CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-01 19:25:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
f7b95329c1628524583031f6d4672c58a8d86e45
gstack/TODO.md
T
Garry Tan f7b95329c1 feat: Phase 3.5 — cookie import, QA testing, team retro (v0.3.1) (#29) 
* Phase 2: Enhanced browser — dialog handling, upload, state checks, snapshots

- CircularBuffer O(1) ring buffer for console/network/dialog (was O(n) array+shift)
- Async buffer flush with Bun.write() (was appendFileSync)
- Dialog auto-accept/dismiss with buffer + prompt text support
- File upload command (upload <sel> <file...>)
- Element state checks (is visible/hidden/enabled/disabled/checked/editable/focused)
- Annotated screenshots with ref labels overlaid (-a flag)
- Snapshot diffing against previous snapshot (-D flag)
- Cursor-interactive element scan for non-ARIA clickables (-C flag)
- Snapshot scoping depth limit (-d N flag)
- Health check with page.evaluate + 2s timeout
- Playwright error wrapping — actionable messages for AI agents
- Fix useragent — context recreation preserves cookies/storage/URLs
- wait --networkidle / --load / --domcontentloaded flags
- console --errors filter (error + warning only)
- cookie-import <json-file> with auto-fill domain from page URL
- 166 integration tests (was ~63)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Phase 2: Rewrite SKILL.md as QA playbook + command reference

Reorient SKILL.md files from raw command reference to QA-first playbook
with 10 workflow patterns (test user flows, verify deployments, dogfood
features, responsive layouts, file upload, forms, dialogs, compare pages).
Compact command reference tables at the bottom.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Phase 3: /qa skill — systematic QA testing with health scores

New /qa skill for systematic web app QA testing. Three modes:
- full: 5-10 documented issues with screenshots and repro steps
- quick: 30-second smoke test with health score
- regression: compare against saved baseline

Includes issue taxonomy (7 categories, 4 severity levels), structured
report template, health score rubric (weighted across 7 categories),
framework detection guidance (Next.js, Rails, WordPress, SPA).

Also adds browse/bin/find-browse (DRY binary discovery using git
rev-parse), .gstack/ to .gitignore, and updated TODO roadmap.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Bump to v0.3.0 — Phase 2 + Phase 3 changelog

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: cookie-import-browser — Chromium cookie decryption module + tests

Pure logic module for reading and decrypting cookies from macOS Chromium
browsers (Comet, Chrome, Arc, Brave, Edge). Supports v10 AES-128-CBC
encryption with macOS Keychain access, PBKDF2 key derivation, and
per-browser key caching. 18 unit tests with encrypted cookie fixtures.

* feat: cookie picker web UI + route handler

Two-panel dark-theme picker served from the browse server. Left panel
shows source browser domains with search and import buttons. Right panel
shows imported domains with trash buttons. No cookie values exposed.
6 API endpoints, importedDomains Set tracking, inline clearCookies.

* feat: wire cookie-import-browser into browse server

Add cookie-picker route dispatch (no auth, localhost-only), add
cookie-import-browser to WRITE_COMMANDS and CHAIN_WRITE, add serverPort
property to BrowserManager, add write command with two modes (picker UI
vs --domain direct import), update CLI help text.

* chore: /setup-browser-cookies skill + docs (Phase 3.5)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: bump version and changelog (v0.3.1)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* security: redact sensitive values from command output (PR #21)

type no longer echoes text (reports character count), cookie redacts
value with ****, header redacts Authorization/Cookie/X-API-Key/X-Auth-Token,
storage set drops value, forms redacts password fields. Prevents secrets
from persisting in LLM transcripts. 7 new tests.

Credit: fredluz (PR #21)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* security: path traversal prevention for screenshot/pdf/eval (PR #26)

Add validateOutputPath() for screenshot/pdf/responsive (restricts to
/tmp and cwd) and validateReadPath() for eval (blocks .. sequences and
absolute paths outside safe dirs). 7 new tests.

Credit: Jah-yee (PR #26)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: auto-install Playwright Chromium in setup (PR #22)

Setup now verifies Playwright can launch Chromium, and auto-installs
it via `bunx playwright install chromium` if missing. Exits non-zero
if build or Chromium launch fails.

Credit: AkbarDevop (PR #22)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* security: fix path validation bypass, CORS restriction, cookie-import path check

- startsWith('/tmp') matched '/tmpevil' — now requires trailing slash
- CORS Access-Control-Allow-Origin changed from * to http://127.0.0.1:<port>
- cookie-import now validates file paths (was missing validateReadPath)
- 3 new tests for prefix collision and cookie-import path traversal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address review informational issues + add regression tests

- Add cookie-import to CHAIN_WRITE set for chain command routing
- Add path validation to snapshot -a -o output path
- Fix package.json version to match 0.3.1
- Use crypto.randomUUID() for temp DB paths (unpredictable filenames)
- Add regression tests for chain cookie-import and snapshot path validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: add /qa, /setup-browser-cookies to README + update BROWSER.md

- Add /qa and /setup-browser-cookies to skills table, install/update/uninstall blurbs
- Add dedicated README sections for both new skills with usage examples
- Update demo workflow to show cookie import → QA → browse flow
- Update BROWSER.md: cookie import commands, new source files, test count (203)
- Update skill count from 6 to 8

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: team-aware /retro v2.0 — per-person praise and growth opportunities

- Identify current user via git config, orient narrative as "you" vs teammates
- Add per-author metrics: commits, LOC, focus areas, commit type mix, sessions
- New "Your Week" section with personal deep-dive for whoever runs the command
- New "Team Breakdown" with per-person praise and growth opportunities
- Track AI-assisted commits via Co-Authored-By trailers
- Personal + team shipping streaks
- Tone: praise like a 1:1, growth like investment advice, never compare negatively

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: add Conductor parallel sessions section to README

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 00:31:41 -07:00

6.4 KiB
Raw Blame History

TODO — gstack roadmap

Phase 1: Foundations (v0.2.0)

  • Rename to gstack
  • Restructure to monorepo layout
  • Setup script for skill symlinks
  • Snapshot command with ref-based element selection
  • Snapshot tests

Phase 2: Enhanced Browser (v0.2.0)

  • Annotated screenshots (--annotate flag, ref labels overlaid on screenshot)
  • Snapshot diffing (--diff flag, unified diff against previous snapshot)
  • Dialog handling (auto-accept/dismiss, dialog buffer, prevents browser lockup)
  • File upload (upload )
  • Cursor-interactive elements (-C flag, cursor:pointer/onclick/tabindex scan)
  • Element state checks (is visible/hidden/enabled/disabled/checked/editable/focused)
  • CircularBuffer — O(1) ring buffer for console/network/dialog (was O(n) array+shift)
  • Async buffer flush with Bun.write() (was appendFileSync)
  • Health check with page.evaluate('1') + 2s timeout
  • Playwright error wrapping — actionable messages for AI agents
  • Fix useragent — context recreation preserves cookies/storage/URLs
  • DRY: getCleanText exported, command sets in chain updated
  • 148 integration tests (was ~63)

Phase 3: QA Testing Agent (v0.3.0)

  • /qa SKILL.md — 6-phase workflow: Initialize → Authenticate → Orient → Explore → Document → Wrap up
  • Issue taxonomy reference (7 categories: visual, functional, UX, content, performance, console, accessibility)
  • Severity classification (critical/high/medium/low)
  • Exploration checklist per page
  • Report template (structured markdown with per-issue evidence)
  • Repro-first philosophy: every issue gets evidence before moving on
  • Two evidence tiers: interactive bugs (multi-step screenshots), static bugs (single annotated screenshot)
  • Key guidance: 5-10 well-documented issues per session, depth over breadth, write incrementally
  • Three modes: full (systematic), quick (30-second smoke test), regression (compare against baseline)
  • Framework detection guidance (Next.js, Rails, WordPress, SPA)
  • Health score rubric (7 categories, weighted average)
  • wait --networkidle / wait --load / wait --domcontentloaded
  • console --errors (filter to error/warning only)
  • cookie-import <json-file> (bulk cookie import with auto-fill domain)
  • browse/bin/find-browse (DRY binary discovery across skills)
  • Video recording (deferred to Phase 5 — recreateContext destroys page state)

Phase 3.5: Browser Cookie Import (v0.3.x)

  • cookie-import-browser command (Chromium cookie DB decryption)
  • Cookie picker web UI (served from browse server)
  • /setup-browser-cookies skill
  • Unit tests with encrypted cookie fixtures (18 tests)
  • Browser registry (Comet, Chrome, Arc, Brave, Edge)

Phase 3.6: Visual PR Annotations + S3 Upload

  • /setup-gstack-upload skill (configure S3 bucket for image hosting)
  • browse/bin/gstack-upload helper (upload file to S3, return public URL)
  • /ship Step 7.5: visual verification with screenshots in PR body
  • /review Step 4.5: visual review with annotated screenshots in PR
  • WebM → GIF conversion (ffmpeg) for video evidence in PRs
  • README documentation for visual PR annotations

Phase 4: Skill + Browser Integration

  • ship + browse: post-deploy verification
    • Browse staging/preview URL after push
    • Screenshot key pages
    • Check console for JS errors
    • Compare staging vs prod via snapshot diff
    • Include verification screenshots in PR body
    • STOP if critical errors found
  • review + browse: visual diff review
    • Browse PR's preview deploy
    • Annotated screenshots of changed pages
    • Compare against production visually
    • Check responsive layouts (mobile/tablet/desktop)
    • Verify accessibility tree hasn't regressed
  • deploy-verify skill: lightweight post-deploy smoke test
    • Hit key URLs, verify 200s
    • Screenshot critical pages
    • Console error check
    • Compare against baseline snapshots
    • Pass/fail with evidence

Phase 5: State & Sessions

  • v20 encryption format support (AES-256-GCM) — future Chromium versions may change from v10
  • Sessions (isolated browser instances with separate cookies/storage/history)
  • State persistence (save/load cookies + localStorage to JSON files)
  • Auth vault (encrypted credential storage, referenced by name, LLM never sees passwords)
  • Video recording (record start/stop — needs sessions for clean context lifecycle)
  • retro + browse: deployment health tracking
    • Screenshot production state
    • Check perf metrics (page load times)
    • Count console errors across key pages
    • Track trends over retro window

Phase 6: Advanced Browser

  • Iframe support (frame , frame main)
  • Semantic locators (find role/label/text/placeholder/testid with actions)
  • Device emulation presets (set device "iPhone 16 Pro")
  • Network mocking/routing (intercept, block, mock requests)
  • Download handling (click-to-download with path control)
  • Content safety (--max-output truncation, --allowed-domains)
  • Streaming (WebSocket live preview for pair browsing)
  • CDP mode (connect to already-running Chrome/Electron apps)

Future Ideas

  • Linux/Windows cookie decryption (GNOME Keyring / kwallet / DPAPI)
  • Trend tracking across QA runs — compare baseline.json over time, detect regressions (P2, S)
  • CI/CD integration — /qa as GitHub Action step, fail PR if health score drops (P2, M)
  • Accessibility audit mode — --a11y flag for focused accessibility testing (P3, S)

Ideas & Notes

  • Browser is the nervous system — every skill should be able to see, interact with, and verify the web
  • Skills are the product; the browser enables them
  • One repo, one install, entire AI engineering workflow
  • Bun compiled binary matches Rust CLI performance for this use case (bottleneck is Chromium, not CLI parsing)
  • Accessibility tree snapshots use ~200-400 tokens vs ~3000-5000 for full DOM — critical for AI context efficiency
  • Locator map approach for refs: store Map<string, Locator> on BrowserManager, no DOM mutation, no CSP issues
  • Snapshot scoping (-i, -c, -d, -s flags) is critical for performance on large pages
  • All new commands follow existing pattern: add to command set, add switch case, return string
Reference in New Issue View Git Blame Copy Permalink