real-browser-cli 0.14.2__py3-none-any.whl

browser_cli/command_security.py

@@ -0,0 +1,119 @@
+"""Safety policy for generic command execution surfaces.
+
+Dedicated first-party CLI/SDK methods keep their normal behavior. This module
+only gates raw surfaces where a single string can trigger arbitrary browser
+capabilities: ``browser-cli command``, ``browser-cli script``, and the HTTP
+``/command`` endpoint.
+"""
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+SAFE_COMMANDS = {
+  "clients.list",
+  "extension.capabilities",
+  "extension.info",
+  "group.list",
+  "group.query",
+  "group.tabs",
+  "page.info",
+  "perf.status",
+  "tabs.active_in_window",
+  "tabs.count",
+  "tabs.filter",
+  "tabs.list",
+  "tabs.query",
+  "tabs.status",
+  "windows.list",
+}
+
+READ_PAGE_COMMANDS = {
+  "dom.attr",
+  "dom.exists",
+  "dom.query",
+  "dom.text",
+  "extract.html",
+  "extract.images",
+  "extract.json",
+  "extract.links",
+  "extract.markdown",
+  "extract.text",
+  "tabs.html",
+}
+
+CONTROL_PREFIXES = (
+  "navigate.",
+  "nav.",
+  "group.",
+  "session.",
+  "tabs.",
+  "windows.",
+)
+CONTROL_COMMANDS = {
+  "dom.check",
+  "dom.clear",
+  "dom.click",
+  "dom.focus",
+  "dom.hover",
+  "dom.key",
+  "dom.poll",
+  "dom.scroll",
+  "dom.select",
+  "dom.submit",
+  "dom.type",
+  "dom.uncheck",
+  "dom.wait_for",
+  "extension.reload",
+}
+
+DANGEROUS_COMMANDS = {
+  "dom.eval",
+  "tabs.screenshot",
+}
+DANGEROUS_PREFIXES = (
+  "storage.",
+)
+
+@dataclass(frozen=True)
+class CommandPolicy:
+  allow_read_page: bool = False
+  allow_control: bool = False
+  allow_dangerous: bool = False
+
+  @classmethod
+  def unrestricted(cls) -> "CommandPolicy":
+    return cls(allow_read_page=True, allow_control=True, allow_dangerous=True)
+
+def _is_control(command: str) -> bool:
+  if command in CONTROL_COMMANDS:
+    return True
+  if any(command.startswith(prefix) for prefix in CONTROL_PREFIXES):
+    return command not in SAFE_COMMANDS and command not in READ_PAGE_COMMANDS and command not in DANGEROUS_COMMANDS
+  return False
+
+def command_category(command: str) -> str:
+  name = str(command or "")
+  if name in DANGEROUS_COMMANDS or any(name.startswith(prefix) for prefix in DANGEROUS_PREFIXES):
+    return "dangerous"
+  if name in READ_PAGE_COMMANDS:
+    return "read-page"
+  if name in SAFE_COMMANDS:
+    return "safe"
+  if _is_control(name):
+    return "control"
+  return "unknown"
+
+def assert_command_allowed(command: str, policy: CommandPolicy) -> None:
+  category = command_category(command)
+  if category == "safe":
+    return
+  if category == "read-page" and policy.allow_read_page:
+    return
+  if category == "control" and policy.allow_control:
+    return
+  if category == "dangerous" and policy.allow_dangerous:
+    return
+  raise PermissionError(
+    f"Raw command '{command}' is {category} and blocked by default; "
+    "use --allow-read-page, --allow-control, or --allow-dangerous explicitly"
+  )

browser_cli/commands/__init__.py

@@ -0,0 +1,81 @@
+"""Shared helpers for the Click CLI command modules.
+
+Every CLI command is a thin presentation layer over the Python SDK: it builds a
+:class:`~browser_cli.BrowserCLI` from the global ``--browser/--remote/--key``
+options, calls the matching SDK namespace method, and renders the result. The
+SDK is the single source of truth for command strings, argument shapes, and
+multi-browser routing.
+"""
+import functools
+import click
+from rich.console import Console
+from rich.table import Table
+
+from browser_cli import BrowserCLI, BrowserCounts
+from browser_cli.client import BrowserNotConnected
+from browser_cli.constants import GENTLE_MODES
+
+_console = Console()
+
+# Reusable ``--tab`` option: select a tab by ID (default: the active tab).
+tab_option = click.option("--tab", "tab_id", type=int, default=None, help="Tab ID (default: active tab)")
+
+
+def gentle_mode_option(help_text: str):
+    """Reusable ``--gentle-mode`` Click option (throttle mode for large operations)."""
+    return click.option(
+        "--gentle-mode",
+        type=click.Choice(GENTLE_MODES),
+        default="auto",
+        show_default=True,
+        help=help_text,
+    )
+
+def print_counts(result, noun: str, *, single_suffix: str = "") -> None:
+    """Render a count result.
+
+    In multi-browser mode (*result* is a :class:`~browser_cli.BrowserCounts`) print a
+    per-browser table with a Total row; otherwise print a single ``N noun(s)`` line.
+    """
+    if isinstance(result, BrowserCounts):
+        table = Table(show_header=True, header_style="bold cyan")
+        table.add_column("Browser")
+        table.add_column(f"{noun.capitalize()}s", justify="right")
+        for name, count in result.by_browser.items():
+            table.add_row(name, str(count))
+        table.add_row("Total", str(result.total))
+        _console.print(table)
+    else:
+        _console.print(f"[bold]{result}[/bold] {noun}(s){single_suffix}")
+
+def client_from_ctx() -> BrowserCLI:
+    """Build a BrowserCLI from the root context's global options.
+
+    Reads ``browser``/``remote``/``key`` set by the top-level ``main`` group.
+    Falls back to an unconfigured client when a command group is invoked
+    standalone (e.g. in unit tests).
+    """
+    obj = click.get_current_context().find_root().obj or {}
+    return BrowserCLI(browser=obj.get("browser"), remote=obj.get("remote"), key=obj.get("key"))
+
+def handle_errors(fn):
+    """Decorate a CLI command so SDK exceptions become clean errors + exit(1).
+
+    Apply as the innermost decorator (directly above ``def``) so Click's option
+    decorators attach their params to the wrapper.
+    """
+    @functools.wraps(fn)
+    def wrapper(*args, **kwargs):
+        try:
+            return fn(*args, **kwargs)
+        except BrowserNotConnected as e:
+            _console.print(f"[red]Error:[/red] {e}")
+            raise SystemExit(1)
+        except PermissionError as e:
+            _console.print(f"[red]Blocked:[/red] {e}")
+            raise SystemExit(1)
+        except RuntimeError as e:
+            _console.print(f"[red]Browser error:[/red] {e}")
+            raise SystemExit(1)
+
+    return wrapper

browser_cli/commands/auth.py

@@ -0,0 +1,157 @@
+"""Click commands for browser-cli remote authentication keys."""
+from __future__ import annotations
+
+import os
+import sys
+from pathlib import Path
+
+import click
+from rich.console import Console
+
+console = Console()
+
+@click.group("auth")
+def auth_group():
+  """Manage Ed25519 keys for public-key authentication with browser-cli serve."""
+
+@auth_group.command("keygen")
+@click.option("--output", "-o", default=None, metavar="PATH", help="Output path for the private key PEM.")
+@click.option("--force", is_flag=True, help="Overwrite existing key.")
+def cmd_auth_keygen(output, force):
+  """Generate an Ed25519 keypair for pubkey auth."""
+  from browser_cli.auth import DEFAULT_KEY_PATH, generate_keypair
+
+  key_path = Path(output) if output else DEFAULT_KEY_PATH
+  if key_path.exists() and not force:
+    console.print(f"[red]Key already exists:[/red] {key_path}  (use --force to overwrite)")
+    sys.exit(1)
+  pem, pub_hex = generate_keypair()
+  key_path.parent.mkdir(parents=True, exist_ok=True)
+  fd = os.open(str(key_path), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+  with os.fdopen(fd, "wb") as f:
+    f.write(pem)
+  console.print(f"[green]✓[/green] Private key: {key_path}")
+  console.print(f"\nPublic key:\n  [bold cyan]{pub_hex}[/bold cyan]")
+  console.print("\nOn the serve host, trust this key:")
+  console.print(f"  [dim]browser-cli auth trust {pub_hex}[/dim]")
+
+@auth_group.command("trust")
+@click.argument("pubkey")
+@click.option("--name", default="", metavar="NAME", help="Human-friendly label for this key.")
+@click.option("--file", "keys_file", default=None, metavar="PATH", help="Authorized keys file (default: ~/.config/browser-cli/authorized_keys).")
+@click.pass_context
+def cmd_auth_trust(ctx, pubkey, name, keys_file):
+  """Add a public key to the authorized keys file (locally or on a remote serve host)."""
+  from browser_cli.auth import DEFAULT_AUTHORIZED_KEYS_PATH, add_authorized_key
+
+  if len(pubkey) != 64:
+    console.print("[red]Invalid public key:[/red] expected 64 hex characters (Ed25519 raw public key)")
+    sys.exit(1)
+  try:
+    bytes.fromhex(pubkey)
+  except ValueError:
+    console.print("[red]Invalid public key:[/red] not valid hex")
+    sys.exit(1)
+
+  remote = (ctx.obj or {}).get("remote")
+  if remote:
+    from browser_cli.client import send_command
+    result = send_command(
+      "browser-cli.auth.trust",
+      args={"pubkey": pubkey, "name": name},
+      remote=remote,
+      key=(ctx.obj or {}).get("key"),
+    )
+    added = (result or {}).get("added", False)
+    label = f" ({name})" if name else ""
+    if added:
+      console.print(f"[green]✓[/green] Trusted on {remote}{label}: [cyan]{pubkey}[/cyan]")
+    else:
+      console.print(f"[yellow]Already trusted on {remote}:[/yellow] {pubkey}")
+    return
+
+  path = Path(keys_file) if keys_file else DEFAULT_AUTHORIZED_KEYS_PATH
+  added = add_authorized_key(path, pubkey, name)
+  label = f" ({name})" if name else ""
+  if added:
+    console.print(f"[green]✓[/green] Trusted{label}: [cyan]{pubkey}[/cyan]")
+    console.print(f"  File: {path}")
+    console.print("\nStart the server with:")
+    console.print(f"  [dim]browser-cli serve --authorized-keys {path}[/dim]")
+  else:
+    console.print(f"[yellow]Already trusted:[/yellow] {pubkey}")
+
+@auth_group.command("show")
+@click.option(
+  "--key",
+  "key_src",
+  default=None,
+  metavar="PATH|agent[:<selector>]",
+  help="Key source: path to PEM file, 'agent', or 'agent:<comment-filter>'.",
+)
+def cmd_auth_show(key_src):
+  """Print the Ed25519 public key that browser-cli will use for auth."""
+  from browser_cli.auth import DEFAULT_KEY_PATH, agent_find_key, load_private_key, public_key_hex
+
+  src = key_src or os.environ.get("BROWSER_CLI_KEY", str(DEFAULT_KEY_PATH))
+
+  if src == "agent" or src.startswith("agent:"):
+    selector = src[6:] or None
+    key = agent_find_key(selector)
+    if key is None:
+      console.print("[red]No Ed25519 key found in SSH agent.[/red]")
+      console.print("  Make sure gpg-agent / ssh-agent is running and the key is loaded.")
+      sys.exit(1)
+    console.print(f"[dim]source:[/dim] agent ({key.comment})")
+    console.print(public_key_hex(key))
+    return
+
+  path = Path(src)
+  if not path.exists():
+    console.print(f"[red]No key found at {path}[/red]")
+    console.print("  Run: [dim]browser-cli auth keygen[/dim]")
+    console.print("  Or use: [dim]browser-cli auth show --key agent[/dim]")
+    sys.exit(1)
+  try:
+    priv = load_private_key(path)
+    console.print(f"[dim]source:[/dim] {path}")
+    console.print(public_key_hex(priv))
+  except Exception as e:
+    console.print(f"[red]Failed to load key:[/red] {e}")
+    sys.exit(1)
+
+@auth_group.command("keys")
+@click.option("--file", "keys_file", default=None, metavar="PATH", help="Authorized keys file (default: ~/.config/browser-cli/authorized_keys).")
+@click.pass_context
+def cmd_auth_keys(ctx, keys_file):
+  """List trusted public keys (server's authorized_keys). With --remote, queries the remote server."""
+  from rich.table import Table
+
+  remote = (ctx.obj or {}).get("remote")
+  if remote:
+    from browser_cli.client import send_command
+    result = send_command(
+      "browser-cli.auth.keys",
+      remote=remote,
+      key=(ctx.obj or {}).get("key"),
+    )
+    entries = result or []
+    source_label = remote
+  else:
+    from browser_cli.auth import DEFAULT_AUTHORIZED_KEYS_PATH, load_authorized_keys_with_names
+    path = Path(keys_file) if keys_file else DEFAULT_AUTHORIZED_KEYS_PATH
+    entries = [{"pubkey": pk, "name": name} for pk, name in load_authorized_keys_with_names(path)]
+    source_label = str(path)
+
+  if not entries:
+    console.print(f"[yellow]No trusted keys[/yellow] in {source_label}")
+    console.print("  Add one: [dim]browser-cli auth trust <public-key> --name <label>[/dim]")
+    return
+
+  table = Table(show_header=True, header_style="bold cyan")
+  table.add_column("Name")
+  table.add_column("Public Key")
+  for entry in entries:
+    name = entry.get("name") or "[dim]—[/dim]"
+    table.add_row(name, entry.get("pubkey", ""))
+  console.print(table)

browser_cli/commands/clients.py

@@ -0,0 +1,173 @@
+"""Click commands for inspecting connected browser clients."""
+from __future__ import annotations
+
+import os
+import sys
+
+import click
+from rich.console import Console
+
+from browser_cli.client import (
+  BrowserNotConnected,
+  REGISTRY_PATH,
+  active_browser_targets,
+  display_browser_name,
+  remote_browser_targets,
+  remote_target_for_alias,
+  send_command,
+)
+from browser_cli.registry import load_registry
+
+console = Console()
+
+def _rename_target_profile(target_browser: str | None) -> str | None:
+  if target_browser:
+    return target_browser
+
+  active = active_browser_targets()
+  if len(active) == 1:
+    return active[0].profile
+  return None
+
+def _ensure_unique_browser_alias(alias: str, target_browser: str | None) -> None:
+  target_profile = _rename_target_profile(target_browser)
+  profiles: dict[str, str] = load_registry(REGISTRY_PATH)
+
+  if alias in profiles and alias != target_profile:
+    raise click.ClickException(f"Browser alias '{alias}' already exists")
+
+def _append_clients(into, label, *, profile=None, remote=None, key=None, quiet_remote_warning=False):
+  """Query clients.list for one target and append each, tagged with *label*."""
+  if quiet_remote_warning:
+    result = send_command(
+      "clients.list",
+      profile=profile,
+      remote=remote,
+      key=key,
+      suppress_pq_warning=True,
+    )
+  else:
+    result = send_command("clients.list", profile=profile, remote=remote, key=key)
+  for c in (result or []):
+    c["profile"] = label
+    into.append(c)
+
+@click.group("clients", invoke_without_command=True)
+@click.pass_context
+def clients_group(ctx):
+  """Inspect and manage connected browser clients."""
+  if ctx.invoked_subcommand is not None:
+    return
+
+  all_clients = []
+
+  browser_alias = (ctx.obj or {}).get("browser")
+  remote = (ctx.obj or {}).get("remote") or os.environ.get("BROWSER_CLI_REMOTE")
+  key = (ctx.obj or {}).get("key")
+
+  if not remote and browser_alias:
+    _collect_remote_alias_clients(all_clients, browser_alias, key)
+  elif remote:
+    _collect_explicit_remote_clients(all_clients, browser_alias, remote, key)
+  else:
+    _collect_local_and_saved_remote_clients(all_clients)
+
+  if not all_clients:
+    console.print("[yellow]No browser clients found. Start a browser with the extension enabled first.[/yellow]")
+    sys.exit(1)
+
+  _print_clients(all_clients)
+
+def _collect_remote_alias_clients(all_clients: list, browser_alias: str, key) -> None:
+  resolved = remote_target_for_alias(browser_alias)
+  if not resolved:
+    return
+  try:
+    targets = remote_browser_targets(resolved.remote)
+  except (BrowserNotConnected, RuntimeError) as e:
+    console.print(f"[red]Error:[/red] {e}")
+    sys.exit(1)
+  for target in targets:
+    try:
+      _append_clients(all_clients, target.display_name, profile=target.profile, remote=resolved.remote, key=key)
+    except (BrowserNotConnected, RuntimeError):
+      continue
+
+def _collect_explicit_remote_clients(all_clients: list, browser_alias: str | None, remote: str, key) -> None:
+  try:
+    result = send_command("clients.list", profile=browser_alias, remote=remote, key=key)
+    for c in (result or []):
+      c["profile"] = c.get("profile") or browser_alias or "remote"
+      all_clients.append(c)
+  except (BrowserNotConnected, RuntimeError) as e:
+    console.print(f"[red]Error:[/red] {e}")
+    sys.exit(1)
+
+def _collect_local_and_saved_remote_clients(all_clients: list) -> None:
+  profiles: dict[str, str] = load_registry(REGISTRY_PATH) if REGISTRY_PATH.exists() else {}
+
+  for profile_name, sock_path in profiles.items():
+    display_profile = display_browser_name(profile_name, sock_path)
+    try:
+      _append_clients(all_clients, display_profile, profile=profile_name)
+    except (BrowserNotConnected, RuntimeError):
+      all_clients.append({
+        "profile": display_profile,
+        "name": "—",
+        "version": "—",
+        "extensionVersion": "disconnected",
+      })
+
+  targets = active_browser_targets(suppress_pq_warning=True)
+
+  for target in targets:
+    if target.remote is None:
+      continue
+    try:
+      _append_clients(
+        all_clients,
+        target.display_name,
+        profile=target.profile,
+        remote=target.remote,
+        quiet_remote_warning=True,
+      )
+    except (BrowserNotConnected, RuntimeError):
+      continue
+
+def _print_clients(all_clients: list) -> None:
+  from rich.table import Table
+  table = Table(show_header=True, header_style="bold cyan")
+  table.add_column("Profile")
+  table.add_column("Browser")
+  table.add_column("Version")
+  table.add_column("Extension Version")
+  for c in all_clients:
+    table.add_row(
+      c.get("profile", ""),
+      c.get("name", ""),
+      c.get("version", ""),
+      c.get("extensionVersion", ""),
+    )
+  console.print(table)
+
+@clients_group.command("rename")
+@click.option(
+  "--browser",
+  "target_browser",
+  default=None,
+  metavar="ALIAS",
+  help="Browser profile alias to rename. Overrides the global --browser option for this command.",
+)
+@click.argument("alias")
+@click.pass_context
+def cmd_clients_rename(ctx, target_browser, alias):
+  """Set the profile alias used to identify this browser instance."""
+  root_obj = ctx.find_root().obj or {}
+  selected_browser = target_browser or root_obj.get("browser")
+  try:
+    _ensure_unique_browser_alias(alias, selected_browser)
+    send_command("clients.rename_profile", {"alias": alias}, profile=selected_browser)
+  except BrowserNotConnected as e:
+    console.print(f"[red]Error:[/red] {e}")
+    sys.exit(1)
+  console.print(f"[green]Profile renamed to '{alias}'[/green]")

browser_cli/commands/completion.py

@@ -0,0 +1,56 @@
+"""Shell completion command."""
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+import click
+from rich.console import Console
+
+console = Console()
+
+@click.command("completion")
+@click.argument("shell", type=click.Choice(["zsh", "bash", "fish"]))
+@click.option("--script", is_flag=True, help="Output the raw completion script instead of instructions")
+@click.pass_context
+def cmd_completion(ctx, shell, script):
+  """Print shell completion setup instructions (or output the script with --script)."""
+  if script:
+    from click.shell_completion import BashComplete, FishComplete, ZshComplete
+    cls = {"zsh": ZshComplete, "bash": BashComplete, "fish": FishComplete}[shell]
+    comp = cls(ctx.find_root().command, {}, "browser-cli", "_BROWSER_CLI_COMPLETE")
+    click.echo(comp.source())
+    return
+
+  exe = sys.executable.replace("/python", "/browser-cli").replace("/python3", "/browser-cli")
+  if not Path(exe).exists():
+    exe = "browser-cli"
+
+  env_var = "_BROWSER_CLI_COMPLETE"
+
+  if shell == "zsh":
+    console.print("[bold]Quickest setup — generate the file once:[/bold]")
+    console.print()
+    console.print("  [cyan]uv run browser-cli completion zsh --script > ~/.zfunc/_browser-cli[/cyan]")
+    console.print()
+    console.print("  Then add these lines to [bold]~/.zshrc[/bold] (before any compinit call):")
+    console.print("  [cyan]fpath=(~/.zfunc $fpath)[/cyan]")
+    console.print("  [cyan]autoload -Uz compinit && compinit[/cyan]")
+    console.print()
+    console.print("  Reload: [cyan]exec zsh[/cyan]")
+    console.print()
+    console.print("[bold]Alternative — eval on every shell start (simpler but slower):[/bold]")
+    console.print(f'  [cyan]eval "$({env_var}=zsh_source {exe})"[/cyan]')
+  elif shell == "bash":
+    console.print("[bold]Quickest setup — generate the file once:[/bold]")
+    console.print()
+    console.print("  [cyan]uv run browser-cli completion bash --script > ~/.bash_completion.d/browser-cli[/cyan]")
+    console.print()
+    console.print("  Reload: [cyan]source ~/.bashrc[/cyan]")
+    console.print()
+    console.print("[bold]Alternative — eval on every shell start:[/bold]")
+    console.print(f'  [cyan]eval "$({env_var}=bash_source {exe})"[/cyan]')
+  elif shell == "fish":
+    console.print("[bold]Setup:[/bold]")
+    console.print()
+    console.print("  [cyan]uv run browser-cli completion fish --script > ~/.config/fish/completions/browser-cli.fish[/cyan]")

browser_cli/commands/doctor.py

@@ -0,0 +1,90 @@
+from __future__ import annotations
+
+import re
+import shutil
+from importlib.metadata import PackageNotFoundError, version as package_version
+from pathlib import Path
+
+import click
+from rich.console import Console
+from rich.table import Table
+
+from browser_cli.commands import handle_errors, client_from_ctx
+from browser_cli.client import active_browser_targets
+from browser_cli.constants import NATIVE_HOST_DIRS, NATIVE_HOST_NAME
+from browser_cli.platform import is_windows
+
+console = Console()
+
+def _project_version() -> str:
+    pyproject_path = Path(__file__).resolve().parents[2] / "pyproject.toml"
+    try:
+        content = pyproject_path.read_text(encoding="utf-8")
+        match = re.search(r'^version\s*=\s*"([^"]+)"', content, re.MULTILINE)
+        if match:
+            return match.group(1)
+    except OSError:
+        pass
+    try:
+        return package_version("browser-cli")
+    except PackageNotFoundError:
+        return "unknown"
+
+def _status(ok: bool) -> str:
+    return "[green]OK[/green]" if ok else "[red]FAIL[/red]"
+
+@click.command("doctor")
+@click.option("--remote", "check_remote", is_flag=True, help="Also probe the configured remote endpoint")
+@handle_errors
+def cmd_doctor(check_remote):
+    """Diagnose browser-cli installation, extension, and connection health."""
+    rows: list[tuple[str, bool, str]] = []
+    version = _project_version()
+    rows.append(("Python package", version != "unknown", version))
+    rows.append(("browser-cli executable", shutil.which("browser-cli") is not None, shutil.which("browser-cli") or "not on PATH"))
+
+    manifest_notes = []
+    if not is_windows():
+        import sys
+        platform = "darwin" if sys.platform == "darwin" else "linux"
+        for browser, by_platform in NATIVE_HOST_DIRS.items():
+            for directory in by_platform.get(platform, []):
+                path = directory / f"{NATIVE_HOST_NAME}.json"
+                if path.exists():
+                    manifest_notes.append(f"{browser}: {path}")
+    rows.append(("Native host manifest", bool(manifest_notes), "; ".join(manifest_notes) or "not found for common browsers"))
+
+    try:
+        targets = active_browser_targets(include_remotes=check_remote)
+        rows.append(("Browser registry", bool(targets), f"{len(targets)} active target(s)"))
+    except Exception as exc:
+        rows.append(("Browser registry", False, str(exc)))
+
+    client = client_from_ctx()
+    try:
+        clients = client.clients()
+        rows.append(("Connection", True, f"{len(clients)} client(s) responded"))
+        ext_versions = sorted({str(c.get("extensionVersion", "unknown")) for c in clients if isinstance(c, dict)})
+        if ext_versions:
+            rows.append(("Extension version", version in ext_versions, ", ".join(ext_versions)))
+    except Exception as exc:
+        rows.append(("Connection", False, str(exc)))
+
+    try:
+        info = client.extension.info()
+        caps = info.get("capabilities") or []
+        rows.append(("Extension info", True, f"v{info.get('version', 'unknown')} · {len(caps)} capabilities"))
+    except Exception as exc:
+        rows.append(("Extension info", False, f"not available ({exc})"))
+
+    table = Table(show_header=True, header_style="bold cyan")
+    table.add_column("Check")
+    table.add_column("Status")
+    table.add_column("Details")
+    for name, ok, detail in rows:
+        table.add_row(name, _status(ok), detail)
+    console.print(table)
+
+    failed = [name for name, ok, _ in rows if not ok and name in {"Connection", "Browser registry"}]
+    if failed:
+        raise SystemExit(1)