Security hardening and improved private browsing.

Security:
- Block dependency lifecycle scripts (ignore-scripts=true)
- Timing-safe auth token comparison
- Explicit Content Security Policy
- Install scripts hardened with --ignore-scripts
- Upgraded @modelcontextprotocol/sdk to 1.29.0

Improvements:
- Private window auto-fallback: if incognito permission isn't granted, automatically falls back to non-private mode with a clear warning instead of failing
- New "private" parameter on firefox_create_window for explicit mode control
- firefox_activate now reports private window availability upfront
- Mode mismatch detection prevents silent wrong-mode tab creation

Fixed critical bug where the native host fails to start on macOS (Homebrew) and Linux (nvm/non-system Node paths). Firefox GUI apps don't inherit shell PATH, so the #!/usr/bin/env node shebang couldn't find Node.js. The installer now resolves the absolute node path and generates a wrapper script. Also cleaned up stale files from the extension package.

Bug fixes for socket path reliability and Windows support, thanks to generous community contributions!

• macOS: Fixed socket path mismatch caused by per-process TMPDIR values. Now uses ~/.claudezilla/ as stable fallback. (Thanks w3cdotorg)
• Windows: Fixed silent connection failure — installer creates a bat wrapper instead of using non-spec args manifest field. (Thanks DerekL)
• CLI now uses centralized socket path resolution instead of hardcoded /tmp/claudezilla.sock.

v0.6.1 — Security hardening + two new features

NEW FEATURES:
• Cookie/consent auto-dismissal — Automatically detects and dismisses GDPR overlays across major CMP platforms (OneTrust, Cookiebot, Quantcast, Didomi, Google). 4-pass detection: CMP selectors → text matching → Shadow DOM traversal → ARIA dialog fallback.
• Lazy tool loading — Only exposes a single activation tool (~50 tokens) at session start instead of all 31 tools (~6,500 tokens). Call firefox_activate() to load tools by category on demand. Saves context for sessions that don't need browser automation.
• Linux support — Portable shebang, headless Firefox profile, XPI sideloading, systemd service unit, and install script. Tested on Ubuntu (aarch64).

SECURITY (15 red-team findings resolved):
• Activation guard prevents tool execution before firefox_activate is called
• Category-scoped enforcement at call time, not just at listing time
• Consent auto-trigger now targets the navigated tab, not the active tab
• Overly broad consent selectors scoped to consent containers
• Generic "OK" button pattern removed from consent text matching
• Domain allowlist regex properly escapes dots to prevent bypass
• goodbye and handleConsent added to host command whitelist
• canNavigate logic inversion fixed

RELIABILITY (9 audit batches):
• Socket listener cleanup prevents file descriptor leaks
• Screenshot mutex uses finally block — can no longer deadlock
• Process-level unhandled rejection handler added
• Domain pattern ReDoS prevention (length + charset validation)
• Installer npm pre-check with clear error messaging

PERFORMANCE:
• Screenshot mutex threshold tightened (3s → 2.5s) for faster error feedback
• Consent detection delay reduced (800ms → 600ms)
• Watermark injection delay reduced (500ms → 350ms)
• Socket idle timeout added (60s) to prevent abandoned connections

v0.6.0 — Annotated Screenshots, Domain Allowlists, Smarter Waiting

NEW:
• Annotated screenshots — firefox_screenshot with annotate:true overlays numbered badges
on interactive elements. Response includes a label map so agents can say "click element
3".
• Domain allowlist — firefox_set_config lets agents restrict navigation to approved
domains with wildcard support. Unauthorized URLs return DOMAIN_BLOCKED.
• Expanded waitFor — now supports text (substring match on page text), url (glob match on
location), and selector modes.
• Page state diff — firefox_diff_page_state compares two snapshots and returns structured
diffs (added/removed/changed elements). No extension round-trip needed.

FIXES:
• Orphan tab timeout increased from 2min to 10min (fewer false positives during long
operations)
• pressKey returns actionable errors for invalid key names
• scroll returns noEffect flag when viewport didn't move
• Watermark and focus glow hidden during screenshot capture
• Fixed CONTENT_SCRIPT_ERROR false positives on JSON/XML/binary tabs
• Network headers stripped from getNetworkRequests (60% smaller payloads)

DOCS:
• Full documentation now live at docs.claudezilla.com

This release fixes four bugs that combined to cause agents to get stuck on stale or non-existent tabs, requiring a full extension
reload to recover.

Bug fixes:

• Session nuke on empty tabs (Critical) — When the last Claudezilla tab was closed externally, the entire session was wiped,
  requiring a full extension reload to resume. The error recovery is now scoped correctly: losing all tabs returns a NO_TABS error
  without destroying the window session.
• Infinite retry on closed tab (Serious) — When a tab was closed while a command was in-flight, the extension returned
  CONTENT_SCRIPT_UNAVAILABLE, causing agents in loops to retry indefinitely on a tab that no longer existed. The extension now
  detects this case and returns TAB_CLOSED with actionable guidance.
• Heartbeat timeout during long operations (Moderate) — The agent heartbeat was only refreshed at command arrival. Long-running
  operations (screenshots, waitFor) could exceed the 120-second orphan threshold during execution, causing the extension to
  prematurely reclaim the agent's tabs. The heartbeat now also refreshes immediately before the operation begins.
• Overly broad error catch in session management (Moderate) — A single try/catch wrapped both window-level and tab-level failures.
  Both paths reset the session state, making recovery impossible without a reload. The scopes are now split: window failures reset
  state; tab failures return a targeted error without destroying the session.

Bug fixes for macOS users.

• Fixed native messaging host path on macOS — installer was writing the manifest to the Linux location
(~/.mozilla/...) instead of ~/Library/Application Support/Mozilla/NativeMessagingHosts/. Caused "No
such native application" error on first launch.
• Fixed missing MCP dependencies — installer now runs npm install in the mcp/ directory automatically.
Fresh clones no longer fail to start the MCP server.
• Fixed tabId type coercion — all tab-targeting tools now accept tabId as either a string or number.
Passing a string (as JSON sometimes does) previously caused "Incorrect argument types" errors from the
Firefox tabs API.

Version 0.5.7 - Critical Bug Fixes + Timeout Flexibility

This release fixes critical bugs and adds timeout configuration for better reliability.

BUG FIXES:
• Screenshot error handling - Errors during capture now properly report to Claude instead of being silently ignored
• Multi-agent coordination - Fixed race condition where multiple agents could claim the same reserved tab slot
• Message ID overflow protection - Replaced numeric IDs with UUIDs to eliminate collision risk

IMPROVEMENTS:
• Per-operation timeout support - All browser automation tools now accept optional timeout parameter (5s-300s range, default: 150s)
• Better error messages - Timeout errors now include operation name and duration for easier debugging

This is a stability and reliability update with no breaking changes. All existing functionality remains backward compatible.

Full changelog: https://github.com/boot-industries/claudezilla/blob/main/CHANGELOG.md

Autonomous installation, bug fixes, and multi-agent improvements.

New:
- Autonomous permissions — Installers auto-configure Claude Code settings and MCP server
- Expanded tab pool — 12 tabs shared across agents (up from 10)
- Screenshot purpose presets — quick-glance, read-text, inspect-ui, full-detail

Fixed:
- Tab ID type mismatch — Tab operations no longer fail with "Tab not found" on valid tabs
- Session cleanup on exit — Tabs are cleaned up immediately when a Claude session ends
- Mercy system slot reservation — Freed slots are now reserved for the waiting agent (30s
TTL)
- Request timeouts extended to 150s for long-running browser operations
- file:// URLs now allowed for local development
- Improved error messages for content script failures

v0.5.5 - Windows Support

New:
• Windows 10/11 support - Now works on Windows with named pipes for IPC
• Path security validation - Prevents injection attacks via null bytes and path traversal

Fixed:
• Support link in popup now opens correctly

Security:
• Environment variable validation for temp directories
• PowerShell installer uses safe JSON serialization

v0.5.4 - Security hardening + performance optimization

Security:
• Expression validation - firefox_evaluate now blocks dangerous patterns (fetch, eval, document.cookie,
localStorage, XMLHttpRequest)
• Agent ID truncation - Privacy-enhanced logging shows truncated IDs in all outputs
• Loop prompt sanitization - Preview field limited to 100 characters

Performance:
• Selector search optimization - 100 element limit per category with early exit
• Screenshot mutex timeout reduced from 5s to 3s for faster multi-agent feedback

v0.5.3: Reconnection resilience + diagnostics

Features:
• Auto-reconnect - Extension automatically reconnects when the native host disconnects (exponential backoff from 1s to 30s, max 10 attempts)
• New firefox_diagnose tool - Comprehensive connection health check that validates socket, auth token, and provides actionable fix recommendations
• MCP retry logic - Automatic retry with exponential backoff for transient connection failures

Improvements:
• Better error messages - Connection errors now show diagnostic info (socket/auth token state) with specific fix instructions
• Updated MCP SDK (0.5.0 → 1.25.2) for Claude Code 2.1.x compatibility

Bug fix:
- Fixed Support link to open https://claudezilla.com/support instead of local page