Releases: fullselfbrowsing/FSB
Release list
extension-v0.9.90
FSB extension v0.9.90
FSB Automation Beta v0.9.90 - Native Capability Catalog + MCP 0.10.0
Automation-branch beta for testing the Native Capability Catalog, MCP 0.10.0 surface, upload_file, and PhantomStream 0.2.1 media mirroring.
Target branch/commit: automation @ 46d2b6f
Versions:
- Extension: 0.9.90
- MCP server: 0.10.0
What changed:
- Adds the Native Capability Catalog preview with the two public MCP capability tools: search_capabilities and invoke_capability.
- Keeps capability tools out of TOOL_REGISTRY while exposing them on the MCP runtime surface; runtime now reports 66 MCP tools and the extension registry remains at 56 tools.
- Adds upload_file(selector, file_path, tab_id?) for real file inputs and styled dropzones, with absolute-path validation and sensitive-path denylist handling.
- Updates PhantomStream to the 0.2.1 DOM streaming boundary with reference-mode media mirroring for progressive video/audio nodes. Adaptive HLS/DASH discovery remains deferred because it would require a new webRequest permission.
- Keeps Lattice 1.3.0 in place from the prior automation beta.
- Tightens known-site API capability behavior: unverified GitHub issue creation and Slack missing-token paths now fail closed with RECIPE_DOM_FALLBACK_PENDING so callers continue through DOM tools instead of treating the task as complete or fatally failed.
- Normalizes capability search result sideEffectClass values to read, mutate, or destructive.
- Refreshes README, MCP README, and extension README for the public beta surface and safety boundaries.
Tester install:
- Extension: download fsb-extension-v0.9.90-automation-beta-native-capability.1.zip, unzip it, open chrome://extensions, enable Developer mode, choose Load unpacked, and select the unzipped folder.
- MCP beta tarball: download fsb-mcp-server-v0.10.0-automation-beta-native-capability.1.tgz and install locally with:
npm i -g ./fsb-mcp-server-v0.10.0-automation-beta-native-capability.1.tgzThis is a GitHub prerelease only. It is not a Chrome Web Store release and does not publish fsb-mcp-server@0.10.0 to npm.
Known beta boundaries:
- Capability Catalog is still preview-scoped.
- Unverified first-party write recipes should continue through DOM fallback.
- No Discord production recipes or handlers are included in this beta.
- Live authenticated-site UAT remains tester-driven.
Verification:
- PR #90 merged cleanly into automation.
- GitHub CI passed: extension, MCP, showcase, all-green.
- Local package checks completed: npm run package:extension and npm pack for mcp.
SHA-256:
- ce7dc31ea721c371ed6f3052a0d954f15ef8c52be0475ff0613a38be4d310e3d fsb-extension-v0.9.90-automation-beta-native-capability.1.zip
- 23032ff81b346fb2353addf78bcc98cf7fc01eb7b0d4d65afebadd406ef7bf59 fsb-mcp-server-v0.10.0-automation-beta-native-capability.1.tgz
FSB Automation Beta v0.9.90 - Lattice 1.3.0
Automation-branch beta for testing the public Lattice package integration.
Target branch/commit: automation @ 8681afa
What changed:
- Replugs the extension runtime from the local Lattice checkout to @full-self-browsing/lattice@1.3.0 via the existing lattice alias.
- Includes @full-self-browsing/lattice-cli@1.3.0 verification guardrails.
- Includes the regenerated offscreen Lattice host bundle in the extension package.
- Keeps this out of main, Chrome Web Store, and the public extension release stream.
Verification run before release:
- npm run test:lattice
- npm run validate:extension
- npm run package:extension
- ZIP contents verified to include offscreen/lattice-host.html and dist/offscreen/lattice-host.js.
Manual test install:
- Download fsb-extension-v0.9.90-automation-beta-lattice.1.zip.
- Unzip it locally.
- Open chrome://extensions.
- Enable Developer mode.
- Click Load unpacked and select the unzipped folder.
SHA-256:
6b0ec633430808b844015da800acb146506f0be6040d53874fbef4d258603a9e
v0.9.72 Stats refresh, presence telemetry, and owner-chip client names
Highlights
This release polishes the public Stats page, broadens the active users metric so installed extensions count even when idle, brings the chrome client name into the owner chip, and locks the chat input when a tab is being driven by an external agent. It also closes four P2 Codex review findings on the same code paths.
/stats page
The Average agents per user tab now renders a real chart inside the chart card. Previously a large headline number escaped the container and overlapped the footer. The chart shows a daily series of agents active divided by unique installs over the last thirty days.
The Issues tab Sankey labels now sit fully inside the diagram. The two outside the node labels were being clipped by the SVG viewBox edges. Nodes shifted inward symmetrically so Opened and Closed labels stay visible at any width.
The Commits and Cumulative commits tabs collapsed into a single Commits tab. The cumulative line is the more informative of the pair so it kept the slot and inherited the shorter label.
The page heading now reads Stats for nerds. The FSB prefix and the dot were dropped from the visible H1. The browser tab title still shows FSB plus Stats for share and tab brand context.
Active right now metric
Idle installed extensions are now counted as active. Previously the metric only counted installs that were currently running MCP agent sessions. With this release the telemetry collector emits a presence event on each five minute beat when there is no other activity to report, so an extension that is installed and connected to the server shows up as active even when no agent is running. A new guard suppresses the presence event when retry events are still pending in the queue, so the heartbeat never causes telemetry loss at queue cap.
Owner chip and chat input lock
When a tab is owned by an external agent, the chip in the popup and sidepanel header now reads owned by Claude or owned by Codex or whichever client is driving the tab. The chip previously showed a six character hex prefix of the internal agent id. The MCP client label is sourced from the same allowlist the telemetry server enforces.
The chat input is now locked while the chip is visible. Typing is disabled with a tooltip explaining the lock, and the send button is greyed out. The lock composes cleanly with the existing send button enable and disable logic, so the normal lifecycle is preserved when ownership is released. The popup now subscribes to storage changes so ownership flips while the popup is open are picked up live, matching the sidepanel.
Per agent client labels are now serialized through a promise chain mutex when written to chrome storage. Concurrent dispatches in hub mode no longer clobber each other, and a reconnect cannot resurrect a stale label even if a fire and forget write was already in flight.
Codex review
The four P2 findings raised by Codex on the original PR are all addressed in this release. The fixes cover the label storage race, the reconnect stale write window, the heartbeat backlog interaction, and the missing popup ownership listener.
Tests
The full CI suite is green on the merge commit. Telemetry collector coverage went from 105 to 116, owner chip coverage from 39 to 50, MCP dispatcher client label coverage from 45 to 51, and the wire payload internal fields test stays at 15. The MCP smoke and showcase build and crawler smoke jobs all pass.
Install
Drop the attached fsb-extension-v0.9.72.zip into chrome://extensions and load unpacked, or wait for the Chrome Web Store listing to roll the new version.
FSB v0.9.67: stats overhaul + telemetry attribution + MCP numeric coercion
Highlights
This release rolls everything since v0.9.65 (2026-05-14) into one extension package. Three threads landed in parallel:
Telemetry attribution (mcp_client field)
- PR #57 (
cd07d9b6) — Fixed the WS dispatcher leak that recorded everytelemetry_events.mcp_clientasunknown. The dispatcher was passing the bridge-instance object into the recorder where a string label was expected. Now extracts the canonical client label frompayload.visualSession.client. - PR #59 (
ca95f919) — Closed the second half of the leak: non-action message routes (agent:register,mcp:get-tabs,mcp:get-dom,mcp:get-diagnostics,mcp:read-page) never carry avisualSession.clientsidecar, so they kept writingunknowneven after PR #57. Added a per-agent label cache in the dispatcher so subsequent non-action calls from a known agent inherit its label.
/stats dashboard
- PR #58 (
bde9dcc0) — Replaced 8 chart views with richer visualizations: lollipop (weekly stars), sankey (issues), dual-axis (forks), streamgraph (PRs), punchcard bubble matrix (commits over time), gantt strip (maintenance), radial gauge, sparkline ring buffer, big-number tile. - PR #53 (
3e1f7d16) — Codex P1 follow-ups on PR #50: serializedrecordDispatchr-m-w against concurrent dispatches, strippedattemptsfrom the POST body. - PR #61 (
d587a599) — Moved all GitHub API calls off the Angular client onto a server-side 5-min poller backed by SQLite./statsnow reads from same-origin/api/public-stats/github/:endpoint_id. Stops every visitor's browser from burning the shared 60-req/hr GitHub rate limit; one authenticated server poller can use the 5000-req/hr quota instead. CSP tightened toconnect-src 'self'. - PR #62 (
0bdbfd77) — Lowered the housekeeper k-anonymity floor from5to2so/statsactually surfaces real MCP client names. At single-digit total install counts, no real label could mathematically clear k=5 and the chart stayed atOther (uniq=6)forever. Raise back to5once installs exceed~50.
MCP server (fsb-mcp-server)
- PR #63 (
9c25405b) — Coerced string-encoded numeric tool params (tabId,tab_id,count,limit,topN). Some MCP clients (observed: Claude Code) serialize integers as JSON strings on the wire, which the server's barez.number()rejected withExpected number, received string. Single fix point at thejsonSchemaToZodtranslator plus 7 hand-rolled Zod sites. Note: this fix ships withfsb-mcp-server@0.9.2(release pending).
Plumbing
- PR #51, #52, #54, #55, #56 —
/statsSPA route wiring, CSP for GitHub API (later removed by #61), CI showcase deps, cumulative-commits chart,0.9.65 → 0.9.66version bump.
Install
Download fsb-extension-v0.9.67.zip from the assets below, unzip, and load the unpacked directory at chrome://extensions (Developer mode → Load unpacked).
Validation
node scripts/validate-extension.mjs→ OK (manifest valid, 245 JS files parsed clean)npm test→ all suites green- Manifest V3, name
FSB v0.9.67, version0.9.67, 362 files, 13 MB on disk
fsb-mcp-server v0.9.2
Install / Update
npx -y fsb-mcp-server@0.9.2Or install globally:
npm i -g fsb-mcp-server@0.9.2Install into MCP clients:
npx fsb-mcp-server install --allWhat's Changed
- chore(mcp): bump fsb-mcp-server 0.9.1 -> 0.9.2 to ship numeric-param coercion by @LakshmanTurlapati in #64
Full Changelog: v0.9.67...mcp-v0.9.2
fsb-mcp-server v0.9.1
Install / Update
npx -y fsb-mcp-server@0.9.1Or install globally:
npm i -g fsb-mcp-server@0.9.1Install into MCP clients:
npx fsb-mcp-server install --allWhat's Changed
- v0.9.69 — Anonymous Telemetry Pipeline + Showcase Dashboard Streaming Fix by @LakshmanTurlapati in #50
- hotfix: serve /stats SPA shell on showcase server (was 404 in prod) by @LakshmanTurlapati in #51
- fix(showcase-csp): allow api.github.com so /stats charts populate by @LakshmanTurlapati in #52
- fix(telemetry): address Codex PR #50 P1 review findings (recordDispatch race + attempts wire leak) by @LakshmanTurlapati in #53
- ci(chrome-extension): install showcase/server + showcase/angular deps so npm test passes by @LakshmanTurlapati in #54
- feat(stats): add cumulative-commits all-time line chart to /stats by @LakshmanTurlapati in #55
- chore(release): bump version 0.9.65 -> 0.9.66 by @LakshmanTurlapati in #56
- fix(telemetry): record real mcp_client label instead of 'unknown' (extension WS dispatcher leak) by @LakshmanTurlapati in #57
- feat(stats): replace 8 chart views with richer visualizations (lollipop, sankey, punchcard, streamgraph, dual-axis, gantt, radial gauge, sparkline, big-number tile) by @LakshmanTurlapati in #58
- fix(telemetry): populate mcp_client on non-action MCP message routes by @LakshmanTurlapati in #59
- chore(mcp): bump fsb-mcp-server 0.9.0 -> 0.9.1 to ship Hermes allowlist fix by @LakshmanTurlapati in #60
Full Changelog: v0.9.65...mcp-v0.9.1
FSB v0.9.65: Hermes MCP client allowlist + version bump
Highlights
Adds Hermes to the trusted MCP visual-session client allowlist. Prior to this release, every action-tool call from a Hermes-labeled MCP client was rejected with Visual session contract / Client label "Hermes" is not on the trusted v0.9.36 badge allowlist. Closes #47.
Also bumps the project version 0.9.64 → 0.9.65 across the Chrome extension, root package, showcase Angular app, README badges, and Chrome Web Store listing copy.
What's fixed
mcp/src/tools/visual-session.ts— Added'Hermes'toMCP_VISUAL_CLIENT_LABELS.extension/utils/mcp-visual-session.js— Added'Hermes'to the extension-side mirror so the dispatcher's allowlist check matches the MCP side. The shared allowlist now contains 13 canonical client labels: Claude, Codex, ChatGPT, Perplexity, Windsurf, Cursor, Antigravity, OpenCode, OpenClaw, OpenClaw 🦀, Grok, Gemini, Hermes.
Version bump
Bumped 0.9.64 → 0.9.65 in:
package.json(version, zip script, badge URL)extension/manifest.json(name + version)README.md(title, badge, status banner)extension/README.mdstore-assets/chrome-web-store/listing-copy.mdmcp/README.md(cross-reference parenthetical)showcase/angular/package.json+package-lock.jsonshowcase/angular/src/app/core/seo/version.ts+public/llms-full.txt+public/sitemap.xml(regenerated byscripts/build-crawler-files.mjs)
The MCP package version (fsb-mcp-server@0.9.0) is independent and unchanged. Frozen contract anchors (v0.9.36, v0.9.60, v0.9.61, v0.9.62) referenced in source comments and tests are historical phase markers, also unchanged.
Compatibility
- No protocol or schema changes. Existing agents and MCP clients continue to work unmodified.
- To pick up the Hermes allowlist fix, reload the FSB Chrome extension. No MCP server redeploy is required (the MCP server's allowlist was already updated server-side as part of this release).
Verification
mcp-visual-session-contract: 116/116 passvisual-session-schema-lock: 314/314 passmcp-version-parity: 10/10 passskill-fsb-spec: 48/48 pass- CI on both release PRs (#48, #49): extension ✅, mcp ✅, showcase ✅
Download
The packaged Chrome extension (fsb-extension-v0.9.65.zip) is attached below. To install:
- Download and unzip.
- Open
chrome://extensions, enable Developer mode. - Click Load unpacked and select the unzipped directory.
Or get it from the Chrome Web Store once the store review completes.
Pull Requests
FSB v0.9.64: Implicit Visual Session Contract - navigate bootstrap fix
Highlights
Closes a contract-consistency gap in the v0.9.62 Implicit Visual Session Contract (Codex P2 from PR #33). The navigate recovery branch for NO_OWNED_TAB now records the implicit visual-session lifecycle tick on success, matching the existing open_tab / switch_tab bootstrap paths. Before this fix, an agent's very first navigate call (no owned tab yet) would proceed without ever starting or refreshing the implicit visual session, even though visual_reason and client were required on the call.
This is a Chrome-extension-only patch. The MCP server (fsb-mcp-server@0.9.0) and the showcase site are unchanged from v0.9.63.
What's fixed
extension/ws/mcp-bridge-client.js— Thenavigate+NO_OWNED_TABrecovery branch now mirrors theopen_tab/switch_tabpost-dispatch pattern: await the dispatch, onsuccess === trueextractdispatched.tabId, then call_recordVisualSessionTickIfPresentand_clearVisualSessionIfFinal. Failed dispatches do not record a tick (no overlay for a failed action). Result: all three bootstrap entry points (open_tab,switch_tab,navigate-bootstrap) now uniformly start / refresh the implicit visual session.
What changed in tests
tests/mcp-visual-session-contract.test.jsandtests/visual-session-schema-lock.test.jsnow fail loud with an actionable remediation message (npm --prefix mcp run build) whenmcp/build/tools/manual.jsis older thanmcp/src/tools/manual.ts. A stale build had previously masquerade as a "contract hole" by running pre-Phase-255 compiled code that lackedvalidateVisualSessionFields.
Version bump
v0.9.63 was a showcase-only release; the Chrome extension stayed at 0.9.62. This release lifts the extension surfaces to 0.9.64:
package.jsonextension/manifest.json(name + version)showcase/angular/package.json(lockstep, no showcase code change)
Compatibility
- No protocol or schema changes. Existing agents and MCP clients continue to work unmodified.
- To see the fix, reload the FSB Chrome extension. No MCP server redeploy is required.
Verification
- 79/79
mcp-visual-tick-lifecycle, 66/66recovery-tools-bootstrap, 16/16visual-session-agent-scoped, 30/30agent-tab-resolver, 23/23ownership-error-codes, 116/116mcp-visual-session-contract, 314/314visual-session-schema-lock. - Staleness guard verified: touched build mtime to 2020 → both tests bail with actionable error; after
npm --prefix mcp run buildboth pass. - CI on the release commit: extension ✅, mcp ✅, showcase ✅.
FSB Showcase v0.9.63: Marketing Site i18n
Highlights
This release internationalizes the FSB marketing site (showcase/angular) across six locales: English, Spanish, German, Japanese, Simplified Chinese, and Traditional Chinese. English remains the source of truth. Copy drift is locked by hard-fail CI gates. Every marketing route renders at prerender time with correct hreflang and canonical fan-out, and a first-visit user landing on / is auto-redirected to the locale subpath that best matches their browser's Accept-Language header.
This is a showcase-only milestone. The Chrome extension, MCP server, and FSB Skill packages are unchanged from v0.9.62 and v0.9.0 respectively.
What's new
- Shared 6-locale registry (
en,es,de,ja,zh-CN,zh-TW) mirrored across the Angular ESM front-end and the Express CJS server, with averify-locale-sync.mjsCI invariant that fails the build on any drift. - 420 translatable strings across seven namespaces (
shell,picker,home,about,agents,privacy,support) marked viai18nattributes and$localizetagged templates, including TS-sideTitleandMetafor SEO. - AI-filled target XLIFFs for all five non-English locales.
i18nMissingTranslationis set toerrorinangular.json, so any unfilled<trans-unit>fails the build. - 30 prerendered
index.htmlfiles emitted per build (six marketing routes across five locale subpaths plus the English root). Each carries<link rel="alternate" hreflang>fan-out (includingx-default), a single locale-specific<link rel="canonical">, and<html lang>matching the served locale. - Server-side Accept-Language auto-detection middleware on
/. BCP-47 q-value parsing, alias resolution (e.g.zh-Hant-TW→zh-TW), cookie-respecting (existingfsb-localepicker choice wins), bot-safe (noAccept-Languageheader means no redirect, preserving the Googlebot crawl path). - Standalone
LanguagePickerComponentmounted in the desktop nav, mobile nav, and footer on every prerendered route. CJK font stacks scoped via:lang()selectors using system fonts only (no webfont download).
What changed in CI
lint:i18n(@angular-eslint/template/i18nwithcheckId/checkText/checkAttributes) promoted to a hard-fail step in the website job.extract-i18n-cleangate asserts the committedmessages.xlfis byte-equal to a freshng extract-i18noutput.verify-locale-syncruns pre-build and enforces parity between the Angular and Express locale registries.verify:hreflangruns post-build and asserts hreflang plus canonical correctness across all 30 prerendered HTMLs.verify-bundle-budgetschecks per-locale gzipped main-bundle sizes against the locked budget.
The full website CI chain runs install → verify-locale-sync → lint:i18n → extract-i18n-clean → ng build → verify:hreflang → verify-bundle-budgets on every push.
Compatibility
- Marketing site users see new locale subpaths (
/es/,/de/,/ja/,/zh-CN/,/zh-TW/). The English root canonical stays at the bare path, so existing SEO surfaces are preserved. - Server behavior change: a
GET /request with anAccept-Languageheader preferring a non-English supported locale now returns a302redirect to the matching subpath instead of serving the English root. Cookie-driven explicit picks (fsb-locale) override this. Bots and other clients with noAccept-Languageheader continue to receive the English root. - The Chrome extension, MCP server (
fsb-mcp-server@0.9.0), and FSB Skill packages are unchanged.
Verification
Milestone audit summary:
- 14 of 14 v0.9.63 requirements satisfied.
- 7 of 7 phases shipped with
VERIFICATION.mdartifacts (status: passed). - 12 of 12 cross-phase integration points verified.
- 3 of 3 end-to-end flows passing (first-visit Accept-Language redirect, picker cookie persistence, full CI gate chain).
- Full CI green on the merge commit: extension, MCP, and showcase jobs plus the
all-greengate.
Audit artifacts: .planning/milestones/v0.9.63-MILESTONE-AUDIT.md, .planning/phases/v0.9.63-INTEGRATION-CHECK.md, six per-phase VERIFICATION.md files under .planning/phases/{261,262,264,265,266,267}-*/.
Known caveats
- Picker cookie short-circuits the bare-
/redirect. Returning users whosefsb-localecookie is set will see the English prerender at the root on a fresh tab or shared link rather than being re-redirected to their preferred locale. This is intentional under the v0.9.63 cookie-wins rule (locked in267-CONTEXT.mdD-02 / T-267-03); revisit candidate for a future UX milestone. - Dashboard surface is intentionally untranslated in v0.9.63.
showcase/angular/src/app/pages/dashboard/**is carved out by--ignore-patterninpackage.json:lint:i18n; deferred to v0.9.65. - Extension UI, popup, and MCP server / skills text remain English-only by design.
Milestone scope
7 phases (261, 262, 264, 265, 266, 267, 268) -- 263 was dropped (dashboard deferred). Phase 268 was a post-audit cleanup that deduplicated the server.js supported-locale literal against the CJS registry and backfilled the six per-phase VERIFICATION.md artifacts the milestone template expects.
Branch feat/showcase-i18n merged to main via #42.