yunti-browser-runtime 0.1.3 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +41 -9
- package/bin/yunti-browser-runtime.js +6 -0
- package/docs/ACTION_RESULT_COVERAGE.md +41 -0
- package/docs/AGENT_WORKFLOW_CONTRACT.md +108 -0
- package/docs/EXECUTION_PLAN.md +1433 -5
- package/docs/EXTENSION_DISTRIBUTION.md +146 -0
- package/docs/EXTENSION_PERMISSION_STRATEGY.md +167 -0
- package/docs/EXTENSION_STORE_COPY.md +213 -0
- package/docs/INSTALL.md +13 -7
- package/docs/NEXT_MAJOR_PLAN.md +808 -0
- package/docs/PROJECT_STATUS.md +1037 -7
- package/docs/PUBLISHING_BLOCKERS.md +1 -1
- package/docs/RELEASE.md +6 -2
- package/docs/RELEASE_0_2_0_CHECKLIST.md +827 -0
- package/docs/ROADMAP.md +44 -0
- package/docs/SECURITY.md +34 -0
- package/docs/TOOL_GUIDE.md +290 -5
- package/extension/background.js +20 -0
- package/extension/cdp.js +4 -0
- package/extension/content.js +167 -16
- package/extension/dom-observer.js +588 -0
- package/extension/manifest.json +3 -2
- package/extension/popup.js +2 -2
- package/extension/session-manager.js +106 -4
- package/extension/tool-handlers.js +1090 -156
- package/mcp/bridge-hub.js +257 -3
- package/mcp/http-server.js +213 -0
- package/mcp/memory.js +5 -5
- package/mcp/redaction.js +52 -3
- package/mcp/server.js +2 -0
- package/mcp/tools.js +421 -38
- package/package.json +4 -2
- package/scripts/check-action-result-coverage.js +145 -0
- package/scripts/doctor.js +6 -1
- package/scripts/package-extension.js +1 -0
- package/scripts/release-check.js +3 -0
- package/skills/yunti-browser-runtime/SKILL.md +128 -3
|
@@ -0,0 +1,146 @@
|
|
|
1
|
+
# Extension Distribution Readiness
|
|
2
|
+
|
|
3
|
+
This document tracks browser-store readiness for the Yunti Browser Runtime
|
|
4
|
+
extension. It is intentionally an audit and submission plan first, not an
|
|
5
|
+
immediate permission rewrite.
|
|
6
|
+
|
|
7
|
+
## Current Goal
|
|
8
|
+
|
|
9
|
+
Prepare for Chrome Web Store and Microsoft Edge Add-ons distribution while
|
|
10
|
+
preserving Yunti's local-first browser automation purpose:
|
|
11
|
+
|
|
12
|
+
- operate real user-opened Chrome/Edge pages through a local bridge;
|
|
13
|
+
- keep the unpacked extension path for developers and npm installs;
|
|
14
|
+
- avoid narrowing permissions until there is a tested replacement path;
|
|
15
|
+
- explain broad permissions honestly before any store submission.
|
|
16
|
+
|
|
17
|
+
## Official Policy Baseline
|
|
18
|
+
|
|
19
|
+
The store-facing baseline for this project is:
|
|
20
|
+
|
|
21
|
+
- Chrome permissions must be declared in the manifest, and some permissions
|
|
22
|
+
trigger install warnings. The current `debugger` permission is especially
|
|
23
|
+
sensitive because Chrome warns that it can access the page debugger backend
|
|
24
|
+
and read/change site data.
|
|
25
|
+
- Chrome Web Store policy expects a narrow, easy-to-understand single purpose,
|
|
26
|
+
minimum permissions, and user-data use limited to the disclosed purpose.
|
|
27
|
+
- Chrome Web Store privacy disclosures must match the extension behavior and
|
|
28
|
+
privacy policy, especially when handling page content, browsing activity,
|
|
29
|
+
request data, screenshots, or form data.
|
|
30
|
+
- Edge Add-ons policy similarly requires permissions only when necessary for
|
|
31
|
+
the declared functionality, plus a privacy policy link and store metadata.
|
|
32
|
+
- Edge Add-ons submission requires a zip package, required visual assets, a
|
|
33
|
+
listing description, and a privacy policy link.
|
|
34
|
+
|
|
35
|
+
References:
|
|
36
|
+
|
|
37
|
+
- Chrome permissions reference:
|
|
38
|
+
https://developer.chrome.com/docs/extensions/reference/permissions-list
|
|
39
|
+
- Chrome permission declaration guide:
|
|
40
|
+
https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions
|
|
41
|
+
- Chrome Web Store program policies:
|
|
42
|
+
https://developer.chrome.com/docs/webstore/program-policies/policies
|
|
43
|
+
- Chrome Web Store Limited Use policy:
|
|
44
|
+
https://developer.chrome.com/docs/webstore/program-policies/limited-use
|
|
45
|
+
- Microsoft Edge extensions overview and publishing requirements:
|
|
46
|
+
https://learn.microsoft.com/en-us/microsoft-edge/extensions/
|
|
47
|
+
- Microsoft Edge Add-ons developer policies:
|
|
48
|
+
https://learn.microsoft.com/en-us/legal/microsoft-edge/extensions/developer-policies
|
|
49
|
+
|
|
50
|
+
## Current Manifest Audit
|
|
51
|
+
|
|
52
|
+
Current file: `extension/manifest.json`.
|
|
53
|
+
|
|
54
|
+
| Manifest field | Current value | Why Yunti uses it | Store risk | P6.6.1 decision |
|
|
55
|
+
| --- | --- | --- | --- | --- |
|
|
56
|
+
| `manifest_version` | `3` | Required modern extension format. | Low. | Keep. |
|
|
57
|
+
| `permissions.activeTab` | present | Visible-tab capture fallback and temporary page access semantics. | Low to medium; generally narrower than persistent host access. | Keep. |
|
|
58
|
+
| `permissions.debugger` | present | CDP commands, target-level automation, console/runtime/network events, and low-level recovery. | High. Chrome shows a debugger warning and reviewers may ask why this is core. | Keep for now; store copy must explain this is the core browser automation transport. |
|
|
59
|
+
| `permissions.scripting` | present | Programmatically inject packaged content scripts into already-open supported pages after extension load or recovery. | Medium with broad host access; reviewers may ask why dynamic injection is needed. | Keep for developer/npm path so install does not require manual page refresh; explain it as recovery/registration, not arbitrary remote code execution. |
|
|
60
|
+
| `permissions.storage` | present | Local bridge URL, optional token, user id/name, and page match settings. | Low. | Keep. |
|
|
61
|
+
| `permissions.tabs` | present | Tab inventory, active tab selection, switching, and metadata routing. | Medium. Chrome may warn about browsing history. | Keep for now; evaluate whether any read paths can use host/activeTab data later. |
|
|
62
|
+
| `permissions.webRequest` | present | Sanitized network diagnostics and request observation. | Medium to high with broad hosts. | Keep for now; P6.6.2 should evaluate optionalizing network diagnostics. |
|
|
63
|
+
| `host_permissions` | `http://*/*`, `https://*/*` | Register and operate arbitrary user-selected http/https pages. | High because it maps to broad site access. | Keep for developer/npm path; store submission must decide broad access vs optional/site-request flow. |
|
|
64
|
+
| `host_permissions` | `http://127.0.0.1/*`, `http://localhost/*` | Local bridge communication. | Low but should be explained as local-only bridge access. | Keep. |
|
|
65
|
+
| `content_scripts.matches` | `http://*/*`, `https://*/*` | Observe and act on arbitrary web pages once loaded. | High because content scripts imply broad page access. | Keep for now; evaluate `optional_host_permissions` or user-triggered site access later. |
|
|
66
|
+
|
|
67
|
+
## Store Submission Checklist
|
|
68
|
+
|
|
69
|
+
Required before submitting to either store:
|
|
70
|
+
|
|
71
|
+
- Store description with one clear purpose:
|
|
72
|
+
"Local browser runtime that lets user-authorized AI agents inspect and
|
|
73
|
+
operate the user's own Chrome/Edge pages through a local bridge."
|
|
74
|
+
- Permission rationale for every manifest permission above.
|
|
75
|
+
- Privacy policy page that states:
|
|
76
|
+
- no hosted Yunti service is used in the default install path;
|
|
77
|
+
- observations are sent only to the local bridge on loopback by default;
|
|
78
|
+
- screenshots are visible pixels and may contain sensitive content;
|
|
79
|
+
- raw CDP diagnostics are a low-level exception and should be cleared;
|
|
80
|
+
- learning memory is local filesystem data;
|
|
81
|
+
- network/console/memory text is sanitized before storage or display;
|
|
82
|
+
- users can remove the extension and clear local memory.
|
|
83
|
+
- Store privacy/data disclosure answers aligned with `docs/SECURITY.md`.
|
|
84
|
+
- Visual assets:
|
|
85
|
+
- extension icon set for store and manifest;
|
|
86
|
+
- at least one screenshot of the optional local console;
|
|
87
|
+
- at least one screenshot or diagram of the extension popup zero-config state;
|
|
88
|
+
- optional short demo media showing local bridge + extension + agent workflow.
|
|
89
|
+
- Package artifact:
|
|
90
|
+
- `npm run package-extension` zip;
|
|
91
|
+
- package/manifest version consistency verified by `npm run release:check`;
|
|
92
|
+
- no local-only residue in public docs.
|
|
93
|
+
- Review notes:
|
|
94
|
+
- explain why `debugger` is core to browser automation;
|
|
95
|
+
- explain why broad host access exists in the developer/npm path;
|
|
96
|
+
- document the local-only bridge and no hosted relay default.
|
|
97
|
+
|
|
98
|
+
## Permission Narrowing Options
|
|
99
|
+
|
|
100
|
+
These are follow-up options, not P6.6.1 changes:
|
|
101
|
+
|
|
102
|
+
| Option | Benefit | Cost / risk |
|
|
103
|
+
| --- | --- | --- |
|
|
104
|
+
| Keep broad host permissions for store release | Preserves current one-step operation after install. | Highest review and user-trust burden. |
|
|
105
|
+
| Move broad hosts to optional host permissions | Better minimum-permission story. | Requires new UX for granting host access and robust recovery when not granted. |
|
|
106
|
+
| Use `activeTab` for a user-invoked page grant path | Much smaller default warning surface. | Breaks always-on agent operation unless redesigned around explicit user gestures. |
|
|
107
|
+
| Make network diagnostics optional | Reduces review surface for users who only need DOM actions. | Splits tool availability and recovery guidance; needs schema/tool hint updates. |
|
|
108
|
+
| Keep unpacked-only for 0.2.0 and defer store listing | Avoids premature permission compromises. | Users still manually load the extension. |
|
|
109
|
+
|
|
110
|
+
Recommended next slice: keep current manifest behavior, but draft store-facing
|
|
111
|
+
permission and privacy copy. Then decide whether `webRequest` and broad hosts
|
|
112
|
+
should become optional before a real store submission.
|
|
113
|
+
|
|
114
|
+
## Store Copy Draft
|
|
115
|
+
|
|
116
|
+
P6.6.2 store-facing copy is tracked in
|
|
117
|
+
[EXTENSION_STORE_COPY.md](EXTENSION_STORE_COPY.md). It contains draft short and
|
|
118
|
+
long descriptions, permission rationale, privacy-policy text, store data
|
|
119
|
+
disclosure guidance, reviewer notes, and the final review checklist.
|
|
120
|
+
|
|
121
|
+
## Permission Strategy Decision
|
|
122
|
+
|
|
123
|
+
P6.6.3 pre-store permission strategy is tracked in
|
|
124
|
+
[EXTENSION_PERMISSION_STRATEGY.md](EXTENSION_PERMISSION_STRATEGY.md). The
|
|
125
|
+
current decision keeps the npm/unpacked developer path unchanged, does not
|
|
126
|
+
recommend submitting the current broad-permission manifest unchanged by default,
|
|
127
|
+
and defines a future store-candidate track for optional host access and optional
|
|
128
|
+
network diagnostics.
|
|
129
|
+
|
|
130
|
+
## Current P6.6.1 Outcome
|
|
131
|
+
|
|
132
|
+
P6.6.1 completes when this audit is linked from public docs and the status files
|
|
133
|
+
identify the next store-readiness slice. It does not change extension runtime
|
|
134
|
+
behavior.
|
|
135
|
+
|
|
136
|
+
## Current P6.6.2 Outcome
|
|
137
|
+
|
|
138
|
+
P6.6.2 completes when the draft store copy pack is available and linked from
|
|
139
|
+
this distribution readiness audit. It does not change extension runtime
|
|
140
|
+
behavior or the submitted manifest strategy.
|
|
141
|
+
|
|
142
|
+
## Current P6.6.3 Outcome
|
|
143
|
+
|
|
144
|
+
P6.6.3 completes when the permission strategy decision is available and linked
|
|
145
|
+
from this distribution readiness audit. It does not change extension runtime
|
|
146
|
+
behavior or `extension/manifest.json`.
|
|
@@ -0,0 +1,167 @@
|
|
|
1
|
+
# Extension Permission Strategy
|
|
2
|
+
|
|
3
|
+
This document is the P6.6.3 pre-store permission strategy decision for Yunti
|
|
4
|
+
Browser Runtime. It turns the manifest audit and store-copy draft into a clear
|
|
5
|
+
product decision before any browser-store implementation work.
|
|
6
|
+
|
|
7
|
+
## Decision Summary
|
|
8
|
+
|
|
9
|
+
Yunti will keep the current npm/unpacked extension path unchanged for the
|
|
10
|
+
current `0.2.0` development cycle:
|
|
11
|
+
|
|
12
|
+
- broad `http` / `https` host access remains acceptable for the local developer
|
|
13
|
+
and npm-installed extension path;
|
|
14
|
+
- `webRequest` remains available by default for local diagnostics;
|
|
15
|
+
- `debugger`, `scripting`, `tabs`, screenshots, CDP, network, console, upload, and tab
|
|
16
|
+
capabilities remain part of Yunti's core local browser automation surface;
|
|
17
|
+
- the current manifest should not be submitted to Chrome Web Store or Edge
|
|
18
|
+
Add-ons as the recommended store build without an explicit maintainer
|
|
19
|
+
decision.
|
|
20
|
+
|
|
21
|
+
The recommended store-candidate direction is a two-track model:
|
|
22
|
+
|
|
23
|
+
- **Developer/npm track**: preserve today's zero-config, broad-access local
|
|
24
|
+
runtime for users who intentionally install Yunti as a browser automation
|
|
25
|
+
tool.
|
|
26
|
+
- **Store-candidate track**: design and test a lower-warning permission mode
|
|
27
|
+
before submission, likely using optional host access and optional network
|
|
28
|
+
diagnostics where the browser APIs and Yunti UX can support it reliably.
|
|
29
|
+
|
|
30
|
+
This is a decision checkpoint, not a manifest rewrite.
|
|
31
|
+
|
|
32
|
+
## Why This Decision
|
|
33
|
+
|
|
34
|
+
Yunti's core product promise is real local browser automation for arbitrary
|
|
35
|
+
user-opened Chrome/Edge pages. The current broad permissions support that
|
|
36
|
+
promise: an agent can observe, click, fill, scroll, inspect diagnostics, switch
|
|
37
|
+
tabs, and recover through CDP without forcing the user to grant site access on
|
|
38
|
+
every page first.
|
|
39
|
+
|
|
40
|
+
However, browser stores evaluate extension trust differently from a local
|
|
41
|
+
developer install:
|
|
42
|
+
|
|
43
|
+
- Chrome recommends optional permissions when functionality allows it, so users
|
|
44
|
+
get informed control over resource and data access.
|
|
45
|
+
- Chrome permission and host declarations can trigger user-visible install
|
|
46
|
+
warnings.
|
|
47
|
+
- Edge policy says extensions should request only permissions essential for the
|
|
48
|
+
declared functionality, and must clearly disclose dependency on non-integrated
|
|
49
|
+
software and testing steps.
|
|
50
|
+
- Yunti's current `debugger`, `scripting`, broad host access, `tabs`, and `webRequest`
|
|
51
|
+
combination is truthful for a browser automation runtime, but it is also the
|
|
52
|
+
highest-review-burden shape.
|
|
53
|
+
|
|
54
|
+
The safest product path is therefore:
|
|
55
|
+
|
|
56
|
+
1. Do not weaken the local Yunti experience just to reduce store warnings.
|
|
57
|
+
2. Do not submit a broad-permission store build casually.
|
|
58
|
+
3. Build a store-candidate mode only after the permission UX and recovery
|
|
59
|
+
behavior are designed and tested.
|
|
60
|
+
|
|
61
|
+
## Decision Matrix
|
|
62
|
+
|
|
63
|
+
| Option | Decision | Reason |
|
|
64
|
+
| --- | --- | --- |
|
|
65
|
+
| Submit current manifest unchanged to stores | Not recommended by default. | It preserves functionality, but broad host access plus `debugger` and `webRequest` creates high reviewer and user-trust burden. |
|
|
66
|
+
| Remove broad host permissions immediately | Rejected for now. | It would break the current zero-config observe/action workflow unless a replacement permission UX is implemented first. |
|
|
67
|
+
| Make `webRequest` optional before store submission | Recommended for design/prototype. | Network diagnostics are valuable but not required for every click/fill/scroll workflow. Optionalizing them may reduce review surface. |
|
|
68
|
+
| Move broad web access to optional host permissions | Recommended for design/prototype. | Better aligns with user-controlled access, but needs UX, content-script registration/injection changes, recovery guidance, and tests. |
|
|
69
|
+
| Keep npm/unpacked as the only 0.2.0 distribution path | Acceptable fallback. | Preserves the core product while avoiding premature store compromises. |
|
|
70
|
+
|
|
71
|
+
## Permission Strategy
|
|
72
|
+
|
|
73
|
+
### Developer / npm Track
|
|
74
|
+
|
|
75
|
+
Keep current behavior:
|
|
76
|
+
|
|
77
|
+
- `permissions`: `activeTab`, `debugger`, `scripting`, `storage`, `tabs`, `webRequest`.
|
|
78
|
+
- `host_permissions`: `http://*/*`, `https://*/*`, localhost bridge access.
|
|
79
|
+
- Static content scripts for `http` / `https` pages.
|
|
80
|
+
- Programmatic injection for already-open supported pages after extension load,
|
|
81
|
+
startup, bridge recovery, or target inventory refresh.
|
|
82
|
+
- Popup remains zero-config by default.
|
|
83
|
+
- Advanced page match patterns remain a runtime registration filter, not a
|
|
84
|
+
browser permission boundary.
|
|
85
|
+
|
|
86
|
+
This track is the default for local users who intentionally install the runtime
|
|
87
|
+
from npm and load the extension from the package directory.
|
|
88
|
+
|
|
89
|
+
### Store-Candidate Track
|
|
90
|
+
|
|
91
|
+
Do not implement this until the next slice has a concrete design. The target
|
|
92
|
+
shape should evaluate:
|
|
93
|
+
|
|
94
|
+
- `optional_host_permissions` for broad `http` / `https` page access.
|
|
95
|
+
- A first-run or popup flow that clearly requests access for the current site
|
|
96
|
+
or all sites, without becoming a mandatory hub.
|
|
97
|
+
- Recovery messages when the agent cannot observe a page because host access
|
|
98
|
+
has not been granted.
|
|
99
|
+
- Whether content scripts should remain declarative, be dynamically registered,
|
|
100
|
+
or be injected after permission grant.
|
|
101
|
+
- Optionalizing network diagnostics so `webRequest` is requested only when the
|
|
102
|
+
user enables debugging.
|
|
103
|
+
- Whether `debugger` can remain required for the store candidate, with strong
|
|
104
|
+
single-purpose justification, or whether some workflows can operate before
|
|
105
|
+
debugger attachment.
|
|
106
|
+
|
|
107
|
+
The store-candidate track must remain additive. It must not remove the
|
|
108
|
+
developer/npm track or narrow Yunti into a page-only automation tool.
|
|
109
|
+
|
|
110
|
+
## Required UX Before Store Submission
|
|
111
|
+
|
|
112
|
+
Before any store build with narrowed permissions:
|
|
113
|
+
|
|
114
|
+
- Popup should show a clear "grant access for this site" or equivalent action
|
|
115
|
+
when the current page is blocked by missing host permission.
|
|
116
|
+
- Agent-facing errors should say whether the page is unavailable because host
|
|
117
|
+
permission is missing, the bridge is offline, the page is unsupported, or the
|
|
118
|
+
browser blocked automatic injection.
|
|
119
|
+
- Tool hints and the packaged skill should explain how to recover:
|
|
120
|
+
`open page -> grant site access -> yunti_list_browser_targets`, with page
|
|
121
|
+
refresh only as a fallback.
|
|
122
|
+
- Optional network diagnostics should be visibly separate from basic DOM
|
|
123
|
+
automation.
|
|
124
|
+
- `doctor` should detect permission-mode problems and provide a human-readable
|
|
125
|
+
next step.
|
|
126
|
+
|
|
127
|
+
## Required Engineering Work Before Store Submission
|
|
128
|
+
|
|
129
|
+
If the store-candidate track proceeds, the next implementation slices should be
|
|
130
|
+
small and testable:
|
|
131
|
+
|
|
132
|
+
1. Add a permission-mode design/prototype for host access.
|
|
133
|
+
2. Add a diagnostics-mode design/prototype for `webRequest`.
|
|
134
|
+
3. Update extension popup state and background registration flow.
|
|
135
|
+
4. Update MCP errors, `yunti_get_tool_usage_hints`, Tool Guide, and packaged
|
|
136
|
+
skill for missing-permission recovery.
|
|
137
|
+
5. Add deterministic extension tests for permission-denied and permission-
|
|
138
|
+
granted paths.
|
|
139
|
+
6. Add real-browser E2E coverage for:
|
|
140
|
+
- page blocked before host grant;
|
|
141
|
+
- grant access;
|
|
142
|
+
- auto-register existing pages;
|
|
143
|
+
- observe/action success;
|
|
144
|
+
- optional diagnostics enabled/disabled.
|
|
145
|
+
7. Update store copy and privacy text after the final manifest strategy is
|
|
146
|
+
known.
|
|
147
|
+
|
|
148
|
+
## Store Readiness Gate
|
|
149
|
+
|
|
150
|
+
A browser-store submission should not proceed until all of these are true:
|
|
151
|
+
|
|
152
|
+
- final manifest permissions match the submitted store copy;
|
|
153
|
+
- privacy policy URL is published and matches runtime behavior;
|
|
154
|
+
- support URL and reviewer test steps are confirmed;
|
|
155
|
+
- screenshots use non-sensitive demo pages;
|
|
156
|
+
- `npm run release:check` passes;
|
|
157
|
+
- real-browser E2E passes with the submitted extension package;
|
|
158
|
+
- no local token, private path, unpublished account detail, or internal-only
|
|
159
|
+
URL appears in store metadata;
|
|
160
|
+
- maintainer explicitly accepts the remaining `debugger` and host-access
|
|
161
|
+
warnings.
|
|
162
|
+
|
|
163
|
+
## P6.6.3 Outcome
|
|
164
|
+
|
|
165
|
+
P6.6.3 completes when this decision is linked from distribution readiness docs
|
|
166
|
+
and status files. It does not change `extension/manifest.json` or runtime
|
|
167
|
+
behavior.
|
|
@@ -0,0 +1,213 @@
|
|
|
1
|
+
# Extension Store Copy Draft
|
|
2
|
+
|
|
3
|
+
This document is the P6.6.2 draft copy pack for future Chrome Web Store and
|
|
4
|
+
Microsoft Edge Add-ons submissions. It is written as reviewable product copy and
|
|
5
|
+
reviewer notes, not as a final legal policy.
|
|
6
|
+
|
|
7
|
+
Current status: draft for maintainer review. Do not submit this text to a store
|
|
8
|
+
until the maintainer has confirmed the final permission strategy, privacy-policy
|
|
9
|
+
URL, support URL, screenshots, and test instructions.
|
|
10
|
+
|
|
11
|
+
The current pre-store permission strategy decision is tracked in
|
|
12
|
+
`docs/EXTENSION_PERMISSION_STRATEGY.md`. Store copy must be reviewed again after
|
|
13
|
+
any manifest or permission-mode change.
|
|
14
|
+
|
|
15
|
+
## Policy Baseline
|
|
16
|
+
|
|
17
|
+
This copy follows the browser-store principles recorded in
|
|
18
|
+
`docs/EXTENSION_DISTRIBUTION.md`:
|
|
19
|
+
|
|
20
|
+
- Chrome extension permissions, host permissions, and content script matches
|
|
21
|
+
must be declared in the manifest. Some permissions and match patterns can
|
|
22
|
+
trigger install warnings.
|
|
23
|
+
- Chrome recommends optional permissions when the feature can support runtime
|
|
24
|
+
user grants.
|
|
25
|
+
- Chrome Web Store policy expects user data use to be limited to the disclosed
|
|
26
|
+
single purpose and the narrowest permissions needed for implemented features.
|
|
27
|
+
- Edge Add-ons policy expects the extension to request only permissions
|
|
28
|
+
essential for functioning, clearly disclose data handling, and maintain a
|
|
29
|
+
relevant privacy policy.
|
|
30
|
+
|
|
31
|
+
Official references:
|
|
32
|
+
|
|
33
|
+
- Chrome permission declaration:
|
|
34
|
+
https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions
|
|
35
|
+
- Chrome Web Store program policies:
|
|
36
|
+
https://developer.chrome.com/docs/webstore/program-policies/policies
|
|
37
|
+
- Chrome Web Store Limited Use policy:
|
|
38
|
+
https://developer.chrome.com/docs/webstore/program-policies/limited-use
|
|
39
|
+
- Microsoft Edge Add-ons developer policies:
|
|
40
|
+
https://learn.microsoft.com/en-us/legal/microsoft-edge/extensions/developer-policies
|
|
41
|
+
|
|
42
|
+
## One-Sentence Purpose
|
|
43
|
+
|
|
44
|
+
Local browser runtime that lets user-authorized AI agents inspect and operate
|
|
45
|
+
the user's own Chrome or Edge pages through a local MCP bridge.
|
|
46
|
+
|
|
47
|
+
## Short Description
|
|
48
|
+
|
|
49
|
+
Yunti Browser Runtime connects MCP-capable AI agents to the user's local
|
|
50
|
+
Chrome/Edge browser so the agent can inspect pages, click, type, switch tabs,
|
|
51
|
+
capture screenshots, and read sanitized diagnostics through a local bridge.
|
|
52
|
+
|
|
53
|
+
## Long Description Draft
|
|
54
|
+
|
|
55
|
+
Yunti Browser Runtime is a local-first browser automation extension for users
|
|
56
|
+
who want MCP-capable AI agents to operate their own Chrome or Edge pages.
|
|
57
|
+
|
|
58
|
+
The extension connects pages in the user's browser to a local bridge running on
|
|
59
|
+
the user's machine. Agents can then inspect the active page, click, type,
|
|
60
|
+
select, scroll, switch tabs, capture screenshots when needed, and read sanitized
|
|
61
|
+
network or console diagnostics. The default install path does not use a hosted
|
|
62
|
+
Yunti service.
|
|
63
|
+
|
|
64
|
+
Yunti is designed for explicit user-directed automation. The user installs the
|
|
65
|
+
runtime, loads or installs the extension, starts an MCP-capable agent, and keeps
|
|
66
|
+
control of which browser pages are open. The extension popup shows connection
|
|
67
|
+
status and keeps advanced settings, such as a custom bridge URL or optional
|
|
68
|
+
token, out of the default first-run path.
|
|
69
|
+
|
|
70
|
+
The extension needs broad browser access because browser automation must work
|
|
71
|
+
on user-selected websites, tabs, and application pages. Sensitive diagnostics
|
|
72
|
+
are minimized by default: page observation redacts credential-like values,
|
|
73
|
+
network and console summaries are sanitized before storage or display, and raw
|
|
74
|
+
CDP diagnostics are a low-level debugging exception that should be cleared after
|
|
75
|
+
use. Screenshots are real visible page pixels and may contain sensitive content,
|
|
76
|
+
so agents should request or use them only when visual evidence is needed.
|
|
77
|
+
|
|
78
|
+
## Permission Rationale Draft
|
|
79
|
+
|
|
80
|
+
Use this table as the source for Chrome Web Store permission justification,
|
|
81
|
+
Edge certification notes, and any public privacy-policy explanation.
|
|
82
|
+
|
|
83
|
+
| Manifest item | User-facing reason | Reviewer-facing detail | Keep / decide |
|
|
84
|
+
| --- | --- | --- | --- |
|
|
85
|
+
| `activeTab` | Allows temporary access to the visible tab for user-directed capture and fallback operations. | Used as a narrower visible-tab fallback where possible. It does not replace persistent access needed for the current automation workflow. | Keep. |
|
|
86
|
+
| `debugger` | Enables the local agent to control the user's browser tab through the browser's debugging protocol. | Core transport for CDP commands, target routing, console/runtime diagnostics, screenshots, and low-level recovery. This is high-sensitivity and must be explained as the product's primary browser automation mechanism. | Keep for current developer path; re-review before store submission. |
|
|
87
|
+
| `scripting` | Lets the extension inject its packaged content scripts into supported pages that were already open before the extension loaded. | Used for automatic page registration and recovery after install, browser startup, or background service worker restart. It does not execute remote code. | Keep for current developer path so users do not need to refresh pages by default; re-review before store submission. |
|
|
88
|
+
| `storage` | Saves local extension settings such as bridge URL, optional token, user id/name, and page match settings. | Stores local configuration only. It is not used for hosted sync by default. | Keep. |
|
|
89
|
+
| `tabs` | Lets the agent list and switch the user's open browser tabs. | Needed for tab inventory, target selection, activation, and routing metadata. Store copy should explain that tab metadata is used only for user-directed local automation. | Keep for current workflow; evaluate narrower alternatives later. |
|
|
90
|
+
| `webRequest` | Lets the runtime provide sanitized network diagnostics when debugging page automation. | Used for observation and diagnostics, not ad blocking or request modification. Because this combines with broad hosts, consider making network diagnostics optional in a later slice. | Keep for developer path; P6.6.3 should decide optionalization. |
|
|
91
|
+
| `host_permissions` for `http://*/*` and `https://*/*` | Lets the extension work on the web pages the user wants the agent to operate. | Broad host access supports arbitrary user-selected business apps, websites, and local workflows. This has the highest trust and review burden. Store submission must choose between broad access and an optional/site-grant UX. | Decision required before store submission. |
|
|
92
|
+
| `host_permissions` for `http://127.0.0.1/*` and `http://localhost/*` | Lets the extension communicate with the local bridge on the user's machine. | Required for local loopback communication. The default bridge URL is `http://127.0.0.1:48887`; no hosted relay is used by default. | Keep. |
|
|
93
|
+
| `content_scripts.matches` for `http://*/*` and `https://*/*` | Lets the extension observe and act on user-selected web pages. | Required for DOM observation, fresh element ids, click/fill/select/scroll actions, and page registration. Consider optional host permission UX before a store release if broad install-time warnings are unacceptable. | Decision required before store submission. |
|
|
94
|
+
|
|
95
|
+
## Privacy Policy Draft
|
|
96
|
+
|
|
97
|
+
Yunti Browser Runtime is local-first software. In the default install path, the
|
|
98
|
+
extension communicates with a bridge on the user's own machine at
|
|
99
|
+
`http://127.0.0.1:48887`. Yunti does not provide a hosted relay service in the
|
|
100
|
+
default install path.
|
|
101
|
+
|
|
102
|
+
The extension may access page content, page titles, URLs, tab metadata, visible
|
|
103
|
+
page pixels in screenshots, console messages, and network request metadata when
|
|
104
|
+
the user directs an MCP-capable agent to inspect or operate browser pages. This
|
|
105
|
+
access is used to provide the single purpose of local browser automation.
|
|
106
|
+
|
|
107
|
+
The runtime minimizes sensitive data exposure where possible. Structured page
|
|
108
|
+
observation redacts credential-like values by default and supports stricter
|
|
109
|
+
redaction for likely personal information. Network URLs, headers, request
|
|
110
|
+
bodies, console messages, learning-memory text, and diagnostic summaries are
|
|
111
|
+
sanitized before storage or display. Cookies and raw authorization headers are
|
|
112
|
+
not returned by the documented network tools.
|
|
113
|
+
|
|
114
|
+
Screenshots are real visible page pixels and may contain sensitive information.
|
|
115
|
+
Raw CDP diagnostics are a low-level debugging exception and may contain
|
|
116
|
+
sensitive payloads. Users and agents should prefer sanitized observations and
|
|
117
|
+
diagnostics, use screenshots and raw CDP only when needed, and clear raw CDP
|
|
118
|
+
diagnostics after debugging.
|
|
119
|
+
|
|
120
|
+
Learning memory, if used, is stored on the local filesystem under the user's
|
|
121
|
+
Yunti data directory. Users can delete local learning memory and can remove the
|
|
122
|
+
browser extension at any time.
|
|
123
|
+
|
|
124
|
+
Yunti Browser Runtime does not intentionally collect data for advertising,
|
|
125
|
+
profiling, resale, or cross-site tracking. External agents that call Yunti MCP
|
|
126
|
+
tools may have their own data handling policies; users should review the agent
|
|
127
|
+
they choose to connect.
|
|
128
|
+
|
|
129
|
+
## Store Data Disclosure Draft
|
|
130
|
+
|
|
131
|
+
These answers are draft guidance for store forms. Final answers must match the
|
|
132
|
+
actual submitted build and privacy policy.
|
|
133
|
+
|
|
134
|
+
| Data surface | Accessed? | Stored by Yunti by default? | Sent to hosted Yunti service? | Draft disclosure |
|
|
135
|
+
| --- | --- | --- | --- | --- |
|
|
136
|
+
| Page content / DOM text | Yes, when an agent observes or operates a page. | No persistent DOM storage by default. | No. | Used only for local browser automation and redacted by default for credential-like values. |
|
|
137
|
+
| URLs and tab titles | Yes. | May appear in sanitized runtime summaries or local diagnostics. | No. | Used for tab selection, routing, and user-visible diagnostics. |
|
|
138
|
+
| Screenshots | Yes, when requested by an agent/tool. | Not persisted by the extension by default. | No hosted Yunti service by default. | Visible pixels may contain sensitive content; use only when visual inspection is needed. |
|
|
139
|
+
| Network diagnostics | Yes, for pages where the extension is active. | Sanitized summaries may be cached locally in memory. | No. | Used to debug page automation; cookies and raw authorization headers are not returned by documented tools. |
|
|
140
|
+
| Console diagnostics | Yes. | Sanitized summaries may be cached locally in memory. | No. | Used to debug page automation and JavaScript errors. |
|
|
141
|
+
| Learning memory | Optional MCP feature. | Yes, local filesystem only when the user/agent writes memory. | No. | Sanitized before disk writes; users can delete memory. |
|
|
142
|
+
| Bridge settings | Yes. | Yes, in extension local storage. | No. | Stores bridge URL, optional token, user id/name, and page-match settings. |
|
|
143
|
+
|
|
144
|
+
## Reviewer Notes Draft
|
|
145
|
+
|
|
146
|
+
Yunti Browser Runtime depends on local software outside the extension: an MCP
|
|
147
|
+
server and bridge installed through npm. The extension is not useful by itself;
|
|
148
|
+
it is the browser-side component for the local runtime. Submission notes should
|
|
149
|
+
include install and test steps:
|
|
150
|
+
|
|
151
|
+
1. Install Node.js 22 or newer.
|
|
152
|
+
2. Install the runtime package.
|
|
153
|
+
3. Start or configure an MCP-capable agent so it launches the local bridge.
|
|
154
|
+
4. Install the extension build.
|
|
155
|
+
5. Open or keep an `http` or `https` page; the extension auto-registers
|
|
156
|
+
accessible pages and only needs a refresh if browser restrictions prevent
|
|
157
|
+
injection.
|
|
158
|
+
6. Run `yunti-browser-runtime doctor`.
|
|
159
|
+
7. Verify that the extension shows a connected page and that MCP tools can list
|
|
160
|
+
browser targets.
|
|
161
|
+
|
|
162
|
+
Reviewer explanation for broad access:
|
|
163
|
+
|
|
164
|
+
```text
|
|
165
|
+
Yunti Browser Runtime is a local browser automation runtime. Its single purpose
|
|
166
|
+
is to let a user-authorized MCP agent inspect and operate the user's own
|
|
167
|
+
Chrome/Edge pages through a local bridge. Broad web access is currently required
|
|
168
|
+
because the user may ask the agent to operate arbitrary websites and business
|
|
169
|
+
applications that are already open in the browser. The default path does not use
|
|
170
|
+
a hosted Yunti service; observations route to the local bridge on loopback.
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
Reviewer explanation for `debugger`:
|
|
174
|
+
|
|
175
|
+
```text
|
|
176
|
+
The debugger permission is part of the core automation transport. It lets the
|
|
177
|
+
runtime use Chrome DevTools Protocol for target routing, tab-level automation,
|
|
178
|
+
screenshots, console/runtime diagnostics, and low-level recovery. The extension
|
|
179
|
+
does not use debugger access for advertising, profiling, or unrelated browsing
|
|
180
|
+
history collection.
|
|
181
|
+
```
|
|
182
|
+
|
|
183
|
+
Reviewer explanation for local bridge dependency:
|
|
184
|
+
|
|
185
|
+
```text
|
|
186
|
+
The extension communicates with local software running on the user's own
|
|
187
|
+
machine, normally at http://127.0.0.1:48887. This local bridge is installed as
|
|
188
|
+
part of yunti-browser-runtime and is required for the extension's primary
|
|
189
|
+
browser automation function.
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
## Final Review Checklist
|
|
193
|
+
|
|
194
|
+
Before store submission:
|
|
195
|
+
|
|
196
|
+
- Confirm whether broad `http` / `https` host access remains in the submitted
|
|
197
|
+
manifest or moves to optional host permissions.
|
|
198
|
+
- Confirm whether `webRequest` remains always-on or becomes an optional
|
|
199
|
+
diagnostics feature.
|
|
200
|
+
- Confirm the submitted build follows the accepted strategy in
|
|
201
|
+
`docs/EXTENSION_PERMISSION_STRATEGY.md`.
|
|
202
|
+
- Confirm the final privacy-policy URL and support URL.
|
|
203
|
+
- Confirm screenshots do not expose real private browser data.
|
|
204
|
+
- Confirm all store form answers match the submitted manifest and package.
|
|
205
|
+
- Confirm reviewer test steps work on a clean machine.
|
|
206
|
+
- Confirm no npm token, local path, private account, or unpublished internal
|
|
207
|
+
detail appears in public store metadata.
|
|
208
|
+
|
|
209
|
+
## P6.6.2 Outcome
|
|
210
|
+
|
|
211
|
+
P6.6.2 is complete when this copy pack is linked from distribution readiness
|
|
212
|
+
docs and status files. It intentionally does not change the extension manifest
|
|
213
|
+
or runtime behavior.
|
package/docs/INSTALL.md
CHANGED
|
@@ -63,7 +63,8 @@ Development loading:
|
|
|
63
63
|
2. Enable developer mode.
|
|
64
64
|
3. Choose "Load unpacked".
|
|
65
65
|
4. Select the project `extension/` directory.
|
|
66
|
-
5. Open or
|
|
66
|
+
5. Open or keep any `http` or `https` page. The extension automatically tries
|
|
67
|
+
to inject and register accessible existing pages.
|
|
67
68
|
6. Do not open the extension popup unless you want to confirm status or
|
|
68
69
|
customize settings.
|
|
69
70
|
|
|
@@ -150,8 +151,9 @@ npm run print-config -- --agent cline --human
|
|
|
150
151
|
```
|
|
151
152
|
|
|
152
153
|
Add the printed server entry to Cline's MCP settings. Keep the extension loaded
|
|
153
|
-
in Chrome/Edge
|
|
154
|
-
|
|
154
|
+
in Chrome/Edge. The extension should register accessible `http`/`https` pages
|
|
155
|
+
automatically; refresh the target page only if browser restrictions or a failed
|
|
156
|
+
doctor check make it necessary.
|
|
155
157
|
|
|
156
158
|
## Check Health
|
|
157
159
|
|
|
@@ -187,7 +189,9 @@ runs the unit test suite, and verifies the npm package contents with
|
|
|
187
189
|
|
|
188
190
|
## Common Recovery
|
|
189
191
|
|
|
190
|
-
- If tools say no browser tab is connected,
|
|
192
|
+
- If tools say no browser tab is connected, call `yunti_list_browser_targets`
|
|
193
|
+
or run doctor first; the extension will try to auto-register accessible pages.
|
|
194
|
+
Refresh the target page only as a fallback.
|
|
191
195
|
- If doctor reports `authorized: false` with `authRequired: true`, set
|
|
192
196
|
`YUNTI_BROWSER_BRIDGE_TOKEN` and save the same token in the extension popup.
|
|
193
197
|
- If an old `browserSessionId` fails, call `yunti_list_browser_targets` again
|
|
@@ -198,8 +202,9 @@ runs the unit test suite, and verifies the npm package contents with
|
|
|
198
202
|
is rejected.
|
|
199
203
|
- For closing a raw `tabId` or `targetId`, use `yunti_cdp_send_command` with
|
|
200
204
|
`Target.closeTarget` instead of `yunti_close_page`.
|
|
201
|
-
- If the extension was reloaded,
|
|
202
|
-
|
|
205
|
+
- If the extension was reloaded, it should scan and register accessible pages
|
|
206
|
+
automatically. Refresh browser pages only if the page cannot be injected or
|
|
207
|
+
remains invisible after the recovery check.
|
|
203
208
|
|
|
204
209
|
## Real Browser Smoke Test
|
|
205
210
|
|
|
@@ -212,6 +217,7 @@ YUNTI_E2E=1 npm run test:e2e
|
|
|
212
217
|
|
|
213
218
|
It uses Playwright with a persistent Chromium profile, loads the unpacked
|
|
214
219
|
extension, starts a local test page, starts the bridge, and verifies MCP list
|
|
215
|
-
targets, page snapshot, click
|
|
220
|
+
targets, page snapshot, `observe -> click uid -> verify`, fill, and CDP
|
|
221
|
+
`Runtime.evaluate`. Install
|
|
216
222
|
Playwright and Chromium before enabling it. Failures print the artifact
|
|
217
223
|
directory containing screenshot and error log paths.
|