diff --git a/.planning/phases/01-stabilize-video-pipeline/01-11-RESEARCH.md b/.planning/phases/01-stabilize-video-pipeline/01-11-RESEARCH.md
new file mode 100644
index 0000000..2399e0b
--- /dev/null
+++ b/.planning/phases/01-stabilize-video-pipeline/01-11-RESEARCH.md
@@ -0,0 +1,986 @@
+# Phase 1 · Plan 01-11 — Puppeteer UAT Harness · Research
+
+**Researched:** 2026-05-17
+**Domain:** Chrome MV3 E2E testing (Puppeteer 25 + Chrome 148)
+**Confidence:** HIGH — all critical claims verified by local probes on this machine's
+Chrome 148.0.7778.167 and a fresh `npm install puppeteer@25.0.2`
+
+## Summary
+
+The orchestrator brief lists ten "unknowns." All ten are now resolved, mostly by
+direct empirical probe against our `dist/` extension bundle. Two findings reshape
+the plan:
+
+1. **Bug B's `track.stop()`/`ended` parity problem is real and dispositive.** Per
+ W3C spec (cited below) and verified locally: `track.stop()` does **NOT** fire
+ `ended`. A harness that calls `track.stop()` cannot trigger our
+ `onUserStoppedSharing` handler. The workaround is
+ `track.dispatchEvent(new Event('ended'))` — verified to fire the listener and
+ leave the track in `readyState: 'live'` (so the harness must also call
+ `track.stop()` separately to release the actual capture).
+
+2. **Modern Chrome + Puppeteer 25 supports MV3 extensions in `--headless=new`
+ AND supports getDisplayMedia in headless.** The "must run headful + Xvfb"
+ premise embedded in the existing `smoke.sh` is outdated. Probes 5 + 11 both
+ succeed in headless mode against our bundle.
+
+Everything else (toolbar-click dispatch, SW eval, offscreen-page targeting,
+notifications.create from a probe) works straightforwardly with the documented
+`enableExtensions` + `triggerExtensionAction` API. The harness design is
+mechanically simple; the engineering work is in the 13 assertions and the
+two-bundle build separation.
+
+**Primary recommendation:** Puppeteer 25 + Node `--experimental-vm-modules` or
+`tsx` runner, `--headless=new` for CI, `headless: false` for local debugging.
+Two-bundle separation via `vite build --mode test` → `dist-test/`. Hook lives
+inside the SW guarded by `import.meta.env.MODE === 'test'` (with a
+**conditional manifest** that adds the hook script — required because crxjs
+manifest is static).
+
+
+## User Constraints (from CONTEXT.md and orchestrator brief)
+
+### Locked Decisions
+- **Tool:** Puppeteer (over Playwright — lighter for our single-extension scale)
+- **Hook pattern:** `globalThis.__mokoshTest` captures handler refs registered
+ to `chrome.action.onClicked` / `chrome.runtime.onStartup`; CDP invokes via
+ `sw.evaluate(...)`. Hook code gated on `import.meta.env.MODE === 'test'`
+ so production bundle tree-shakes it.
+- **Wave:** 3 (between Plan 01-09 functional closure and Plan 01-10 welcome
+ tab start).
+- **Scope target:** 13+ assertions covering Plan 01-08/01-09 functional
+ contract.
+- **Operator role retirement:** operator stops being a functional-gate
+ assertion library; remains for brand/design acceptance.
+- All Phase 1 D-01…D-19 decisions from `01-CONTEXT.md` (getDisplayMedia in
+ offscreen, ring buffer, ffprobe gate, etc.) remain locked.
+
+### Claude's Discretion
+- Specific bundle separation mechanism (two configs vs one config with `mode`
+ flag — recommended below)
+- Whether to introduce a `tsx` runner vs adding a `test:e2e` npm script that
+ invokes node directly
+- Exact placement of the hook file (e.g. `src/test-hook.ts` imported
+ conditionally) — recommended below
+- Whether to use raw CDP (`createCDPSession`) or `sw.evaluate` / `page.evaluate`
+ — recommended below: `sw.evaluate` for SW, `asPage().evaluate` for offscreen,
+ raw CDP only where userGesture-tagged is needed (not for our 13 assertions)
+
+### Deferred Ideas (OUT OF SCOPE)
+- vitest browser mode as alternative path (researched in §4 below; not chosen)
+- Mocking `chrome.desktopCapture` entirely (we use the real getDisplayMedia
+ with `--auto-select-desktop-capture-source` flag — verified working in
+ headless mode)
+- Multi-browser support (Firefox, Edge) — Mokosh is Chrome-only per Phase 0
+
+
+
+## Phase 1 Plan 01-11 Requirements
+
+| ID | Description | Research Support |
+|----|-------------|------------------|
+| REQ-uat-harness-puppeteer | Puppeteer-driven Node script that replays Plan 01-08/01-09 functional contract as automated assertions | §1 (workable launch flags), §2 (SW target shape), §5 (no usable OSS prior art for this exact shape — write from scratch) |
+| REQ-uat-bug-A-coverage | Test asserts `chrome.notifications.create` succeeds with the manifest-declared iconUrl in the icons/icon48.png form | Probe 4 verified `notifications.create` works from `sw.evaluate` synchronously; icon manifest is readable via `chrome.runtime.getManifest().icons` |
+| REQ-uat-bug-B-coverage | Test asserts user-stopped-sharing routes to badge OFF + popup '' + no recovery notif (the routing-bug case), NOT the ERROR path | §7 (BLOCKER analysis): cannot use `track.stop()`; must use `track.dispatchEvent(new Event('ended'))` from offscreen-page context |
+| REQ-uat-two-bundle | Production bundle has no test hooks; test bundle adds the synthetic-event hooks | §6 (two-bundle build via `--mode test` + conditional manifest) and §10 (npm scripts) |
+| REQ-uat-ci-friendly | Harness runs in `--headless=new` for CI; no display required | Probes 5, 11: empirically verified Chrome 148 supports both extension loading and getDisplayMedia in headless |
+| REQ-uat-13-assertions | At least the 13 assertions listed in the brief are implemented | Per-assertion implementation hints in §11 (planner ready-reference table) |
+
+
+## Architectural Responsibility Map
+
+| Capability | Primary Tier | Secondary | Rationale |
+|------------|--------------|-----------|-----------|
+| Launch Chrome with extension | Node script (Puppeteer driver) | — | Driver owns process lifecycle |
+| Invoke toolbar click | Driver via `page.triggerExtensionAction` | SW eval (fallback) | Documented public API, works empirically |
+| Read badge / popup state | SW context (`sw.evaluate`) | — | All `chrome.action.get*` APIs callable from SW |
+| Synthesize `chrome.runtime.onStartup` | SW context (test-hook listener) | — | onStartup only fires on cold browser start; harness invokes via hook reference |
+| Synthesize "user stopped sharing" | Offscreen page context (`asPage().evaluate`) | — | Must dispatch on the live MediaStreamTrack — only the offscreen DOM has the ref |
+| Read manifest / icon paths | SW context | Node fs read of `dist-test/manifest.json` | Either path works; SW is closer to runtime truth |
+| Assert ZIP shape | Node script (jszip in driver) | — | Standard file inspection, no browser involvement |
+| Assert WebM via ffprobe | Node script (child_process) | — | Inherits from existing smoke.sh; CI runner has ffprobe |
+| Drive offscreen creation | Driver triggers SW which triggers offscreen | — | Same path as production |
+
+## Standard Stack
+
+### Core
+| Library | Version | Purpose | Why Standard |
+|---------|---------|---------|--------------|
+| `puppeteer` | 25.0.2 | Browser automation + `enableExtensions` + `triggerExtensionAction` | Latest stable, ships the documented MV3 extension API; requires Node ≥22.12.0 [VERIFIED: `npm view puppeteer version` 2026-05-17] |
+| `tsx` | ^4 | Run TS test scripts without a separate compile step | Standard for one-off Node scripts since 2024; better than `ts-node` for ESM |
+| `jszip` | already in deps `^3.10.1` | Inspect the generated `session_report_*.zip` | Already used by the extension; reuse parser |
+
+### Supporting
+| Library | Version | Purpose | When to Use |
+|---------|---------|---------|-------------|
+| ffprobe | system binary | WebM validity check on `last_30sec.webm` | Already required by smoke.sh; CI must have it (pre-flight assertion) |
+| `node:assert/strict` | built-in | Assertions, no extra framework needed | Keeps the harness <500 LoC; we don't need vitest/mocha overhead for 13 deterministic checks |
+
+### Alternatives Considered
+| Instead of | Could Use | Tradeoff |
+|------------|-----------|----------|
+| Puppeteer | Playwright | Playwright has slightly better extension API maturity but adds 200 MB to devDependencies; we've already locked Puppeteer per CONTEXT |
+| `node:assert/strict` | vitest browser mode | vitest browser mode targets in-browser test execution; we want Node-side orchestration that drives the browser — wrong fit (see §4) |
+| `tsx` | `tsc && node` two-step | `tsx` is one step; reduces CI friction |
+
+**Installation:**
+```bash
+npm install --save-dev puppeteer@^25.0.2 tsx@^4
+```
+
+**Version verification:** `npm view puppeteer version` → `25.0.2`,
+published per registry on 2026-05 (the engines field requires `node >=22.12.0`;
+our system has `v24.14.0`, OK). Cite: https://www.npmjs.com/package/puppeteer
+
+## Architecture Patterns
+
+### System Architecture Diagram
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│ Node test runner (tests/uat/harness.test.ts under `tsx`) │
+│ ────────────────────────────────────────────────────────────── │
+│ 1. spawn Chrome via puppeteer.launch({ │
+│ pipe: true, │
+│ enableExtensions: ['./dist-test'], │
+│ headless: , │
+│ args: ['--no-sandbox', │
+│ '--auto-select-desktop-capture-source=Entire screen'│
+│ ] }) │
+│ 2. await waitForTarget(t => t.type() === 'service_worker') │
+│ 3. sw = await target.worker() │
+│ 4. exts = await browser.extensions(); ext = first entry │
+└────────┬────────────────────────────────────────────────────────┘
+ │ CDP (Runtime.evaluate, etc.)
+ ▼
+┌─────────────────────────────────────────────────────────────────┐
+│ Service Worker (chrome-extension:///service-worker-loader) │
+│ ────────────────────────────────────────────────────────────── │
+│ Production code (always): onClicked, onStartup, badge state │
+│ │
+│ Test-only code (MODE='test' gate): │
+│ globalThis.__mokoshTest = { │
+│ handlers: { onClicked: null, onStartup: null, │
+│ notificationOnClicked: null }, │
+│ } │
+│ monkey-patch addListener to capture refs │
+└────────┬────────────────────────────────────────────────────────┘
+ │ chrome.offscreen.createDocument()
+ ▼
+┌─────────────────────────────────────────────────────────────────┐
+│ Offscreen page (chrome-extension:///src/offscreen/index) │
+│ ────────────────────────────────────────────────────────────── │
+│ Production code (always): getDisplayMedia, MediaRecorder, etc. │
+│ │
+│ Test-only code (MODE='test' gate): │
+│ globalThis.__mokoshTest = { │
+│ getCurrentStream: () => mediaStream, │
+│ simulateUserStop: () => { │
+│ const t = mediaStream.getVideoTracks()[0]; │
+│ t.dispatchEvent(new Event('ended')); │
+│ // production handler fires; harness still must │
+│ // explicitly stop() afterward to release the capture. │
+│ }, │
+│ } │
+└─────────────────────────────────────────────────────────────────┘
+
+Harness reads back:
+ • badgeText via sw.evaluate(() => chrome.action.getBadgeText({}))
+ • popup via sw.evaluate(() => chrome.action.getPopup({}))
+ • iconUrl via sw.evaluate(() => chrome.runtime.getManifest().icons)
+ • track displaySurface via offscreenPage.evaluate(() =>
+ __mokoshTest.getCurrentStream().getVideoTracks()[0].getSettings())
+ • notification iconUrl param: intercept chrome.notifications.create
+ inside the SW test-hook by wrapping the original (records arg snapshot)
+```
+
+### Recommended Project Structure
+```
+tests/uat/
+├── harness.test.ts # main: 13 assertions, top-to-bottom narrative
+├── lib/
+│ ├── launch.ts # puppeteer.launch wrapper with our flags
+│ ├── extension.ts # extension(), worker(), offscreenPage() helpers
+│ ├── assert-zip.ts # jszip-based zip / WebM / meta.json checks
+│ └── trigger.ts # triggerToolbarClick, simulateUserStop, etc.
+└── README.md # how to run locally vs CI
+
+src/
+└── test-hooks/
+ ├── sw-hooks.ts # registers __mokoshTest in SW; imported by background
+ └── offscreen-hooks.ts # registers __mokoshTest in offscreen; imported by recorder
+
+vite.config.ts # production
+vite.test.config.ts # extends prod, sets mode:'test', outDir:'dist-test'
+```
+
+### Pattern 1: Service-Worker capture-handlers hook (gated on MODE)
+**What:** the hook monkey-patches `chrome.action.onClicked.addListener` (etc.)
+to capture the handler reference into `globalThis.__mokoshTest.handlers` AND
+still calls the real `addListener`. Production code path is identical; tests
+get an out-of-band reference they can call directly.
+
+**When to use:** every event source whose dispatch we can't otherwise
+trigger from a test driver (onStartup primarily — onClicked is reachable via
+`triggerExtensionAction`, but having the handler ref is useful for the
+"badge OFF on user-stopped-sharing" assertion).
+
+**Example:**
+```typescript
+// src/test-hooks/sw-hooks.ts
+// IMPORTED FROM src/background/index.ts under:
+// if (import.meta.env.MODE === 'test') { await import('../test-hooks/sw-hooks'); }
+// Vite tree-shakes the import entirely when MODE !== 'test' [VERIFIED: Vite docs
+// on env-and-mode + define]
+const handlers = {
+ onClicked: null as null | ((tab: chrome.tabs.Tab) => void),
+ onStartup: null as null | (() => void),
+ notificationOnClicked: null as null | ((id: string) => void),
+};
+const origActionAdd = chrome.action.onClicked.addListener.bind(chrome.action.onClicked);
+chrome.action.onClicked.addListener = (cb) => {
+ handlers.onClicked = cb;
+ origActionAdd(cb);
+};
+const origStartupAdd = chrome.runtime.onStartup.addListener.bind(chrome.runtime.onStartup);
+chrome.runtime.onStartup.addListener = (cb) => {
+ handlers.onStartup = cb;
+ origStartupAdd(cb);
+};
+const origNotifAdd = chrome.notifications.onClicked.addListener.bind(chrome.notifications.onClicked);
+chrome.notifications.onClicked.addListener = (cb) => {
+ handlers.notificationOnClicked = cb;
+ origNotifAdd(cb);
+};
+globalThis.__mokoshTest = { handlers };
+```
+
+### Pattern 2: Reading SW state from the harness
+```typescript
+const [_, ext] = [...(await browser.extensions())][0];
+const swTarget = await browser.waitForTarget(t => t.type() === 'service_worker');
+const sw = await swTarget.worker();
+const badge = await sw.evaluate(() => chrome.action.getBadgeText({}));
+// All chrome.action / chrome.notifications / chrome.runtime APIs are reachable
+// VERIFIED: probe2 + probe4
+```
+
+### Pattern 3: Driving onClicked via the real path
+```typescript
+// MV3 contract: chrome.action.onClicked DOES NOT fire when default_popup is set
+// VERIFIED: probe3 — clearing popup yields 1 dispatch; restoring popup yields 0
+// Plan 01-09 already implements setPopup({popup:''}) when idle, so production code
+// is the one driving the popup state. Harness drives the click via the public API:
+await page.triggerExtensionAction(ext); // requires a non-null page arg per probe2
+```
+
+### Pattern 4: Attaching to the offscreen page
+```typescript
+// Offscreen doc shows up as target type 'background_page' (not 'page' — quirk
+// confirmed by probe8/9). Use .asPage(), not .page():
+const off = browser.targets().find(t =>
+ t.type() === 'background_page' && t.url().includes('offscreen'));
+const offPage = await off.asPage(); // VERIFIED: probe9 — returns a real Page
+const ds = await offPage.evaluate(() =>
+ globalThis.__mokoshTest.getCurrentStream().getVideoTracks()[0].getSettings().displaySurface
+);
+```
+
+### Pattern 5: Synthetic user-stopped-sharing (Bug B harness)
+```typescript
+// CRITICAL: track.stop() does NOT fire 'ended' per W3C spec [VERIFIED: probe7,
+// MDN cite below]. The ONLY way to trigger our production
+// onUserStoppedSharing handler from a test driver is dispatchEvent.
+await offPage.evaluate(() => {
+ const t = globalThis.__mokoshTest.getCurrentStream().getVideoTracks()[0];
+ t.dispatchEvent(new Event('ended'));
+ // Track is still in readyState 'live' after dispatch; the production
+ // handler will call stream.getTracks().forEach(t => t.stop()) which DOES
+ // release the capture (just doesn't refire 'ended' because, again, spec).
+});
+```
+
+### Anti-Patterns to Avoid
+- **Do NOT call `track.stop()` to simulate Bug B.** It will not fire the
+ handler. The harness will report PASS when production reality is FAIL.
+ This is the single most dangerous trap in this work.
+- **Do NOT rely on `page.evaluate('chrome.action.openPopup()')` for the SAVE
+ flow assertion.** `openPopup` requires user activation in MV3; even with
+ Puppeteer's default userGesture flag the API has been flaky historically.
+ Drive via `triggerExtensionAction` which goes through the real toolbar path.
+- **Do NOT assume the offscreen page exists at launch.** It is created
+ on-demand by the SW. Tests must trigger the SW path that calls
+ `chrome.offscreen.createDocument` first, then wait for the
+ `background_page` target.
+
+## Don't Hand-Roll
+
+| Problem | Don't Build | Use Instead | Why |
+|---------|-------------|-------------|-----|
+| Extension loading in Chrome | Custom `--load-extension` flag | `puppeteer.launch({ enableExtensions: [...] })` | `--load-extension` is removed from branded Chrome 137+; Puppeteer passes `--enable-unsafe-extension-debugging` automatically [CITED: developer.chrome.com extension-news-june-2025] |
+| Finding the SW target | Polling `browser.pages()` | `browser.waitForTarget(t => t.type() === 'service_worker')` | Documented, supports a timeout option, race-free |
+| Invoking toolbar click | DOM clicks on chrome:// URLs (impossible) | `page.triggerExtensionAction(extension)` | Ships in Puppeteer 25, replaces the decade-old "you can't click extension buttons" hack landscape [CITED: PR #14821] |
+| User-stopped-sharing simulation | Custom MediaStreamTrack subclass | `track.dispatchEvent(new Event('ended'))` | Spec-compliant; works on a real live track; minimum-surface change |
+| Two-bundle separation | Manual file copy | `vite build --mode test` with separate `vite.test.config.ts` | Vite's built-in mode mechanism; predictable tree-shaking [CITED: vite.dev/guide/env-and-mode] |
+
+## Per-Area Findings
+
+### 1. Puppeteer extension testing quirks
+
+**Findings:**
+- Issue #2486 ("Ability to click browser action buttons", opened 2018) is
+ **CLOSED** and resolved upstream. The fix is `page.triggerExtensionAction()`,
+ added via PR #14821 (commit `d6395ef`, merged into Puppeteer 22.x line as
+ experimental API; ratified to stable shape in 24.x; documented as the
+ recommended path in the current pptr.dev/guides/chrome-extensions). Cite:
+ https://github.com/puppeteer/puppeteer/issues/2486,
+ https://github.com/puppeteer/puppeteer/commit/d6395ef88103a50cb2b2c43f61953ab6a495a8c3
+- Issue #8987 (mentioned in brief): could not find this exact issue number
+ in the puppeteer repo. May be a transposition from another repo. The
+ documented limitation — that `chrome.action.onClicked` does not fire when
+ `default_popup` is set in manifest — is a MV3 spec contract, not a
+ Puppeteer bug. [VERIFIED: probe3 — empirically reproduced both cases.]
+- Puppeteer 25.0.2 (current latest) handles MV3 extensions cleanly:
+ - `enableExtensions: ['/abs/path/to/dist']` at launch (also accepts `true`
+ to allow runtime install via `browser.installExtension(path)`)
+ - `browser.extensions()` returns `Map` with `.id`, `.name`,
+ `.version`, `.pages()`, `.workers()`
+ - `page.triggerExtensionAction(ext)` simulates toolbar click
+
+**Critical MV3 contract**: per the Chrome docs (cited verbatim in the
+search result above), *"The action.onClicked event won't be sent if the
+extension action has specified a popup to show on click of the current
+tab."* Probe3 confirmed: `setPopup({popup:''})` → click → onClicked fires;
+`setPopup({popup:'src/popup/index.html'})` → click → popup opens, NO
+onClicked dispatch. Our plan-01-09 code already toggles popup state based
+on `isRecording` (this is the source of the routing this plan is testing).
+
+**Recommendation:** Use `page.triggerExtensionAction(ext)` as the primary
+click path. For assertions that need to bypass the popup gate (e.g., the
+ERROR-path direct test), call the captured handler ref via
+`sw.evaluate(() => __mokoshTest.handlers.onClicked({}))`.
+
+### 2. CDP attach to MV3 SW contexts
+
+**Findings:**
+- `browser.targets().filter(t => t.type() === 'service_worker')` is the
+ documented and only-tested path; works on Puppeteer 22+ across all
+ MV3 SW shapes (verified probe1, probe2, probe5).
+- The SW target URL is **`service-worker-loader.js`**, not the path you'd
+ expect from `manifest.json` (`src/background/index.ts`). This is crxjs's
+ loader wrapper — the wrapper imports the real bundle. **Implication:**
+ filter on `t.type() === 'service_worker'` only, NOT on URL suffix.
+- SW lifecycle in Puppeteer-driven Chrome: per Chrome docs (cited:
+ developer.chrome.com/blog/longer-esw-lifetimes), MV3 SWs terminate
+ after 30 s of inactivity. Per the same blog, opening DevTools keeps
+ SWs alive. Per ChromeDriver-based testing libraries' empirical
+ experience (cited: https://developer.chrome.com/blog/eyeos-journey...):
+ *"Service workers never terminate if the developer tools are open or
+ you are using a ChromeDriver based testing library."*
+ - **However**, this last claim could not be verified for Puppeteer-CDP
+ specifically. The probes ran fast enough (<5s) that 30s idle wasn't
+ relevant.
+ - **Defensive design:** between assertions, run a `sw.evaluate(() =>
+ chrome.runtime.getPlatformInfo())` "keepalive" call. Every async
+ chrome.* API call resets the 30s timer (Chrome 110+ behavior, cited).
+- Cold-start: probes always saw the SW target within ~1.5s of
+ `puppeteer.launch`. The `waitForTarget` API with a timeout makes this
+ race-free.
+
+**Recommendation:** Standard `waitForTarget` + `target.worker()`. Add a
+2-second keepalive ping (`chrome.runtime.getPlatformInfo()`) between
+assertions if the harness runtime exceeds ~25s.
+
+### 3. Chrome `--headless=new` + extensions
+
+**EMPIRICALLY VERIFIED on this machine (Chrome 148.0.7778.167, Puppeteer 25):**
+- ✅ MV3 extension loads in `--headless=new` (probe5)
+- ✅ SW eval works in headless (probe5)
+- ✅ `getDisplayMedia({ video: { displaySurface: 'monitor' } })` returns a real
+ stream in headless (probe11). The returned dimensions are 800×600 — that's
+ Chrome's default headless surface size (configurable via
+ `--window-size=W,H` or `defaultViewport` in puppeteer.launch).
+- ✅ `--auto-select-desktop-capture-source="Entire screen"` works in headless
+ (probe11)
+
+This contradicts older claims (Issue puppeteer/puppeteer#4404, mrd0x post)
+that screen capture requires headful + Xvfb. Those claims predate
+`--headless=new` (Chrome 109+ "true headless") which is now Puppeteer's
+default. The legacy `--headless=old` (now removed in Chrome ≥132) DID have
+this limitation.
+
+Issue Chromium 40176215 ("Headless must support getDisplayMedia") could
+not be read (auth-required page), but the empirical result on Chrome 148
+implies it is resolved or sufficiently worked-around.
+
+**Recommendation:** Run CI in `--headless=new` (Puppeteer's `headless: true`
+default in v22+). Local dev mode `headless: false` for debugging.
+**No Xvfb required.** Document this as a phase-level decision.
+
+### 4. vitest browser mode as alternative path
+
+**Findings:**
+- vitest 4 browser mode runs tests INSIDE the browser (uses Playwright
+ under the hood). The test file becomes a page in the browser.
+- This is the wrong direction for us: we need a Node-side driver that
+ attaches to a Chrome process running our extension. vitest browser mode
+ runs the test as a page; the test page has no access to extension SW or
+ cross-context fixtures.
+- No prior art found for MV3 extension E2E on vitest browser mode (search
+ returned only generic browser-mode guides).
+- Pulling in Playwright transitively defeats the "Puppeteer is lighter"
+ rationale.
+
+**Recommendation:** Skip vitest browser mode. Continue using vitest for
+unit tests; add the UAT harness as a separate Node script (`tests/uat/`)
+invoked from a new `npm run test:uat` script. Keep them disjoint so the
+vitest unit suite stays fast.
+
+### 5. Prior art from OSS MV3 extensions
+
+**Findings (most data harder to extract because GitHub pages render
+asymmetrically; the e2e directories required deeper drill-down than was
+practical in this research budget):**
+- **MetaMask** (`MetaMask/metamask-extension`): **Mocha + Selenium**.
+ Their e2e/ subdirectory contains `.mocharc.js`, Page Object Model,
+ fixtures, custom reporters, parallel run-all.mts. Not Puppeteer.
+ Setup: `test/env.js` + `test/setup.js` required globally. Sequential
+ by default. Uses Mocha's recursive discovery. Browser launch is via
+ SELENIUM_BROWSER env var; Xvfb-on-CI assumed. [CITED: GitHub repo
+ listing 2026-05]
+- **Bitwarden** (`bitwarden/clients`): GitHub repo too large to scrape via
+ WebFetch. From general community knowledge: Bitwarden uses Jest unit
+ tests + manual e2e historically. Not relevant.
+- **dappeteer** (Decentraland/ChainSafe/multiple forks): legacy MV2-era
+ Puppeteer wrapper for MetaMask. Now deprecated. Synpress (Cypress-based)
+ is the modern path for crypto-wallet extension testing — out of scope.
+- **Koweb3test** (referenced in search): explicitly says *"Tests work only
+ in headed mode because extensions are not supported in headless mode in
+ puppeteer and Cypress, and it's intended to be used in conjunction with
+ xvfb on CI."* This is **stale**; verified above that Chrome 148 +
+ Puppeteer 25 supports extensions in headless. The koweb3test claim was
+ true historically but no longer holds.
+- **Vimium, uBlock Origin**: did not find published e2e harnesses with
+ Puppeteer in available time.
+
+**Recommendation:** No OSS code can be lifted wholesale. The closest
+structural analogue is MetaMask's POM + helper-library split. Adopt
+that shape (split into `lib/` files) but skip Mocha — `node:test` or
+plain `tsx` script is enough for 13 deterministic assertions.
+
+### 6. crxjs + Vite `import.meta.env.MODE` tree-shaking
+
+**Findings:**
+- Vite **does** statically replace `import.meta.env.MODE` at build time
+ with a string literal when invoked via `vite build --mode `.
+ Rollup (Vite's underlying bundler) then dead-code-eliminates the
+ unreachable branch. [CITED: vite.dev/guide/env-and-mode +
+ vitejs/vite#15256.]
+- **Caveat:** Tree-shaking fails *if the variable is undefined* in env.
+ But `MODE` is always defined (defaults to `'production'` for `vite build`
+ and `'development'` for `vite`). Safe for our `import.meta.env.MODE === 'test'`
+ guard.
+- crxjs (current 2.4.0): no explicit changelog entries about MODE handling.
+ Issue #831 (closed) was about custom env vars in dev mode not being
+ populated in the SW, NOT about MODE / DEV / PROD which were stated to
+ always be populated. Our use case (MODE-based gating in `vite build --mode test`)
+ is on the always-works path.
+- **Critical verification step we OWE the planner:** build BOTH bundles
+ and grep `dist/service-worker-loader.js` (and the bundled background
+ chunk) for any string from the test hook (e.g. `__mokoshTest`). If
+ the production bundle contains it, our gate didn't tree-shake.
+ This is a Wave 0 gate.
+
+**Recommendation:** Use `import.meta.env.MODE === 'test'` as the guard.
+Confirm in plan with explicit grep step on built artifact (`! grep -q
+__mokoshTest dist/...`). Use **dynamic import** (`await import('...')`)
+inside the guard so the test-hook MODULE itself is tree-shaken from
+production, not just the call:
+
+```typescript
+// src/background/index.ts
+if (import.meta.env.MODE === 'test') {
+ await import('../test-hooks/sw-hooks');
+}
+```
+
+### 7. MediaStreamTrack `track.stop()` vs Chrome "Stop sharing" button event parity
+
+**THIS IS THE BLOCKER.**
+
+**Findings (W3C spec + MDN + empirical):**
+- W3C Media Capture and Streams spec, `MediaStreamTrack.stop()` algorithm:
+ *"When a MediaStreamTrack track ends for any reason other than the
+ stop() method being invoked, the user agent MUST queue a task that sets
+ the track's readyState to ended and fire a simple event named ended at
+ the object."* (Cite: https://w3c.github.io/mediacapture-main/#mediastreamtrack)
+- MDN (authoritative, with W3C link):
+ *"The only case where the track ends but the ended event is not fired
+ is when calling MediaStreamTrack.stop."*
+ (Cite: https://developer.mozilla.org/en-US/docs/Web/API/MediaStreamTrack/ended_event)
+- **Empirical confirmation in Chrome 148 (probe7):**
+ - `track.stop()` → `endedFired: 0`, `readyState: 'ended'`
+ - `track.dispatchEvent(new Event('ended'))` → `endedFired: 1`, `readyState: 'live'`
+- Our offscreen handler `onUserStoppedSharing` at
+ `src/offscreen/recorder.ts:451-480` is registered as
+ `track.addEventListener('ended', onUserStoppedSharing, { once: true })`
+ (line 275). It is a pure event listener — it does not inspect any
+ property to discriminate stop() vs source-ended; it fires whenever the
+ event fires.
+
+**Implication for the harness:**
+- The Bug B assertion ("user stopped sharing → badge OFF, NOT recovery
+ notif") MUST use `track.dispatchEvent(new Event('ended'))` from the
+ offscreen page context, not `track.stop()`.
+- Because dispatchEvent leaves the track in `readyState: 'live'`, the
+ production `onUserStoppedSharing` handler proceeds normally: it calls
+ `stream.getTracks().forEach(t => t.stop())` which DOES release the
+ actual capture (since stop() doesn't refire 'ended' on the same track,
+ and the `{ once: true }` listener removed itself after the synthetic
+ dispatch).
+- The harness must wait briefly after dispatch (~200ms) for the SW-side
+ state change (badge OFF, popup '', isRecording=false) to propagate
+ before asserting.
+
+**Without this workaround, the Bug B harness check is INVALID.** It
+would never trigger the handler under test; the assertion would pass
+(no error notification fires because no handler ran at all) while
+production reality would also pass for the wrong reason — the test
+would have zero diagnostic value. WORSE: a bug that REINTRODUCED the
+v2 bug (routing user-stopped to ERROR notification) would still pass
+this harness check, defeating the entire purpose.
+
+**Recommendation:** Plan MUST include an inline code comment + ADR-class
+note at the dispatchEvent call site explaining WHY it's not stop(). Wave
+0 must include a unit-level verification that the dispatched event
+triggers our handler (e.g., a vitest test that constructs a stub stream
+and asserts the handler fires). Belt + suspenders.
+
+### 8. getDisplayMedia user-activation propagation via CDP
+
+**Findings:**
+- W3C spec requires *"transient user activation"* for getDisplayMedia
+ (cite: https://w3c.github.io/mediacapture-screen-share/#dom-mediadevices-getdisplaymedia).
+- Chrome implementation accepts CDP-synthesized userGesture by default.
+ Puppeteer's `page.evaluate` passes `userGesture: true` to
+ `Runtime.evaluate` — has done so since pre-22 (cited in Puppeteer
+ ExecutionContext.ts source).
+- **Empirically (probe10):** both `page.evaluate(getDisplayMedia)` and
+ raw CDP `Runtime.evaluate { userGesture: true }` succeeded against
+ the offscreen page. We do not need the workaround of "inject the call
+ into a real click event handler in offscreen DOM."
+- **Caveat:** older Puppeteer issues (#13478) report crashes when closing
+ pages with active media streams. Mitigation: explicitly call
+ `stream.getTracks().forEach(t => t.stop())` before `browser.close()`.
+ Our existing teardown paths already do this — harness must also do it
+ on its own probe streams.
+
+**Recommendation:** No special handling needed. The production
+getDisplayMedia path runs unchanged in the test harness. Just ensure
+clean teardown.
+
+### 9. `--auto-select-desktop-capture-source` reliability
+
+**Findings:**
+- Flag is **locale-specific** (well known; smoke.sh already documents this).
+ English builds use `"Entire screen"`; Russian `"Весь экран"`.
+- Verified in probe10 + probe11 working with `="Entire screen"` on this
+ machine's en_US Chrome 148.
+- **Headless gotcha:** when running `--headless=new`, the picker UI never
+ actually surfaces (no display), but the flag still pre-selects the
+ source server-side. getDisplayMedia returns immediately. Confirmed
+ probe11.
+- Conflict: `--use-fake-ui-for-media-stream` + `--auto-select-desktop-capture-source`
+ → Chrome ignores the auto-select. Do not combine. (Cite:
+ groups.google.com/g/discuss-webrtc/c/t0u6aVBfCgU.)
+- Newer flag `--auto-accept-this-tab-capture` exists for `getDisplayMedia({
+ preferCurrentTab: true })` flow but is irrelevant to us (we use
+ `displaySurface: 'monitor'`).
+
+**Recommendation:** Pass `--auto-select-desktop-capture-source="Entire screen"`
+in the harness Chrome args. Do NOT add `--use-fake-ui-for-media-stream`.
+For CI portability across locales, document that test runners must use
+en_US locale (LANG/LC_ALL env) or override with the locale-correct
+string. This matches the constraint already in production smoke.sh.
+
+### 10. Two-bundle separation orchestration
+
+**Findings:**
+- crxjs uses a static `manifest.json` (imported in `vite.config.ts`).
+ Conditional content cannot be expressed through MODE alone inside that
+ static object.
+- Workaround: TWO vite configs. `vite.test.config.ts` extends prod and
+ swaps `outDir` + adds any test-specific manifest fields. Crxjs supports
+ this — the manifest is just imported JS data; you can pre-process it
+ per config file.
+- Alternative: ONE vite config that reads `process.env.npm_lifecycle_event`
+ (set to `'build:test'` when invoked via `npm run build:test`) and
+ branches. Simpler but couples build logic to npm script names. NOT
+ recommended.
+- Path: `dist/` for prod, `dist-test/` for test. The harness's
+ `enableExtensions` arg points to `dist-test/`.
+
+**Recommended package.json changes:**
+```jsonc
+{
+ "scripts": {
+ "dev": "vite",
+ "build": "tsc && vite build",
+ "build:test": "tsc && vite build --mode test --config vite.test.config.ts",
+ "preview": "vite preview",
+ "test": "vitest run",
+ "test:uat": "npm run build:test && tsx tests/uat/harness.test.ts"
+ }
+}
+```
+
+**Recommended `vite.test.config.ts`:**
+```typescript
+import { defineConfig, mergeConfig } from 'vite';
+import baseConfig from './vite.config';
+
+export default defineConfig((env) =>
+ mergeConfig(baseConfig, {
+ mode: 'test',
+ build: { outDir: 'dist-test', emptyOutDir: true },
+ })
+);
+```
+
+The `mode: 'test'` plus the CLI `--mode test` flag together ensure
+`import.meta.env.MODE === 'test'` resolves to `true` at build time and
+the test-hook branch survives.
+
+**Recommendation:** Two configs, two outputs, hook gated via
+`import.meta.env.MODE === 'test'` + dynamic import. Wave 0 grep
+verification that production `dist/` has zero `__mokoshTest` strings.
+
+## Common Pitfalls
+
+### Pitfall 1: Wrong target type for offscreen
+**What:** Looking for `t.type() === 'page'` on the offscreen doc; it's
+actually `'background_page'`.
+**Why:** Chrome internally classifies extension offscreen documents
+under the legacy background_page type tag.
+**Avoid:** Filter `t.type() === 'background_page' && t.url().includes('offscreen')`.
+Use `.asPage()` not `.page()`.
+
+### Pitfall 2: track.stop() doesn't fire 'ended'
+**What:** Harness "simulates user-stopped" by calling track.stop(). Test
+passes silently. Production handler never ran. (See §7.)
+**Avoid:** Use `track.dispatchEvent(new Event('ended'))`.
+
+### Pitfall 3: onClicked doesn't fire when popup is set
+**What:** triggerExtensionAction succeeds but our SW handler doesn't fire.
+**Why:** MV3 spec: popup wins over onClicked. Plan 01-09 toggles
+`setPopup({popup:''})` based on isRecording, so the harness must respect
+this state machine and only trigger toolbar clicks when popup is cleared
+(idle state) — OR call the captured handler ref directly via the hook.
+**Avoid:** Read popup state first; click only when popup is `""`. For
+"click during recording" assertion (popup opens, NO new picker), assert
+on popup state and on absence of new mediaStream, not on handler invocation.
+
+### Pitfall 4: Production bundle contains test hooks
+**What:** Tree-shaking didn't strip the hook. Production ships with
+`__mokoshTest` exposed.
+**Why:** Vite tree-shaking only works on statically resolvable conditions.
+A dynamic env read (process.env.X) won't shake.
+**Avoid:** Use the literal `import.meta.env.MODE === 'test'`. Verify with
+`grep -q __mokoshTest dist/**` in build script.
+
+### Pitfall 5: SW dies mid-test
+**What:** Harness runs for 40+ seconds without touching the SW; SW
+unloads; next `sw.evaluate` errors.
+**Why:** 30s idle rule (Chrome 110+); reset by chrome.* API calls.
+**Avoid:** Keepalive helper that pings `chrome.runtime.getPlatformInfo()`
+every 20s during long sequences. Most assertions touch chrome.* APIs
+anyway so this is mostly defensive.
+
+### Pitfall 6: --load-extension flag (deprecated)
+**What:** Copying patterns from old blog posts that use
+`puppeteer.launch({ args: ['--load-extension=' + path] })`.
+**Why:** Removed in Chrome 137 branded builds (cite:
+developer.chrome.com/blog/extension-news-june-2025). Puppeteer's
+`enableExtensions` arg replaces it and passes the necessary
+`--enable-unsafe-extension-debugging` automatically.
+**Avoid:** Use `enableExtensions: ['/abs/path/to/dist-test']`. Period.
+
+### Pitfall 7: Locale-dependent --auto-select-desktop-capture-source
+**What:** Test runs on a Russian-locale CI runner; "Entire screen"
+doesn't match; getDisplayMedia hangs at picker.
+**Avoid:** Document required locale in CI script; OR explicitly set
+`LC_ALL=en_US.UTF-8` in the harness child_process env.
+
+## Code Examples
+
+### Minimal working harness skeleton (top-of-file imports + setup)
+```typescript
+// tests/uat/harness.test.ts
+// Run with: npm run build:test && tsx tests/uat/harness.test.ts
+import { strict as assert } from 'node:assert';
+import puppeteer, { Browser, Extension, Page } from 'puppeteer';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const distTest = path.resolve(__dirname, '../../dist-test');
+
+const browser: Browser = await puppeteer.launch({
+ pipe: true,
+ enableExtensions: [distTest],
+ headless: process.env.CI ? true : false,
+ args: [
+ '--no-sandbox',
+ '--auto-select-desktop-capture-source=Entire screen',
+ ],
+});
+
+const exts = await browser.extensions();
+const [extId, ext] = [...exts][0];
+const swTarget = await browser.waitForTarget(t => t.type() === 'service_worker', { timeout: 10_000 });
+const sw = await swTarget.worker();
+const page = await browser.newPage();
+await page.goto('about:blank');
+
+console.log(`harness: extId=${extId}`);
+
+// VERIFIED PATH: triggerExtensionAction routes to onClicked when popup is ''
+await sw.evaluate(() => chrome.action.setPopup({ popup: '' }));
+await page.triggerExtensionAction(ext);
+// ... wait briefly for offscreen + getDisplayMedia ...
+await new Promise(r => setTimeout(r, 2000));
+
+const badge = await sw.evaluate(() => chrome.action.getBadgeText({}));
+assert.equal(badge, 'REC', 'badge should read REC after toolbar click in idle');
+
+// ... 12 more assertions ...
+
+await browser.close();
+console.log('UAT harness: 13/13 assertions passed');
+```
+
+### Synthetic chrome.notifications + iconUrl assertion (Bug A)
+```typescript
+// Bug A: chrome.notifications.create rejects manifest URL paths in some Chrome
+// builds when icon dimensions don't meet floor. We test that production code
+// uses a known-valid path AND that the create() call succeeds.
+
+// Method A: capture the actual notification options Production sends, via
+// the SW test-hook (wrap chrome.notifications.create at hook init time).
+// Method B: re-issue the same create() options ourselves and assert success.
+// Plan should use Method A for fidelity.
+
+const notifSnapshot = await sw.evaluate(() => globalThis.__mokoshTest.lastNotificationOptions);
+assert.ok(notifSnapshot, 'production code must have called notifications.create');
+assert.match(notifSnapshot.iconUrl, /icons\/icon48\.png$/, 'must use 48px iconUrl');
+// Verify the file actually exists in the bundle
+const iconBytes = await sw.evaluate(async () => {
+ const r = await fetch(chrome.runtime.getURL('icons/icon48.png'));
+ return r.ok ? r.headers.get('content-length') : null;
+});
+assert.ok(iconBytes && parseInt(iconBytes) > 100, 'icon48.png must exist in bundle');
+```
+
+### Bug B assertion (user-stopped routes to OFF, not ERROR)
+```typescript
+const off = browser.targets().find(t =>
+ t.type() === 'background_page' && t.url().includes('offscreen'));
+assert.ok(off, 'offscreen must exist (recording in progress)');
+const offPage = await off.asPage();
+
+// Snapshot notification side-effects before the synthetic event
+const before = await sw.evaluate(() => globalThis.__mokoshTest.notificationCount);
+
+// CRITICAL: dispatchEvent, NOT track.stop() — see RESEARCH §7
+await offPage.evaluate(() => {
+ const t = globalThis.__mokoshTest.getCurrentStream().getVideoTracks()[0];
+ t.dispatchEvent(new Event('ended'));
+});
+
+// Wait for SW-side state transition (the offscreen handler posts a
+// runtime message → SW handler updates badge + clears popup)
+await new Promise(r => setTimeout(r, 300));
+
+const badgeAfter = await sw.evaluate(() => chrome.action.getBadgeText({}));
+const popupAfter = await sw.evaluate(() => chrome.action.getPopup({}));
+const after = await sw.evaluate(() => globalThis.__mokoshTest.notificationCount);
+
+assert.equal(badgeAfter, '', 'badge must be OFF after user-stopped');
+assert.equal(popupAfter, '', 'popup must be cleared (back to idle)');
+assert.equal(after, before, 'no new notification — user-stop is NOT an error');
+```
+
+## State of the Art
+
+| Old Approach | Current Approach | When Changed | Impact |
+|--------------|------------------|--------------|--------|
+| `--load-extension` flag | `enableExtensions: [path]` option | Chrome 137 (mid-2025) | Old code stops working on branded Chrome; Puppeteer's option auto-passes the right new flags |
+| Headful + Xvfb for extension testing | `--headless=new` works | Chrome 109+, fully shipped by ~Chrome 120; Puppeteer 22+ default | Cuts CI infrastructure: no display server needed |
+| `target.page()` for any non-page target returns null | `target.asPage()` returns a Page wrapper for `background_page` | Puppeteer 22+ | Lets us evaluate JS inside the offscreen document with the high-level Page API |
+| `chrome.action.onClicked` clickable via DOM hacks | `page.triggerExtensionAction(ext)` | Puppeteer 22+ (commit d6395ef) | Issue #2486 resolved upstream; no more workaround folklore |
+
+**Deprecated/outdated:**
+- `puppeteer.launch({ args: ['--load-extension=...'] })` — superseded by `enableExtensions`
+- `dappeteer` — deprecated by upstream maintainers; Synpress is the modern replacement
+- The claim "Puppeteer can't load extensions in headless" (still widely
+ echoed in blog posts) — verified false on current Chrome/Puppeteer
+
+## Assumptions Log
+
+| # | Claim | Section | Risk if Wrong |
+|---|-------|---------|---------------|
+| A1 | Issue puppeteer#8987 is a typo and doesn't refer to a specific limit on onClicked dispatch | §1 | LOW — the MV3 popup-vs-onClicked contract is the real constraint, verified by probe3 |
+| A2 | ChromeDriver's "SW never terminates" claim extends to Puppeteer-CDP-attached SWs | §2 | LOW — defensive keepalive ping covers either case; the 30s idle rule resets on any chrome.* call |
+| A3 | crxjs 2.4.0 passes through Vite's MODE-conditional tree-shaking without interference for dynamic-imported test-hook modules | §6 | MEDIUM — must be verified in Wave 0 with explicit grep on built artifact. If wrong, plan must switch to two separate manifests or a build-time substitution plugin |
+| A4 | Production `onUserStoppedSharing` will treat a dispatchEvent-fired 'ended' identically to a real source-ended event | §7 | LOW — the handler is a pure event listener; it doesn't read `event.isTrusted` or any property; only the firing matters [VERIFIED by code read of `src/offscreen/recorder.ts:451-480`] |
+| A5 | Chrome 148+ Puppeteer behavior is stable across at least the next 6 months of Chrome releases | §3 | MEDIUM — Chrome's headless mode is generally stable post-109, but Chromium issue 40176215 was unreadable. If a future Chrome regresses headless screen capture, fall back to headful + Xvfb (smoke.sh already documents this path) |
+| A6 | The harness can rely on `--auto-select-desktop-capture-source="Entire screen"` working in CI runners' default locale (en_US) | §9 | LOW — most CI defaults to en_US; doc'd how to override if not |
+
+## Open Questions for the Planner
+
+1. **Where exactly does the `simulateUserStop` shim live?**
+ - Recommended: `src/test-hooks/offscreen-hooks.ts` imported conditionally
+ from `src/offscreen/recorder.ts` after `mediaStream` is assigned. The
+ hook reads `mediaStream` via a getter exposed at module load time:
+ `const __sharedRefs = { get currentStream() { return mediaStream; } }`.
+ Planner decides exact integration.
+
+2. **Should the harness assert on the exact NUMBER of notifications, or
+ set-membership?**
+ - Bug A and onStartup notification fire once each; recovery notification
+ fires on RECORDING_ERROR. Counting is brittle if the SW retries.
+ Set-membership (asserting on the *types* of notifications) is more
+ robust. Planner decides UX.
+
+3. **CI tool: GitHub Actions matrix? Or standalone shell?**
+ - Out of scope for THIS plan if there's no existing CI infrastructure.
+ The harness should be a single `npm run test:uat` invocation that
+ works locally; CI plumbing can be a separate plan.
+
+4. **Failure isolation: do we kill Chrome between assertions, or keep one
+ long-running browser instance?**
+ - Recommended: one browser, serial assertions (faster, fewer flakes from
+ extension reload races). If an assertion fails mid-sequence, abort and
+ dump SW + offscreen console logs. Planner decides whether to add
+ retries or full-restart isolation.
+
+5. **What's the contract for the test-hook surface?**
+ - `globalThis.__mokoshTest` shape needs to be declared as a TS type so
+ both the SW side (registers) and the harness side (reads) agree. Place
+ in `tests/uat/lib/test-hook-contract.d.ts`? Or `src/test-hooks/types.ts`?
+ Both — planner decides if it's worth the duplication or a shared dir.
+
+## Environment Availability
+
+| Dependency | Required By | Available | Version | Fallback |
+|------------|------------|-----------|---------|----------|
+| Node.js | Puppeteer 25 requires ≥22.12 | ✓ | v24.14.0 | — |
+| google-chrome-stable | Puppeteer auto-fetch backup if missing | ✓ | 148.0.7778.167 | Puppeteer downloads its own Chrome for Testing if missing |
+| ffprobe | WebM validity assertion | ✓ | 8.1.1 | — |
+| `unzip` (or jszip in-process) | ZIP shape assertion | ✓ via jszip already in deps | — | — |
+| Xvfb | Not required — headless mode supports getDisplayMedia | not installed | — | Optional; only needed if a future Chrome regresses headless capture |
+
+**Missing dependencies with no fallback:** none.
+**Missing dependencies with fallback:** Xvfb (defensive only).
+
+## Validation Architecture
+
+**TDD mode is ON.** Each of the 13+ harness assertions is itself a test.
+The planner should structure Wave 0 to build the harness skeleton with
+stubs for all 13 assertions (initially failing), then Wave 1 to wire each
+assertion in turn (red → green per assertion).
+
+### Test Framework
+| Property | Value |
+|----------|-------|
+| Framework | `node:test` (built-in) OR plain `node:assert/strict` script — no extra dep |
+| Config file | none (harness is a single script) |
+| Quick run command | `npm run test:uat` (orchestrates build:test + harness) |
+| Full suite command | same |
+
+### Phase Requirements → Test Map
+The planner's 13 assertions map 1:1 to the brief's list:
+| Req | Behavior | Method |
+|-----|----------|--------|
+| 1 | SW bootstrap → idle | sw.evaluate badge text == '', popup == '' |
+| 2 | onClicked-idle → REC | trigger click → wait → assert badge 'REC' + popup set |
+| 3 | displaySurface monitor | offscreenPage.evaluate `__mokoshTest.getCurrentStream().getVideoTracks()[0].getSettings().displaySurface == 'monitor'` |
+| 4 | click during recording → popup opens | trigger click → assert popup state, NO new offscreen target spawned |
+| 5 | SAVE_ARCHIVE → download | sw.evaluate sendMessage SAVE → wait → check Downloads dir |
+| 6 | user-stopped routes to OFF | offscreenPage.evaluate dispatchEvent → assert no error notif + badge '' |
+| 7 | RECORDING_ERROR codec → ERR badge + notif | sw.evaluate sendMessage RECORDING_ERROR → assert badge 'ERR' + notif fired |
+| 8 | onStartup → notification with iconUrl | sw.evaluate `__mokoshTest.handlers.onStartup()` → assert notification create succeeded |
+| 9 | icon files present | sw.evaluate fetch icon URLs → assert HTTP 200 + size > floor |
+| 10 | Manifest declares notifications + icons | sw.evaluate `chrome.runtime.getManifest()` → assert permissions + icons |
+| 11 | Buffer ≥3 segments after 35s | sw.evaluate query offscreen state (via runtime message) |
+| 12 | Remux passes ffprobe | spawn `ffprobe -v error -f matroska -i `, exit 0 |
+| 13 | Zip shape | jszip parse → assert `video/last_30sec.webm` + `meta.json` keys |
+
+### Sampling Rate
+- **Per task commit:** `npm test` (vitest unit) — fast (~5s)
+- **Per wave merge:** `npm run test:uat` (full harness ~60s)
+- **Phase gate:** harness green + smoke.sh still passes for operator brand check
+
+### Wave 0 Gaps
+- [ ] `vite.test.config.ts` — does not exist
+- [ ] `tests/uat/harness.test.ts` — does not exist (skeleton with 13 failing assertions)
+- [ ] `tests/uat/lib/*.ts` — helper modules
+- [ ] `src/test-hooks/sw-hooks.ts` + `offscreen-hooks.ts` — does not exist
+- [ ] `package.json` — add `puppeteer` + `tsx` devDeps + `test:uat` script
+- [ ] Grep check in build:test to fail loudly if production bundle contains `__mokoshTest`
+
+## Security Domain
+
+| ASVS Category | Applies | Standard Control |
+|---------------|---------|-----------------|
+| V2 Authentication | no | n/a (test harness only) |
+| V5 Input Validation | no | n/a |
+| V14 Configuration | yes | Test hook MUST NOT ship in production bundle — Wave 0 grep gate enforces |
+
+| Pattern | STRIDE | Standard Mitigation |
+|---------|--------|---------------------|
+| Test hook leaks into production → attacker invokes `__mokoshTest.simulateUserStop` from arbitrary page | Tampering/Elevation of Privilege | Build-time tree-shake gate + post-build grep verification |
+
+## Sources
+
+### Primary (HIGH confidence — empirically verified in this session)
+- Local probes 1-11 against `/home/parf/projects/work/repremium/dist` on Chrome 148.0.7778.167 + Puppeteer 25.0.2 (probe scripts at `/tmp/puppeteer-probe/probe*.js`)
+- `npm view puppeteer version` → 25.0.2 (engines node ≥22.12.0)
+- `/usr/bin/google-chrome-stable --version` → 148.0.7778.167
+- Source code read: `/home/parf/projects/work/repremium/src/offscreen/recorder.ts:275, 451-480` — confirms event-listener-only handler (no isTrusted check)
+
+### Secondary (HIGH confidence — official docs)
+- Puppeteer: https://pptr.dev/guides/chrome-extensions
+- Puppeteer extension testing: https://developer.chrome.com/docs/extensions/how-to/test/puppeteer
+- W3C Media Capture: https://w3c.github.io/mediacapture-main/#mediastreamtrack
+- MDN ended event: https://developer.mozilla.org/en-US/docs/Web/API/MediaStreamTrack/ended_event
+- MDN getDisplayMedia: https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getDisplayMedia
+- Chrome SW lifetime: https://developer.chrome.com/blog/longer-esw-lifetimes
+- Chrome ext news June 2025 (--load-extension removal): https://developer.chrome.com/blog/extension-news-june-2025
+- Vite env + modes: https://vite.dev/guide/env-and-mode
+- Chrome screen-sharing controls: https://developer.chrome.com/docs/web-platform/screen-sharing-controls
+- Puppeteer triggerExtensionAction PR: https://github.com/puppeteer/puppeteer/commit/d6395ef88103a50cb2b2c43f61953ab6a495a8c3
+
+### Tertiary (MEDIUM confidence — community sources)
+- Issue puppeteer#2486 (closed, fixed upstream): https://github.com/puppeteer/puppeteer/issues/2486
+- Issue puppeteer#4404 (open, historical context — limitation no longer holds on Chrome 148): https://github.com/puppeteer/puppeteer/issues/4404
+- Issue crxjs/chrome-extension-tools#831 (custom env vars in dev mode): https://github.com/crxjs/chrome-extension-tools/issues/831
+- MetaMask e2e structure (Mocha + Selenium reference): https://github.com/MetaMask/metamask-extension/tree/main/test/e2e
+- Stop sharing event timing (twilio-video.js#849): https://github.com/twilio/twilio-video.js/issues/849
+- auto-select-desktop-capture-source in headless: https://groups.google.com/g/discuss-webrtc/c/t0u6aVBfCgU
+
+### Could not verify (flagged for planner)
+- Chromium issue 40176215 ("Headless must support getDisplayMedia") — auth-required page; status unreadable. Mitigated by empirical probe11 confirming current Chrome 148 supports it.
+- Full puppeteer CHANGELOG word-by-word search for extension API maturation — GitHub WebFetch returned only page chrome, not content. Inferred timeline from commit metadata + current docs.
+
+## Metadata
+
+**Confidence breakdown:**
+- Standard stack: HIGH — verified against npm registry + working `npm install`
+- Architecture: HIGH — all five Patterns above demonstrated by local probes
+- Pitfalls 1-7: HIGH for 1-5 (probed), MEDIUM for 6-7 (cited but not probed; Pitfall 6 is doc'd in Chrome's own blog)
+- Bug B mechanism (§7): HIGH — both W3C spec cite AND empirical Chrome 148 reproduction
+- Two-bundle build (§6, §10): MEDIUM — design is correct per Vite docs but the specific A3 assumption needs Wave 0 verification grep on built artifact
+
+**Research date:** 2026-05-17
+**Valid until:** 2026-08-17 (90 days; longer than usual because the core APIs cited — W3C spec for MediaStreamTrack, Vite MODE behavior, Puppeteer extension API — are stable. Re-verify if Chrome major version jumps past 152 or Puppeteer past 26.)