- Split auth into focused package modules for agent keys, file keys,
signing, and post-quantum transport helpers while keeping the public
browser_cli.auth import surface intact.
- Move transport encoding internals into a package with separate codec and
binary-hoisting helpers, preserving browser_cli.transport compatibility.
- Extract remote TCP auth/socket helpers and serve challenge setup out of the
runtime paths to make connection handling easier to reason about.
- Move the extension markdown extractor into a dedicated content/markdown
folder with separate root selection, code normalization, renderer, and utils.
- Centralize CLI Rich rendering helpers for tab/window tree and table output,
and add rendering tests for the shared builders.
- Remove local typing ignores in SDK/decorator/script plumbing and bump the
package and extension version to 0.15.3.
- Add safe-by-default policy gates for raw command surfaces: command, script, and serve-http /command.
- Require explicit opt-ins for page reads, browser control, and high-risk commands such as dom.eval, storage.*, and screenshots.
- Remove all cookies support from CLI, SDK, extension commands, permissions, constants, docs, and tests.
- Add diagnostic, events, watch, workspace, remote, raw command, script, HTTP gateway, tree-view, session import/export, and extension info/capability commands.
- Add Chrome Web Store packaging that strips manifest.key while keeping local packages with a stable native-messaging extension ID.
- Bump browser-cli and extension version to 0.14.1 and cover the new behavior with pytest and extension packaging tests.
BREAKING CHANGE: cookies commands and the b.cookies SDK namespace have been removed; generic raw command execution now blocks non-safe commands unless explicitly allowed.
daniel156161
