3 changes: 3 additions & 0 deletions docs/EXTENSION_RELEASE_RUNBOOK.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ Configure in public GitHub repo secrets:
- [ ] `package.json` version equals intended release version.
- [ ] `npm run extension:sync` keeps `extension/manifest.json` and `extension/package.json` aligned with the root package version.
- [ ] `npm run extension:build` passes.
- [ ] `node scripts/generate-store-assets.mjs` refreshes `extension/store-assets/` from the current icon set and popup surfaces.
- [ ] Review `extension/store-assets/LISTING.md` for current homepage, privacy URL, upload copy, and permission/privacy answers.
- [ ] `node scripts/chrome-store-compliance-check.mjs` passes.
- [ ] `npm run extension:pack` creates `opendevbrowser-extension.zip`.
- [ ] `npm run version:check` passes.
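Review bot: The new "Review `extension/store-assets/LISTING.md`" item is a manual step, and nothing in the visible checklist says the permission and privacy answers in that file are compared against `extension/manifest.json`. Consider having `node scripts/chrome-store-compliance-check.mjs` (the next item) fail when a permission or host permission appears in one file but not the other, so a later manifest change cannot ship with stale store answers.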
Expand Down Expand Up @@ -67,6 +69,7 @@ Workflow behavior:

```bash
npm run extension:build
node scripts/generate-store-assets.mjs
npm run extension:pack
npm run extension:store -- --zip opendevbrowser-extension.zip --publish-target default --publish
```
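Review bot: The release command block, as shown, goes straight from `node scripts/generate-store-assets.mjs` to `npm run extension:pack` and `npm run extension:store -- ... --publish` without running `node scripts/chrome-store-compliance-check.mjs`, which the checklist earlier in this file places between asset generation and packing. Add the compliance check after the generate step so the copy-paste path enforces the same gate as the checklist.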
31 changes: 19 additions & 12 deletions docs/privacy.md
Expand Up @@ -2,42 +2,43 @@

**OpenDevBrowser Chrome Extension**

Last updated: February 8, 2026
Last updated: March 13, 2026

## Overview

OpenDevBrowser is a browser automation extension that bridges the OpenDevBrowser plugin with Chrome for local development and testing purposes. This privacy policy explains how the extension handles your data.

## Data Collection

**We do not collect, store, or transmit any personal data.**
**We do not send your browsing data or page content to the developer or any third-party service.**

The extension:
- Does NOT collect browsing history
- Does NOT collect personal information
- Does NOT send browsing history to external servers
- Does NOT send personal information to external servers
- Does NOT track user behavior
- Does NOT use analytics or telemetry
- Does NOT communicate with external servers
- May access page URLs, titles, and page content locally when you use automation or annotation features
- May store relay settings and the last user-triggered annotation payload locally on-device so the popup can reconnect and reopen recent annotation results

## How the Extension Works

The extension operates entirely on your local machine:

1. **Local Relay Connection**: The extension connects to a local relay server running on your machine (default: `localhost:8787`). This connection never leaves your computer.
1. **Local Relay Connection**: The extension connects to a local relay server running on your machine (default: `127.0.0.1:8787`). This connection never leaves your computer.

2. **Chrome DevTools Protocol (CDP)**: The extension uses the `debugger` permission to interact with browser tabs via CDP. This enables automation features like clicking, typing, and capturing page snapshots.

3. **Tab Access**: The `tabs` permission is used to identify and manage browser tabs during automation sessions.

4. **Local Storage**: The `storage` permission stores your relay configuration (port, pairing token, pairing toggle) locally in Chrome. This data never leaves your browser.
4. **Local Storage**: The `storage` permission stores your relay configuration (port, pairing token, pairing toggle) and the last annotation payload metadata locally in Chrome. When you explicitly capture or send annotation results, the extension can also persist a local copy of the last annotation payload without screenshots so the popup can reopen it. This data stays on-device.

## Data Flow

```
[OpenDevBrowser Plugin] <--localhost--> [Extension] <--CDP--> [Browser Tabs]
[OpenDevBrowser Plugin] <--127.0.0.1--> [Extension] <--CDP--> [Browser Tabs]
```

All communication occurs locally on your machine. No data is sent to external servers.
The relay and optional native-host transport stay local to your machine. OpenDevBrowser does not send browsing data, page content, or annotation payloads to the developer or to third-party analytics services. Websites you open in Chrome continue to exchange their own normal network traffic.

## Permissions Justification

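Review bot: Item 4 under "How the Extension Works" and the new "May store relay settings and the last user-triggered annotation payload" bullet say a copy of the last annotation payload is persisted in Chrome storage, but the policy gives no retention rule and no way for the user to clear it. Because that payload is derived from pages the user automates, add a sentence stating when it is overwritten or removed and how it can be deleted. Item 4 also says "annotation payload metadata" in its first sentence and "a local copy of the last annotation payload" in the next; state once which of the two is stored.
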
Expand All @@ -46,16 +47,22 @@ All communication occurs locally on your machine. No data is sent to external se
| `debugger` | Required for CDP access to automate browser tabs |
| `tabs` | Required to list and manage tabs during automation |
| `activeTab` | Required for user-initiated active-tab actions |
| `storage` | Required to persist relay configuration locally |
| `storage` | Required to persist relay configuration and the last local annotation payload metadata |
| `scripting` | Required to inject annotation/runtime scripts into pages during automation |
| `alarms` | Required for background reconnect and retry scheduling |
| `nativeMessaging` | Required for optional local native-host fallback |
| `http://127.0.0.1/*`, `http://localhost/*` | Required to reach the local relay/discovery endpoints on your machine |
| `http://127.0.0.1/*` | Required to reach the local relay/discovery endpoints on your machine |
| `<all_urls>` | Required to run automation/annotation flows across user-opened sites during local sessions |

## What Stays Local

- Relay configuration, pairing state, and health metadata stored in `chrome.storage.local`
- The last annotation payload metadata, plus a local copy of the last annotation payload without screenshots when you explicitly capture or send annotation results
- Full screenshots remain in memory for the active extension session unless you explicitly copy or send them through the local tooling flow

## Third-Party Services

The extension does not integrate with any third-party services, analytics platforms, or external APIs.
The extension does not transmit browsing data or page content to analytics platforms or third-party APIs operated by OpenDevBrowser. It interacts only with the sites you choose to open in Chrome plus the local relay and optional local native host on your machine.

## Open Source

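Review bot: In "Third-Party Services", the phrase "third-party APIs operated by OpenDevBrowser" is self-contradictory and leaves open whether data can reach third-party APIs that OpenDevBrowser does not operate. Reword it to match the "Data Flow" sentence earlier in this file, for example "does not transmit browsing data or page content to the developer, analytics platforms, or third-party APIs". The `storage` table row also mentions only "annotation payload metadata", while "What Stays Local" says a copy of the payload itself is kept; align the row with that section.
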
1 change: 0 additions & 1 deletion extension/manifest.json
Expand Up @@ -14,7 +14,6 @@
],
"host_permissions": [
"http://127.0.0.1/*",
"http://localhost/*",
"<all_urls>"
],
"icons": {
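Review bot: Dropping `"http://localhost/*"` does not narrow what the extension can reach, because `"<all_urls>"` stays in `host_permissions` and already matches every `http://localhost/*` URL (and `http://127.0.0.1/*` as well). If the intent is to standardize the relay address on `127.0.0.1`, say so in the PR description and confirm the relay client no longer builds `localhost` URLs; the host access granted at install is unchanged by this hunk.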
2 changes: 1 addition & 1 deletion extension/src/popup.tsx
Expand Up @@ -86,7 +86,7 @@ if (
throw new Error("Popup DOM missing required elements");
}

const defaultNote = "Local relay only. Tokens stay on-device.";
const defaultNote = "Local relay only. Page data and tokens stay on-device.";
const defaultAnnotationNote = "No annotations captured yet.";
const LAST_ANNOTATION_META_KEY = "annotationLastMeta";
let lastAnnotationPayload: AnnotationPayload | null = null;
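Review bot: `defaultNote` now tells the user that page data stays on-device, but it is a hard-coded string and nothing in this hunk ties it to the relay endpoint actually in use. docs/privacy.md in this same change is more careful (full screenshots stay in memory "unless you explicitly copy or send them through the local tooling flow"), so either scope the popup wording the same way or set the note from the connected relay address.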
269 changes: 173 additions & 96 deletions extension/store-assets/LISTING.md
@@ -1,110 +1,187 @@
# Chrome Web Store Listing

## Title (45 chars max)
OpenDevBrowser Relay
## Official URLs

## Summary (132 chars max)
Connect OpenCode AI to your browser for automated testing, web scraping, and development workflows via Chrome DevTools Protocol.
- Homepage URL: `https://opendevbrowser.dev`
- Privacy policy URL: `https://github.com/freshtechbro/opendevbrowser/blob/main/docs/privacy.md`
- Support / source URL: `https://github.com/freshtechbro/opendevbrowser`

## Description
## Primary Store Fields

### Overview
OpenDevBrowser Relay bridges the OpenDevBrowser plugin with your Chrome browser, enabling AI-powered browser automation for local development and testing.
### Title

### Key Features
- **Zero Config**: Works out of the box with sensible defaults
- **Local Only**: All communication stays on your machine (localhost)
- **Secure**: Token-based pairing prevents unauthorized access
- **Lightweight**: Permissions scoped to local relay + automation workflows, with background alarms used only for reconnect retries
- Limit: `45` chars
- Count: `20`
- Value: `OpenDevBrowser Relay`

### How It Works
1. Install the extension
2. Start OpenDevBrowser in OpenCode
3. The extension automatically connects to the local relay
4. AI can now interact with your browser tabs
### Summary

### Use Cases
- Automated testing of web applications
- Web scraping and data extraction
- Form filling and validation testing
- Screenshot capture and visual regression
- Interactive debugging with AI assistance
- Limit: `132` chars
- Count: `108`
- Value: `Attach OpenDevBrowser to logged-in Chrome tabs so agents can inspect, automate, annotate, and debug locally.`

### Privacy First
- No data collection or telemetry
- No external server communication
- All automation happens locally
- Open source and auditable
### Single Purpose Description

### Privacy Policy URL
https://github.com/freshtechbro/opendevbrowser/blob/main/docs/privacy.md
- Count: `105`
- Value: `Connect OpenDevBrowser to existing Chrome tabs so it can inspect and automate them through a local relay.`

### Detailed Description

OpenDevBrowser Relay connects OpenDevBrowser to the Chrome tabs you already have open. It lets the runtime attach to a real headed browser session, reuse logged-in state, inspect the page, drive actions, and capture annotations without launching a separate browser.

What it delivers today:
- Reuses existing Chrome tabs through a local relay on `127.0.0.1`
- Attaches Chrome DevTools Protocol with `debugger` for inspect and action loops
- Injects page-side helpers with `scripting` for annotation, DOM capture, and in-tab automation
- Stores relay settings plus the last local annotation payload metadata so the popup can reconnect and reopen recent results
- Shows relay, handshake, annotate, injected, `CDP`, pairing, and native fallback health directly in the popup

Important behavior notes:
- The relay and optional native host stay on-device
- OpenDevBrowser does not send browsing data, page content, or annotation payloads to the developer or third-party analytics services
- The extension can act on user-opened sites because it needs `<all_urls>` for automation, annotation, DOM capture, and screenshot fallback
- Restricted pages such as `chrome://`, `chrome-extension://`, and Chrome Web Store pages are not supported targets

## Category
Developer Tools

- `Developer Tools`

## Language
English (United States)

## Permission Justifications

| Permission | Justification |
|------------|---------------|
| **debugger** | Required to access Chrome DevTools Protocol (CDP) for browser automation. Enables clicking, typing, screenshots, and DOM access. |
| **alarms** | Required to schedule reconnect retries when the relay is temporarily unavailable. |
| **tabs** | Required to list available browser tabs and identify targets for automation. |
| **storage** | Required to persist user preferences (relay port, pairing token) locally in Chrome. |
| **scripting** | Required to inject runtime/annotation scripts into active pages. |
| **activeTab** | Required for user-initiated actions against the currently active tab. |
| **nativeMessaging** | Required for optional local native-host fallback integration. |

## Host Permissions

| Host | Justification |
|------|---------------|
| `http://127.0.0.1/*` | Connect to local relay server running on your machine |
| `http://localhost/*` | Alternative localhost binding for relay connection |
| `<all_urls>` | Required to run automation and annotation flows across user-opened websites during local sessions |

## Screenshots Required

1. **screenshot-popup-disconnected.png** (1280x800)
- Extension popup showing "Disconnected" state
- Relay settings visible (port, token fields)

2. **screenshot-popup-connected.png** (1280x800)
- Extension popup showing "Connected" state
- Active target information displayed

3. **screenshot-automation-demo.png** (1280x800)
- Split view: terminal with OpenCode on left, browser on right
- Shows automation command and resulting browser action

## Promotional Images Required

1. **promo-small-440x280.png**
- OpenDevBrowser logo centered
- Tagline: "AI-Powered Browser Automation"
- Clean, professional design

2. **promo-marquee-1400x560.png** (optional)
- Feature showcase with icons
- Logo + tagline + key benefits

## Store Icon
- **icon-store-128.png**: 128x128 PNG with square corners, no padding
- Use existing icon128.png from extension/icons/

## Additional Notes

### Review Expectations
- `debugger` permission triggers manual review (3-7 extra business days)
- Ensure privacy policy URL is accessible before submission
- All permissions are justified with clear use cases

### Compliance Checklist
- [x] Manifest V3 compliant
- [x] No eval() or remote code execution
- [x] No keyword stuffing in listing
- [x] Privacy policy hosted and accessible
- [x] All permissions are minimal and justified
- [x] Host permissions documented with localhost relay endpoints plus `<all_urls>` for automation scope

- `English (United States)`

## Upload Justifications

### Single Purpose Justification

The extension has one purpose: bridge OpenDevBrowser to the Chrome tabs the user already has open so the runtime can inspect, automate, and annotate those tabs through the local relay.

### Permission Justification

The permission set is limited to three needs: attach to Chrome tabs, inject page helpers for automation/annotation, and reach the local relay or optional local native host that keeps the workflow on-device.

### `debugger` Justification

`debugger` is required to attach Chrome DevTools Protocol to the selected tab and forward inspect, snapshot, click, type, and screenshot commands from OpenDevBrowser.

### `alarms` Justification

`alarms` is required for background reconnect and retry scheduling when the local relay is temporarily unavailable.

### `tabs` Justification

`tabs` is required to read, activate, update, create, and close Chrome tabs so OpenDevBrowser can attach to the right user-opened page and keep that target in sync.

### `storage` Justification

`storage` is required to keep relay settings, pairing state, relay identity metadata, and the last local annotation payload metadata on-device in `chrome.storage.local`.

### `scripting` Justification

`scripting` is required to inject annotation and runtime helpers into the active page for DOM capture, overlay rendering, and in-tab automation tasks.

### `activeTab` Justification

`activeTab` is required for user-triggered actions from the popup or command shortcut against the current tab, including attach fallback and visible-tab capture flows.

### `nativeMessaging` Justification

`nativeMessaging` is required only for the optional local native-host fallback path when the relay is unavailable.

### Host Permission Justification

`http://127.0.0.1/*` is required for local relay discovery, pairing, and extension transport on the user’s machine. `<all_urls>` is required so the extension can inject helpers, inspect DOM state, capture annotations, and automate whichever user-opened site is the active target.

## Recommended Privacy Questionnaire Answers

Use these answers as the starting point for the current Chrome Web Store dashboard wording.

### Data Handling Summary

- The extension may access page URLs, titles, page content, and screenshots locally when the user runs automation or annotation flows.
- The extension stores relay settings, pairing state, relay identity metadata, and the last local annotation payload metadata on-device.
- The extension does not sell browsing data.
- The extension does not send browsing data, page content, or annotation payloads to the developer or third-party analytics services.

### Recommended Responses

- Does the extension sell user data? `No`
- Does the extension use user data for unrelated purposes such as ads or profiling? `No`
- Does the developer receive browsing data, page content, or annotation payloads from the extension? `No`
- Does the extension access website content or user-opened pages to provide its feature? `Yes, locally on-device as part of automation and annotation`
- Is the retained extension state stored locally? `Yes`
- Is remote transmission to OpenDevBrowser-operated servers required for the extension feature to work? `No`

### Data Types To Disclose If The Form Asks For Accessed Data

- Website content
- Page URLs and titles
- User-triggered screenshots / visible-tab captures
- Extension settings and pairing state
- Local annotation payload metadata

## Reviewer Test Instructions

### Prerequisites

- Chrome `125+`
- Node.js `18+`
- A normal `http` or `https` tab open in Chrome

### Steps

1. Clone the repo and run `npm install`.
2. Build the package and extension:
- `npm run build`
- `npm run extension:build`
3. In Chrome, open `chrome://extensions`, enable Developer Mode, and load the unpacked `extension/` directory from this repo.
4. Start the local relay:
- `npx opendevbrowser serve`
5. Open a normal `http` or `https` tab.
6. Open the extension popup and keep the default settings:
- Relay port `8787`
- Auto-connect `on`
- Auto-pair `on`
- Require pairing token `on`
- Native fallback `off`
7. Click `Connect`.
8. Expected result:
- Status pill changes to `Connected`
- Status note shows `Connected to 127.0.0.1:8787`
- Diagnostics populate for relay / handshake / `CDP`
- The annotation panel remains visible
9. To verify the disconnected state, stop the relay or click `Disconnect`, then reopen the popup.

### Reviewer Notes

- The extension cannot attach to `chrome://`, `chrome-extension://`, or Chrome Web Store pages.
- The extension’s relay/native-host paths are local-only.
- `<all_urls>` is needed because the feature works on whichever user-opened site is the current automation target.

## Asset Checklist

### Screenshots

1. `screenshot-popup-connected.png`
- Full current popup
- `Connected` status pill
- Settings, diagnostics, annotation panel, and `Disconnect` CTA visible

2. `screenshot-popup-disconnected.png`
- Full current popup
- `Disconnected` status pill
- Default relay settings visible
- Diagnostics and annotation panel still visible

3. `screenshot-automation-demo.png`
- OpenDevBrowser driving a real Chrome tab through the local relay
- OpenCode / terminal action on one side and the browser outcome on the other

### Promo Images

1. `promo-small-440x280.png`
2. `promo-marquee-1400x560.png`

### Store Icon

- `icon-store-128.png` should match `extension/icons/icon128.png`
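Review bot: The rewrite removes the "Compliance Checklist" (Manifest V3, no `eval()` or remote code execution) and "Review Expectations" (`debugger` permission triggers manual review) sections, and nothing in the new text replaces them. Keep a short compliance section or point to `node scripts/chrome-store-compliance-check.mjs` from the runbook so those statements stay recorded for store submission. Separately, the hard-coded `Count:` values under Title, Summary and Single Purpose Description will go stale on the next copy edit, and Single Purpose Description has a `Count` but no `Limit`; compute them in a script or drop them.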
Binary file modified extension/store-assets/icon-store-128.png
Binary file modified extension/store-assets/promo-marquee-1400x560.png
Binary file modified extension/store-assets/promo-small-440x280.png
Binary file modified extension/store-assets/screenshot-automation-demo.png
Binary file modified extension/store-assets/screenshot-popup-connected.png
Binary file modified extension/store-assets/screenshot-popup-disconnected.png