mirror of
https://github.com/garrytan/gstack.git
synced 2026-07-15 12:07:23 +02:00
feat: Phase 3.5 — cookie import, QA testing, team retro (v0.3.1) (#29)
* Phase 2: Enhanced browser — dialog handling, upload, state checks, snapshots - CircularBuffer O(1) ring buffer for console/network/dialog (was O(n) array+shift) - Async buffer flush with Bun.write() (was appendFileSync) - Dialog auto-accept/dismiss with buffer + prompt text support - File upload command (upload <sel> <file...>) - Element state checks (is visible/hidden/enabled/disabled/checked/editable/focused) - Annotated screenshots with ref labels overlaid (-a flag) - Snapshot diffing against previous snapshot (-D flag) - Cursor-interactive element scan for non-ARIA clickables (-C flag) - Snapshot scoping depth limit (-d N flag) - Health check with page.evaluate + 2s timeout - Playwright error wrapping — actionable messages for AI agents - Fix useragent — context recreation preserves cookies/storage/URLs - wait --networkidle / --load / --domcontentloaded flags - console --errors filter (error + warning only) - cookie-import <json-file> with auto-fill domain from page URL - 166 integration tests (was ~63) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Phase 2: Rewrite SKILL.md as QA playbook + command reference Reorient SKILL.md files from raw command reference to QA-first playbook with 10 workflow patterns (test user flows, verify deployments, dogfood features, responsive layouts, file upload, forms, dialogs, compare pages). Compact command reference tables at the bottom. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Phase 3: /qa skill — systematic QA testing with health scores New /qa skill for systematic web app QA testing. Three modes: - full: 5-10 documented issues with screenshots and repro steps - quick: 30-second smoke test with health score - regression: compare against saved baseline Includes issue taxonomy (7 categories, 4 severity levels), structured report template, health score rubric (weighted across 7 categories), framework detection guidance (Next.js, Rails, WordPress, SPA). Also adds browse/bin/find-browse (DRY binary discovery using git rev-parse), .gstack/ to .gitignore, and updated TODO roadmap. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Bump to v0.3.0 — Phase 2 + Phase 3 changelog Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: cookie-import-browser — Chromium cookie decryption module + tests Pure logic module for reading and decrypting cookies from macOS Chromium browsers (Comet, Chrome, Arc, Brave, Edge). Supports v10 AES-128-CBC encryption with macOS Keychain access, PBKDF2 key derivation, and per-browser key caching. 18 unit tests with encrypted cookie fixtures. * feat: cookie picker web UI + route handler Two-panel dark-theme picker served from the browse server. Left panel shows source browser domains with search and import buttons. Right panel shows imported domains with trash buttons. No cookie values exposed. 6 API endpoints, importedDomains Set tracking, inline clearCookies. * feat: wire cookie-import-browser into browse server Add cookie-picker route dispatch (no auth, localhost-only), add cookie-import-browser to WRITE_COMMANDS and CHAIN_WRITE, add serverPort property to BrowserManager, add write command with two modes (picker UI vs --domain direct import), update CLI help text. * chore: /setup-browser-cookies skill + docs (Phase 3.5) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * chore: bump version and changelog (v0.3.1) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * security: redact sensitive values from command output (PR #21) type no longer echoes text (reports character count), cookie redacts value with ****, header redacts Authorization/Cookie/X-API-Key/X-Auth-Token, storage set drops value, forms redacts password fields. Prevents secrets from persisting in LLM transcripts. 7 new tests. Credit: fredluz (PR #21) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * security: path traversal prevention for screenshot/pdf/eval (PR #26) Add validateOutputPath() for screenshot/pdf/responsive (restricts to /tmp and cwd) and validateReadPath() for eval (blocks .. sequences and absolute paths outside safe dirs). 7 new tests. Credit: Jah-yee (PR #26) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: auto-install Playwright Chromium in setup (PR #22) Setup now verifies Playwright can launch Chromium, and auto-installs it via `bunx playwright install chromium` if missing. Exits non-zero if build or Chromium launch fails. Credit: AkbarDevop (PR #22) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * security: fix path validation bypass, CORS restriction, cookie-import path check - startsWith('/tmp') matched '/tmpevil' — now requires trailing slash - CORS Access-Control-Allow-Origin changed from * to http://127.0.0.1:<port> - cookie-import now validates file paths (was missing validateReadPath) - 3 new tests for prefix collision and cookie-import path traversal Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: address review informational issues + add regression tests - Add cookie-import to CHAIN_WRITE set for chain command routing - Add path validation to snapshot -a -o output path - Fix package.json version to match 0.3.1 - Use crypto.randomUUID() for temp DB paths (unpredictable filenames) - Add regression tests for chain cookie-import and snapshot path validation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: add /qa, /setup-browser-cookies to README + update BROWSER.md - Add /qa and /setup-browser-cookies to skills table, install/update/uninstall blurbs - Add dedicated README sections for both new skills with usage examples - Update demo workflow to show cookie import → QA → browse flow - Update BROWSER.md: cookie import commands, new source files, test count (203) - Update skill count from 6 to 8 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: team-aware /retro v2.0 — per-person praise and growth opportunities - Identify current user via git config, orient narrative as "you" vs teammates - Add per-author metrics: commits, LOC, focus areas, commit type mix, sessions - New "Your Week" section with personal deep-dive for whoever runs the command - New "Team Breakdown" with per-person praise and growth opportunities - Track AI-assisted commits via Co-Authored-By trailers - Personal + team shipping streaks - Tone: praise like a 1:1, growth like investment advice, never compare negatively Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: add Conductor parallel sessions section to README Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -7,24 +7,53 @@
|
||||
- [x] Snapshot command with ref-based element selection
|
||||
- [x] Snapshot tests
|
||||
|
||||
## Phase 2: Enhanced Browser
|
||||
- [ ] Annotated screenshots (--annotate flag, numbered labels on elements mapped to refs)
|
||||
- [ ] Snapshot diffing (compare before/after accessibility trees, verify actions worked)
|
||||
- [ ] Dialog handling (dialog accept/dismiss — prevents browser lockup)
|
||||
- [ ] File upload (upload <sel> <files>)
|
||||
- [ ] Cursor-interactive elements (-C flag, detect divs with cursor:pointer/onclick/tabindex)
|
||||
- [ ] Element state checks (is visible/enabled/checked <sel>)
|
||||
## Phase 2: Enhanced Browser (v0.2.0) ✅
|
||||
- [x] Annotated screenshots (--annotate flag, ref labels overlaid on screenshot)
|
||||
- [x] Snapshot diffing (--diff flag, unified diff against previous snapshot)
|
||||
- [x] Dialog handling (auto-accept/dismiss, dialog buffer, prevents browser lockup)
|
||||
- [x] File upload (upload <sel> <files>)
|
||||
- [x] Cursor-interactive elements (-C flag, cursor:pointer/onclick/tabindex scan)
|
||||
- [x] Element state checks (is visible/hidden/enabled/disabled/checked/editable/focused)
|
||||
- [x] CircularBuffer — O(1) ring buffer for console/network/dialog (was O(n) array+shift)
|
||||
- [x] Async buffer flush with Bun.write() (was appendFileSync)
|
||||
- [x] Health check with page.evaluate('1') + 2s timeout
|
||||
- [x] Playwright error wrapping — actionable messages for AI agents
|
||||
- [x] Fix useragent — context recreation preserves cookies/storage/URLs
|
||||
- [x] DRY: getCleanText exported, command sets in chain updated
|
||||
- [x] 148 integration tests (was ~63)
|
||||
|
||||
## Phase 3: QA Testing Agent (dogfood skill)
|
||||
- [ ] SKILL.md — 6-phase workflow: Initialize → Authenticate → Orient → Explore → Document → Wrap up
|
||||
- [ ] Issue taxonomy reference (7 categories: visual, functional, UX, content, performance, console, accessibility)
|
||||
- [ ] Severity classification (critical/high/medium/low)
|
||||
- [ ] Exploration checklist per page
|
||||
- [ ] Report template (structured markdown with per-issue evidence)
|
||||
- [ ] Repro-first philosophy: every issue gets evidence before moving on
|
||||
- [ ] Two evidence tiers: interactive bugs (video + step-by-step screenshots), static bugs (single annotated screenshot)
|
||||
- [ ] Video recording (record start/stop for WebM capture via Playwright)
|
||||
- [ ] Key guidance: 5-10 well-documented issues per session, depth over breadth, write incrementally
|
||||
## Phase 3: QA Testing Agent (v0.3.0)
|
||||
- [x] `/qa` SKILL.md — 6-phase workflow: Initialize → Authenticate → Orient → Explore → Document → Wrap up
|
||||
- [x] Issue taxonomy reference (7 categories: visual, functional, UX, content, performance, console, accessibility)
|
||||
- [x] Severity classification (critical/high/medium/low)
|
||||
- [x] Exploration checklist per page
|
||||
- [x] Report template (structured markdown with per-issue evidence)
|
||||
- [x] Repro-first philosophy: every issue gets evidence before moving on
|
||||
- [x] Two evidence tiers: interactive bugs (multi-step screenshots), static bugs (single annotated screenshot)
|
||||
- [x] Key guidance: 5-10 well-documented issues per session, depth over breadth, write incrementally
|
||||
- [x] Three modes: full (systematic), quick (30-second smoke test), regression (compare against baseline)
|
||||
- [x] Framework detection guidance (Next.js, Rails, WordPress, SPA)
|
||||
- [x] Health score rubric (7 categories, weighted average)
|
||||
- [x] `wait --networkidle` / `wait --load` / `wait --domcontentloaded`
|
||||
- [x] `console --errors` (filter to error/warning only)
|
||||
- [x] `cookie-import <json-file>` (bulk cookie import with auto-fill domain)
|
||||
- [x] `browse/bin/find-browse` (DRY binary discovery across skills)
|
||||
- [ ] Video recording (deferred to Phase 5 — recreateContext destroys page state)
|
||||
|
||||
## Phase 3.5: Browser Cookie Import (v0.3.x)
|
||||
- [x] `cookie-import-browser` command (Chromium cookie DB decryption)
|
||||
- [x] Cookie picker web UI (served from browse server)
|
||||
- [x] `/setup-browser-cookies` skill
|
||||
- [x] Unit tests with encrypted cookie fixtures (18 tests)
|
||||
- [x] Browser registry (Comet, Chrome, Arc, Brave, Edge)
|
||||
|
||||
## Phase 3.6: Visual PR Annotations + S3 Upload
|
||||
- [ ] `/setup-gstack-upload` skill (configure S3 bucket for image hosting)
|
||||
- [ ] `browse/bin/gstack-upload` helper (upload file to S3, return public URL)
|
||||
- [ ] `/ship` Step 7.5: visual verification with screenshots in PR body
|
||||
- [ ] `/review` Step 4.5: visual review with annotated screenshots in PR
|
||||
- [ ] WebM → GIF conversion (ffmpeg) for video evidence in PRs
|
||||
- [ ] README documentation for visual PR annotations
|
||||
|
||||
## Phase 4: Skill + Browser Integration
|
||||
- [ ] ship + browse: post-deploy verification
|
||||
@@ -48,9 +77,11 @@
|
||||
- Pass/fail with evidence
|
||||
|
||||
## Phase 5: State & Sessions
|
||||
- [ ] v20 encryption format support (AES-256-GCM) — future Chromium versions may change from v10
|
||||
- [ ] Sessions (isolated browser instances with separate cookies/storage/history)
|
||||
- [ ] State persistence (save/load cookies + localStorage to JSON files)
|
||||
- [ ] Auth vault (encrypted credential storage, referenced by name, LLM never sees passwords)
|
||||
- [ ] Video recording (record start/stop — needs sessions for clean context lifecycle)
|
||||
- [ ] retro + browse: deployment health tracking
|
||||
- Screenshot production state
|
||||
- Check perf metrics (page load times)
|
||||
@@ -67,6 +98,12 @@
|
||||
- [ ] Streaming (WebSocket live preview for pair browsing)
|
||||
- [ ] CDP mode (connect to already-running Chrome/Electron apps)
|
||||
|
||||
## Future Ideas
|
||||
- [ ] Linux/Windows cookie decryption (GNOME Keyring / kwallet / DPAPI)
|
||||
- [ ] Trend tracking across QA runs — compare baseline.json over time, detect regressions (P2, S)
|
||||
- [ ] CI/CD integration — `/qa` as GitHub Action step, fail PR if health score drops (P2, M)
|
||||
- [ ] Accessibility audit mode — `--a11y` flag for focused accessibility testing (P3, S)
|
||||
|
||||
## Ideas & Notes
|
||||
- Browser is the nervous system — every skill should be able to see, interact with, and verify the web
|
||||
- Skills are the product; the browser enables them
|
||||
|
||||
Reference in New Issue
Block a user