yunti-browser-runtime 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +256 -0
- package/bin/yunti-browser-runtime.js +86 -0
- package/docs/EXECUTION_PLAN.md +1278 -0
- package/docs/INSTALL.md +205 -0
- package/docs/PROJECT_INTENT.md +44 -0
- package/docs/PROJECT_STATUS.md +263 -0
- package/docs/PUBLISHING_BLOCKERS.md +110 -0
- package/docs/RELEASE.md +148 -0
- package/docs/ROADMAP.md +42 -0
- package/docs/SECURITY.md +56 -0
- package/docs/TOOL_GUIDE.md +69 -0
- package/extension/background.js +55 -0
- package/extension/cdp.js +582 -0
- package/extension/content.css +9 -0
- package/extension/content.js +946 -0
- package/extension/manifest.json +35 -0
- package/extension/network-monitor.js +140 -0
- package/extension/popup.css +66 -0
- package/extension/popup.html +30 -0
- package/extension/popup.js +55 -0
- package/extension/session-manager.js +332 -0
- package/extension/settings.js +94 -0
- package/extension/tool-handlers.js +1158 -0
- package/lib/runtime-paths.js +39 -0
- package/mcp/bridge-hub.js +604 -0
- package/mcp/http-server.js +326 -0
- package/mcp/json-rpc.js +35 -0
- package/mcp/memory.js +126 -0
- package/mcp/redaction.js +94 -0
- package/mcp/server.js +269 -0
- package/mcp/tools.js +1092 -0
- package/package.json +60 -0
- package/scripts/check-package-metadata.js +131 -0
- package/scripts/check-published-package.js +113 -0
- package/scripts/doctor.js +163 -0
- package/scripts/package-extension.js +137 -0
- package/scripts/print-config.js +116 -0
- package/scripts/release-check.js +472 -0
- package/skills/yunti-browser-runtime/SKILL.md +77 -0
package/docs/INSTALL.md
ADDED
|
@@ -0,0 +1,205 @@
|
|
|
1
|
+
# Install Guide
|
|
2
|
+
|
|
3
|
+
## Requirements
|
|
4
|
+
|
|
5
|
+
- Node.js 22 or newer.
|
|
6
|
+
- Chrome, Edge, or another Chromium browser with extension developer mode.
|
|
7
|
+
- An MCP-capable agent.
|
|
8
|
+
|
|
9
|
+
## Start The Local Bridge
|
|
10
|
+
|
|
11
|
+
From the project root:
|
|
12
|
+
|
|
13
|
+
```bash
|
|
14
|
+
npm install
|
|
15
|
+
npm run bridge
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
By default the bridge listens on:
|
|
19
|
+
|
|
20
|
+
```text
|
|
21
|
+
http://127.0.0.1:48887
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
Use a custom port when needed:
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
YUNTI_BROWSER_BRIDGE_PORT=48999 npm run bridge
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
bridge 会在启动时读取或生成本地访问 token,并把请求头名称和值打印到 stderr。
|
|
31
|
+
推荐在 MCP、doctor 和扩展里使用同一个显式 token:
|
|
32
|
+
|
|
33
|
+
```bash
|
|
34
|
+
YUNTI_BROWSER_BRIDGE_TOKEN="$(openssl rand -hex 24)" npm run bridge
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
需要自定义允许的 CORS 来源时:
|
|
38
|
+
|
|
39
|
+
```bash
|
|
40
|
+
YUNTI_BROWSER_BRIDGE_ALLOW_ORIGINS="http://127.0.0.1,http://localhost,chrome-extension://*" npm run bridge
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
When installed as an npm package, the equivalent CLI command is:
|
|
44
|
+
|
|
45
|
+
```bash
|
|
46
|
+
yunti-browser-runtime bridge
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
## Load The Extension
|
|
50
|
+
|
|
51
|
+
Development loading:
|
|
52
|
+
|
|
53
|
+
1. Open `chrome://extensions` or `edge://extensions`.
|
|
54
|
+
2. Enable developer mode.
|
|
55
|
+
3. Choose "Load unpacked".
|
|
56
|
+
4. Select the project `extension/` directory.
|
|
57
|
+
5. Click the extension icon and save the same bridge token printed by the bridge.
|
|
58
|
+
6. Open any `http` or `https` page and click the extension icon to confirm the
|
|
59
|
+
page is connected.
|
|
60
|
+
|
|
61
|
+
The extension registers browser pages with the local bridge. It does not create
|
|
62
|
+
agent conversations or depend on a remote workspace.
|
|
63
|
+
|
|
64
|
+
To create a distributable zip:
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
npm run package:extension
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
The package is written to `dist/yunti-browser-runtime-extension-<version>.zip`
|
|
71
|
+
and contains only the extension runtime files.
|
|
72
|
+
|
|
73
|
+
## Register MCP
|
|
74
|
+
|
|
75
|
+
Print the MCP server configuration for your agent, then add it to your agent
|
|
76
|
+
configuration:
|
|
77
|
+
|
|
78
|
+
```bash
|
|
79
|
+
npm run print-config
|
|
80
|
+
npm run print-config -- --agent codex --human
|
|
81
|
+
npm run print-config -- --agent claude-code --human
|
|
82
|
+
npm run print-config -- --agent cursor --human
|
|
83
|
+
npm run print-config -- --agent cline --human
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
The stdio MCP server starts or reuses the local bridge automatically. Running
|
|
87
|
+
`npm run bridge` manually is useful for debugging, but not always required by
|
|
88
|
+
agents that launch the MCP server themselves.
|
|
89
|
+
|
|
90
|
+
### Agent Examples
|
|
91
|
+
|
|
92
|
+
These examples intentionally use `npm run print-config` instead of hard-coded
|
|
93
|
+
local paths. Copy the JSON printed by the command into the matching agent's MCP
|
|
94
|
+
configuration file or UI.
|
|
95
|
+
|
|
96
|
+
#### Codex
|
|
97
|
+
|
|
98
|
+
```bash
|
|
99
|
+
npm run print-config -- --agent codex --human
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
Then install the browser skill if your Codex setup supports skills:
|
|
103
|
+
|
|
104
|
+
```bash
|
|
105
|
+
mkdir -p ~/.codex/skills
|
|
106
|
+
cp -R skills/yunti-browser-runtime ~/.codex/skills/
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
Start a new Codex session after adding the MCP server and skill. For browser
|
|
110
|
+
tasks, the session should call `yunti_get_tool_usage_hints` first, then
|
|
111
|
+
`yunti_list_browser_targets`.
|
|
112
|
+
|
|
113
|
+
#### Claude Code
|
|
114
|
+
|
|
115
|
+
```bash
|
|
116
|
+
npm run print-config -- --agent claude-code --human
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
Add the printed `mcpServers.yunti-browser-runtime` block to Claude Code's MCP
|
|
120
|
+
configuration. If using a bridge token, set `YUNTI_BROWSER_BRIDGE_TOKEN` in the
|
|
121
|
+
same environment Claude Code uses to launch the MCP server, and save the same
|
|
122
|
+
token in the extension popup.
|
|
123
|
+
|
|
124
|
+
#### Cursor
|
|
125
|
+
|
|
126
|
+
```bash
|
|
127
|
+
npm run print-config -- --agent cursor --human
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
Add the printed `mcpServers` JSON to Cursor's MCP configuration. Restart or
|
|
131
|
+
reload Cursor after saving the config, then run `npm run doctor` from this
|
|
132
|
+
project to confirm the bridge and extension are healthy.
|
|
133
|
+
|
|
134
|
+
#### Cline
|
|
135
|
+
|
|
136
|
+
```bash
|
|
137
|
+
npm run print-config -- --agent cline --human
|
|
138
|
+
```
|
|
139
|
+
|
|
140
|
+
Add the printed server entry to Cline's MCP settings. Keep the extension loaded
|
|
141
|
+
in Chrome/Edge and refresh the target page so the content script registers a
|
|
142
|
+
fresh `browserSessionId`.
|
|
143
|
+
|
|
144
|
+
## Check Health
|
|
145
|
+
|
|
146
|
+
```bash
|
|
147
|
+
npm run doctor
|
|
148
|
+
```
|
|
149
|
+
|
|
150
|
+
Or through the package CLI:
|
|
151
|
+
|
|
152
|
+
```bash
|
|
153
|
+
yunti-browser-runtime doctor
|
|
154
|
+
```
|
|
155
|
+
|
|
156
|
+
Expected JSON output includes `ok: true` when the local setup is healthy.
|
|
157
|
+
The command also prints a human-readable summary to stderr. If an agent needs
|
|
158
|
+
machine-only output, run:
|
|
159
|
+
|
|
160
|
+
```bash
|
|
161
|
+
npm run doctor:json
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
## Release Check
|
|
165
|
+
|
|
166
|
+
Before publishing or sharing a release candidate, run:
|
|
167
|
+
|
|
168
|
+
```bash
|
|
169
|
+
npm run release:check
|
|
170
|
+
```
|
|
171
|
+
|
|
172
|
+
This command checks public docs for local/internal residue, runs syntax checks,
|
|
173
|
+
runs the unit test suite, and verifies the npm package contents with
|
|
174
|
+
`npm pack --dry-run`.
|
|
175
|
+
|
|
176
|
+
## Common Recovery
|
|
177
|
+
|
|
178
|
+
- If tools say no browser tab is connected, refresh the target page.
|
|
179
|
+
- If doctor reports `authorized: false`, set `YUNTI_BROWSER_BRIDGE_TOKEN` and
|
|
180
|
+
save the same token in the extension popup.
|
|
181
|
+
- If an old `browserSessionId` fails, call `yunti_list_browser_targets` again
|
|
182
|
+
and use the latest returned session.
|
|
183
|
+
- If a parameter error appears, call `yunti_get_tool_usage_hints` with the
|
|
184
|
+
failed tool name before retrying.
|
|
185
|
+
- For `yunti_fill`, pass `value` plus `uid` or `selector`; coordinate-only fill
|
|
186
|
+
is rejected.
|
|
187
|
+
- For closing a raw `tabId` or `targetId`, use `yunti_cdp_send_command` with
|
|
188
|
+
`Target.closeTarget` instead of `yunti_close_page`.
|
|
189
|
+
- If the extension was reloaded, refresh browser pages so the content script can
|
|
190
|
+
register again.
|
|
191
|
+
|
|
192
|
+
## Real Browser Smoke Test
|
|
193
|
+
|
|
194
|
+
The real-browser E2E smoke test is opt-in so regular CI and local checks can run
|
|
195
|
+
without launching a browser:
|
|
196
|
+
|
|
197
|
+
```bash
|
|
198
|
+
YUNTI_E2E=1 npm run test:e2e
|
|
199
|
+
```
|
|
200
|
+
|
|
201
|
+
It uses Playwright with a persistent Chromium profile, loads the unpacked
|
|
202
|
+
extension, starts a local test page, starts the bridge, and verifies MCP list
|
|
203
|
+
targets, page snapshot, click/fill, and CDP `Runtime.evaluate`. Install
|
|
204
|
+
Playwright and Chromium before enabling it. Failures print the artifact
|
|
205
|
+
directory containing screenshot and error log paths.
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# Project Intent
|
|
2
|
+
|
|
3
|
+
## Why This Project Exists
|
|
4
|
+
|
|
5
|
+
Modern agents can reason well, but browser operation is still fragile when each
|
|
6
|
+
agent invents its own automation path. Yunti Browser Runtime exists to provide a
|
|
7
|
+
shared local browser operation layer that any agent can call through MCP.
|
|
8
|
+
|
|
9
|
+
The project starts from a practical internal browser agent implementation and
|
|
10
|
+
extracts the reusable foundation:
|
|
11
|
+
|
|
12
|
+
- discover local browser tabs and targets;
|
|
13
|
+
- inspect page state;
|
|
14
|
+
- execute clicks, input, screenshots, file uploads, and navigation;
|
|
15
|
+
- send Chrome DevTools Protocol commands;
|
|
16
|
+
- capture network, console, and CDP observations;
|
|
17
|
+
- keep multi-step operations routed to the intended browser page.
|
|
18
|
+
|
|
19
|
+
## Design Principles
|
|
20
|
+
|
|
21
|
+
- Local first: the first version runs on the user's own machine.
|
|
22
|
+
- Simple deployment: install dependencies, load the extension, register MCP.
|
|
23
|
+
- Fast execution: avoid heavyweight browser re-launches when the user's browser
|
|
24
|
+
is already open.
|
|
25
|
+
- Agent agnostic: Claude Code, Codex, Cursor, Cline, OpenCode, and other MCP
|
|
26
|
+
clients should be able to use the same runtime.
|
|
27
|
+
- Explicit safety: dangerous writes, downloads, uploads, and form submissions
|
|
28
|
+
should be visible to the agent and user.
|
|
29
|
+
- No platform lock-in: the runtime must not depend on any company-internal
|
|
30
|
+
platform.
|
|
31
|
+
|
|
32
|
+
## First Release Boundary
|
|
33
|
+
|
|
34
|
+
The first release is a local single-user runtime:
|
|
35
|
+
|
|
36
|
+
- one local bridge;
|
|
37
|
+
- one user's browser extension;
|
|
38
|
+
- local-only browser sessions;
|
|
39
|
+
- no remote relay;
|
|
40
|
+
- no multi-user server;
|
|
41
|
+
- no shared market, skills, or workspace concepts.
|
|
42
|
+
|
|
43
|
+
Remote multi-user deployment can be designed later as a separate layer. The
|
|
44
|
+
local runtime should stay small and dependable.
|
|
@@ -0,0 +1,263 @@
|
|
|
1
|
+
# Project Status
|
|
2
|
+
|
|
3
|
+
## Current Phase
|
|
4
|
+
|
|
5
|
+
Release readiness: local MVP is prepared for first public release. P4.19 formal
|
|
6
|
+
npm publish is in progress and currently blocked only by npm two-factor
|
|
7
|
+
authentication OTP.
|
|
8
|
+
|
|
9
|
+
## Current State
|
|
10
|
+
|
|
11
|
+
- Project directory created.
|
|
12
|
+
- Project intent, install, tool, security, roadmap, and status docs exist.
|
|
13
|
+
- Local-first architecture selected.
|
|
14
|
+
- MCP server, local bridge, extension, runtime path helper, doctor command, and
|
|
15
|
+
bridge tests have been extracted.
|
|
16
|
+
- A distributable agent skill exists at
|
|
17
|
+
`skills/yunti-browser-runtime/SKILL.md`.
|
|
18
|
+
- README is Chinese-first and includes browser extension setup, MCP registration,
|
|
19
|
+
and agent skill installation steps.
|
|
20
|
+
- A staged execution plan exists at `docs/EXECUTION_PLAN.md`.
|
|
21
|
+
- Tool prefix is `yunti_*`.
|
|
22
|
+
- MCP local mode defaults to `userId=local`.
|
|
23
|
+
- Bridge HTTP routes now require `x-yunti-browser-token`; unauthenticated
|
|
24
|
+
`/health` only returns limited status.
|
|
25
|
+
- Bridge CORS now echoes only local debug origins and browser extension origins
|
|
26
|
+
by default, with `YUNTI_BROWSER_BRIDGE_ALLOW_ORIGINS` as an override.
|
|
27
|
+
- Extension popup can save the local bridge URL, token, and page match patterns.
|
|
28
|
+
- Browser sessions now track `lastSeenAt`, `lastActivatedAt`, `expiresAt`, and
|
|
29
|
+
`staleReason`; extension polling refreshes heartbeat and expired sessions are
|
|
30
|
+
cleaned up with recovery guidance.
|
|
31
|
+
- `npm run doctor` now checks Node version, bridge reachability, token validity,
|
|
32
|
+
registered sessions, active session, extension presence, MCP server path, and
|
|
33
|
+
skill path; it emits JSON plus a human-readable summary.
|
|
34
|
+
- `npm run print-config` prints MCP configuration for Codex, Claude Code,
|
|
35
|
+
Cursor, and Cline, including project paths, bridge port, token guidance, and
|
|
36
|
+
skill installation hints.
|
|
37
|
+
- `npm run package:extension` writes a minimal extension zip to `dist/` with
|
|
38
|
+
only extension runtime files.
|
|
39
|
+
- `npm run release:dry-run` and `npm run release:publish` pin the official npm
|
|
40
|
+
registry at `https://registry.npmjs.org/`, avoiding accidental publication to
|
|
41
|
+
a locally configured mirror registry.
|
|
42
|
+
- `npm run test:e2e` provides an opt-in real-browser Playwright smoke test for
|
|
43
|
+
extension loading, page registration, MCP target listing, snapshot, click/fill,
|
|
44
|
+
and CDP `Runtime.evaluate`.
|
|
45
|
+
- Package metadata now includes bin, files, repository, keywords, homepage,
|
|
46
|
+
bugs, and packageManager fields. The `yunti-browser-runtime` CLI routes
|
|
47
|
+
`mcp`, `bridge`, `doctor`, `print-config`, and `package-extension`.
|
|
48
|
+
- MCP tool schemas and usage hints have been split into `mcp/tools.js` so
|
|
49
|
+
`mcp/server.js` is focused on bridge, routing, and JSON-RPC behavior.
|
|
50
|
+
- MCP JSON-RPC response wrappers, redaction/event normalization helpers, and
|
|
51
|
+
learning memory storage have been split into `mcp/json-rpc.js`,
|
|
52
|
+
`mcp/redaction.js`, and `mcp/memory.js`.
|
|
53
|
+
- MCP session hub, request queueing, network/CDP/console event caches, and
|
|
54
|
+
bridge-local tool routing have been split into `mcp/bridge-hub.js`, while
|
|
55
|
+
`mcp/server.js` keeps compatibility re-exports.
|
|
56
|
+
- MCP HTTP bridge server, CORS/token checks, route handlers, and body parsing
|
|
57
|
+
have been split into `mcp/http-server.js`, while `mcp/server.js` keeps
|
|
58
|
+
compatibility re-exports.
|
|
59
|
+
- Extension settings/page matching and network monitoring have been split into
|
|
60
|
+
`extension/settings.js` and `extension/network-monitor.js`, and the extension
|
|
61
|
+
package script includes those module files.
|
|
62
|
+
- Extension CDP target routing, debugger attach/detach, and tracing helpers
|
|
63
|
+
have been split into `extension/cdp.js`, and the extension package script
|
|
64
|
+
includes the module file.
|
|
65
|
+
- Extension session registration, polling, popup state, bridge posting, and
|
|
66
|
+
console event forwarding have been split into `extension/session-manager.js`,
|
|
67
|
+
and the extension package script includes the module file.
|
|
68
|
+
- Extension tool dispatch and page operation handlers have been split into
|
|
69
|
+
`extension/tool-handlers.js`, and the extension package script includes the
|
|
70
|
+
module file.
|
|
71
|
+
- P3.2 tool argument validation is complete for `yunti_click`, `yunti_hover`,
|
|
72
|
+
`yunti_fill`, `yunti_close_page`, `yunti_cdp_send_command`, and
|
|
73
|
+
`yunti_forget_learning_memory`, with recovery-oriented errors and updated
|
|
74
|
+
usage hints.
|
|
75
|
+
- `docs/TOOL_GUIDE.md` and `skills/yunti-browser-runtime/SKILL.md` now document
|
|
76
|
+
the common P3.2 parameter rules.
|
|
77
|
+
- README and INSTALL now include P3.2 parameter recovery guidance.
|
|
78
|
+
- SECURITY now documents `storage` permission usage and broad host permission
|
|
79
|
+
rationale for the local-first extension.
|
|
80
|
+
- INSTALL now includes Codex, Claude Code, Cursor, and Cline MCP setup examples
|
|
81
|
+
based on `npm run print-config`.
|
|
82
|
+
- Extension registers all `http` and `https` pages by default.
|
|
83
|
+
- Product-specific fixed conversation, workspace, and side-panel entry points
|
|
84
|
+
have been removed from the standalone extension.
|
|
85
|
+
|
|
86
|
+
## Decisions
|
|
87
|
+
|
|
88
|
+
- Project name: `yunti-browser-runtime`.
|
|
89
|
+
- Public package/tooling prefix: `yunti`.
|
|
90
|
+
- Environment variable prefix: `YUNTI_BROWSER_`.
|
|
91
|
+
- Tool prefix target: `yunti_*`.
|
|
92
|
+
- `yunti_list_pages` is a compatibility alias for the live browser target
|
|
93
|
+
inventory, not a separate registration registry.
|
|
94
|
+
- If a `browserSessionId` becomes stale, agents should call
|
|
95
|
+
`yunti_list_browser_targets` to refresh the route inventory.
|
|
96
|
+
- The content script must not call product-specific login APIs in the
|
|
97
|
+
standalone runtime.
|
|
98
|
+
|
|
99
|
+
## Open Work
|
|
100
|
+
|
|
101
|
+
- Follow `docs/EXECUTION_PLAN.md` for the active P4.19 npm publish step.
|
|
102
|
+
- P4.1 release-readiness docs and permission review is complete.
|
|
103
|
+
- P4.2 Agent integration examples are complete.
|
|
104
|
+
- P4.3 npm publishing URL confirmation is complete with the GitHub repository
|
|
105
|
+
`https://github.com/dingguangyi0/yunti-browser-runtime`; package metadata
|
|
106
|
+
points to that repository/homepage/issues URL set and all three URLs return
|
|
107
|
+
HTTP 200.
|
|
108
|
+
- `npm view yunti-browser-runtime` currently returns E404, which is acceptable
|
|
109
|
+
only if `0.1.0` is intended to be the first npm release under this package
|
|
110
|
+
name.
|
|
111
|
+
- Latest release gate checks passed after documenting P4.3: public-doc residue
|
|
112
|
+
check, `npm run check`, `npm test`, and `npm pack --dry-run`.
|
|
113
|
+
- P4.4 release gate scripting is complete: `npm run release:check` now runs
|
|
114
|
+
public-doc residue checks, `npm run check`, `npm test`, and
|
|
115
|
+
`npm pack --dry-run`.
|
|
116
|
+
- P4.5 release runbook is complete: `docs/RELEASE.md` documents external URL
|
|
117
|
+
confirmation, release gates, extension zip checks, optional E2E, and npm
|
|
118
|
+
publish steps.
|
|
119
|
+
- Latest `npm run release:check` passed after adding the runbook; the npm
|
|
120
|
+
tarball includes `docs/RELEASE.md`.
|
|
121
|
+
- P4.6 package metadata checking is complete: `npm run check:metadata` reports
|
|
122
|
+
public reachability for package repository/homepage/bugs URLs and npm package
|
|
123
|
+
status, returning non-zero while the GitHub URLs are unavailable.
|
|
124
|
+
- Latest `npm run release:check` passed after adding metadata checking; the npm
|
|
125
|
+
tarball includes `scripts/check-package-metadata.js`.
|
|
126
|
+
- P4.7 prepublish gate is complete: `npm run release:prepublish` now runs
|
|
127
|
+
metadata checks before the local release gate and is expected to fail until
|
|
128
|
+
P4.3 repository URLs are public.
|
|
129
|
+
- Latest P4.7 validation: `npm run release:check` passed public-doc residue
|
|
130
|
+
checks, `npm run check`, `npm test`, and `npm pack --dry-run`; `npm run
|
|
131
|
+
release:prepublish` failed as expected at `check:metadata` because the current
|
|
132
|
+
repository and bugs URLs still return 404 or are not publicly reachable.
|
|
133
|
+
- P4.3 blocker remediation is documented in `docs/PUBLISHING_BLOCKERS.md`;
|
|
134
|
+
latest `npm run release:check` passed after adding that guide, and the npm
|
|
135
|
+
tarball now includes the blocker guide with 39 total files.
|
|
136
|
+
- P4.8 npm package contents gate is complete: `npm run release:check` now parses
|
|
137
|
+
`npm pack --json --dry-run` and fails if required runtime, extension, skill,
|
|
138
|
+
release documentation, or release helper files are missing from the tarball.
|
|
139
|
+
- Latest P4.8 validation: `npm run release:check` passed public-doc residue
|
|
140
|
+
checks, `npm run check`, `npm test`, and the required npm package contents
|
|
141
|
+
check; the parsed npm pack output contained 39 files.
|
|
142
|
+
- P4.9 extension zip contents gate is complete: `npm run release:check` now
|
|
143
|
+
runs `npm run package:extension`, parses the generated zip, and fails if the
|
|
144
|
+
archive is missing required extension runtime files or includes unexpected
|
|
145
|
+
files.
|
|
146
|
+
- Latest P4.9 validation: `npm run release:check` passed public-doc residue
|
|
147
|
+
checks, `npm run check`, `npm test`, required npm package contents validation,
|
|
148
|
+
and extension zip contents validation; the generated extension zip contained
|
|
149
|
+
exactly 12 runtime files.
|
|
150
|
+
- P4.10 package / extension version consistency gate is complete:
|
|
151
|
+
`npm run release:check` now fails if `package.json.version` and
|
|
152
|
+
`extension/manifest.json.version` are missing or different.
|
|
153
|
+
- Latest P4.10 validation: `npm run release:check` passed public-doc residue
|
|
154
|
+
checks, version consistency check for `0.1.0`, `npm run check`, `npm test`,
|
|
155
|
+
required npm package contents validation, and extension zip contents
|
|
156
|
+
validation.
|
|
157
|
+
- P4.11 npm bin CLI smoke gate is complete: `npm run release:check` now verifies
|
|
158
|
+
`package.json` bin mapping, `yunti-browser-runtime --help`, and
|
|
159
|
+
`yunti-browser-runtime --version` behavior through the local CLI entrypoint.
|
|
160
|
+
- Latest P4.11 validation: `npm run release:check` passed public-doc residue
|
|
161
|
+
checks, version consistency check for `0.1.0`, CLI smoke check for `0.1.0`,
|
|
162
|
+
`npm run check`, `npm test`, required npm package contents validation, and
|
|
163
|
+
extension zip contents validation.
|
|
164
|
+
- P4.12 Agent config smoke gate is complete: `npm run release:check` now
|
|
165
|
+
validates `print-config` JSON output for Codex, Claude Code, Cursor, and
|
|
166
|
+
Cline, plus the human-readable Codex output for token and skill guidance.
|
|
167
|
+
- Latest P4.12 validation: `npm run release:check` passed public-doc residue
|
|
168
|
+
checks, version consistency check for `0.1.0`, CLI smoke check for `0.1.0`,
|
|
169
|
+
print-config smoke check for 4 agents, `npm run check`, `npm test`, required
|
|
170
|
+
npm package contents validation, and extension zip contents validation.
|
|
171
|
+
- P4.13 doctor JSON smoke gate is complete: `npm run release:check` now runs
|
|
172
|
+
`scripts/doctor.js`, parses stdout JSON, validates Node/MCP/skill diagnostics,
|
|
173
|
+
and accepts bridge offline as a structured diagnostic state instead of a release
|
|
174
|
+
gate failure.
|
|
175
|
+
- Latest P4.13 validation: `npm run release:check` passed public-doc residue
|
|
176
|
+
checks, version consistency check for `0.1.0`, CLI smoke check for `0.1.0`,
|
|
177
|
+
print-config smoke check for 4 agents, doctor smoke check with bridge offline,
|
|
178
|
+
`npm run check`, `npm test`, required npm package contents validation, and
|
|
179
|
+
extension zip contents validation.
|
|
180
|
+
- P4.14 public Markdown link gate is complete: `npm run release:check` now scans
|
|
181
|
+
README, docs, and skills Markdown files and fails if a relative Markdown link
|
|
182
|
+
points to a missing local file.
|
|
183
|
+
- Latest P4.14 validation: `npm run release:check` passed public-doc residue
|
|
184
|
+
checks, public Markdown link check for 11 Markdown files, version consistency
|
|
185
|
+
check for `0.1.0`, CLI smoke check for `0.1.0`, print-config smoke check for
|
|
186
|
+
4 agents, doctor smoke check with bridge offline, `npm run check`, `npm test`,
|
|
187
|
+
required npm package contents validation, and extension zip contents
|
|
188
|
+
validation. The release gate test run covered 59 tests, with 58 passed and 1
|
|
189
|
+
real-browser smoke test skipped by configuration.
|
|
190
|
+
- Latest P4.3 validation: `git push -u origin main` succeeded, `npm run
|
|
191
|
+
check:metadata` passed with repository/homepage/bugs all returning HTTP 200,
|
|
192
|
+
and `npm run release:prepublish` passed end to end.
|
|
193
|
+
- `npm run check:metadata` now retries transient repository/homepage/bugs HEAD
|
|
194
|
+
request failures, so temporary GitHub TLS disconnects do not immediately block
|
|
195
|
+
an otherwise reachable public URL set.
|
|
196
|
+
- `npm run check:metadata` also reuses the repository HEAD result when homepage
|
|
197
|
+
resolves to the same GitHub URL, reducing duplicate external requests during
|
|
198
|
+
release gates.
|
|
199
|
+
- P4.15 npm official registry publish scripts are complete:
|
|
200
|
+
`release:dry-run` and `release:publish` explicitly use
|
|
201
|
+
`https://registry.npmjs.org/`.
|
|
202
|
+
- Latest P4.15 validation: local npm registry is
|
|
203
|
+
`https://registry.npmmirror.com`, while
|
|
204
|
+
`npm run release:dry-run` passed and showed the official npm registry as the
|
|
205
|
+
target; the dry-run tarball contained 39 files.
|
|
206
|
+
- P4.16 publish script gate chaining is complete: `release:dry-run` and
|
|
207
|
+
`release:publish` now run `npm run release:prepublish` before reaching npm
|
|
208
|
+
publish or publish dry-run.
|
|
209
|
+
- Latest P4.16 validation: `npm run release:dry-run` passed, entered
|
|
210
|
+
`release:prepublish` first, then completed npm publish dry-run against
|
|
211
|
+
`https://registry.npmjs.org/`; the tarball contained 39 files.
|
|
212
|
+
- P4.17 npm auth preflight is complete: `release:whoami` checks login against
|
|
213
|
+
`https://registry.npmjs.org/`, and `release:publish` runs it before
|
|
214
|
+
`npm publish`.
|
|
215
|
+
- Latest P4.17 validation: after npm login, `npm run release:whoami` succeeds
|
|
216
|
+
against `https://registry.npmjs.org/` and reports account `xuanzhu`.
|
|
217
|
+
- P4.18 post-publish verification command is complete:
|
|
218
|
+
`release:verify-published` checks the published npm package name, version,
|
|
219
|
+
repository, homepage, bugs URL, and tarball URL against local `package.json`.
|
|
220
|
+
- Latest P4.18 validation: `release:verify-published` currently fails with a
|
|
221
|
+
structured unpublished-package report for `yunti-browser-runtime@0.1.0`,
|
|
222
|
+
`node --check scripts/check-published-package.js` passes, and
|
|
223
|
+
`release:dry-run` passes with a 40-file npm tarball that includes the new
|
|
224
|
+
verifier.
|
|
225
|
+
- P4.19 formal npm publish execution is in progress: `npm run release:publish`
|
|
226
|
+
passed metadata checks, release gates, `npm run release:whoami`, `npm run
|
|
227
|
+
check`, `npm test`, npm package contents validation, and extension zip
|
|
228
|
+
validation before reaching `npm publish`.
|
|
229
|
+
- Latest P4.19 validation: official npm publish reached
|
|
230
|
+
`https://registry.npmjs.org/` with a 40-file tarball, then failed with npm
|
|
231
|
+
`E403` because the account requires two-factor authentication OTP or a
|
|
232
|
+
granular access token with bypass 2FA enabled.
|
|
233
|
+
- A temporary npm token publish retry also reached official npm publish after
|
|
234
|
+
passing the full local release gate, but npm returned the same `E403`; the
|
|
235
|
+
token does not satisfy npm's publish-time bypass 2FA requirement.
|
|
236
|
+
- A project-local `.npmrc` retry with the actual token also authenticated
|
|
237
|
+
successfully as `xuanzhu`, then failed at `npm publish` with the same `E403`;
|
|
238
|
+
`.npmrc` is ignored by git to avoid committing local npm credentials.
|
|
239
|
+
- A second npm token written to the project-local `.npmrc` also authenticated
|
|
240
|
+
successfully as `xuanzhu`, then failed at `npm publish` with the same `E403`.
|
|
241
|
+
- Next required release step: rerun
|
|
242
|
+
`npm run release:publish -- --otp=<6-digit-code>` with a current npm OTP, or
|
|
243
|
+
configure an npm granular access token that can publish with bypass 2FA; after
|
|
244
|
+
publish succeeds, run `npm run release:verify-published`.
|
|
245
|
+
|
|
246
|
+
## Known Risks
|
|
247
|
+
|
|
248
|
+
- Remote relay environment variables still exist in MCP code for compatibility
|
|
249
|
+
but are not documented as the first release path.
|
|
250
|
+
- Tool argument validation is improved for the P3.2 focus tools, but broader
|
|
251
|
+
long-tail tools can still receive the same treatment before a later release.
|
|
252
|
+
- Extension broad host permissions are now documented, but should still be
|
|
253
|
+
re-reviewed before any store-distributed release.
|
|
254
|
+
- Package repository/homepage/bugs metadata is publicly reachable, and the
|
|
255
|
+
final npm publish is now waiting on npm 2FA OTP or a publish-capable granular
|
|
256
|
+
access token.
|
|
257
|
+
- Tool names and descriptions must stay clear enough for agents to choose the
|
|
258
|
+
right route without relying on hidden model knowledge.
|
|
259
|
+
|
|
260
|
+
## Maintenance Rule
|
|
261
|
+
|
|
262
|
+
Every meaningful change to runtime behavior, tool schema, extension behavior,
|
|
263
|
+
or install flow must update this file before commit/release.
|
|
@@ -0,0 +1,110 @@
|
|
|
1
|
+
# Publishing Blockers
|
|
2
|
+
|
|
3
|
+
This document tracks release blockers that require external confirmation before
|
|
4
|
+
publishing `yunti-browser-runtime`.
|
|
5
|
+
|
|
6
|
+
## Active Blocker: npm 2FA Publish OTP
|
|
7
|
+
|
|
8
|
+
Status: active as of 2026-07-03.
|
|
9
|
+
|
|
10
|
+
`npm run release:publish` now passes local release gates and npm login preflight,
|
|
11
|
+
then reaches `npm publish --registry=https://registry.npmjs.org/`. The registry
|
|
12
|
+
rejects the publish with `E403` because the logged-in account requires
|
|
13
|
+
two-factor authentication for package publishing.
|
|
14
|
+
|
|
15
|
+
A temporary npm token retry also passed the local release gate and reached
|
|
16
|
+
official npm publish, but npm returned the same `E403`. That token does not
|
|
17
|
+
satisfy the publish-time bypass 2FA requirement.
|
|
18
|
+
|
|
19
|
+
A project-root `.npmrc` retry with the actual token also authenticated
|
|
20
|
+
successfully as `xuanzhu`, then failed at `npm publish` with the same `E403`.
|
|
21
|
+
The local `.npmrc` is ignored by git and must not be committed.
|
|
22
|
+
|
|
23
|
+
A second token written to the project-root `.npmrc` also authenticated
|
|
24
|
+
successfully as `xuanzhu`, then failed at `npm publish` with the same `E403`.
|
|
25
|
+
|
|
26
|
+
Resolution:
|
|
27
|
+
|
|
28
|
+
```bash
|
|
29
|
+
npm run release:publish -- --otp=<6-digit-code>
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
Use a fresh npm one-time password from the account authenticator. As an
|
|
33
|
+
alternative, configure a granular npm access token with package publish
|
|
34
|
+
permission and bypass 2FA enabled, then rerun `npm run release:publish`.
|
|
35
|
+
|
|
36
|
+
After publish succeeds, run:
|
|
37
|
+
|
|
38
|
+
```bash
|
|
39
|
+
npm run release:verify-published
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
## Resolved Blocker: P4.3 Package URLs
|
|
43
|
+
|
|
44
|
+
Status: resolved on 2026-07-02 with
|
|
45
|
+
`https://github.com/dingguangyi0/yunti-browser-runtime`.
|
|
46
|
+
|
|
47
|
+
The package metadata currently points to:
|
|
48
|
+
|
|
49
|
+
- Repository: `https://github.com/dingguangyi0/yunti-browser-runtime`
|
|
50
|
+
- Homepage: `https://github.com/dingguangyi0/yunti-browser-runtime#readme`
|
|
51
|
+
- Issues: `https://github.com/dingguangyi0/yunti-browser-runtime/issues`
|
|
52
|
+
|
|
53
|
+
The previous `yunti-ai/yunti-browser-runtime` metadata returned HTTP 404. The
|
|
54
|
+
project moved to the `dingguangyi0/yunti-browser-runtime` GitHub repository,
|
|
55
|
+
and the initial `main` push succeeded.
|
|
56
|
+
|
|
57
|
+
## Resolution Options
|
|
58
|
+
|
|
59
|
+
### Option A: Create Or Publicize The Current Repository
|
|
60
|
+
|
|
61
|
+
Use this when the intended public home is a not-yet-created or private
|
|
62
|
+
repository.
|
|
63
|
+
|
|
64
|
+
Checklist:
|
|
65
|
+
|
|
66
|
+
- Create the GitHub repository, or make the existing repository public.
|
|
67
|
+
- Enable issues, or choose a different public issue tracker.
|
|
68
|
+
- Confirm the repository URL and issues URL return non-404 responses.
|
|
69
|
+
- Keep the current `package.json` metadata unchanged if these URLs are correct.
|
|
70
|
+
- Run the validation commands below.
|
|
71
|
+
|
|
72
|
+
### Option B: Update Package Metadata To A Different Public Repository
|
|
73
|
+
|
|
74
|
+
Use this when the final public repository lives somewhere else.
|
|
75
|
+
|
|
76
|
+
Checklist:
|
|
77
|
+
|
|
78
|
+
- Update `package.json` `repository.url`.
|
|
79
|
+
- Update `package.json` `homepage`.
|
|
80
|
+
- Update `package.json` `bugs.url`.
|
|
81
|
+
- Update README, release docs, and status docs if they name the old URL.
|
|
82
|
+
- Run the validation commands below.
|
|
83
|
+
|
|
84
|
+
## Validation Commands
|
|
85
|
+
|
|
86
|
+
After either option is complete, run:
|
|
87
|
+
|
|
88
|
+
```bash
|
|
89
|
+
npm run check:metadata
|
|
90
|
+
npm run release:prepublish
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
Actual result after P4.3 is resolved:
|
|
94
|
+
|
|
95
|
+
- `npm run check:metadata` exits 0.
|
|
96
|
+
- Repository, homepage, and issue URLs are publicly reachable.
|
|
97
|
+
- `npm run release:prepublish` reaches and passes `npm run release:check`.
|
|
98
|
+
- npm E404 is accepted only for the first publish under the intended package
|
|
99
|
+
name.
|
|
100
|
+
|
|
101
|
+
Before the final publish, also run:
|
|
102
|
+
|
|
103
|
+
```bash
|
|
104
|
+
npm run release:dry-run
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
## Publish Readiness
|
|
108
|
+
|
|
109
|
+
`npm run release:prepublish` now passes. Before running `npm run
|
|
110
|
+
release:publish`, run and review `npm run release:dry-run`.
|