16 Commits

Author SHA1 Message Date
Tommy D. Rossi 86e7f7d861 Update remote-access.md 2026-02-26 21:18:43 +01:00
Tommy D. Rossi f87b0243cd format 2026-02-22 15:21:38 +01:00
Tommy D. Rossi 539aeaac91 rename accessibilitySnapshot to snapshot for shorter agent usage
The function is now exposed as `snapshot()` in the executor sandbox scope.
`accessibilitySnapshot` remains as a backward-compatible alias pointing to
the same function, so existing agents and saved commands continue to work.

Updated all code examples across skill.md, README, PLAYWRITER_AGENTS,
docs, tests, and the extension welcome page to use the shorter name.
2026-02-18 17:13:57 +01:00
Tommy D. Rossi 7ed17d264f skill: add computer use section mapping Anthropic/Claude extension actions to Playwright equivalents
Add a 'computer use' section to skill.md showing how Playwriter covers all
actions from the Anthropic computer_20250124 tool and the Claude Chrome
extension's custom computer tool, using Playwright APIs instead of
screenshot-based coordinate clicking.

Each subsection shows the declarative locator-based approach first (preferred)
with coordinate-based fallback for canvas/maps/custom widgets.

Also adds docs/claude-extension-tools.json with all 16 tool schemas extracted
from the Claude Chrome extension v1.0.39 (minified source) for reference.
2026-02-18 00:44:44 +01:00
Tommy D. Rossi 05700fa53b release: playwriter@0.0.63
Security hardening for privileged HTTP routes (/cli/*, /recording/*).

- Block cross-origin browser requests via Sec-Fetch-Site header validation (browsers always set this forbidden header; Node.js/curl clients don't send it, so they're unaffected)
- Reject POST requests without Content-Type: application/json to prevent the CORS simple-request bypass (text/plain POST skips CORS preflight entirely)
- Enforce token authentication on /cli/* and /recording/* when --token is set (remote access mode), matching the behavior documented in remote-access.md
- Update remote-access.md to clarify which routes require token auth
- Add security regression tests covering all attack vectors: Sec-Fetch-Site blocking, Content-Type enforcement, token validation, and Node.js client pass-through
2026-02-17 15:54:39 +01:00
Tommy D. Rossi ce775c06f6 fix: hide frontmatter in remote-access doc from GitHub rendering 2026-02-16 11:32:12 +01:00
Tommy D. Rossi fa68e33a78 feat: support HTTPS URLs in PLAYWRITER_HOST + remote access guide
PLAYWRITER_HOST now accepts full URLs like `https://x-tunnel.traforo.dev`
in addition to plain hostnames. Previously it always constructed
`http://${host}:19988` which broke when using traforo tunnels (HTTPS on
port 443).

Added `parseRelayHost()` utility that detects URL protocols and returns
correct HTTP/WebSocket base URLs. Updated all consumers:
- cli.ts: getServerUrl()
- mcp.ts: getLogServerUrl(), checkRemoteServer()
- executor.ts: checkExtensionStatus()
- utils.ts: getCdpUrl() (ws:// → wss:// for HTTPS hosts)

Plain hostnames still work as before (appends :19988).

Added docs/remote-access.md covering:
- Architecture: playwriter serve + traforo tunnel through Cloudflare
- Host and remote machine setup with env vars
- Use cases: remote Mac mini, user support, multi-machine, VM/devcontainer
- Security model: non-guessable URLs, token auth, localhost-only extension
  endpoint, no open ports, visible automation, instant revocation
2026-02-14 16:31:04 +01:00
Tommy D. Rossi 5098154585 docs: avoid focus stealing in framer iframe workflow
Document the page-reuse pattern for the Framer project tab so repeated checks do not spawn duplicate tabs, and explicitly ban bringToFront in this guide to avoid interrupting the active browser window during local debugging.
2026-02-11 16:16:39 +01:00
Tommy D. Rossi 87188423b1 feat: reuse Playwright's internal CDP session instead of creating new WebSocket connections
Switch from getCDPSessionForPage (creates a new WS via Target.attachToTarget)
to getExistingCDPSessionForPage which reuses Playwright's internal CRSession.
This is critical for the relay server where Target.attachToTarget is intercepted
and cannot create real new sessions.

Also add FrameLocator support in accessibilitySnapshot — FrameLocator (from
locator.contentFrame()) is now auto-resolved to the real Frame object needed
for OOPIF CDP session attachment.

- New PlaywrightCDPSessionAdapter wrapping Playwright's CDPSession as ICDPSession
- New getExistingCDPSessionForPage() using context.getExistingCDPSession()
- resolveFrame() helper converts FrameLocator to Frame via elementHandle().contentFrame()
- getAriaSnapshot() frame param now accepts Frame | FrameLocator
- Executor CDP cache uses ICDPSession, borrowed sessions detach as no-op
- Test for getExistingCDPSession through the relay
- Updated framer iframe guide with alternative page.frames() example
- Bump playwright submodule to @xmorse/playwright-core@1.59.2
- Fix styles-api.md import path
2026-02-06 18:03:26 +01:00
Tommy D. Rossi 66cdb02dd9 refactor: simplify iframe handling - use frame: Frame instead of iframe: Locator 2026-02-06 10:32:39 +01:00
Tommy D. Rossi 0eaf771c57 docs: refine Framer MCP palette verification 2026-02-05 15:48:17 +01:00
Tommy D. Rossi c4a413efba fix iframe snapshots and document Framer MCP flow 2026-02-05 14:49:32 +01:00
Tommy D. Rossi 0b2ef17040 slop 2026-01-24 18:25:54 +01:00
Tommy D. Rossi 802e6768e2 add showAriaRefLabels/hideAriaRefLabels for Vimium-style visual labels
- getAriaSnapshot() discovers aria refs and caches ElementHandles
- showAriaRefLabels() overlays yellow badges on interactive elements
- hideAriaRefLabels() removes labels from page
- test captures screenshots from HN, Google, GitHub
2026-01-03 15:17:47 +01:00
Tommy D. Rossi e3cb7fd1fd add test to find out how to remove sleep after extension connect 2026-01-02 14:24:15 +01:00
Tommy D. Rossi 2b0a5db49e adding docs 2026-01-01 12:00:02 +01:00