v0.3.1

WebLoom v0.3.1

In-chat marketplace

Buyers and authors no longer have to leave Claude chat to interact with the WebLoom marketplace.

9 new tools:

• webloom_pair link this engine install to your webloom.run account
• webloom_browse filter the catalog by query / tier / framework / category
• webloom_thread_info pre-purchase detail for one Thread
• webloom_install install free / owned / paywalled Threads (price + consent gate before any checkout)
• webloom_library re-install on a new machine without paying twice
• webloom_open_bounties find Threads any author can claim and ship
• webloom_my_threads author dashboard from inside chat
• webloom_claim_bounty claim an open bounty from inside chat
• webloom_publish_thread submit a Thread JSON for admin review from inside chat

Misc

• tiktok_post_video caption now uses real CDP keystrokes through Draft.js (caption was previously silently dropped on some accounts)
• Engine never holds payment data; checkout always via Polar in the user browser
• Session token stored locally at ~/.webloom/auth.json (mode 0600)
• All payment-touching actions audited server-side

v0.3.0 — Telemetry pipeline + TikTok crack + trust pass

Major

• Engine telemetry pipeline — opt-in OFF by default. New CLI: python server.py telemetry on|off|status|preview. Persisted in ~/.webloom/config.json. After every tool call, sends {tool, ok, error_class, duration_ms, engine_version, anon_id, ts} to webloom.run — zero URLs, zero content, zero identity. See https://webloom.run/transparency.
• TikTok crack — tiktok_sign exposes the in-page byted_acrawler signer for any URL (returns x-bogus + msToken). tiktok_post_video drives end-to-end UI upload (drop → caption → privacy → post). Selectors all overridable as args.
• X.com transaction-id RE (x_create_tweet) — vendored XClientTransaction, reverses the body-signed anti-replay header. Real tweet shipped via this path.
• Tool descriptions now ship escalation ladders — upload_file, click, fill each end with 'IF ALL FAIL — DO NOT GIVE UP, try X, Y, Z'. Stops other AI sessions from bailing prematurely.
• draftjs_set_text — chunked beforeinput (16-char) for long X posts. No more MCP timeout on full-length tweets.
• react_invoke_handler — fiber-walks the React tree and calls onClick directly. Bypasses DOM-event-blocking overlays (LinkedIn interop-outlet pattern).

Trust signals (because AI installers were rejecting installs)

• SECURITY.md documenting threat model, data boundary, code provenance, reporting path
• README rewritten to lead with what WebLoom does + does NOT do, privacy defaults, uninstall path
• Install doc at webloom.run/install rewritten — no more 'do this without asking', every step explained

Other

• Engine version bumped 0.2.0 → 0.3.0
• vendor/x_client_transaction/ for X signing math (MIT, ~424 LOC)
• Multi-handler click fallback now records which handler succeeded to playbook
• New shadow-DOM-aware upload_file Strategy E for LinkedIn composer + Lit-based dashboards

License

MIT — same as 0.2.0.