  14. package/extension/cdp.js +582 -0
  15. package/extension/content.css +9 -0
  16. package/extension/content.js +946 -0
  17. package/extension/manifest.json +35 -0
  18. package/extension/network-monitor.js +140 -0
  19. package/extension/popup.css +66 -0
  20. package/extension/popup.html +30 -0
  21. package/extension/popup.js +55 -0
  22. package/extension/session-manager.js +332 -0
  23. package/extension/settings.js +94 -0
  24. package/extension/tool-handlers.js +1158 -0
  25. package/lib/runtime-paths.js +39 -0
  26. package/mcp/bridge-hub.js +604 -0
  27. package/mcp/http-server.js +326 -0
  28. package/mcp/json-rpc.js +35 -0
  29. package/mcp/memory.js +126 -0
  30. package/mcp/redaction.js +94 -0
  31. package/mcp/server.js +269 -0
  32. package/mcp/tools.js +1092 -0
  33. package/package.json +60 -0
  34. package/scripts/check-package-metadata.js +131 -0
  35. package/scripts/check-published-package.js +113 -0
  36. package/scripts/doctor.js +163 -0
  37. package/scripts/package-extension.js +137 -0
  38. package/scripts/print-config.js +116 -0
  39. package/scripts/release-check.js +472 -0
  40. package/skills/yunti-browser-runtime/SKILL.md +77 -0
@@ -0,0 +1,205 @@
1
+ # Install Guide
2
+
3
+ ## Requirements
4
+
5
+ - Node.js 22 or newer.
6
+ - Chrome, Edge, or another Chromium browser with extension developer mode.
7
+ - An MCP-capable agent.
8
+
9
+ ## Start The Local Bridge
10
+
11
+ From the project root:
12
+
13
+ ```bash
14
+ npm install
15
+ npm run bridge
16
+ ```
17
+
18
+ By default the bridge listens on:
19
+
20
+ ```text
21
+ http://127.0.0.1:48887
22
+ ```
23
+
24
+ Use a custom port when needed:
25
+
26
+ ```bash
27
+ YUNTI_BROWSER_BRIDGE_PORT=48999 npm run bridge
28
+ ```
29
+
30
+ bridge 会在启动时读取或生成本地访问 token,并把请求头名称和值打印到 stderr。
31
+ 推荐在 MCP、doctor 和扩展里使用同一个显式 token:
32
+
33
+ ```bash
34
+ YUNTI_BROWSER_BRIDGE_TOKEN="$(openssl rand -hex 24)" npm run bridge
35
+ ```
36
+
37
+ 需要自定义允许的 CORS 来源时:
38
+
39
+ ```bash
40
+ YUNTI_BROWSER_BRIDGE_ALLOW_ORIGINS="http://127.0.0.1,http://localhost,chrome-extension://*" npm run bridge
41
+ ```
42
+
43
+ When installed as an npm package, the equivalent CLI command is:
44
+
45
+ ```bash
46
+ yunti-browser-runtime bridge
47
+ ```
48
+
49
+ ## Load The Extension
50
+
51
+ Development loading:
52
+
53
+ 1. Open `chrome://extensions` or `edge://extensions`.
54
+ 2. Enable developer mode.
55
+ 3. Choose "Load unpacked".
56
+ 4. Select the project `extension/` directory.
57
+ 5. Click the extension icon and save the same bridge token printed by the bridge.
58
+ 6. Open any `http` or `https` page and click the extension icon to confirm the
59
+ page is connected.
60
+
61
+ The extension registers browser pages with the local bridge. It does not create
62
+ agent conversations or depend on a remote workspace.
63
+
64
+ To create a distributable zip:
65
+
66
+ ```bash
67
+ npm run package:extension
68
+ ```
69
+
70
+ The package is written to `dist/yunti-browser-runtime-extension-<version>.zip`
71
+ and contains only the extension runtime files.
72
+
73
+ ## Register MCP
74
+
75
+ Print the MCP server configuration for your agent, then add it to your agent
76
+ configuration:
77
+
78
+ ```bash
79
+ npm run print-config
80
+ npm run print-config -- --agent codex --human
81
+ npm run print-config -- --agent claude-code --human
82
+ npm run print-config -- --agent cursor --human
83
+ npm run print-config -- --agent cline --human
84
+ ```
85
+
86
+ The stdio MCP server starts or reuses the local bridge automatically. Running
87
+ `npm run bridge` manually is useful for debugging, but not always required by
88
+ agents that launch the MCP server themselves.
89
+
90
+ ### Agent Examples
91
+
92
+ These examples intentionally use `npm run print-config` instead of hard-coded
93
+ local paths. Copy the JSON printed by the command into the matching agent's MCP
94
+ configuration file or UI.
95
+
96
+ #### Codex
97
+
98
+ ```bash
99
+ npm run print-config -- --agent codex --human
100
+ ```
101
+
102
+ Then install the browser skill if your Codex setup supports skills:
103
+
104
+ ```bash
105
+ mkdir -p ~/.codex/skills
106
+ cp -R skills/yunti-browser-runtime ~/.codex/skills/
107
+ ```
108
+
109
+ Start a new Codex session after adding the MCP server and skill. For browser
110
+ tasks, the session should call `yunti_get_tool_usage_hints` first, then
111
+ `yunti_list_browser_targets`.
112
+
113
+ #### Claude Code
114
+
115
+ ```bash
116
+ npm run print-config -- --agent claude-code --human
117
+ ```
118
+
119
+ Add the printed `mcpServers.yunti-browser-runtime` block to Claude Code's MCP
120
+ configuration. If using a bridge token, set `YUNTI_BROWSER_BRIDGE_TOKEN` in the
121
+ same environment Claude Code uses to launch the MCP server, and save the same
122
+ token in the extension popup.
123
+
124
+ #### Cursor
125
+
126
+ ```bash
127
+ npm run print-config -- --agent cursor --human
128
+ ```
129
+
130
+ Add the printed `mcpServers` JSON to Cursor's MCP configuration. Restart or
131
+ reload Cursor after saving the config, then run `npm run doctor` from this
132
+ project to confirm the bridge and extension are healthy.
133
+
134
+ #### Cline
135
+
136
+ ```bash
137
+ npm run print-config -- --agent cline --human
138
+ ```
139
+
140
+ Add the printed server entry to Cline's MCP settings. Keep the extension loaded
141
+ in Chrome/Edge and refresh the target page so the content script registers a
142
+ fresh `browserSessionId`.
143
+
144
+ ## Check Health
145
+
146
+ ```bash
147
+ npm run doctor
148
+ ```
149
+
150
+ Or through the package CLI:
151
+
152
+ ```bash
153
+ yunti-browser-runtime doctor
154
+ ```
155
+
156
+ Expected JSON output includes `ok: true` when the local setup is healthy.
157
+ The command also prints a human-readable summary to stderr. If an agent needs
158
+ machine-only output, run:
159
+
160
+ ```bash
161
+ npm run doctor:json
162
+ ```
163
+
164
+ ## Release Check
165
+
166
+ Before publishing or sharing a release candidate, run:
167
+
168
+ ```bash
169
+ npm run release:check
170
+ ```
171
+
172
+ This command checks public docs for local/internal residue, runs syntax checks,
173
+ runs the unit test suite, and verifies the npm package contents with
174
+ `npm pack --dry-run`.
175
+
176
+ ## Common Recovery
177
+
178
+ - If tools say no browser tab is connected, refresh the target page.
179
+ - If doctor reports `authorized: false`, set `YUNTI_BROWSER_BRIDGE_TOKEN` and
180
+ save the same token in the extension popup.
181
+ - If an old `browserSessionId` fails, call `yunti_list_browser_targets` again
182
+ and use the latest returned session.
183
+ - If a parameter error appears, call `yunti_get_tool_usage_hints` with the
184
+ failed tool name before retrying.
185
+ - For `yunti_fill`, pass `value` plus `uid` or `selector`; coordinate-only fill
186
+ is rejected.
187
+ - For closing a raw `tabId` or `targetId`, use `yunti_cdp_send_command` with
188
+ `Target.closeTarget` instead of `yunti_close_page`.
189
+ - If the extension was reloaded, refresh browser pages so the content script can
190
+ register again.
191
+
192
+ ## Real Browser Smoke Test
193
+
194
+ The real-browser E2E smoke test is opt-in so regular CI and local checks can run
195
+ without launching a browser:
196
+
197
+ ```bash
198
+ YUNTI_E2E=1 npm run test:e2e
199
+ ```
200
+
201
+ It uses Playwright with a persistent Chromium profile, loads the unpacked
202
+ extension, starts a local test page, starts the bridge, and verifies MCP list
203
+ targets, page snapshot, click/fill, and CDP `Runtime.evaluate`. Install
204
+ Playwright and Chromium before enabling it. Failures print the artifact
205
+ directory containing screenshot and error log paths.
@@ -0,0 +1,44 @@
1
+ # Project Intent
2
+
3
+ ## Why This Project Exists
4
+
5
+ Modern agents can reason well, but browser operation is still fragile when each
6
+ agent invents its own automation path. Yunti Browser Runtime exists to provide a
7
+ shared local browser operation layer that any agent can call through MCP.
8
+
9
+ The project starts from a practical internal browser agent implementation and
10
+ extracts the reusable foundation:
11
+
12
+ - discover local browser tabs and targets;
13
+ - inspect page state;
14
+ - execute clicks, input, screenshots, file uploads, and navigation;
15
+ - send Chrome DevTools Protocol commands;
16
+ - capture network, console, and CDP observations;
17
+ - keep multi-step operations routed to the intended browser page.
18
+
19
+ ## Design Principles
20
+
21
+ - Local first: the first version runs on the user's own machine.
22
+ - Simple deployment: install dependencies, load the extension, register MCP.
23
+ - Fast execution: avoid heavyweight browser re-launches when the user's browser
24
+ is already open.
25
+ - Agent agnostic: Claude Code, Codex, Cursor, Cline, OpenCode, and other MCP
26
+ clients should be able to use the same runtime.
27
+ - Explicit safety: dangerous writes, downloads, uploads, and form submissions
28
+ should be visible to the agent and user.
29
+ - No platform lock-in: the runtime must not depend on any company-internal
30
+ platform.
31
+
32
+ ## First Release Boundary
33
+
34
+ The first release is a local single-user runtime:
35
+
36
+ - one local bridge;
37
+ - one user's browser extension;
38
+ - local-only browser sessions;
39
+ - no remote relay;
40
+ - no multi-user server;
41
+ - no shared market, skills, or workspace concepts.
42
+
43
+ Remote multi-user deployment can be designed later as a separate layer. The
44
+ local runtime should stay small and dependable.
@@ -0,0 +1,263 @@
1
+ # Project Status
2
+
3
+ ## Current Phase
4
+
5
+ Release readiness: local MVP is prepared for first public release. P4.19 formal
6
+ npm publish is in progress and currently blocked only by npm two-factor
7
+ authentication OTP.
8
+
9
+ ## Current State
10
+
11
+ - Project directory created.
12
+ - Project intent, install, tool, security, roadmap, and status docs exist.
13
+ - Local-first architecture selected.
14
+ - MCP server, local bridge, extension, runtime path helper, doctor command, and
15
+ bridge tests have been extracted.
16
+ - A distributable agent skill exists at
17
+ `skills/yunti-browser-runtime/SKILL.md`.
18
+ - README is Chinese-first and includes browser extension setup, MCP registration,
19
+ and agent skill installation steps.
20
+ - A staged execution plan exists at `docs/EXECUTION_PLAN.md`.
21
+ - Tool prefix is `yunti_*`.
22
+ - MCP local mode defaults to `userId=local`.
23
+ - Bridge HTTP routes now require `x-yunti-browser-token`; unauthenticated
24
+ `/health` only returns limited status.
25
+ - Bridge CORS now echoes only local debug origins and browser extension origins
26
+ by default, with `YUNTI_BROWSER_BRIDGE_ALLOW_ORIGINS` as an override.
27
+ - Extension popup can save the local bridge URL, token, and page match patterns.
28
+ - Browser sessions now track `lastSeenAt`, `lastActivatedAt`, `expiresAt`, and
29
+ `staleReason`; extension polling refreshes heartbeat and expired sessions are
30
+ cleaned up with recovery guidance.
31
+ - `npm run doctor` now checks Node version, bridge reachability, token validity,
32
+ registered sessions, active session, extension presence, MCP server path, and
33
+ skill path; it emits JSON plus a human-readable summary.
34
+ - `npm run print-config` prints MCP configuration for Codex, Claude Code,
35
+ Cursor, and Cline, including project paths, bridge port, token guidance, and
36
+ skill installation hints.
37
+ - `npm run package:extension` writes a minimal extension zip to `dist/` with
38
+ only extension runtime files.
39
+ - `npm run release:dry-run` and `npm run release:publish` pin the official npm
40
+ registry at `https://registry.npmjs.org/`, avoiding accidental publication to
41
+ a locally configured mirror registry.
42
+ - `npm run test:e2e` provides an opt-in real-browser Playwright smoke test for
43
+ extension loading, page registration, MCP target listing, snapshot, click/fill,
44
+ and CDP `Runtime.evaluate`.
45
+ - Package metadata now includes bin, files, repository, keywords, homepage,
46
+ bugs, and packageManager fields. The `yunti-browser-runtime` CLI routes
47
+ `mcp`, `bridge`, `doctor`, `print-config`, and `package-extension`.
48
+ - MCP tool schemas and usage hints have been split into `mcp/tools.js` so
49
+ `mcp/server.js` is focused on bridge, routing, and JSON-RPC behavior.
50
+ - MCP JSON-RPC response wrappers, redaction/event normalization helpers, and
51
+ learning memory storage have been split into `mcp/json-rpc.js`,
52
+ `mcp/redaction.js`, and `mcp/memory.js`.
53
+ - MCP session hub, request queueing, network/CDP/console event caches, and
54
+ bridge-local tool routing have been split into `mcp/bridge-hub.js`, while
55
+ `mcp/server.js` keeps compatibility re-exports.
56
+ - MCP HTTP bridge server, CORS/token checks, route handlers, and body parsing
57
+ have been split into `mcp/http-server.js`, while `mcp/server.js` keeps
58
+ compatibility re-exports.
59
+ - Extension settings/page matching and network monitoring have been split into
60
+ `extension/settings.js` and `extension/network-monitor.js`, and the extension
61
+ package script includes those module files.
62
+ - Extension CDP target routing, debugger attach/detach, and tracing helpers
63
+ have been split into `extension/cdp.js`, and the extension package script
64
+ includes the module file.
65
+ - Extension session registration, polling, popup state, bridge posting, and
66
+ console event forwarding have been split into `extension/session-manager.js`,
67
+ and the extension package script includes the module file.
68
+ - Extension tool dispatch and page operation handlers have been split into
69
+ `extension/tool-handlers.js`, and the extension package script includes the
70
+ module file.
71
+ - P3.2 tool argument validation is complete for `yunti_click`, `yunti_hover`,
72
+ `yunti_fill`, `yunti_close_page`, `yunti_cdp_send_command`, and
73
+ `yunti_forget_learning_memory`, with recovery-oriented errors and updated
74
+ usage hints.
75
+ - `docs/TOOL_GUIDE.md` and `skills/yunti-browser-runtime/SKILL.md` now document
76
+ the common P3.2 parameter rules.
77
+ - README and INSTALL now include P3.2 parameter recovery guidance.
78
+ - SECURITY now documents `storage` permission usage and broad host permission
79
+ rationale for the local-first extension.
80
+ - INSTALL now includes Codex, Claude Code, Cursor, and Cline MCP setup examples
81
+ based on `npm run print-config`.
82
+ - Extension registers all `http` and `https` pages by default.
83
+ - Product-specific fixed conversation, workspace, and side-panel entry points
84
+ have been removed from the standalone extension.
85
+
86
+ ## Decisions
87
+
88
+ - Project name: `yunti-browser-runtime`.
89
+ - Public package/tooling prefix: `yunti`.
90
+ - Environment variable prefix: `YUNTI_BROWSER_`.
91
+ - Tool prefix target: `yunti_*`.
92
+ - `yunti_list_pages` is a compatibility alias for the live browser target
93
+ inventory, not a separate registration registry.
94
+ - If a `browserSessionId` becomes stale, agents should call
95
+ `yunti_list_browser_targets` to refresh the route inventory.
96
+ - The content script must not call product-specific login APIs in the
97
+ standalone runtime.
98
+
99
+ ## Open Work
100
+
101
+ - Follow `docs/EXECUTION_PLAN.md` for the active P4.19 npm publish step.
102
+ - P4.1 release-readiness docs and permission review is complete.
103
+ - P4.2 Agent integration examples are complete.
104
+ - P4.3 npm publishing URL confirmation is complete with the GitHub repository
105
+ `https://github.com/dingguangyi0/yunti-browser-runtime`; package metadata
106
+ points to that repository/homepage/issues URL set and all three URLs return
107
+ HTTP 200.
108
+ - `npm view yunti-browser-runtime` currently returns E404, which is acceptable
109
+ only if `0.1.0` is intended to be the first npm release under this package
110
+ name.
111
+ - Latest release gate checks passed after documenting P4.3: public-doc residue
112
+ check, `npm run check`, `npm test`, and `npm pack --dry-run`.
113
+ - P4.4 release gate scripting is complete: `npm run release:check` now runs
114
+ public-doc residue checks, `npm run check`, `npm test`, and
115
+ `npm pack --dry-run`.
116
+ - P4.5 release runbook is complete: `docs/RELEASE.md` documents external URL
117
+ confirmation, release gates, extension zip checks, optional E2E, and npm
118
+ publish steps.
119
+ - Latest `npm run release:check` passed after adding the runbook; the npm
120
+ tarball includes `docs/RELEASE.md`.
121
+ - P4.6 package metadata checking is complete: `npm run check:metadata` reports
122
+ public reachability for package repository/homepage/bugs URLs and npm package
123
+ status, returning non-zero while the GitHub URLs are unavailable.
124
+ - Latest `npm run release:check` passed after adding metadata checking; the npm
125
+ tarball includes `scripts/check-package-metadata.js`.
126
+ - P4.7 prepublish gate is complete: `npm run release:prepublish` now runs
127
+ metadata checks before the local release gate and is expected to fail until
128
+ P4.3 repository URLs are public.
129
+ - Latest P4.7 validation: `npm run release:check` passed public-doc residue
130
+ checks, `npm run check`, `npm test`, and `npm pack --dry-run`; `npm run
131
+ release:prepublish` failed as expected at `check:metadata` because the current
132
+ repository and bugs URLs still return 404 or are not publicly reachable.
133
+ - P4.3 blocker remediation is documented in `docs/PUBLISHING_BLOCKERS.md`;
134
+ latest `npm run release:check` passed after adding that guide, and the npm
135
+ tarball now includes the blocker guide with 39 total files.
136
+ - P4.8 npm package contents gate is complete: `npm run release:check` now parses
137
+ `npm pack --json --dry-run` and fails if required runtime, extension, skill,
138
+ release documentation, or release helper files are missing from the tarball.
139
+ - Latest P4.8 validation: `npm run release:check` passed public-doc residue
140
+ checks, `npm run check`, `npm test`, and the required npm package contents
141
+ check; the parsed npm pack output contained 39 files.
142
+ - P4.9 extension zip contents gate is complete: `npm run release:check` now
143
+ runs `npm run package:extension`, parses the generated zip, and fails if the
144
+ archive is missing required extension runtime files or includes unexpected
145
+ files.
146
+ - Latest P4.9 validation: `npm run release:check` passed public-doc residue
147
+ checks, `npm run check`, `npm test`, required npm package contents validation,
148
+ and extension zip contents validation; the generated extension zip contained
149
+ exactly 12 runtime files.
150
+ - P4.10 package / extension version consistency gate is complete:
151
+ `npm run release:check` now fails if `package.json.version` and
152
+ `extension/manifest.json.version` are missing or different.
153
+ - Latest P4.10 validation: `npm run release:check` passed public-doc residue
154
+ checks, version consistency check for `0.1.0`, `npm run check`, `npm test`,
155
+ required npm package contents validation, and extension zip contents
156
+ validation.
157
+ - P4.11 npm bin CLI smoke gate is complete: `npm run release:check` now verifies
158
+ `package.json` bin mapping, `yunti-browser-runtime --help`, and
159
+ `yunti-browser-runtime --version` behavior through the local CLI entrypoint.
160
+ - Latest P4.11 validation: `npm run release:check` passed public-doc residue
161
+ checks, version consistency check for `0.1.0`, CLI smoke check for `0.1.0`,
162
+ `npm run check`, `npm test`, required npm package contents validation, and
163
+ extension zip contents validation.
164
+ - P4.12 Agent config smoke gate is complete: `npm run release:check` now
165
+ validates `print-config` JSON output for Codex, Claude Code, Cursor, and
166
+ Cline, plus the human-readable Codex output for token and skill guidance.
167
+ - Latest P4.12 validation: `npm run release:check` passed public-doc residue
168
+ checks, version consistency check for `0.1.0`, CLI smoke check for `0.1.0`,
169
+ print-config smoke check for 4 agents, `npm run check`, `npm test`, required
170
+ npm package contents validation, and extension zip contents validation.
171
+ - P4.13 doctor JSON smoke gate is complete: `npm run release:check` now runs
172
+ `scripts/doctor.js`, parses stdout JSON, validates Node/MCP/skill diagnostics,
173
+ and accepts bridge offline as a structured diagnostic state instead of a release
174
+ gate failure.
175
+ - Latest P4.13 validation: `npm run release:check` passed public-doc residue
176
+ checks, version consistency check for `0.1.0`, CLI smoke check for `0.1.0`,
177
+ print-config smoke check for 4 agents, doctor smoke check with bridge offline,
178
+ `npm run check`, `npm test`, required npm package contents validation, and
179
+ extension zip contents validation.
180
+ - P4.14 public Markdown link gate is complete: `npm run release:check` now scans
181
+ README, docs, and skills Markdown files and fails if a relative Markdown link
182
+ points to a missing local file.
183
+ - Latest P4.14 validation: `npm run release:check` passed public-doc residue
184
+ checks, public Markdown link check for 11 Markdown files, version consistency
185
+ check for `0.1.0`, CLI smoke check for `0.1.0`, print-config smoke check for
186
+ 4 agents, doctor smoke check with bridge offline, `npm run check`, `npm test`,
187
+ required npm package contents validation, and extension zip contents
188
+ validation. The release gate test run covered 59 tests, with 58 passed and 1
189
+ real-browser smoke test skipped by configuration.
190
+ - Latest P4.3 validation: `git push -u origin main` succeeded, `npm run
191
+ check:metadata` passed with repository/homepage/bugs all returning HTTP 200,
192
+ and `npm run release:prepublish` passed end to end.
193
+ - `npm run check:metadata` now retries transient repository/homepage/bugs HEAD
194
+ request failures, so temporary GitHub TLS disconnects do not immediately block
195
+ an otherwise reachable public URL set.
196
+ - `npm run check:metadata` also reuses the repository HEAD result when homepage
197
+ resolves to the same GitHub URL, reducing duplicate external requests during
198
+ release gates.
199
+ - P4.15 npm official registry publish scripts are complete:
200
+ `release:dry-run` and `release:publish` explicitly use
201
+ `https://registry.npmjs.org/`.
202
+ - Latest P4.15 validation: local npm registry is
203
+ `https://registry.npmmirror.com`, while
204
+ `npm run release:dry-run` passed and showed the official npm registry as the
205
+ target; the dry-run tarball contained 39 files.
206
+ - P4.16 publish script gate chaining is complete: `release:dry-run` and
207
+ `release:publish` now run `npm run release:prepublish` before reaching npm
208
+ publish or publish dry-run.
209
+ - Latest P4.16 validation: `npm run release:dry-run` passed, entered
210
+ `release:prepublish` first, then completed npm publish dry-run against
211
+ `https://registry.npmjs.org/`; the tarball contained 39 files.
212
+ - P4.17 npm auth preflight is complete: `release:whoami` checks login against
213
+ `https://registry.npmjs.org/`, and `release:publish` runs it before
214
+ `npm publish`.
215
+ - Latest P4.17 validation: after npm login, `npm run release:whoami` succeeds
216
+ against `https://registry.npmjs.org/` and reports account `xuanzhu`.
217
+ - P4.18 post-publish verification command is complete:
218
+ `release:verify-published` checks the published npm package name, version,
219
+ repository, homepage, bugs URL, and tarball URL against local `package.json`.
220
+ - Latest P4.18 validation: `release:verify-published` currently fails with a
221
+ structured unpublished-package report for `yunti-browser-runtime@0.1.0`,
222
+ `node --check scripts/check-published-package.js` passes, and
223
+ `release:dry-run` passes with a 40-file npm tarball that includes the new
224
+ verifier.
225
+ - P4.19 formal npm publish execution is in progress: `npm run release:publish`
226
+ passed metadata checks, release gates, `npm run release:whoami`, `npm run
227
+ check`, `npm test`, npm package contents validation, and extension zip
228
+ validation before reaching `npm publish`.
229
+ - Latest P4.19 validation: official npm publish reached
230
+ `https://registry.npmjs.org/` with a 40-file tarball, then failed with npm
231
+ `E403` because the account requires two-factor authentication OTP or a
232
+ granular access token with bypass 2FA enabled.
233
+ - A temporary npm token publish retry also reached official npm publish after
234
+ passing the full local release gate, but npm returned the same `E403`; the
235
+ token does not satisfy npm's publish-time bypass 2FA requirement.
236
+ - A project-local `.npmrc` retry with the actual token also authenticated
237
+ successfully as `xuanzhu`, then failed at `npm publish` with the same `E403`;
238
+ `.npmrc` is ignored by git to avoid committing local npm credentials.
239
+ - A second npm token written to the project-local `.npmrc` also authenticated
240
+ successfully as `xuanzhu`, then failed at `npm publish` with the same `E403`.
241
+ - Next required release step: rerun
242
+ `npm run release:publish -- --otp=<6-digit-code>` with a current npm OTP, or
243
+ configure an npm granular access token that can publish with bypass 2FA; after
244
+ publish succeeds, run `npm run release:verify-published`.
245
+
246
+ ## Known Risks
247
+
248
+ - Remote relay environment variables still exist in MCP code for compatibility
249
+ but are not documented as the first release path.
250
+ - Tool argument validation is improved for the P3.2 focus tools, but broader
251
+ long-tail tools can still receive the same treatment before a later release.
252
+ - Extension broad host permissions are now documented, but should still be
253
+ re-reviewed before any store-distributed release.
254
+ - Package repository/homepage/bugs metadata is publicly reachable, and the
255
+ final npm publish is now waiting on npm 2FA OTP or a publish-capable granular
256
+ access token.
257
+ - Tool names and descriptions must stay clear enough for agents to choose the
258
+ right route without relying on hidden model knowledge.
259
+
260
+ ## Maintenance Rule
261
+
262
+ Every meaningful change to runtime behavior, tool schema, extension behavior,
263
+ or install flow must update this file before commit/release.
@@ -0,0 +1,110 @@
1
+ # Publishing Blockers
2
+
3
+ This document tracks release blockers that require external confirmation before
4
+ publishing `yunti-browser-runtime`.
5
+
6
+ ## Active Blocker: npm 2FA Publish OTP
7
+
8
+ Status: active as of 2026-07-03.
9
+
10
+ `npm run release:publish` now passes local release gates and npm login preflight,
11
+ then reaches `npm publish --registry=https://registry.npmjs.org/`. The registry
12
+ rejects the publish with `E403` because the logged-in account requires
13
+ two-factor authentication for package publishing.
14
+
15
+ A temporary npm token retry also passed the local release gate and reached
16
+ official npm publish, but npm returned the same `E403`. That token does not
17
+ satisfy the publish-time bypass 2FA requirement.
18
+
19
+ A project-root `.npmrc` retry with the actual token also authenticated
20
+ successfully as `xuanzhu`, then failed at `npm publish` with the same `E403`.
21
+ The local `.npmrc` is ignored by git and must not be committed.
22
+
23
+ A second token written to the project-root `.npmrc` also authenticated
24
+ successfully as `xuanzhu`, then failed at `npm publish` with the same `E403`.
25
+
26
+ Resolution:
27
+
28
+ ```bash
29
+ npm run release:publish -- --otp=<6-digit-code>
30
+ ```
31
+
32
+ Use a fresh npm one-time password from the account authenticator. As an
33
+ alternative, configure a granular npm access token with package publish
34
+ permission and bypass 2FA enabled, then rerun `npm run release:publish`.
35
+
36
+ After publish succeeds, run:
37
+
38
+ ```bash
39
+ npm run release:verify-published
40
+ ```
41
+
42
+ ## Resolved Blocker: P4.3 Package URLs
43
+
44
+ Status: resolved on 2026-07-02 with
45
+ `https://github.com/dingguangyi0/yunti-browser-runtime`.
46
+
47
+ The package metadata currently points to:
48
+
49
+ - Repository: `https://github.com/dingguangyi0/yunti-browser-runtime`
50
+ - Homepage: `https://github.com/dingguangyi0/yunti-browser-runtime#readme`
51
+ - Issues: `https://github.com/dingguangyi0/yunti-browser-runtime/issues`
52
+
53
+ The previous `yunti-ai/yunti-browser-runtime` metadata returned HTTP 404. The
54
+ project moved to the `dingguangyi0/yunti-browser-runtime` GitHub repository,
55
+ and the initial `main` push succeeded.
56
+
57
+ ## Resolution Options
58
+
59
+ ### Option A: Create Or Publicize The Current Repository
60
+
61
+ Use this when the intended public home is a not-yet-created or private
62
+ repository.
63
+
64
+ Checklist:
65
+
66
+ - Create the GitHub repository, or make the existing repository public.
67
+ - Enable issues, or choose a different public issue tracker.
68
+ - Confirm the repository URL and issues URL return non-404 responses.
69
+ - Keep the current `package.json` metadata unchanged if these URLs are correct.
70
+ - Run the validation commands below.
71
+
72
+ ### Option B: Update Package Metadata To A Different Public Repository
73
+
74
+ Use this when the final public repository lives somewhere else.
75
+
76
+ Checklist:
77
+
78
+ - Update `package.json` `repository.url`.
79
+ - Update `package.json` `homepage`.
80
+ - Update `package.json` `bugs.url`.
81
+ - Update README, release docs, and status docs if they name the old URL.
82
+ - Run the validation commands below.
83
+
84
+ ## Validation Commands
85
+
86
+ After either option is complete, run:
87
+
88
+ ```bash
89
+ npm run check:metadata
90
+ npm run release:prepublish
91
+ ```
92
+
93
+ Actual result after P4.3 is resolved:
94
+
95
+ - `npm run check:metadata` exits 0.
96
+ - Repository, homepage, and issue URLs are publicly reachable.
97
+ - `npm run release:prepublish` reaches and passes `npm run release:check`.
98
+ - npm E404 is accepted only for the first publish under the intended package
99
+ name.
100
+
101
+ Before the final publish, also run:
102
+
103
+ ```bash
104
+ npm run release:dry-run
105
+ ```
106
+
107
+ ## Publish Readiness
108
+
109
+ `npm run release:prepublish` now passes. Before running `npm run
110
+ release:publish`, run and review `npm run release:dry-run`.