fix: address 22 user-facing frictions #1

Merged: sheeki03 merged 7 commits into main from fix/22-user-frictions, Mar 23, 2026

@sheeki03 (Owner)

Summary

Fixes 22 user-facing frictions identified during exhaustive manual testing of the CLI, REST API, MCP HTTP, and browser tools — ranging from blocking first-run issues to minor paper cuts.

Changes by area

CLI (src/index.ts)

  • Node >= 22 enforcement via bin/schrute.cjs launcher
  • skills delete --yes confirmation prompt
  • config get --reveal for sensitive values
  • skills list --status filter
  • --url/--token on all remote-capable subcommands
  • Rate-limit auto-retry for execute (both daemon and remote paths)
  • Progress indicators on long operations (explore, execute, stop, discover)
  • serve prints masked auth token, REST vs MCP auth note, SCHRUTE_DATA_DIR help

Import (src/app/import-service.ts — new)

  • Extracted from src/index.ts for testability
  • Preview before overwriting, --yes flag
  • Transactional site+skill writes via db.transaction()
  • Policy persistence via setSitePolicy()
  • Preserves existing createdAt on skill updates

REST Server

  • Empty JSON body no longer returns 400
  • Deprecation header on v0 routes

MCP HTTP

  • mcp-http: caller ID prefix for admin auth
  • Opt-in server.mcpHttpAdmin config flag (validated as boolean)

Tools

  • browser_fill_form explicit schema + better error message
  • schrute_capture_recent description clarifies CDP requirement
  • Skill search: lexical relevance filter (quality boosts are tie-breakers only)
  • Batch execute: rate-limit retry with capped wait (max 30s)

Infrastructure

  • Test isolation via SCHRUTE_DATA_DIR temp dir (vitest globalSetup)
  • config-env.test.ts env var save/restore to prevent cross-test leaks
  • Doctor audit chain downgraded from FAIL to WARNING
  • OpenAPI discovery: 5 additional probe paths
  • README: MCP HTTP Accept header note

Files changed

  • 26 files, ~1244 insertions, ~268 deletions
  • 4 new files: bin/schrute.cjs, src/app/import-service.ts, tests/global-setup.ts, tests/unit/import-service.test.ts

Test plan

  • npx tsc --noEmit — clean
  • npx vitest run — 177 files, 2850 tests pass
  • CodeRabbit review — 7 findings addressed (4 fixed, 3 pre-existing/out-of-scope)
  • Manual: schrute skills delete <id> prompts, --yes skips
  • Manual: schrute config get server.authToken masked, --reveal shows full
  • Manual: schrute import <file> shows preview, --yes skips prompt
  • Manual: schrute serve --http shows auth token hint
  • Manual: POST empty body to REST API returns 200
  • Manual: v0 routes return Deprecation: true header

@chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a90997014f

headers,
body: body ?? undefined,
redirect: 'manual', // Surface redirects to executor for per-hop validation
credentials: 'include', // Include cookies (cf_clearance, session tokens) on all requests
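
Review bot: credentials: 'include' is set unconditionally in these fetch options, and its inline comment confirms it applies "on all requests", so every replay carries whatever cookies the browser holds for the target origin, including origins other than the one the session belongs to. Consider choosing the mode per request, for example 'same-origin' by default and 'include' only when the site's policy marks cookies as required. Since redirect: 'manual' hands each hop back to the executor, the comment should also say whether a re-issued hop keeps the same credentials mode.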

P1: Keep browser-proxied fetches uncredentialed unless cookies are required

Setting credentials: 'include' here turns every Tier-3 replay into a credentialed CORS request. That breaks any skill whose browser session is on one origin but the learned API lives on another (for example www.example.com calling api.example.com, or any public third-party API): browsers now require Access-Control-Allow-Credentials: true and reject the common Access-Control-Allow-Origin: * responses that worked before. The Cloudflare/session-cookie cases this change targets need credentials, but making it unconditional regresses cross-origin replays that previously succeeded.

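The credentialed-CORS behaviour described in the comment above, as an added example that is not code from this pull request: a TypeScript model of the browser's CORS response check, plus one way to pick the credentials mode per request. The function names and the cookiesRequired flag are hypothetical, and the URLs are constructed from the origins named in the comment.

```typescript
// Added example; all names are hypothetical, not the project's API.
type CredentialsMode = 'omit' | 'same-origin' | 'include';

interface CorsResponseHeaders {
  allowOrigin?: string;      // Access-Control-Allow-Origin
  allowCredentials?: string; // Access-Control-Allow-Credentials
}

// Pick the narrowest mode: cookies go to the page's own origin by default,
// and cross-origin only when the site policy (assumed flag) requires them.
function chooseCredentials(
  pageOrigin: string, targetUrl: string, cookiesRequired: boolean,
): CredentialsMode {
  const sameOrigin = new URL(targetUrl).origin === new URL(pageOrigin).origin;
  if (sameOrigin) return 'same-origin';
  return cookiesRequired ? 'include' : 'omit';
}

// Would the browser expose this response to the calling script?
function corsAllows(
  pageOrigin: string, targetUrl: string,
  mode: CredentialsMode, h: CorsResponseHeaders,
): boolean {
  const origin = new URL(pageOrigin).origin;
  if (new URL(targetUrl).origin === origin) return true; // no CORS check
  if (mode !== 'include') {
    // Uncredentialed cross-origin: wildcard or an exact origin echo passes.
    return h.allowOrigin === '*' || h.allowOrigin === origin;
  }
  // Credentialed: wildcard is rejected and Allow-Credentials must be "true".
  return h.allowOrigin === origin && h.allowCredentials === 'true';
}

// Constructed sample: session on www.example.com, learned API on api.example.com.
const PAGE = 'https://www.example.com';
const API = 'https://api.example.com/v1/items';
const WILDCARD: CorsResponseHeaders = { allowOrigin: '*' };
const CREDENTIALED: CorsResponseHeaders = {
  allowOrigin: 'https://www.example.com', allowCredentials: 'true',
};

console.log('include + ACAO *  :', corsAllows(PAGE, API, 'include', WILDCARD));
console.log('omit + ACAO *     :', corsAllows(PAGE, API, 'omit', WILDCARD));
console.log('chosen for the API:', chooseCredentials(PAGE, API, false));
```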

Comment on lines +73 to +74
// When intent is provided, require at least one lexical match
const relevant = scored.filter(s => s.relevance > 0);
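
Review bot: the comment on the first added line says the filter applies "when intent is provided", but nothing in these two lines checks for intent, so that condition has to hold somewhere outside the hunk. If this code can run with an empty intent and relevance is 0 for every item in that case, the filter returns nothing. Either guard the filter explicitly here or say in the comment where the intent check happens, and state what the caller gets back when relevant is empty.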

P2: Don't discard FTS matches that only match after stemming

searchAndProjectSkills() still feeds FTS results through rankToolsByIntent(), and the FTS index uses the porter tokenizer in src/storage/database.ts. After this filter, queries like users can match user in FTS but still be dropped here because relevance only counts literal substring hits. In practice the REST/MCP search endpoints will now return no results for many singular/plural or stemmed queries even though SQLite already found valid matches.

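The mismatch described in the comment above, as an added example that is not the project's ranking code: a literal-substring relevance score drops a candidate for the query "users", while a score that normalizes both sides keeps it. All names are hypothetical, the sample skills are constructed, and normalize() is a simplified plural stripper standing in for a real stemmer, not the porter tokenizer.

```typescript
// Added example; hypothetical names, constructed data.
interface Candidate { name: string; description: string; }
type Scorer = (intent: string, c: Candidate) => number;

// Simplified stand-in for stemming: strips common plural endings only.
function normalize(token: string): string {
  const t = token.toLowerCase();
  if (t.length > 4 && t.endsWith('ies')) return t.slice(0, -3) + 'y';
  if (t.length > 3 && t.endsWith('s') && !t.endsWith('ss')) return t.slice(0, -1);
  return t;
}

function tokens(text: string): string[] {
  return text.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
}

// Literal scoring: a query token counts only if it is a substring of the text.
function literalRelevance(intent: string, c: Candidate): number {
  const hay = `${c.name} ${c.description}`.toLowerCase();
  return tokens(intent).filter(q => hay.includes(q)).length;
}

// Stem-aware scoring: compare normalized tokens on both sides.
function stemRelevance(intent: string, c: Candidate): number {
  const hay = new Set(tokens(`${c.name} ${c.description}`).map(normalize));
  return tokens(intent).filter(q => hay.has(normalize(q))).length;
}

// Same shape as the filter under review: keep items with relevance > 0.
function filterRelevant(intent: string, cs: Candidate[], score: Scorer): string[] {
  return cs.filter(c => score(intent, c) > 0).map(c => c.name);
}

// Constructed sample skills.
const SAMPLE: Candidate[] = [
  { name: 'get_user', description: 'Fetch one user profile' },
  { name: 'list_orders', description: 'List recent orders' },
];

console.log('literal:', filterRelevant('users', SAMPLE, literalRelevance));
console.log('stemmed:', filterRelevant('users', SAMPLE, stemRelevance));
```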

…ser tools

Node version enforcement (bin/schrute.cjs), test DB isolation via
SCHRUTE_DATA_DIR, serve auth token hint, skills delete --yes, empty
body parser, CLI rate-limit auto-retry, MCP HTTP admin opt-in, import
preview with transactional writes + policy persistence, OpenAPI probe
paths, progress indicators, doctor audit chain downgraded to warning,
browser_fill_form schema, v0 deprecation header, --url/--token on
subcommands, search ranking lexical filter, config get --reveal,
skills list --status, batch execute rate-limit retry, README MCP note.

@sheeki03 force-pushed the fix/22-user-frictions branch from a909970 to a7e1beb, March 20, 2026 16:53

Detect Cloudflare challenges during execution, apply permanent
browser_required tier lock, suppress direct probes, persist
browserRequired flag in site policy, and skip auto-validation
for browser-required skills.

…wser idle cleanup

Recovery CDP sessions now auto-close after 60s idle. Agent-browser
exec sessions track lastUsedAt and are swept by the engine's periodic
session sweep using the configured browser idle timeout. Metadata
files on disk provide crash-recovery cleanup on startup. Chrome
process-tree termination uses both async and sync paths for normal
and exit-handler contexts.

… HTML extraction, workflows

Response transforms (jsonpath, regex with worker isolation, CSS via
cheerio). Export as curl/fetch.ts/requests.py/playwright.ts. Parallel
batch execution with write barriers and policy-driven concurrency.
HTML document classification in noise filter for server-rendered sites.
Linear workflow executor with preflight validation, param mapping,
per-step transforms, caching, and browser-handoff propagation.

Add async waitForPermit() that sleeps until tokens refill or backoff
clears. Add minGapMs to SitePolicy (default 100ms) for minimum
inter-request spacing. Workflow steps use waitForPermit instead of
immediate fail-fast checkRate, fixing same-site rate-limit failures
in sequential workflows.

Update 30+ test files for browser-required, lifecycle, transforms,
export, batch, workflows, rate limiter, and HTML extraction. Add
tests/live/ integration suite (httpbin, coingecko, hackernews) with
dedicated vitest.live.config.ts. Live tests excluded from default
runs via vitest.config.ts exclude.

…ison

Update benchmarks with real CoinGecko data (310ms first, 63ms warm).
Add browser-required lock explanation. Update competitive comparison
with Browser-Use, Stagehand, Skyvern. Add CLI examples for new
commands (--status, --reveal, --yes, set-transform, export).

@sheeki03 merged commit d8d4a2d into main, Mar 23, 2026
1 check failed

@sheeki03 deleted the fix/22-user-frictions branch, March 23, 2026 18:59