Compare commits

...

27 commits
v1.1.0 ... main

Author SHA1 Message Date
dependabot[bot]
6923ae77ca
chore(ci-deps): bump actions/setup-node from 4 to 6 (#47)
Some checks failed
CI / MCP server (push) Has been cancelled
CI / Browser extension (push) Has been cancelled
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-06 09:21:30 -04:00
dependabot[bot]
ee6dad0af1
chore(ci-deps): bump actions/checkout from 4 to 7 (#46)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-06 09:16:17 -04:00
@aaronjmars
761835c5ae
fix: move LICENSE back to repo root so GitHub detects it (#45)
Some checks failed
CI / MCP server (push) Has been cancelled
CI / Browser extension (push) Has been cancelled
GitHub's license detection (licensee) only scans the repo root, so a LICENSE under .github/ leaves the repo showing no license. Move it back to root and repoint the .github doc links to ../LICENSE. README/SECURITY/CONTRIBUTING stay under .github/.
2026-07-03 13:54:45 -04:00
@aaronjmars
755680f96c
chore: add SECURITY + CONTRIBUTING, consolidate community docs under .github/ (#44)
Standardize community-health files across the repo:

- Add a tailored SECURITY.md (private vulnerability reporting via GitHub PVR, response targets, per-repo threat model + scope).
- Add/replace CONTRIBUTING.md (real dev setup, test/CI commands, PR conventions).
- Move README + LICENSE under .github/ and rebase relative links so they still resolve.
- Fix inbound links that pointed at the old root paths.

Generated from a shared global template, adapted per repo.
2026-07-03 13:42:50 -04:00
@aaronjmars
ce05c495b9
fix(deps): bump node-forge to 1.4.0 and brace-expansion to 1.1.15 (#43)
Resolves all 8 Dependabot alerts (transitive dev deps via web-ext):
- node-forge 1.3.1 -> 1.4.0 (alerts #1-#7): signature forgery, cert
  chain bypass, ASN.1 issues, modInverse DoS
- brace-expansion 1.1.12 -> 1.1.15 (alert #8): process hang / memory
  exhaustion on zero-step sequence

Lockfile-only change; both bumps are within existing semver ranges.
npm audit reports 0 vulnerabilities.
2026-07-03 11:58:31 -04:00
@aaronjmars
bf6fa4f846
chore: npm auto-publish (provenance) + sync version to 1.1.1 (#42)
Some checks are pending
CI / MCP server (push) Waiting to run
CI / Browser extension (push) Waiting to run
* chore: add provenance npm auto-publish on tag

* chore: sync version to 1.1.1 (matches npm)
2026-07-02 22:14:56 -04:00
dependabot[bot]
a624beecfe
chore(ext-deps): bump fs-extra (#40)
Bumps the ext-minor-and-patch group in /opendia-extension with 1 update: [fs-extra](https://github.com/jprichardson/node-fs-extra).


Updates `fs-extra` from 11.3.5 to 11.3.6
- [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jprichardson/node-fs-extra/compare/11.3.5...11.3.6)

---
updated-dependencies:
- dependency-name: fs-extra
  dependency-version: 11.3.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: ext-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-02 19:17:30 -04:00
dependabot[bot]
9f851b97ac
chore(mcp-deps): bump express from 4.21.2 to 5.2.1 in /opendia-mcp (#37)
Some checks failed
CI / MCP server (push) Has been cancelled
CI / Browser extension (push) Has been cancelled
* chore(mcp-deps): bump express from 4.21.2 to 5.2.1 in /opendia-mcp

Bumps [express](https://github.com/expressjs/express) from 4.21.2 to 5.2.1.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.21.2...v5.2.1)

---
updated-dependencies:
- dependency-name: express
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(mcp): use named wildcard for OPTIONS route (Express 5 compat)

Express 5 ships path-to-regexp 8, which rejects the bare '*' route
pattern with "Missing parameter name at index 1". Use '/*splat' so the
CORS preflight handler keeps matching every path. Verified the server
boots cleanly under express 5.2.1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: aaronjmars <aaronjmars@proton.me>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 09:48:12 -04:00
dependabot[bot]
94502495a4
chore(ext-deps): bump web-ext from 8.8.0 to 10.4.0 in /opendia-extension (#39)
Bumps [web-ext](https://github.com/mozilla/web-ext) from 8.8.0 to 10.4.0.
- [Release notes](https://github.com/mozilla/web-ext/releases)
- [Commits](https://github.com/mozilla/web-ext/compare/8.8.0...10.4.0)

---
updated-dependencies:
- dependency-name: web-ext
  dependency-version: 10.4.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 09:47:45 -04:00
dependabot[bot]
5efdfca5fb
chore(ci-deps): bump actions/checkout from 4 to 7 (#35)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 09:47:41 -04:00
dependabot[bot]
a3ede3ac3a
chore(ext-deps): bump fs-extra (#38)
Bumps the ext-minor-and-patch group in /opendia-extension with 1 update: [fs-extra](https://github.com/jprichardson/node-fs-extra).


Updates `fs-extra` from 11.3.0 to 11.3.5
- [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jprichardson/node-fs-extra/compare/11.3.0...11.3.5)

---
updated-dependencies:
- dependency-name: fs-extra
  dependency-version: 11.3.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: ext-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 09:42:44 -04:00
dependabot[bot]
387fa85f50
chore(mcp-deps): bump the mcp-minor-and-patch group (#36)
Bumps the mcp-minor-and-patch group in /opendia-mcp with 2 updates: [cors](https://github.com/expressjs/cors) and [ws](https://github.com/websockets/ws).


Updates `cors` from 2.8.5 to 2.8.6
- [Release notes](https://github.com/expressjs/cors/releases)
- [Changelog](https://github.com/expressjs/cors/blob/master/HISTORY.md)
- [Commits](https://github.com/expressjs/cors/compare/v2.8.5...v2.8.6)

Updates `ws` from 8.18.2 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/8.18.2...8.21.0)

---
updated-dependencies:
- dependency-name: cors
  dependency-version: 2.8.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mcp-minor-and-patch
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mcp-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 09:42:40 -04:00
dependabot[bot]
cb94bf2e16
chore(ci-deps): bump actions/setup-node from 4 to 6 (#34)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 09:42:34 -04:00
@aaronjmars
d58a584e7e
chore: add Dependabot config for npm + GitHub Actions (#33)
Adds .github/dependabot.yml covering the two npm packages (opendia-mcp, opendia-extension) and the GitHub Actions used in CI. Weekly schedule with minor/patch grouping to keep PR noise low; this also surfaces the checkout/setup-node major bumps the CI currently warns about.

Co-authored-by: aaronjmars <aaronjmars@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 08:07:21 -04:00
@aaronjmars
cfbc3aa83b
chore: add CI workflow for MCP server and browser extension (#32)
Some checks failed
CI / Browser extension (push) Has been cancelled
CI / MCP server (push) Has been cancelled
Adds .github/workflows/ci.yml running on push to main and on PRs:
- MCP server: npm ci + node --check server.js
- Extension: npm ci, build chrome+firefox, validate builds,
  structure tests, and web-ext lint on the Firefox build.

All steps verified locally against the current tree.

Co-authored-by: aaronjmars <aaronjmars@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-14 12:05:07 -04:00
@aaronjmars
1c38dc2d0e
fix(mcp): reject pending tool calls when Browser Extension disconnects (#31)
When the extension's WebSocket closed mid-call, every in-flight tool
call was left dangling in `pendingCalls` until its 30s timeout fired —
so the MCP client (Claude Desktop, Cursor, etc.) would hang for up to
30 seconds after a disconnect before getting an error.

Track the timeout on the pending entry, clear it when a response
arrives, and on socket close iterate `pendingCalls` to reject every
in-flight call with "Browser Extension disconnected mid-call" and
clear its timer. This also fixes a pre-existing leak where every
successful call left its 30s timeout running until it eventually
fired against a `pendingCalls.has(callId)` that was already false.

Symmetric with #26 (stale-close guard) and #28 (unique call ids) —
same call-lifecycle surface, no behaviour change on the happy path.

Co-authored-by: aeonframework <aeonframework@proton.me>
2026-06-11 08:57:18 -04:00
@aaronjmars
a7a803bd16
fix(firefox): set background persistent:true so heartbeat/reconnect actually fire (#30)
manifest-firefox.json had `persistent: false`, which lets Firefox suspend the
background script after a short idle period. Once suspended, the `setInterval`
heartbeat (15s) and the exponential-backoff reconnect scheduler in
src/background/background.js stop firing — there is no alarms-based wake path,
so a WebSocket drop leaves the extension in "Extension not connected" until
the user reloads or reopens the popup.

The Firefox MV2 branch of ConnectionManager is built around a persistent
background page (setupHeartbeat / scheduleReconnect both use setInterval and
are explicitly gated on `!this.isServiceWorker`). Setting persistent:true makes
that branch reachable and matches the design.

Closes #29

Co-authored-by: aeonframework <aeon@aaronjmars.com>
2026-06-03 10:03:39 -04:00
@aaronjmars
eccd201b96
fix(mcp): guarantee unique call ids for concurrent tool calls (#28)
Tool call ids were generated with Date.now().toString(), which collides
when two calls fire in the same millisecond. This happens in normal
operation: Express handles SSE POSTs concurrently, hybrid mode runs
stdio + SSE side by side, and AI clients routinely issue parallel tool
calls. On collision, the second call overwrites the first's entry in
pendingCalls, so the extension's response cross-wires onto the wrong
promise and the losing call hangs until its 30s timeout fires.

Append a monotonic counter to the timestamp so every call gets a unique
id. The extension treats the id as opaque and echoes it back verbatim,
so the format change is safe.

Co-authored-by: aeon <aeon@aeon.fun>
2026-05-26 09:51:28 -04:00
@aaronjmars
fbe4d29353
fix(mcp): use resolved HTTP_PORT in tunnel-mode local URL hint (#27)
Default HTTP port migrated from 3001 → 5556, but the post-tunnel
"Local access still available" message still hard-coded
http://localhost:3001/sse. Every `npx opendia --tunnel` user saw a
stale URL pointing at a port nothing was bound to. Use the resolved
HTTP_PORT (matching the non-tunnel branch a few lines below).

Co-authored-by: aeonframework <aeon@aaronjmars.com>
2026-05-17 17:57:41 -04:00
@aaronjmars
1559625803
fix(mcp): guard extension reconnect against stale close events (#26)
When the browser extension reconnects (Chrome reload, extension toggle,
network blip), the old WebSocket's close event sometimes fires *after*
the new connection's open event. Today the close handler unconditionally
nulls out chromeExtensionSocket, so the server falsely reports
"extension not connected" until the user fully restarts.

Two related fixes:
- On new connection, if a previous socket is still tracked, close it so
  its close handler runs before we overwrite the reference.
- In the close handler, only clear chromeExtensionSocket / availableTools
  if the closing socket is still the active one. Stale closes log and
  no-op.

Co-authored-by: Aeon <aeon@aaronjmars.com>
2026-05-08 09:26:41 -04:00
@aaronjmars
488c4e1c37
docs: add compatible AI clients list to README (#25)
MCP-compatible clients have multiplied since v1.1.0 (July 2025) — Claude Code, Cursor, Windsurf, Zed, Continue, Cline, Goose, Open WebUI all speak the protocol now, plus ChatGPT via Auto-Tunnel.

The README claimed "Universal AI Support" but never said which clients actually work. Adding a short, scannable list right before Quick Start so users know what works with their setup before installing.

Part of a periodic maintenance pass — repo is at 1.8k★ and worth keeping fresh.

Co-authored-by: aeon-bot <aeon-bot@aaronjmars.com>
2026-05-03 09:19:56 -04:00
@aaronjmars
dfdb822255
fix(mcp): stop double-wrapping JSON-RPC responses on SSE POST (#24)
The /sse POST handler was wrapping handleMCPRequest's return value
inside another { jsonrpc, id, result } envelope. handleMCPRequest
already returns a complete JSON-RPC response, so SSE clients were
receiving { jsonrpc, id, result: { jsonrpc, id, result: <real_result> } }
on success and silently swallowing internal errors (those came back
as { jsonrpc, id, error } inside the outer "result" field).

Forward the response as-is — matching the stdio path at L1701-1703 —
and return 204 for JSON-RPC notifications (response === null) per spec.

Co-authored-by: aeonframework <noreply@github.com>
2026-04-28 08:56:20 -04:00
@aaronjmars
8d3c2dc9fc
Merge pull request #18 from felixrieseberg/felixr/fix-manifest
fix: manifest.json for dxt
2025-10-21 13:46:10 -04:00
@aaronjmars
eede8cdee5
Update README.md 2025-10-09 17:14:15 +02:00
Felix Rieseberg
8783ae0dc2
fix: manifest.json for dxt 2025-07-28 21:26:16 +02:00
@aaronjmars
9ad89e7248
Update README.md 2025-07-27 16:36:51 +02:00
@aaronjmars
9dcbd230c5
Update README.md 2025-07-20 23:51:26 +02:00
14 changed files with 1496 additions and 1373 deletions

93
.github/CONTRIBUTING.md vendored Normal file
View file

@ -0,0 +1,93 @@
# Contributing to OpenDia
Love to have your help making OpenDia better. It has two moving parts — a local
**MCP server** (`opendia-mcp/`) and a **browser extension** (`opendia-extension/`)
that talk to each other over a local WebSocket — and this guide covers building
both and landing a PR.
## Ways to contribute
- **MCP server** fixes/features (`opendia-mcp/` — Node, exposes the browser tools).
- **Extension** work (`opendia-extension/` — MV3 background/content scripts, popup;
builds for Chrome and Firefox).
- **New browser tools / site support** — bridging a new capability across the
server and extension.
- **Docs** — setup, tunnel mode, client compatibility.
## Before you start
- **Fork and branch from `main`.** Use a descriptive branch name (`feat/…`,
`fix/…`, `docs/…`).
- **One change per PR.** Keep server and extension changes coherent — if a new tool
needs both sides, that's one PR; unrelated refactors are separate.
- **Title as a [Conventional Commit](https://www.conventionalcommits.org/)**
`feat: …`, `fix: …`, `docs: …`. PRs are squash-merged, so the title becomes the
commit subject.
- **Mind the security surface.** The extension holds broad permissions and the
server can be tunneled publicly — read [`SECURITY.md`](SECURITY.md) before
touching the bridge, permissions, or tunnel code.
## Development setup
**Prerequisites:** Node.js 20+.
```bash
git clone https://github.com/aaronjmars/opendia.git && cd opendia
# 1. Start the MCP server
cd opendia-mcp
npm install
npm start # ws://localhost:5555, sse http://localhost:5556
# 2. Build + load the extension (in another shell)
cd ../opendia-extension
npm install
npm run build # builds dist/chrome and dist/firefox
```
Load the built extension:
- **Chrome**`chrome://extensions/` → enable Developer mode → **Load unpacked**
`opendia-extension/dist/chrome`
- **Firefox**`about:debugging#/runtime/this-firefox` → **Load Temporary Add-on**
`opendia-extension/dist/firefox/manifest.json`
The extension auto-connects to the server on `localhost:5555`.
## Testing & CI
CI (`.github/workflows/ci.yml`) runs on every push and PR. Reproduce it locally
before pushing:
```bash
# MCP server
cd opendia-mcp && npm ci && node --check server.js
# Extension
cd opendia-extension && npm ci
npm run build # Chrome + Firefox builds
node build.js validate # validate the builds
node test-extension.js # structure tests
npx web-ext lint --source-dir=dist/firefox --self-hosted # Firefox lint
```
## Submitting a pull request
- Keep the diff focused and the title conventional; it becomes the squash commit.
- Explain **what** changed and **why**; link the issue (`Fixes #123`).
- Reproduce the CI steps above locally and confirm they pass.
- If you changed permissions, the tunnel, or the message bridge, call it out
explicitly in the description — those touch the trust boundary.
## Reporting bugs & requesting features
Open an issue with repro steps, your browser + version, OpenDia version, whether
you ran in default or `--tunnel` mode, and what you expected vs. what happened.
**Found a security problem?** Don't open an issue — follow
[`SECURITY.md`](SECURITY.md) and report it privately.
## License
By contributing, you agree that your contributions are licensed under the
repository's [LICENSE](../LICENSE) (MIT).

View file

@ -1,7 +1,9 @@
# OpenDia <img src="opendia-extension/icons/icon-128.png" alt="OpenDia" width="32" height="32">
# OpenDia <img src="../opendia-extension/icons/icon-128.png" alt="OpenDia" width="32" height="32">
**The open alternative to Dia**
Connect your browser to AI models. No browser switching needed—works seamlessly with Chrome, Firefox, and any Chromium browser.
**The open alternative to Dia / Perplexity Comet**
Connect your browser to AI models.
No browser switching needed—works seamlessly with Chrome, Firefox, and any Chromium browser. Private, local-first & MCP focused.
If you are not technical / never used MCPs before, we recommend using **[Perplexity Comet](https://pplx.ai/leosimon)**.
[![npm version](https://img.shields.io/npm/v/opendia)](https://www.npmjs.com/package/opendia)
[![GitHub release](https://img.shields.io/github/release/aaronjmars/opendia.svg)](https://github.com/aaronjmars/opendia/releases/latest)
@ -9,7 +11,7 @@ Connect your browser to AI models. No browser switching needed—works seamlessl
## 📺 See it in Action
![OpenDia Demo](./preview.gif)
![OpenDia Demo](../preview.gif)
## 🚀 What is OpenDia?
@ -32,15 +34,29 @@ OpenDia lets AI models control your browser automatically. **The key advantage?
## 🌐 Browser Support
Works with **Chrome, Firefox, and any Chromium-based browser**:
- ✅ **Mozilla Firefox** (Manifest V2)
- ✅ **Google Chrome** (Manifest V3)
- ✅ **Arc**
- ✅ **Google Chrome**
- ✅ **Arc**
- ✅ **Mozilla Firefox**
- ✅ **Microsoft Edge**
- ✅ **Brave**
- ✅ **Opera**
- ✅ **Any Chromium based browser**
Perfect for **Cursor users** who want to automate their local testing and development workflows!
Also perfect for **Cursor users** who want to automate their local testing and development workflows!
## 🔌 Compatible AI Clients
OpenDia exposes a standard MCP server, so it works with any client that speaks the protocol.
**Tested:**
- **Claude Desktop** — paste the config below, restart.
- **Claude Code** — same MCP config, runs from any terminal.
- **Cursor** — add via Settings → MCP, or paste the same JSON.
- **ChatGPT** — works with Auto-Tunnel mode (`npx opendia --tunnel`), then add the ngrok URL as a connector.
**Should work** (any MCP-compatible client): Windsurf, Zed, Continue, Cline, Goose, Open WebUI.
Wired it up with something else? Open a PR — the list grows as MCP grows.
## 🎬 What You Can Do
@ -82,14 +98,14 @@ Perfect for **Cursor users** who want to automate their local testing and develo
### 1. Install the Browser Extension
**For Chrome/Chromium browsers:**
1. Download `opendia-chrome-1.0.6.zip` from [releases](https://github.com/aaronjmars/opendia/releases)
1. Download `opendia-chrome-1.1.0.zip` from [releases](https://github.com/aaronjmars/opendia/releases)
2. Extract the zip file to a folder
3. Go to `chrome://extensions/` (or your browser's extension page)
4. Enable "Developer mode"
5. Click "Load unpacked" and select the extracted folder
**For Firefox:**
1. Download `opendia-firefox-1.0.6.zip` from [releases](https://github.com/aaronjmars/opendia/releases)
1. Download `opendia-firefox-1.1.0.zip` from [releases](https://github.com/aaronjmars/opendia/releases)
2. Extract the zip file to a folder
3. Go to `about:debugging#/runtime/this-firefox`
4. Click "Load Temporary Add-on..."
@ -299,7 +315,7 @@ npm start
## 📝 License
MIT License - see [LICENSE](LICENSE) for details.
MIT License - see [LICENSE](../LICENSE) for details.
---

111
.github/SECURITY.md vendored Normal file
View file

@ -0,0 +1,111 @@
# Security Policy
OpenDia connects an AI model to your real browser. The extension holds broad
permissions — `<all_urls>` host access, plus `tabs`, `history`, `bookmarks`,
`cookies`/sessions, `scripting`, and `webNavigation` — and a local MCP server
exposes browser control over `ws://localhost:5555` (and `http://localhost:5556/sse`),
optionally tunneled to the public internet. That is a large, sensitive attack
surface, so this policy is deliberate about what's in scope and how to report a
problem privately.
## Reporting a vulnerability
**Please don't open a public issue for a security problem.** Use GitHub's
**Private Vulnerability Reporting (PVR)** instead:
➡️ **[Report a vulnerability](https://github.com/aaronjmars/opendia/security/advisories/new)**
(Repo → **Security** tab → **Report a vulnerability**.) This opens a private
advisory that only the maintainers can see — never a public issue, so a fix can
ship before the details are out.
Please include what you can:
- Which component is affected — the **extension** (`opendia-extension/`:
`background.js`, `content.js`, popup) or the **MCP server** (`opendia-mcp/`).
- A minimal reproduction or proof of concept.
- The impact you can demonstrate — a web page or another extension driving the
browser through the MCP bridge, exfiltration of cookies/history/bookmarks,
cross-origin action with the user's live sessions, or exposure of the local
server beyond the intended trust boundary.
- Browser + version (Chrome/Firefox/Chromium), OpenDia version, and whether you
were running in default or `--tunnel` mode.
**Response targets** — best effort; this is a small project:
| Stage | Target |
|-------|--------|
| Acknowledge the report | within 7 days |
| Initial assessment / severity | within 14 days |
| Fix or mitigation on `main` | as fast as the severity warrants |
We follow **coordinated disclosure**: please give us a reasonable window to ship
a fix before you disclose publicly. We'll credit you in the advisory unless you'd
rather stay anonymous.
## Supported versions
Security fixes land on the `main` branch of
[`aaronjmars/opendia`](https://github.com/aaronjmars/opendia) and the latest
published [`opendia`](https://www.npmjs.com/package/opendia) npm release + extension
build.
| Version | Supported |
|---------|-----------|
| `main` / latest npm + extension build | ✅ Yes |
| Older releases | ❌ No — update to latest |
## Security model
The trust boundary is **your machine**. The MCP server and extension are designed
to talk only to each other, locally.
- **The local server is localhost-scoped by default.** The extension auto-connects
to `ws://localhost:5555`; SSE is on `http://localhost:5556`. Anything that lets an
arbitrary web page or a *different* extension reach that bridge and issue browser
actions is a serious finding.
- **`--tunnel` mode is opt-in and public.** `npx opendia --tunnel` publishes the
local server through an ngrok tunnel so a remote client (e.g. ChatGPT) can reach
it. **Anyone who learns that URL can drive your browser with your logged-in
sessions.** Treat the tunnel URL as a secret, only enable it when you need it, and
shut it down afterward. Weaknesses in how the tunnel is exposed or authenticated
are in scope.
- **The extension acts as you.** Because it uses your existing cookies, sessions,
and saved credentials, every action runs with your authority. Only pair OpenDia
with an AI client you trust — a malicious or prompt-injected model can ask the
browser to do anything you can.
- **Untrusted page content is data, not instructions.** Page text the model reads
can contain injection attempts; content that escalates into unintended browser
actions or data exfiltration is in scope.
- **Nothing is sent to us.** OpenDia does no cloud processing and no telemetry —
your browsing data stays local. A code path that ships browser data to a
third party is a bug, report it.
## Scope
**In scope:**
- A web page or third-party extension issuing MCP/browser actions through the
local bridge (e.g. via `externally_connectable` or an unauthenticated WS/SSE).
- Exfiltration of cookies, history, bookmarks, stored credentials, or open-tab
content beyond the intended local flow.
- The `--tunnel` path exposing the server without adequate protection.
- Prompt injection from page content that crosses into unintended actions.
- Code execution or privilege escalation in the extension or server.
**Out of scope:**
- Intended behavior of a **trusted** AI client you connected — OpenDia deliberately
gives it broad browser control (this is documented; only use trusted models).
- Running `--tunnel` and sharing the URL publicly yourself.
- The anti-detection bypasses functioning as designed on Twitter/X, LinkedIn,
Facebook (a site's own ToS/detection is between you and that site).
- Vulnerabilities in the browser, ngrok, or the AI client — report to that vendor.
---
> **Maintainers:** the Report-a-vulnerability link only works once PVR is enabled
> — **Settings → Code security and analysis → Private vulnerability reporting →
> Enable**.
Thanks for helping keep OpenDia and the people who run it safe.

43
.github/dependabot.yml vendored Normal file
View file

@ -0,0 +1,43 @@
version: 2
updates:
# MCP server (Node.js)
- package-ecosystem: npm
directory: /opendia-mcp
schedule:
interval: weekly
open-pull-requests-limit: 5
commit-message:
prefix: chore(mcp-deps)
groups:
mcp-minor-and-patch:
update-types:
- minor
- patch
# Browser extension (Node.js)
- package-ecosystem: npm
directory: /opendia-extension
schedule:
interval: weekly
open-pull-requests-limit: 5
commit-message:
prefix: chore(ext-deps)
groups:
ext-minor-and-patch:
update-types:
- minor
- patch
# GitHub Actions used by the CI workflow
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
open-pull-requests-limit: 5
commit-message:
prefix: chore(ci-deps)
groups:
actions-minor-and-patch:
update-types:
- minor
- patch

47
.github/workflows/ci.yml vendored Normal file
View file

@ -0,0 +1,47 @@
name: CI
on:
push:
branches: [main]
pull_request:
jobs:
mcp:
name: MCP server
runs-on: ubuntu-latest
defaults:
run:
working-directory: opendia-mcp
steps:
- uses: actions/checkout@v7
- uses: actions/setup-node@v6
with:
node-version: 20
cache: npm
cache-dependency-path: opendia-mcp/package-lock.json
- run: npm ci
- name: Syntax-check server
run: node --check server.js
extension:
name: Browser extension
runs-on: ubuntu-latest
defaults:
run:
working-directory: opendia-extension
steps:
- uses: actions/checkout@v7
- uses: actions/setup-node@v6
with:
node-version: 20
cache: npm
cache-dependency-path: opendia-extension/package-lock.json
- run: npm ci
- name: Build Chrome + Firefox
run: npm run build
- name: Validate builds
run: node build.js validate
- name: Structure tests
run: node test-extension.js
- name: Lint Firefox build (web-ext)
run: npx web-ext lint --source-dir=dist/firefox --self-hosted

22
.github/workflows/publish.yml vendored Normal file
View file

@ -0,0 +1,22 @@
name: publish
on:
push:
tags: ["v*"]
permissions:
contents: read
id-token: write
jobs:
publish:
runs-on: ubuntu-latest
defaults:
run:
working-directory: opendia-mcp
steps:
- uses: actions/checkout@v7
- uses: actions/setup-node@v6
with:
node-version: 20
registry-url: https://registry.npmjs.org
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

View file

@ -127,9 +127,6 @@ cat > dist/opendia-dxt/manifest.json << 'EOF'
"license": "MIT",
"keywords": ["browser", "automation", "mcp", "ai", "claude", "chrome", "firefox", "extension", "twitter", "linkedin", "facebook", "anti-detection"],
"icon": "icon.png",
"icons": {
"128": "icon.png"
},
"server": {
"type": "node",
@ -153,16 +150,16 @@ cat > dist/opendia-dxt/manifest.json << 'EOF'
"title": "WebSocket Port",
"description": "Port for Chrome/Firefox extension connection",
"default": 5555,
"minimum": 1024,
"maximum": 65535
"min": 1024,
"max": 65535
},
"http_port": {
"type": "number",
"title": "HTTP Port",
"description": "Port for HTTP/SSE server",
"default": 5556,
"minimum": 1024,
"maximum": 65535
"min": 1024,
"max": 65535
},
"enable_tunnel": {
"type": "boolean",
@ -251,30 +248,7 @@ cat > dist/opendia-dxt/manifest.json << 'EOF'
"name": "page_style",
"description": "🎨 Transform page appearance with themes and effects"
}
],
"capabilities": {
"browser_automation": true,
"anti_detection": true,
"background_tabs": true,
"multi_tab_workflows": true,
"content_extraction": true,
"form_filling": true,
"social_media_posting": true,
"page_styling": true,
"bookmark_management": true,
"history_search": true,
"tab_management": true
},
"requirements": {
"browser_extension": {
"name": "OpenDia Browser Extension",
"description": "Required Chrome/Firefox extension for browser automation by Aaron Elijah Mars",
"version": "1.1.0",
"auto_install": false
}
}
]
}
EOF

View file

@ -32,7 +32,7 @@
"src/polyfill/browser-polyfill.min.js",
"src/background/background.js"
],
"persistent": false
"persistent": true
},
"browser_action": {
"default_popup": "src/popup/popup.html",

File diff suppressed because it is too large Load diff

View file

@ -22,7 +22,7 @@
"webextension-polyfill": "^0.12.0"
},
"devDependencies": {
"fs-extra": "^11.3.0",
"web-ext": "^8.8.0"
"fs-extra": "^11.3.6",
"web-ext": "^10.4.0"
}
}

View file

@ -201,7 +201,7 @@ npm start
## 📝 License
MIT License - see [LICENSE](LICENSE) for details.
MIT License - see [LICENSE](../LICENSE) for details.
---

View file

@ -1,16 +1,16 @@
{
"name": "opendia",
"version": "1.0.6",
"version": "1.1.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "opendia",
"version": "1.0.6",
"version": "1.1.0",
"license": "MIT",
"dependencies": {
"cors": "^2.8.5",
"express": "^4.21.2",
"express": "^5.2.1",
"ws": "^8.18.0"
},
"bin": {
@ -21,46 +21,53 @@
}
},
"node_modules/accepts": {
"version": "1.3.8",
"resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
"integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz",
"integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==",
"license": "MIT",
"dependencies": {
"mime-types": "~2.1.34",
"negotiator": "0.6.3"
"mime-types": "^3.0.0",
"negotiator": "^1.0.0"
},
"engines": {
"node": ">= 0.6"
}
},
"node_modules/array-flatten": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
"integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
"license": "MIT"
},
"node_modules/body-parser": {
"version": "1.20.3",
"resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz",
"integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==",
"version": "2.3.0",
"resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.3.0.tgz",
"integrity": "sha512-2cGmJupaNgg+QUwVLAucDuWuoMZ6EX9iHDRswZ5lsNYEmwPaRknMPCLZz07yTzVq/83p4o/wzbDZbBrTvGGTIw==",
"license": "MIT",
"dependencies": {
"bytes": "3.1.2",
"content-type": "~1.0.5",
"debug": "2.6.9",
"depd": "2.0.0",
"destroy": "1.2.0",
"http-errors": "2.0.0",
"iconv-lite": "0.4.24",
"on-finished": "2.4.1",
"qs": "6.13.0",
"raw-body": "2.5.2",
"type-is": "~1.6.18",
"unpipe": "1.0.0"
"bytes": "^3.1.2",
"content-type": "^2.0.0",
"debug": "^4.4.3",
"http-errors": "^2.0.1",
"iconv-lite": "^0.7.2",
"on-finished": "^2.4.1",
"qs": "^6.15.2",
"raw-body": "^3.0.2",
"type-is": "^2.1.0"
},
"engines": {
"node": ">= 0.8",
"npm": "1.2.8000 || >= 1.4.16"
"node": ">=18"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/body-parser/node_modules/content-type": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/content-type/-/content-type-2.0.0.tgz",
"integrity": "sha512-j/O/d7GcZCyNl7/hwZAb606rzqkyvaDctLmckbxLzHvFBzTJHuGEdodATcP3yIRoDrLHkIATJuvzbFlp/ki2cQ==",
"license": "MIT",
"engines": {
"node": ">=18"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/bytes": {
@ -86,7 +93,7 @@
}
},
"node_modules/call-bound": {
"version": "1.0.5",
"version": "1.0.4",
"resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz",
"integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==",
"license": "MIT",
@ -102,15 +109,16 @@
}
},
"node_modules/content-disposition": {
"version": "0.5.4",
"resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
"integrity": "sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==",
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.1.0.tgz",
"integrity": "sha512-5jRCH9Z/+DRP7rkvY83B+yGIGX96OYdJmzngqnw2SBSxqCFPd0w2km3s5iawpGX8krnwSGmF0FW5Nhr0Hfai3g==",
"license": "MIT",
"dependencies": {
"safe-buffer": "5.2.1"
},
"engines": {
"node": ">= 0.6"
"node": ">=18"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/content-type": {
@ -132,15 +140,18 @@
}
},
"node_modules/cookie-signature": {
"version": "1.0.6",
"resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
"integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==",
"license": "MIT"
"version": "1.2.2",
"resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz",
"integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==",
"license": "MIT",
"engines": {
"node": ">=6.6.0"
}
},
"node_modules/cors": {
"version": "2.8.5",
"resolved": "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz",
"integrity": "sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==",
"version": "2.8.6",
"resolved": "https://registry.npmjs.org/cors/-/cors-2.8.6.tgz",
"integrity": "sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==",
"license": "MIT",
"dependencies": {
"object-assign": "^4",
@ -148,15 +159,27 @@
},
"engines": {
"node": ">= 0.10"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/debug": {
"version": "2.6.9",
"resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
"integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
"version": "4.4.3",
"resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
"integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
"license": "MIT",
"dependencies": {
"ms": "2.0.0"
"ms": "^2.1.3"
},
"engines": {
"node": ">=6.0"
},
"peerDependenciesMeta": {
"supports-color": {
"optional": true
}
}
},
"node_modules/depd": {
@ -168,16 +191,6 @@
"node": ">= 0.8"
}
},
"node_modules/destroy": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
"integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
"license": "MIT",
"engines": {
"node": ">= 0.8",
"npm": "1.2.8000 || >= 1.4.16"
}
},
"node_modules/dunder-proto": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
@ -226,9 +239,9 @@
}
},
"node_modules/es-object-atoms": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
"integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.2.tgz",
"integrity": "sha512-HWcBoN6NileqtSydK2FqHbS/LoDd2pqrnQHLyJzBj4kOp/ky2MWMN694xOfkK8/SnUsW2DH7EfyVlydKCsm1Zw==",
"license": "MIT",
"dependencies": {
"es-errors": "^1.3.0"
@ -253,45 +266,42 @@
}
},
"node_modules/express": {
"version": "4.21.2",
"resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz",
"integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==",
"version": "5.2.1",
"resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
"integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
"license": "MIT",
"dependencies": {
"accepts": "~1.3.8",
"array-flatten": "1.1.1",
"body-parser": "1.20.3",
"content-disposition": "0.5.4",
"content-type": "~1.0.4",
"cookie": "0.7.1",
"cookie-signature": "1.0.6",
"debug": "2.6.9",
"depd": "2.0.0",
"encodeurl": "~2.0.0",
"escape-html": "~1.0.3",
"etag": "~1.8.1",
"finalhandler": "1.3.1",
"fresh": "0.5.2",
"http-errors": "2.0.0",
"merge-descriptors": "1.0.3",
"methods": "~1.1.2",
"on-finished": "2.4.1",
"parseurl": "~1.3.3",
"path-to-regexp": "0.1.12",
"proxy-addr": "~2.0.7",
"qs": "6.13.0",
"range-parser": "~1.2.1",
"safe-buffer": "5.2.1",
"send": "0.19.0",
"serve-static": "1.16.2",
"setprototypeof": "1.2.0",
"statuses": "2.0.1",
"type-is": "~1.6.18",
"utils-merge": "1.0.1",
"vary": "~1.1.2"
"accepts": "^2.0.0",
"body-parser": "^2.2.1",
"content-disposition": "^1.0.0",
"content-type": "^1.0.5",
"cookie": "^0.7.1",
"cookie-signature": "^1.2.1",
"debug": "^4.4.0",
"depd": "^2.0.0",
"encodeurl": "^2.0.0",
"escape-html": "^1.0.3",
"etag": "^1.8.1",
"finalhandler": "^2.1.0",
"fresh": "^2.0.0",
"http-errors": "^2.0.0",
"merge-descriptors": "^2.0.0",
"mime-types": "^3.0.0",
"on-finished": "^2.4.1",
"once": "^1.4.0",
"parseurl": "^1.3.3",
"proxy-addr": "^2.0.7",
"qs": "^6.14.0",
"range-parser": "^1.2.1",
"router": "^2.2.0",
"send": "^1.1.0",
"serve-static": "^2.2.0",
"statuses": "^2.0.1",
"type-is": "^2.0.1",
"vary": "^1.1.2"
},
"engines": {
"node": ">= 0.10.0"
"node": ">= 18"
},
"funding": {
"type": "opencollective",
@ -299,21 +309,24 @@
}
},
"node_modules/finalhandler": {
"version": "1.3.1",
"resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.1.tgz",
"integrity": "sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==",
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.1.tgz",
"integrity": "sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA==",
"license": "MIT",
"dependencies": {
"debug": "2.6.9",
"encodeurl": "~2.0.0",
"escape-html": "~1.0.3",
"on-finished": "2.4.1",
"parseurl": "~1.3.3",
"statuses": "2.0.1",
"unpipe": "~1.0.0"
"debug": "^4.4.0",
"encodeurl": "^2.0.0",
"escape-html": "^1.0.3",
"on-finished": "^2.4.1",
"parseurl": "^1.3.3",
"statuses": "^2.0.1"
},
"engines": {
"node": ">= 0.8"
"node": ">= 18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/forwarded": {
@ -326,12 +339,12 @@
}
},
"node_modules/fresh": {
"version": "0.5.2",
"resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
"integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz",
"integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==",
"license": "MIT",
"engines": {
"node": ">= 0.6"
"node": ">= 0.8"
}
},
"node_modules/function-bind": {
@ -405,9 +418,9 @@
}
},
"node_modules/hasown": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
"integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
"version": "2.0.4",
"resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz",
"integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==",
"license": "MIT",
"dependencies": {
"function-bind": "^1.1.2"
@ -417,31 +430,39 @@
}
},
"node_modules/http-errors": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz",
"integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==",
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
"integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
"license": "MIT",
"dependencies": {
"depd": "2.0.0",
"inherits": "2.0.4",
"setprototypeof": "1.2.0",
"statuses": "2.0.1",
"toidentifier": "1.0.1"
"depd": "~2.0.0",
"inherits": "~2.0.4",
"setprototypeof": "~1.2.0",
"statuses": "~2.0.2",
"toidentifier": "~1.0.1"
},
"engines": {
"node": ">= 0.8"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/iconv-lite": {
"version": "0.4.24",
"resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
"integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
"version": "0.7.2",
"resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz",
"integrity": "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==",
"license": "MIT",
"dependencies": {
"safer-buffer": ">= 2.1.2 < 3"
"safer-buffer": ">= 2.1.2 < 3.0.0"
},
"engines": {
"node": ">=0.10.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/inherits": {
@ -459,6 +480,12 @@
"node": ">= 0.10"
}
},
"node_modules/is-promise": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz",
"integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==",
"license": "MIT"
},
"node_modules/math-intrinsics": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
@ -469,75 +496,61 @@
}
},
"node_modules/media-typer": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
"integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz",
"integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==",
"license": "MIT",
"engines": {
"node": ">= 0.6"
"node": ">= 0.8"
}
},
"node_modules/merge-descriptors": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
"integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz",
"integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==",
"license": "MIT",
"engines": {
"node": ">=18"
},
"funding": {
"url": "https://github.com/sponsors/sindresorhus"
}
},
"node_modules/methods": {
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
"integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
"license": "MIT",
"engines": {
"node": ">= 0.6"
}
},
"node_modules/mime": {
"version": "1.6.0",
"resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
"integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
"license": "MIT",
"bin": {
"mime": "cli.js"
},
"engines": {
"node": ">=4"
}
},
"node_modules/mime-db": {
"version": "1.52.0",
"resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
"integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
"version": "1.54.0",
"resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
"integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
"license": "MIT",
"engines": {
"node": ">= 0.6"
}
},
"node_modules/mime-types": {
"version": "2.1.35",
"resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
"integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
"version": "3.0.2",
"resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.2.tgz",
"integrity": "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==",
"license": "MIT",
"dependencies": {
"mime-db": "1.52.0"
"mime-db": "^1.54.0"
},
"engines": {
"node": ">= 0.6"
"node": ">=18"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/ms": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
"integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
"version": "2.1.3",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
"integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
"license": "MIT"
},
"node_modules/negotiator": {
"version": "0.6.3",
"resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
"integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz",
"integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==",
"license": "MIT",
"engines": {
"node": ">= 0.6"
@ -576,6 +589,15 @@
"node": ">= 0.8"
}
},
"node_modules/once": {
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
"integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
"license": "ISC",
"dependencies": {
"wrappy": "1"
}
},
"node_modules/parseurl": {
"version": "1.3.3",
"resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
@ -586,10 +608,14 @@
}
},
"node_modules/path-to-regexp": {
"version": "0.1.12",
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
"integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==",
"license": "MIT"
"version": "8.4.2",
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.4.2.tgz",
"integrity": "sha512-qRcuIdP69NPm4qbACK+aDogI5CBDMi1jKe0ry5rSQJz8JVLsC7jV8XpiJjGRLLol3N+R5ihGYcrPLTno6pAdBA==",
"license": "MIT",
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/proxy-addr": {
"version": "2.0.7",
@ -605,12 +631,12 @@
}
},
"node_modules/qs": {
"version": "6.13.0",
"resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz",
"integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==",
"version": "6.15.2",
"resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz",
"integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==",
"license": "BSD-3-Clause",
"dependencies": {
"side-channel": "^1.0.6"
"side-channel": "^1.1.0"
},
"engines": {
"node": ">=0.6"
@ -629,39 +655,35 @@
}
},
"node_modules/raw-body": {
"version": "2.5.2",
"resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
"integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==",
"version": "3.0.2",
"resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz",
"integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==",
"license": "MIT",
"dependencies": {
"bytes": "3.1.2",
"http-errors": "2.0.0",
"iconv-lite": "0.4.24",
"unpipe": "1.0.0"
"bytes": "~3.1.2",
"http-errors": "~2.0.1",
"iconv-lite": "~0.7.0",
"unpipe": "~1.0.0"
},
"engines": {
"node": ">= 0.8"
"node": ">= 0.10"
}
},
"node_modules/safe-buffer": {
"version": "5.2.1",
"resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
"integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/feross"
},
{
"type": "patreon",
"url": "https://www.patreon.com/feross"
},
{
"type": "consulting",
"url": "https://feross.org/support"
}
],
"license": "MIT"
"node_modules/router": {
"version": "2.2.0",
"resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz",
"integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==",
"license": "MIT",
"dependencies": {
"debug": "^4.4.0",
"depd": "^2.0.0",
"is-promise": "^4.0.0",
"parseurl": "^1.3.3",
"path-to-regexp": "^8.0.0"
},
"engines": {
"node": ">= 18"
}
},
"node_modules/safer-buffer": {
"version": "2.1.2",
@ -670,57 +692,48 @@
"license": "MIT"
},
"node_modules/send": {
"version": "0.19.0",
"resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz",
"integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==",
"version": "1.2.1",
"resolved": "https://registry.npmjs.org/send/-/send-1.2.1.tgz",
"integrity": "sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==",
"license": "MIT",
"dependencies": {
"debug": "2.6.9",
"depd": "2.0.0",
"destroy": "1.2.0",
"encodeurl": "~1.0.2",
"escape-html": "~1.0.3",
"etag": "~1.8.1",
"fresh": "0.5.2",
"http-errors": "2.0.0",
"mime": "1.6.0",
"ms": "2.1.3",
"on-finished": "2.4.1",
"range-parser": "~1.2.1",
"statuses": "2.0.1"
"debug": "^4.4.3",
"encodeurl": "^2.0.0",
"escape-html": "^1.0.3",
"etag": "^1.8.1",
"fresh": "^2.0.0",
"http-errors": "^2.0.1",
"mime-types": "^3.0.2",
"ms": "^2.1.3",
"on-finished": "^2.4.1",
"range-parser": "^1.2.1",
"statuses": "^2.0.2"
},
"engines": {
"node": ">= 0.8.0"
"node": ">= 18"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/send/node_modules/encodeurl": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
"integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==",
"license": "MIT",
"engines": {
"node": ">= 0.8"
}
},
"node_modules/send/node_modules/ms": {
"version": "2.1.3",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
"integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
"license": "MIT"
},
"node_modules/serve-static": {
"version": "1.16.2",
"resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.2.tgz",
"integrity": "sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==",
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.1.tgz",
"integrity": "sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==",
"license": "MIT",
"dependencies": {
"encodeurl": "~2.0.0",
"escape-html": "~1.0.3",
"parseurl": "~1.3.3",
"send": "0.19.0"
"encodeurl": "^2.0.0",
"escape-html": "^1.0.3",
"parseurl": "^1.3.3",
"send": "^1.2.0"
},
"engines": {
"node": ">= 0.8.0"
"node": ">= 18"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/setprototypeof": {
@ -730,14 +743,14 @@
"license": "ISC"
},
"node_modules/side-channel": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
"integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.1.tgz",
"integrity": "sha512-6x6dK6zJdpTzF4sQeNYxwtvBzf6Eg4GtlesS94HOvTudUeyK2WXAaIfmDgsyslYrRBeFIlsi54AYsFGUuhmvrQ==",
"license": "MIT",
"dependencies": {
"es-errors": "^1.3.0",
"object-inspect": "^1.13.3",
"side-channel-list": "^1.0.0",
"object-inspect": "^1.13.4",
"side-channel-list": "^1.0.1",
"side-channel-map": "^1.0.1",
"side-channel-weakmap": "^1.0.2"
},
@ -749,13 +762,13 @@
}
},
"node_modules/side-channel-list": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz",
"integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==",
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz",
"integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==",
"license": "MIT",
"dependencies": {
"es-errors": "^1.3.0",
"object-inspect": "^1.13.3"
"object-inspect": "^1.13.4"
},
"engines": {
"node": ">= 0.4"
@ -802,9 +815,9 @@
}
},
"node_modules/statuses": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz",
"integrity": "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==",
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
"integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
"license": "MIT",
"engines": {
"node": ">= 0.8"
@ -820,16 +833,34 @@
}
},
"node_modules/type-is": {
"version": "1.6.18",
"resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
"integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/type-is/-/type-is-2.1.0.tgz",
"integrity": "sha512-faYHw0anBbc/kWF3zFTEnxSFOAGUX9GFbOBthvDdLsIlEoWOFOtS0zgCiQYwIskL9iGXZL3kAXD8OoZ4GmMATA==",
"license": "MIT",
"dependencies": {
"media-typer": "0.3.0",
"mime-types": "~2.1.24"
"content-type": "^2.0.0",
"media-typer": "^1.1.0",
"mime-types": "^3.0.0"
},
"engines": {
"node": ">= 0.6"
"node": ">= 18"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/type-is/node_modules/content-type": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/content-type/-/content-type-2.0.0.tgz",
"integrity": "sha512-j/O/d7GcZCyNl7/hwZAb606rzqkyvaDctLmckbxLzHvFBzTJHuGEdodATcP3yIRoDrLHkIATJuvzbFlp/ki2cQ==",
"license": "MIT",
"engines": {
"node": ">=18"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/express"
}
},
"node_modules/unpipe": {
@ -841,15 +872,6 @@
"node": ">= 0.8"
}
},
"node_modules/utils-merge": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
"integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==",
"license": "MIT",
"engines": {
"node": ">= 0.4.0"
}
},
"node_modules/vary": {
"version": "1.1.2",
"resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
@ -859,10 +881,16 @@
"node": ">= 0.8"
}
},
"node_modules/wrappy": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
"integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
"license": "ISC"
},
"node_modules/ws": {
"version": "8.18.2",
"resolved": "https://registry.npmjs.org/ws/-/ws-8.18.2.tgz",
"integrity": "sha512-DMricUmwGZUVr++AEAe2uiVM7UoO9MAVZMDu05UQOaUII0lp+zOzLLU4Xqh/JvTqklB1T4uELaaPBKyjE1r4fQ==",
"version": "8.21.0",
"resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
"integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
"license": "MIT",
"engines": {
"node": ">=10.0.0"

View file

@ -1,6 +1,6 @@
{
"name": "opendia",
"version": "1.1.0",
"version": "1.1.1",
"description": "🎯 OpenDia - The open alternative to Dia. Connect your browser to AI models with anti-detection bypass for Twitter/X, LinkedIn, Facebook",
"main": "server.js",
"bin": {
@ -38,7 +38,7 @@
},
"dependencies": {
"cors": "^2.8.5",
"express": "^4.21.2",
"express": "^5.2.1",
"ws": "^8.18.0"
},
"engines": {
@ -48,4 +48,4 @@
"server.js",
"README.md"
]
}
}

View file

@ -153,6 +153,8 @@ let availableTools = [];
// Tool call tracking
const pendingCalls = new Map();
// Monotonic counter so concurrent tool calls can never share a call id.
let callIdCounter = 0;
// Simple MCP protocol implementation over stdio
async function handleMCPRequest(request) {
@ -1526,10 +1528,24 @@ async function callBrowserTool(toolName, args) {
);
}
const callId = Date.now().toString();
// Date.now() alone collides when two calls fire in the same millisecond
// (concurrent SSE POSTs, hybrid stdio+SSE, or parallel tool calls). A
// collision overwrites the pending resolver, cross-wiring one call's
// response onto another and leaving the loser to hit the 30s timeout.
const callId = `${Date.now()}-${++callIdCounter}`;
return new Promise((resolve, reject) => {
pendingCalls.set(callId, { resolve, reject });
// Track the timeout on the pending entry so it can be cleared when a
// response arrives or the extension disconnects — otherwise every call
// leaks a 30s timer until it fires.
const timeout = setTimeout(() => {
if (pendingCalls.has(callId)) {
pendingCalls.delete(callId);
reject(new Error("Tool call timeout"));
}
}, 30000);
pendingCalls.set(callId, { resolve, reject, timeout });
chromeExtensionSocket.send(
JSON.stringify({
@ -1538,14 +1554,6 @@ async function callBrowserTool(toolName, args) {
params: args,
})
);
// Timeout after 30 seconds
setTimeout(() => {
if (pendingCalls.has(callId)) {
pendingCalls.delete(callId);
reject(new Error("Tool call timeout"));
}
}, 30000);
});
}
@ -1553,6 +1561,7 @@ async function callBrowserTool(toolName, args) {
function handleToolResponse(message) {
const pending = pendingCalls.get(message.id);
if (pending) {
clearTimeout(pending.timeout);
pendingCalls.delete(message.id);
if (message.error) {
pending.reject(new Error(message.error.message));
@ -1565,6 +1574,17 @@ function handleToolResponse(message) {
// Setup WebSocket connection handlers
function setupWebSocketHandlers() {
wss.on("connection", (ws) => {
// If an old extension socket is still tracked, close it before replacing
// so the previous connection's close handler can't later null out the new one.
if (chromeExtensionSocket && chromeExtensionSocket !== ws) {
console.error("Replacing existing Browser Extension connection");
try {
chromeExtensionSocket.close();
} catch (e) {
// ignore — socket may already be half-closed
}
}
console.error("Browser Extension connected");
chromeExtensionSocket = ws;
@ -1602,10 +1622,33 @@ function setupWebSocketHandlers() {
});
ws.on("close", () => {
console.error("Browser Extension disconnected");
chromeExtensionSocket = null;
availableTools = []; // Clear tools when extension disconnects
clearInterval(pingInterval);
// Only clear tracked state if THIS socket is still the active one.
// Without this guard, a stale close event from a previous connection
// can null out a freshly reconnected extension and make the server
// falsely report "extension not connected" until the user restarts.
if (chromeExtensionSocket === ws) {
console.error("Browser Extension disconnected");
chromeExtensionSocket = null;
availableTools = []; // Clear tools when extension disconnects
// Reject any in-flight tool calls immediately so the MCP client
// sees a real error instead of hanging for up to 30s waiting on
// a socket that's gone.
if (pendingCalls.size > 0) {
console.error(
`Rejecting ${pendingCalls.size} in-flight tool call(s) due to extension disconnect`
);
for (const pending of pendingCalls.values()) {
clearTimeout(pending.timeout);
pending.reject(
new Error("Browser Extension disconnected mid-call")
);
}
pendingCalls.clear();
}
} else {
console.error("Stale Browser Extension socket closed (already replaced)");
}
});
ws.on("error", (error) => {
@ -1656,25 +1699,28 @@ app.route('/sse')
.post(async (req, res) => {
// MCP requests from online AI
console.error('MCP request received via SSE:', req.body);
try {
const result = await handleMCPRequest(req.body);
res.json({
jsonrpc: "2.0",
id: req.body.id,
result: result
});
// handleMCPRequest already returns a complete JSON-RPC response
// (or null for notifications) — forward as-is, matching the stdio path.
const response = await handleMCPRequest(req.body);
if (response === null) {
// JSON-RPC notification: no response body per spec
res.status(204).end();
} else {
res.json(response);
}
} catch (error) {
res.status(500).json({
jsonrpc: "2.0",
id: req.body.id,
id: req.body?.id ?? null,
error: { code: -32603, message: error.message }
});
}
});
// ADD: CORS preflight handler
app.options('*', (req, res) => {
app.options('/*splat', (req, res) => {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
res.header('Access-Control-Allow-Headers', 'Content-Type, Cache-Control');
@ -1840,7 +1886,7 @@ async function startServer() {
console.error('💡 Claude Web: Add as external MCP server (if supported)');
console.error('');
console.error('🏠 Local access still available:');
console.error('🔗 http://localhost:3001/sse');
console.error(`🔗 http://localhost:${HTTP_PORT}/sse`);
console.error('');
// Store ngrok process for cleanup