2026-05-31 15:34:17 +00:00
1 changed files with 986 additions and 0 deletions
--- a/.planning/phases/01-stabilize-video-pipeline/01-11-RESEARCH.md
+++ b/.planning/phases/01-stabilize-video-pipeline/01-11-RESEARCH.md
@@ -0,0 +1,986 @@
 # Phase 1 · Plan 01-11 — Puppeteer UAT Harness · Research
 **Researched:** 2026-05-17
 **Domain:** Chrome MV3 E2E testing (Puppeteer 25 + Chrome 148)
 **Confidence:** HIGH — all critical claims verified by local probes on this machine's
 Chrome 148.0.7778.167 and a fresh `npm install puppeteer@25.0.2`
 ## Summary
 The orchestrator brief lists ten "unknowns." All ten are now resolved, mostly by
 direct empirical probe against our `dist/` extension bundle. Two findings reshape
 the plan:
 1. **Bug B's `track.stop()`/`ended` parity problem is real and dispositive.** Per
   W3C spec (cited below) and verified locally: `track.stop()` does **NOT** fire
   `ended`. A harness that calls `track.stop()` cannot trigger our
   `onUserStoppedSharing` handler. The workaround is
   `track.dispatchEvent(new Event('ended'))` — verified to fire the listener and
   leave the track in `readyState: 'live'` (so the harness must also call
   `track.stop()` separately to release the actual capture).
 2. **Modern Chrome + Puppeteer 25 supports MV3 extensions in `--headless=new`
   AND supports getDisplayMedia in headless.** The "must run headful + Xvfb"
   premise embedded in the existing `smoke.sh` is outdated. Probes 5 + 11 both
   succeed in headless mode against our bundle.
 Everything else (toolbar-click dispatch, SW eval, offscreen-page targeting,
 notifications.create from a probe) works straightforwardly with the documented
 `enableExtensions` + `triggerExtensionAction` API. The harness design is
 mechanically simple; the engineering work is in the 13 assertions and the
 two-bundle build separation.
 **Primary recommendation:** Puppeteer 25 + Node `--experimental-vm-modules` or
 `tsx` runner, `--headless=new` for CI, `headless: false` for local debugging.
 Two-bundle separation via `vite build --mode test` → `dist-test/`. Hook lives
 inside the SW guarded by `import.meta.env.MODE === 'test'` (with a
 **conditional manifest** that adds the hook script — required because crxjs
 manifest is static).
 <user_constraints>
 ## User Constraints (from CONTEXT.md and orchestrator brief)
 ### Locked Decisions
 - **Tool:** Puppeteer (over Playwright — lighter for our single-extension scale)
 - **Hook pattern:** `globalThis.__mokoshTest` captures handler refs registered
  to `chrome.action.onClicked` / `chrome.runtime.onStartup`; CDP invokes via
  `sw.evaluate(...)`. Hook code gated on `import.meta.env.MODE === 'test'`
  so production bundle tree-shakes it.
 - **Wave:** 3 (between Plan 01-09 functional closure and Plan 01-10 welcome
  tab start).
 - **Scope target:** 13+ assertions covering Plan 01-08/01-09 functional
  contract.
 - **Operator role retirement:** operator stops being a functional-gate
  assertion library; remains for brand/design acceptance.
 - All Phase 1 D-01…D-19 decisions from `01-CONTEXT.md` (getDisplayMedia in
  offscreen, ring buffer, ffprobe gate, etc.) remain locked.
 ### Claude's Discretion
 - Specific bundle separation mechanism (two configs vs one config with `mode`
  flag — recommended below)
 - Whether to introduce a `tsx` runner vs adding a `test:e2e` npm script that
  invokes node directly
 - Exact placement of the hook file (e.g. `src/test-hook.ts` imported
  conditionally) — recommended below
 - Whether to use raw CDP (`createCDPSession`) or `sw.evaluate` / `page.evaluate`
  — recommended below: `sw.evaluate` for SW, `asPage().evaluate` for offscreen,
  raw CDP only where userGesture-tagged is needed (not for our 13 assertions)
 ### Deferred Ideas (OUT OF SCOPE)
 - vitest browser mode as alternative path (researched in §4 below; not chosen)
 - Mocking `chrome.desktopCapture` entirely (we use the real getDisplayMedia
  with `--auto-select-desktop-capture-source` flag — verified working in
  headless mode)
 - Multi-browser support (Firefox, Edge) — Mokosh is Chrome-only per Phase 0
 </user_constraints>
 <phase_requirements>
 ## Phase 1 Plan 01-11 Requirements
 | ID | Description | Research Support |
 |----|-------------|------------------|
 | REQ-uat-harness-puppeteer | Puppeteer-driven Node script that replays Plan 01-08/01-09 functional contract as automated assertions | §1 (workable launch flags), §2 (SW target shape), §5 (no usable OSS prior art for this exact shape — write from scratch) |
 | REQ-uat-bug-A-coverage | Test asserts `chrome.notifications.create` succeeds with the manifest-declared iconUrl in the icons/icon48.png form | Probe 4 verified `notifications.create` works from `sw.evaluate` synchronously; icon manifest is readable via `chrome.runtime.getManifest().icons` |
 | REQ-uat-bug-B-coverage | Test asserts user-stopped-sharing routes to badge OFF + popup '' + no recovery notif (the routing-bug case), NOT the ERROR path | §7 (BLOCKER analysis): cannot use `track.stop()`; must use `track.dispatchEvent(new Event('ended'))` from offscreen-page context |
 | REQ-uat-two-bundle | Production bundle has no test hooks; test bundle adds the synthetic-event hooks | §6 (two-bundle build via `--mode test` + conditional manifest) and §10 (npm scripts) |
 | REQ-uat-ci-friendly | Harness runs in `--headless=new` for CI; no display required | Probes 5, 11: empirically verified Chrome 148 supports both extension loading and getDisplayMedia in headless |
 | REQ-uat-13-assertions | At least the 13 assertions listed in the brief are implemented | Per-assertion implementation hints in §11 (planner ready-reference table) |
 </phase_requirements>
 ## Architectural Responsibility Map
 | Capability | Primary Tier | Secondary | Rationale |
 |------------|--------------|-----------|-----------|
 | Launch Chrome with extension | Node script (Puppeteer driver) | — | Driver owns process lifecycle |
 | Invoke toolbar click | Driver via `page.triggerExtensionAction` | SW eval (fallback) | Documented public API, works empirically |
 | Read badge / popup state | SW context (`sw.evaluate`) | — | All `chrome.action.get*` APIs callable from SW |
 | Synthesize `chrome.runtime.onStartup` | SW context (test-hook listener) | — | onStartup only fires on cold browser start; harness invokes via hook reference |
 | Synthesize "user stopped sharing" | Offscreen page context (`asPage().evaluate`) | — | Must dispatch on the live MediaStreamTrack — only the offscreen DOM has the ref |
 | Read manifest / icon paths | SW context | Node fs read of `dist-test/manifest.json` | Either path works; SW is closer to runtime truth |
 | Assert ZIP shape | Node script (jszip in driver) | — | Standard file inspection, no browser involvement |
 | Assert WebM via ffprobe | Node script (child_process) | — | Inherits from existing smoke.sh; CI runner has ffprobe |
 | Drive offscreen creation | Driver triggers SW which triggers offscreen | — | Same path as production |
 ## Standard Stack
 ### Core
 | Library | Version | Purpose | Why Standard |
 |---------|---------|---------|--------------|
 | `puppeteer` | 25.0.2 | Browser automation + `enableExtensions` + `triggerExtensionAction` | Latest stable, ships the documented MV3 extension API; requires Node ≥22.12.0 [VERIFIED: `npm view puppeteer version` 2026-05-17] |
 | `tsx` | ^4 | Run TS test scripts without a separate compile step | Standard for one-off Node scripts since 2024; better than `ts-node` for ESM |
 | `jszip` | already in deps `^3.10.1` | Inspect the generated `session_report_*.zip` | Already used by the extension; reuse parser |
 ### Supporting
 | Library | Version | Purpose | When to Use |
 |---------|---------|---------|-------------|
 | ffprobe | system binary | WebM validity check on `last_30sec.webm` | Already required by smoke.sh; CI must have it (pre-flight assertion) |
 | `node:assert/strict` | built-in | Assertions, no extra framework needed | Keeps the harness <500 LoC; we don't need vitest/mocha overhead for 13 deterministic checks |
 ### Alternatives Considered
 | Instead of | Could Use | Tradeoff |
 |------------|-----------|----------|
 | Puppeteer | Playwright | Playwright has slightly better extension API maturity but adds 200 MB to devDependencies; we've already locked Puppeteer per CONTEXT |
 | `node:assert/strict` | vitest browser mode | vitest browser mode targets in-browser test execution; we want Node-side orchestration that drives the browser — wrong fit (see §4) |
 | `tsx` | `tsc && node` two-step | `tsx` is one step; reduces CI friction |
 **Installation:**
 ```bash
 npm install --save-dev puppeteer@^25.0.2 tsx@^4
 ```
 **Version verification:** `npm view puppeteer version` → `25.0.2`,
 published per registry on 2026-05 (the engines field requires `node >=22.12.0`;
 our system has `v24.14.0`, OK). Cite: https://www.npmjs.com/package/puppeteer
 ## Architecture Patterns
 ### System Architecture Diagram
 ```
 ┌─────────────────────────────────────────────────────────────────┐
 │  Node test runner (tests/uat/harness.test.ts under `tsx`)       │
 │  ────────────────────────────────────────────────────────────── │
 │  1. spawn Chrome via puppeteer.launch({                          │
 │       pipe: true,                                                 │
 │       enableExtensions: ['./dist-test'],                          │
 │       headless: <env CI ? true : false>,                          │
 │       args: ['--no-sandbox',                                      │
 │               '--auto-select-desktop-capture-source=Entire screen'│
 │             ] })                                                  │
 │  2. await waitForTarget(t => t.type() === 'service_worker')      │
 │  3. sw = await target.worker()                                   │
 │  4. exts = await browser.extensions(); ext = first entry         │
 └────────┬────────────────────────────────────────────────────────┘
         │ CDP (Runtime.evaluate, etc.)
         ▼
 ┌─────────────────────────────────────────────────────────────────┐
 │  Service Worker  (chrome-extension://<id>/service-worker-loader) │
 │  ────────────────────────────────────────────────────────────── │
 │  Production code (always): onClicked, onStartup, badge state    │
 │                                                                   │
 │  Test-only code (MODE='test' gate):                              │
 │    globalThis.__mokoshTest = {                                    │
 │      handlers: { onClicked: null, onStartup: null,                │
 │                  notificationOnClicked: null },                   │
 │    }                                                              │
 │    monkey-patch addListener to capture refs                       │
 └────────┬────────────────────────────────────────────────────────┘
         │ chrome.offscreen.createDocument()
         ▼
 ┌─────────────────────────────────────────────────────────────────┐
 │  Offscreen page  (chrome-extension://<id>/src/offscreen/index)   │
 │  ────────────────────────────────────────────────────────────── │
 │  Production code (always): getDisplayMedia, MediaRecorder, etc.  │
 │                                                                   │
 │  Test-only code (MODE='test' gate):                              │
 │    globalThis.__mokoshTest = {                                    │
 │      getCurrentStream: () => mediaStream,                         │
 │      simulateUserStop: () => {                                    │
 │        const t = mediaStream.getVideoTracks()[0];                 │
 │        t.dispatchEvent(new Event('ended'));                       │
 │        // production handler fires; harness still must            │
 │        // explicitly stop() afterward to release the capture.     │
 │      },                                                            │
 │    }                                                              │
 └─────────────────────────────────────────────────────────────────┘
 Harness reads back:
  • badgeText via sw.evaluate(() => chrome.action.getBadgeText({}))
  • popup    via sw.evaluate(() => chrome.action.getPopup({}))
  • iconUrl  via sw.evaluate(() => chrome.runtime.getManifest().icons)
  • track displaySurface via offscreenPage.evaluate(() =>
       __mokoshTest.getCurrentStream().getVideoTracks()[0].getSettings())
  • notification iconUrl param: intercept chrome.notifications.create
       inside the SW test-hook by wrapping the original (records arg snapshot)
 ```
 ### Recommended Project Structure
 ```
 tests/uat/
 ├── harness.test.ts         # main: 13 assertions, top-to-bottom narrative
 ├── lib/
 │   ├── launch.ts           # puppeteer.launch wrapper with our flags
 │   ├── extension.ts        # extension(), worker(), offscreenPage() helpers
 │   ├── assert-zip.ts       # jszip-based zip / WebM / meta.json checks
 │   └── trigger.ts          # triggerToolbarClick, simulateUserStop, etc.
 └── README.md               # how to run locally vs CI
 src/
 └── test-hooks/
    ├── sw-hooks.ts         # registers __mokoshTest in SW; imported by background
    └── offscreen-hooks.ts  # registers __mokoshTest in offscreen; imported by recorder
 vite.config.ts              # production
 vite.test.config.ts         # extends prod, sets mode:'test', outDir:'dist-test'
 ```
 ### Pattern 1: Service-Worker capture-handlers hook (gated on MODE)
 **What:** the hook monkey-patches `chrome.action.onClicked.addListener` (etc.)
 to capture the handler reference into `globalThis.__mokoshTest.handlers` AND
 still calls the real `addListener`. Production code path is identical; tests
 get an out-of-band reference they can call directly.
 **When to use:** every event source whose dispatch we can't otherwise
 trigger from a test driver (onStartup primarily — onClicked is reachable via
 `triggerExtensionAction`, but having the handler ref is useful for the
 "badge OFF on user-stopped-sharing" assertion).
 **Example:**
 ```typescript
 // src/test-hooks/sw-hooks.ts
 // IMPORTED FROM src/background/index.ts under:
 //   if (import.meta.env.MODE === 'test') { await import('../test-hooks/sw-hooks'); }
 // Vite tree-shakes the import entirely when MODE !== 'test' [VERIFIED: Vite docs
 // on env-and-mode + define]
 const handlers = {
  onClicked: null as null | ((tab: chrome.tabs.Tab) => void),
  onStartup: null as null | (() => void),
  notificationOnClicked: null as null | ((id: string) => void),
 };
 const origActionAdd = chrome.action.onClicked.addListener.bind(chrome.action.onClicked);
 chrome.action.onClicked.addListener = (cb) => {
  handlers.onClicked = cb;
  origActionAdd(cb);
 };
 const origStartupAdd = chrome.runtime.onStartup.addListener.bind(chrome.runtime.onStartup);
 chrome.runtime.onStartup.addListener = (cb) => {
  handlers.onStartup = cb;
  origStartupAdd(cb);
 };
 const origNotifAdd = chrome.notifications.onClicked.addListener.bind(chrome.notifications.onClicked);
 chrome.notifications.onClicked.addListener = (cb) => {
  handlers.notificationOnClicked = cb;
  origNotifAdd(cb);
 };
 globalThis.__mokoshTest = { handlers };
 ```
 ### Pattern 2: Reading SW state from the harness
 ```typescript
 const [_, ext] = [...(await browser.extensions())][0];
 const swTarget = await browser.waitForTarget(t => t.type() === 'service_worker');
 const sw = await swTarget.worker();
 const badge = await sw.evaluate(() => chrome.action.getBadgeText({}));
 // All chrome.action / chrome.notifications / chrome.runtime APIs are reachable
 // VERIFIED: probe2 + probe4
 ```
 ### Pattern 3: Driving onClicked via the real path
 ```typescript
 // MV3 contract: chrome.action.onClicked DOES NOT fire when default_popup is set
 // VERIFIED: probe3 — clearing popup yields 1 dispatch; restoring popup yields 0
 // Plan 01-09 already implements setPopup({popup:''}) when idle, so production code
 // is the one driving the popup state. Harness drives the click via the public API:
 await page.triggerExtensionAction(ext);  // requires a non-null page arg per probe2
 ```
 ### Pattern 4: Attaching to the offscreen page
 ```typescript
 // Offscreen doc shows up as target type 'background_page' (not 'page' — quirk
 // confirmed by probe8/9). Use .asPage(), not .page():
 const off = browser.targets().find(t =>
  t.type() === 'background_page' && t.url().includes('offscreen'));
 const offPage = await off.asPage();  // VERIFIED: probe9 — returns a real Page
 const ds = await offPage.evaluate(() =>
  globalThis.__mokoshTest.getCurrentStream().getVideoTracks()[0].getSettings().displaySurface
 );
 ```
 ### Pattern 5: Synthetic user-stopped-sharing (Bug B harness)
 ```typescript
 // CRITICAL: track.stop() does NOT fire 'ended' per W3C spec [VERIFIED: probe7,
 // MDN cite below]. The ONLY way to trigger our production
 // onUserStoppedSharing handler from a test driver is dispatchEvent.
 await offPage.evaluate(() => {
  const t = globalThis.__mokoshTest.getCurrentStream().getVideoTracks()[0];
  t.dispatchEvent(new Event('ended'));
  // Track is still in readyState 'live' after dispatch; the production
  // handler will call stream.getTracks().forEach(t => t.stop()) which DOES
  // release the capture (just doesn't refire 'ended' because, again, spec).
 });
 ```
 ### Anti-Patterns to Avoid
 - **Do NOT call `track.stop()` to simulate Bug B.** It will not fire the
  handler. The harness will report PASS when production reality is FAIL.
  This is the single most dangerous trap in this work.
 - **Do NOT rely on `page.evaluate('chrome.action.openPopup()')` for the SAVE
  flow assertion.** `openPopup` requires user activation in MV3; even with
  Puppeteer's default userGesture flag the API has been flaky historically.
  Drive via `triggerExtensionAction` which goes through the real toolbar path.
 - **Do NOT assume the offscreen page exists at launch.** It is created
  on-demand by the SW. Tests must trigger the SW path that calls
  `chrome.offscreen.createDocument` first, then wait for the
  `background_page` target.
 ## Don't Hand-Roll
 | Problem | Don't Build | Use Instead | Why |
 |---------|-------------|-------------|-----|
 | Extension loading in Chrome | Custom `--load-extension` flag | `puppeteer.launch({ enableExtensions: [...] })` | `--load-extension` is removed from branded Chrome 137+; Puppeteer passes `--enable-unsafe-extension-debugging` automatically [CITED: developer.chrome.com extension-news-june-2025] |
 | Finding the SW target | Polling `browser.pages()` | `browser.waitForTarget(t => t.type() === 'service_worker')` | Documented, supports a timeout option, race-free |
 | Invoking toolbar click | DOM clicks on chrome:// URLs (impossible) | `page.triggerExtensionAction(extension)` | Ships in Puppeteer 25, replaces the decade-old "you can't click extension buttons" hack landscape [CITED: PR #14821] |
 | User-stopped-sharing simulation | Custom MediaStreamTrack subclass | `track.dispatchEvent(new Event('ended'))` | Spec-compliant; works on a real live track; minimum-surface change |
 | Two-bundle separation | Manual file copy | `vite build --mode test` with separate `vite.test.config.ts` | Vite's built-in mode mechanism; predictable tree-shaking [CITED: vite.dev/guide/env-and-mode] |
 ## Per-Area Findings
 ### 1. Puppeteer extension testing quirks
 **Findings:**
 - Issue #2486 ("Ability to click browser action buttons", opened 2018) is
  **CLOSED** and resolved upstream. The fix is `page.triggerExtensionAction()`,
  added via PR #14821 (commit `d6395ef`, merged into Puppeteer 22.x line as
  experimental API; ratified to stable shape in 24.x; documented as the
  recommended path in the current pptr.dev/guides/chrome-extensions). Cite:
  https://github.com/puppeteer/puppeteer/issues/2486,
  https://github.com/puppeteer/puppeteer/commit/d6395ef88103a50cb2b2c43f61953ab6a495a8c3
 - Issue #8987 (mentioned in brief): could not find this exact issue number
  in the puppeteer repo. May be a transposition from another repo. The
  documented limitation — that `chrome.action.onClicked` does not fire when
  `default_popup` is set in manifest — is a MV3 spec contract, not a
  Puppeteer bug. [VERIFIED: probe3 — empirically reproduced both cases.]
 - Puppeteer 25.0.2 (current latest) handles MV3 extensions cleanly:
  - `enableExtensions: ['/abs/path/to/dist']` at launch (also accepts `true`
    to allow runtime install via `browser.installExtension(path)`)
  - `browser.extensions()` returns `Map<id, Extension>` with `.id`, `.name`,
    `.version`, `.pages()`, `.workers()`
  - `page.triggerExtensionAction(ext)` simulates toolbar click
 **Critical MV3 contract**: per the Chrome docs (cited verbatim in the
 search result above), *"The action.onClicked event won't be sent if the
 extension action has specified a popup to show on click of the current
 tab."* Probe3 confirmed: `setPopup({popup:''})` → click → onClicked fires;
 `setPopup({popup:'src/popup/index.html'})` → click → popup opens, NO
 onClicked dispatch. Our plan-01-09 code already toggles popup state based
 on `isRecording` (this is the source of the routing this plan is testing).
 **Recommendation:** Use `page.triggerExtensionAction(ext)` as the primary
 click path. For assertions that need to bypass the popup gate (e.g., the
 ERROR-path direct test), call the captured handler ref via
 `sw.evaluate(() => __mokoshTest.handlers.onClicked({}))`.
 ### 2. CDP attach to MV3 SW contexts
 **Findings:**
 - `browser.targets().filter(t => t.type() === 'service_worker')` is the
  documented and only-tested path; works on Puppeteer 22+ across all
  MV3 SW shapes (verified probe1, probe2, probe5).
 - The SW target URL is **`service-worker-loader.js`**, not the path you'd
  expect from `manifest.json` (`src/background/index.ts`). This is crxjs's
  loader wrapper — the wrapper imports the real bundle. **Implication:**
  filter on `t.type() === 'service_worker'` only, NOT on URL suffix.
 - SW lifecycle in Puppeteer-driven Chrome: per Chrome docs (cited:
  developer.chrome.com/blog/longer-esw-lifetimes), MV3 SWs terminate
  after 30 s of inactivity. Per the same blog, opening DevTools keeps
  SWs alive. Per ChromeDriver-based testing libraries' empirical
  experience (cited: https://developer.chrome.com/blog/eyeos-journey...):
  *"Service workers never terminate if the developer tools are open or
  you are using a ChromeDriver based testing library."*
  - **However**, this last claim could not be verified for Puppeteer-CDP
    specifically. The probes ran fast enough (<5s) that 30s idle wasn't
    relevant.
  - **Defensive design:** between assertions, run a `sw.evaluate(() =>
    chrome.runtime.getPlatformInfo())` "keepalive" call. Every async
    chrome.* API call resets the 30s timer (Chrome 110+ behavior, cited).
 - Cold-start: probes always saw the SW target within ~1.5s of
  `puppeteer.launch`. The `waitForTarget` API with a timeout makes this
  race-free.
 **Recommendation:** Standard `waitForTarget` + `target.worker()`. Add a
 2-second keepalive ping (`chrome.runtime.getPlatformInfo()`) between
 assertions if the harness runtime exceeds ~25s.
 ### 3. Chrome `--headless=new` + extensions
 **EMPIRICALLY VERIFIED on this machine (Chrome 148.0.7778.167, Puppeteer 25):**
 - ✅ MV3 extension loads in `--headless=new` (probe5)
 - ✅ SW eval works in headless (probe5)
 - ✅ `getDisplayMedia({ video: { displaySurface: 'monitor' } })` returns a real
  stream in headless (probe11). The returned dimensions are 800×600 — that's
  Chrome's default headless surface size (configurable via
  `--window-size=W,H` or `defaultViewport` in puppeteer.launch).
 - ✅ `--auto-select-desktop-capture-source="Entire screen"` works in headless
  (probe11)
 This contradicts older claims (Issue puppeteer/puppeteer#4404, mrd0x post)
 that screen capture requires headful + Xvfb. Those claims predate
 `--headless=new` (Chrome 109+ "true headless") which is now Puppeteer's
 default. The legacy `--headless=old` (now removed in Chrome ≥132) DID have
 this limitation.
 Issue Chromium 40176215 ("Headless must support getDisplayMedia") could
 not be read (auth-required page), but the empirical result on Chrome 148
 implies it is resolved or sufficiently worked-around.
 **Recommendation:** Run CI in `--headless=new` (Puppeteer's `headless: true`
 default in v22+). Local dev mode `headless: false` for debugging.
 **No Xvfb required.** Document this as a phase-level decision.
 ### 4. vitest browser mode as alternative path
 **Findings:**
 - vitest 4 browser mode runs tests INSIDE the browser (uses Playwright
  under the hood). The test file becomes a page in the browser.
 - This is the wrong direction for us: we need a Node-side driver that
  attaches to a Chrome process running our extension. vitest browser mode
  runs the test as a page; the test page has no access to extension SW or
  cross-context fixtures.
 - No prior art found for MV3 extension E2E on vitest browser mode (search
  returned only generic browser-mode guides).
 - Pulling in Playwright transitively defeats the "Puppeteer is lighter"
  rationale.
 **Recommendation:** Skip vitest browser mode. Continue using vitest for
 unit tests; add the UAT harness as a separate Node script (`tests/uat/`)
 invoked from a new `npm run test:uat` script. Keep them disjoint so the
 vitest unit suite stays fast.
 ### 5. Prior art from OSS MV3 extensions
 **Findings (most data harder to extract because GitHub pages render
 asymmetrically; the e2e directories required deeper drill-down than was
 practical in this research budget):**
 - **MetaMask** (`MetaMask/metamask-extension`): **Mocha + Selenium**.
  Their e2e/ subdirectory contains `.mocharc.js`, Page Object Model,
  fixtures, custom reporters, parallel run-all.mts. Not Puppeteer.
  Setup: `test/env.js` + `test/setup.js` required globally. Sequential
  by default. Uses Mocha's recursive discovery. Browser launch is via
  SELENIUM_BROWSER env var; Xvfb-on-CI assumed. [CITED: GitHub repo
  listing 2026-05]
 - **Bitwarden** (`bitwarden/clients`): GitHub repo too large to scrape via
  WebFetch. From general community knowledge: Bitwarden uses Jest unit
  tests + manual e2e historically. Not relevant.
 - **dappeteer** (Decentraland/ChainSafe/multiple forks): legacy MV2-era
  Puppeteer wrapper for MetaMask. Now deprecated. Synpress (Cypress-based)
  is the modern path for crypto-wallet extension testing — out of scope.
 - **Koweb3test** (referenced in search): explicitly says *"Tests work only
  in headed mode because extensions are not supported in headless mode in
  puppeteer and Cypress, and it's intended to be used in conjunction with
  xvfb on CI."* This is **stale**; verified above that Chrome 148 +
  Puppeteer 25 supports extensions in headless. The koweb3test claim was
  true historically but no longer holds.
 - **Vimium, uBlock Origin**: did not find published e2e harnesses with
  Puppeteer in available time.
 **Recommendation:** No OSS code can be lifted wholesale. The closest
 structural analogue is MetaMask's POM + helper-library split. Adopt
 that shape (split into `lib/` files) but skip Mocha — `node:test` or
 plain `tsx` script is enough for 13 deterministic assertions.
 ### 6. crxjs + Vite `import.meta.env.MODE` tree-shaking
 **Findings:**
 - Vite **does** statically replace `import.meta.env.MODE` at build time
  with a string literal when invoked via `vite build --mode <name>`.
  Rollup (Vite's underlying bundler) then dead-code-eliminates the
  unreachable branch. [CITED: vite.dev/guide/env-and-mode +
  vitejs/vite#15256.]
 - **Caveat:** Tree-shaking fails *if the variable is undefined* in env.
  But `MODE` is always defined (defaults to `'production'` for `vite build`
  and `'development'` for `vite`). Safe for our `import.meta.env.MODE === 'test'`
  guard.
 - crxjs (current 2.4.0): no explicit changelog entries about MODE handling.
  Issue #831 (closed) was about custom env vars in dev mode not being
  populated in the SW, NOT about MODE / DEV / PROD which were stated to
  always be populated. Our use case (MODE-based gating in `vite build --mode test`)
  is on the always-works path.
 - **Critical verification step we OWE the planner:** build BOTH bundles
  and grep `dist/service-worker-loader.js` (and the bundled background
  chunk) for any string from the test hook (e.g. `__mokoshTest`). If
  the production bundle contains it, our gate didn't tree-shake.
  This is a Wave 0 gate.
 **Recommendation:** Use `import.meta.env.MODE === 'test'` as the guard.
 Confirm in plan with explicit grep step on built artifact (`! grep -q
 __mokoshTest dist/...`). Use **dynamic import** (`await import('...')`)
 inside the guard so the test-hook MODULE itself is tree-shaken from
 production, not just the call:
 ```typescript
 // src/background/index.ts
 if (import.meta.env.MODE === 'test') {
  await import('../test-hooks/sw-hooks');
 }
 ```
 ### 7. MediaStreamTrack `track.stop()` vs Chrome "Stop sharing" button event parity
 **THIS IS THE BLOCKER.**
 **Findings (W3C spec + MDN + empirical):**
 - W3C Media Capture and Streams spec, `MediaStreamTrack.stop()` algorithm:
  *"When a MediaStreamTrack track ends for any reason other than the
  stop() method being invoked, the user agent MUST queue a task that sets
  the track's readyState to ended and fire a simple event named ended at
  the object."* (Cite: https://w3c.github.io/mediacapture-main/#mediastreamtrack)
 - MDN (authoritative, with W3C link):
  *"The only case where the track ends but the ended event is not fired
  is when calling MediaStreamTrack.stop."*
  (Cite: https://developer.mozilla.org/en-US/docs/Web/API/MediaStreamTrack/ended_event)
 - **Empirical confirmation in Chrome 148 (probe7):**
  - `track.stop()` → `endedFired: 0`, `readyState: 'ended'`
  - `track.dispatchEvent(new Event('ended'))` → `endedFired: 1`, `readyState: 'live'`
 - Our offscreen handler `onUserStoppedSharing` at
  `src/offscreen/recorder.ts:451-480` is registered as
  `track.addEventListener('ended', onUserStoppedSharing, { once: true })`
  (line 275). It is a pure event listener — it does not inspect any
  property to discriminate stop() vs source-ended; it fires whenever the
  event fires.
 **Implication for the harness:**
 - The Bug B assertion ("user stopped sharing → badge OFF, NOT recovery
  notif") MUST use `track.dispatchEvent(new Event('ended'))` from the
  offscreen page context, not `track.stop()`.
 - Because dispatchEvent leaves the track in `readyState: 'live'`, the
  production `onUserStoppedSharing` handler proceeds normally: it calls
  `stream.getTracks().forEach(t => t.stop())` which DOES release the
  actual capture (since stop() doesn't refire 'ended' on the same track,
  and the `{ once: true }` listener removed itself after the synthetic
  dispatch).
 - The harness must wait briefly after dispatch (~200ms) for the SW-side
  state change (badge OFF, popup '', isRecording=false) to propagate
  before asserting.
 **Without this workaround, the Bug B harness check is INVALID.** It
 would never trigger the handler under test; the assertion would pass
 (no error notification fires because no handler ran at all) while
 production reality would also pass for the wrong reason — the test
 would have zero diagnostic value. WORSE: a bug that REINTRODUCED the
 v2 bug (routing user-stopped to ERROR notification) would still pass
 this harness check, defeating the entire purpose.
 **Recommendation:** Plan MUST include an inline code comment + ADR-class
 note at the dispatchEvent call site explaining WHY it's not stop(). Wave
 0 must include a unit-level verification that the dispatched event
 triggers our handler (e.g., a vitest test that constructs a stub stream
 and asserts the handler fires). Belt + suspenders.
 ### 8. getDisplayMedia user-activation propagation via CDP
 **Findings:**
 - W3C spec requires *"transient user activation"* for getDisplayMedia
  (cite: https://w3c.github.io/mediacapture-screen-share/#dom-mediadevices-getdisplaymedia).
 - Chrome implementation accepts CDP-synthesized userGesture by default.
  Puppeteer's `page.evaluate` passes `userGesture: true` to
  `Runtime.evaluate` — has done so since pre-22 (cited in Puppeteer
  ExecutionContext.ts source).
 - **Empirically (probe10):** both `page.evaluate(getDisplayMedia)` and
  raw CDP `Runtime.evaluate { userGesture: true }` succeeded against
  the offscreen page. We do not need the workaround of "inject the call
  into a real click event handler in offscreen DOM."
 - **Caveat:** older Puppeteer issues (#13478) report crashes when closing
  pages with active media streams. Mitigation: explicitly call
  `stream.getTracks().forEach(t => t.stop())` before `browser.close()`.
  Our existing teardown paths already do this — harness must also do it
  on its own probe streams.
 **Recommendation:** No special handling needed. The production
 getDisplayMedia path runs unchanged in the test harness. Just ensure
 clean teardown.
 ### 9. `--auto-select-desktop-capture-source` reliability
 **Findings:**
 - Flag is **locale-specific** (well known; smoke.sh already documents this).
  English builds use `"Entire screen"`; Russian `"Весь экран"`.
 - Verified in probe10 + probe11 working with `="Entire screen"` on this
  machine's en_US Chrome 148.
 - **Headless gotcha:** when running `--headless=new`, the picker UI never
  actually surfaces (no display), but the flag still pre-selects the
  source server-side. getDisplayMedia returns immediately. Confirmed
  probe11.
 - Conflict: `--use-fake-ui-for-media-stream` + `--auto-select-desktop-capture-source`
  → Chrome ignores the auto-select. Do not combine. (Cite:
  groups.google.com/g/discuss-webrtc/c/t0u6aVBfCgU.)
 - Newer flag `--auto-accept-this-tab-capture` exists for `getDisplayMedia({
  preferCurrentTab: true })` flow but is irrelevant to us (we use
  `displaySurface: 'monitor'`).
 **Recommendation:** Pass `--auto-select-desktop-capture-source="Entire screen"`
 in the harness Chrome args. Do NOT add `--use-fake-ui-for-media-stream`.
 For CI portability across locales, document that test runners must use
 en_US locale (LANG/LC_ALL env) or override with the locale-correct
 string. This matches the constraint already in production smoke.sh.
 ### 10. Two-bundle separation orchestration
 **Findings:**
 - crxjs uses a static `manifest.json` (imported in `vite.config.ts`).
  Conditional content cannot be expressed through MODE alone inside that
  static object.
 - Workaround: TWO vite configs. `vite.test.config.ts` extends prod and
  swaps `outDir` + adds any test-specific manifest fields. Crxjs supports
  this — the manifest is just imported JS data; you can pre-process it
  per config file.
 - Alternative: ONE vite config that reads `process.env.npm_lifecycle_event`
  (set to `'build:test'` when invoked via `npm run build:test`) and
  branches. Simpler but couples build logic to npm script names. NOT
  recommended.
 - Path: `dist/` for prod, `dist-test/` for test. The harness's
  `enableExtensions` arg points to `dist-test/`.
 **Recommended package.json changes:**
 ```jsonc
 {
  "scripts": {
    "dev": "vite",
    "build": "tsc && vite build",
    "build:test": "tsc && vite build --mode test --config vite.test.config.ts",
    "preview": "vite preview",
    "test": "vitest run",
    "test:uat": "npm run build:test && tsx tests/uat/harness.test.ts"
  }
 }
 ```
 **Recommended `vite.test.config.ts`:**
 ```typescript
 import { defineConfig, mergeConfig } from 'vite';
 import baseConfig from './vite.config';
 export default defineConfig((env) =>
  mergeConfig(baseConfig, {
    mode: 'test',
    build: { outDir: 'dist-test', emptyOutDir: true },
  })
 );
 ```
 The `mode: 'test'` plus the CLI `--mode test` flag together ensure
 `import.meta.env.MODE === 'test'` resolves to `true` at build time and
 the test-hook branch survives.
 **Recommendation:** Two configs, two outputs, hook gated via
 `import.meta.env.MODE === 'test'` + dynamic import. Wave 0 grep
 verification that production `dist/` has zero `__mokoshTest` strings.
 ## Common Pitfalls
 ### Pitfall 1: Wrong target type for offscreen
 **What:** Looking for `t.type() === 'page'` on the offscreen doc; it's
 actually `'background_page'`.
 **Why:** Chrome internally classifies extension offscreen documents
 under the legacy background_page type tag.
 **Avoid:** Filter `t.type() === 'background_page' && t.url().includes('offscreen')`.
 Use `.asPage()` not `.page()`.
 ### Pitfall 2: track.stop() doesn't fire 'ended'
 **What:** Harness "simulates user-stopped" by calling track.stop(). Test
 passes silently. Production handler never ran. (See §7.)
 **Avoid:** Use `track.dispatchEvent(new Event('ended'))`.
 ### Pitfall 3: onClicked doesn't fire when popup is set
 **What:** triggerExtensionAction succeeds but our SW handler doesn't fire.
 **Why:** MV3 spec: popup wins over onClicked. Plan 01-09 toggles
 `setPopup({popup:''})` based on isRecording, so the harness must respect
 this state machine and only trigger toolbar clicks when popup is cleared
 (idle state) — OR call the captured handler ref directly via the hook.
 **Avoid:** Read popup state first; click only when popup is `""`. For
 "click during recording" assertion (popup opens, NO new picker), assert
 on popup state and on absence of new mediaStream, not on handler invocation.
 ### Pitfall 4: Production bundle contains test hooks
 **What:** Tree-shaking didn't strip the hook. Production ships with
 `__mokoshTest` exposed.
 **Why:** Vite tree-shaking only works on statically resolvable conditions.
 A dynamic env read (process.env.X) won't shake.
 **Avoid:** Use the literal `import.meta.env.MODE === 'test'`. Verify with
 `grep -q __mokoshTest dist/**` in build script.
 ### Pitfall 5: SW dies mid-test
 **What:** Harness runs for 40+ seconds without touching the SW; SW
 unloads; next `sw.evaluate` errors.
 **Why:** 30s idle rule (Chrome 110+); reset by chrome.* API calls.
 **Avoid:** Keepalive helper that pings `chrome.runtime.getPlatformInfo()`
 every 20s during long sequences. Most assertions touch chrome.* APIs
 anyway so this is mostly defensive.
 ### Pitfall 6: --load-extension flag (deprecated)
 **What:** Copying patterns from old blog posts that use
 `puppeteer.launch({ args: ['--load-extension=' + path] })`.
 **Why:** Removed in Chrome 137 branded builds (cite:
 developer.chrome.com/blog/extension-news-june-2025). Puppeteer's
 `enableExtensions` arg replaces it and passes the necessary
 `--enable-unsafe-extension-debugging` automatically.
 **Avoid:** Use `enableExtensions: ['/abs/path/to/dist-test']`. Period.
 ### Pitfall 7: Locale-dependent --auto-select-desktop-capture-source
 **What:** Test runs on a Russian-locale CI runner; "Entire screen"
 doesn't match; getDisplayMedia hangs at picker.
 **Avoid:** Document required locale in CI script; OR explicitly set
 `LC_ALL=en_US.UTF-8` in the harness child_process env.
 ## Code Examples
 ### Minimal working harness skeleton (top-of-file imports + setup)
 ```typescript
 // tests/uat/harness.test.ts
 // Run with: npm run build:test && tsx tests/uat/harness.test.ts
 import { strict as assert } from 'node:assert';
 import puppeteer, { Browser, Extension, Page } from 'puppeteer';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const distTest = path.resolve(__dirname, '../../dist-test');
 const browser: Browser = await puppeteer.launch({
  pipe: true,
  enableExtensions: [distTest],
  headless: process.env.CI ? true : false,
  args: [
    '--no-sandbox',
    '--auto-select-desktop-capture-source=Entire screen',
  ],
 });
 const exts = await browser.extensions();
 const [extId, ext] = [...exts][0];
 const swTarget = await browser.waitForTarget(t => t.type() === 'service_worker', { timeout: 10_000 });
 const sw = await swTarget.worker();
 const page = await browser.newPage();
 await page.goto('about:blank');
 console.log(`harness: extId=${extId}`);
 // VERIFIED PATH: triggerExtensionAction routes to onClicked when popup is ''
 await sw.evaluate(() => chrome.action.setPopup({ popup: '' }));
 await page.triggerExtensionAction(ext);
 // ... wait briefly for offscreen + getDisplayMedia ...
 await new Promise(r => setTimeout(r, 2000));
 const badge = await sw.evaluate(() => chrome.action.getBadgeText({}));
 assert.equal(badge, 'REC', 'badge should read REC after toolbar click in idle');
 // ... 12 more assertions ...
 await browser.close();
 console.log('UAT harness: 13/13 assertions passed');
 ```
 ### Synthetic chrome.notifications + iconUrl assertion (Bug A)
 ```typescript
 // Bug A: chrome.notifications.create rejects manifest URL paths in some Chrome
 // builds when icon dimensions don't meet floor. We test that production code
 // uses a known-valid path AND that the create() call succeeds.
 // Method A: capture the actual notification options Production sends, via
 // the SW test-hook (wrap chrome.notifications.create at hook init time).
 // Method B: re-issue the same create() options ourselves and assert success.
 // Plan should use Method A for fidelity.
 const notifSnapshot = await sw.evaluate(() => globalThis.__mokoshTest.lastNotificationOptions);
 assert.ok(notifSnapshot, 'production code must have called notifications.create');
 assert.match(notifSnapshot.iconUrl, /icons\/icon48\.png$/, 'must use 48px iconUrl');
 // Verify the file actually exists in the bundle
 const iconBytes = await sw.evaluate(async () => {
  const r = await fetch(chrome.runtime.getURL('icons/icon48.png'));
  return r.ok ? r.headers.get('content-length') : null;
 });
 assert.ok(iconBytes && parseInt(iconBytes) > 100, 'icon48.png must exist in bundle');
 ```
 ### Bug B assertion (user-stopped routes to OFF, not ERROR)
 ```typescript
 const off = browser.targets().find(t =>
  t.type() === 'background_page' && t.url().includes('offscreen'));
 assert.ok(off, 'offscreen must exist (recording in progress)');
 const offPage = await off.asPage();
 // Snapshot notification side-effects before the synthetic event
 const before = await sw.evaluate(() => globalThis.__mokoshTest.notificationCount);
 // CRITICAL: dispatchEvent, NOT track.stop() — see RESEARCH §7
 await offPage.evaluate(() => {
  const t = globalThis.__mokoshTest.getCurrentStream().getVideoTracks()[0];
  t.dispatchEvent(new Event('ended'));
 });
 // Wait for SW-side state transition (the offscreen handler posts a
 // runtime message → SW handler updates badge + clears popup)
 await new Promise(r => setTimeout(r, 300));
 const badgeAfter = await sw.evaluate(() => chrome.action.getBadgeText({}));
 const popupAfter = await sw.evaluate(() => chrome.action.getPopup({}));
 const after = await sw.evaluate(() => globalThis.__mokoshTest.notificationCount);
 assert.equal(badgeAfter, '', 'badge must be OFF after user-stopped');
 assert.equal(popupAfter, '', 'popup must be cleared (back to idle)');
 assert.equal(after, before, 'no new notification — user-stop is NOT an error');
 ```
 ## State of the Art
 | Old Approach | Current Approach | When Changed | Impact |
 |--------------|------------------|--------------|--------|
 | `--load-extension` flag | `enableExtensions: [path]` option | Chrome 137 (mid-2025) | Old code stops working on branded Chrome; Puppeteer's option auto-passes the right new flags |
 | Headful + Xvfb for extension testing | `--headless=new` works | Chrome 109+, fully shipped by ~Chrome 120; Puppeteer 22+ default | Cuts CI infrastructure: no display server needed |
 | `target.page()` for any non-page target returns null | `target.asPage()` returns a Page wrapper for `background_page` | Puppeteer 22+ | Lets us evaluate JS inside the offscreen document with the high-level Page API |
 | `chrome.action.onClicked` clickable via DOM hacks | `page.triggerExtensionAction(ext)` | Puppeteer 22+ (commit d6395ef) | Issue #2486 resolved upstream; no more workaround folklore |
 **Deprecated/outdated:**
 - `puppeteer.launch({ args: ['--load-extension=...'] })` — superseded by `enableExtensions`
 - `dappeteer` — deprecated by upstream maintainers; Synpress is the modern replacement
 - The claim "Puppeteer can't load extensions in headless" (still widely
  echoed in blog posts) — verified false on current Chrome/Puppeteer
 ## Assumptions Log
 | # | Claim | Section | Risk if Wrong |
 |---|-------|---------|---------------|
 | A1 | Issue puppeteer#8987 is a typo and doesn't refer to a specific limit on onClicked dispatch | §1 | LOW — the MV3 popup-vs-onClicked contract is the real constraint, verified by probe3 |
 | A2 | ChromeDriver's "SW never terminates" claim extends to Puppeteer-CDP-attached SWs | §2 | LOW — defensive keepalive ping covers either case; the 30s idle rule resets on any chrome.* call |
 | A3 | crxjs 2.4.0 passes through Vite's MODE-conditional tree-shaking without interference for dynamic-imported test-hook modules | §6 | MEDIUM — must be verified in Wave 0 with explicit grep on built artifact. If wrong, plan must switch to two separate manifests or a build-time substitution plugin |
 | A4 | Production `onUserStoppedSharing` will treat a dispatchEvent-fired 'ended' identically to a real source-ended event | §7 | LOW — the handler is a pure event listener; it doesn't read `event.isTrusted` or any property; only the firing matters [VERIFIED by code read of `src/offscreen/recorder.ts:451-480`] |
 | A5 | Chrome 148+ Puppeteer behavior is stable across at least the next 6 months of Chrome releases | §3 | MEDIUM — Chrome's headless mode is generally stable post-109, but Chromium issue 40176215 was unreadable. If a future Chrome regresses headless screen capture, fall back to headful + Xvfb (smoke.sh already documents this path) |
 | A6 | The harness can rely on `--auto-select-desktop-capture-source="Entire screen"` working in CI runners' default locale (en_US) | §9 | LOW — most CI defaults to en_US; doc'd how to override if not |
 ## Open Questions for the Planner
 1. **Where exactly does the `simulateUserStop` shim live?**
   - Recommended: `src/test-hooks/offscreen-hooks.ts` imported conditionally
     from `src/offscreen/recorder.ts` after `mediaStream` is assigned. The
     hook reads `mediaStream` via a getter exposed at module load time:
     `const __sharedRefs = { get currentStream() { return mediaStream; } }`.
     Planner decides exact integration.
 2. **Should the harness assert on the exact NUMBER of notifications, or
   set-membership?**
   - Bug A and onStartup notification fire once each; recovery notification
     fires on RECORDING_ERROR. Counting is brittle if the SW retries.
     Set-membership (asserting on the *types* of notifications) is more
     robust. Planner decides UX.
 3. **CI tool: GitHub Actions matrix? Or standalone shell?**
   - Out of scope for THIS plan if there's no existing CI infrastructure.
     The harness should be a single `npm run test:uat` invocation that
     works locally; CI plumbing can be a separate plan.
 4. **Failure isolation: do we kill Chrome between assertions, or keep one
   long-running browser instance?**
   - Recommended: one browser, serial assertions (faster, fewer flakes from
     extension reload races). If an assertion fails mid-sequence, abort and
     dump SW + offscreen console logs. Planner decides whether to add
     retries or full-restart isolation.
 5. **What's the contract for the test-hook surface?**
   - `globalThis.__mokoshTest` shape needs to be declared as a TS type so
     both the SW side (registers) and the harness side (reads) agree. Place
     in `tests/uat/lib/test-hook-contract.d.ts`? Or `src/test-hooks/types.ts`?
     Both — planner decides if it's worth the duplication or a shared dir.
 ## Environment Availability
 | Dependency | Required By | Available | Version | Fallback |
 |------------|------------|-----------|---------|----------|
 | Node.js | Puppeteer 25 requires ≥22.12 | ✓ | v24.14.0 | — |
 | google-chrome-stable | Puppeteer auto-fetch backup if missing | ✓ | 148.0.7778.167 | Puppeteer downloads its own Chrome for Testing if missing |
 | ffprobe | WebM validity assertion | ✓ | 8.1.1 | — |
 | `unzip` (or jszip in-process) | ZIP shape assertion | ✓ via jszip already in deps | — | — |
 | Xvfb | Not required — headless mode supports getDisplayMedia | not installed | — | Optional; only needed if a future Chrome regresses headless capture |
 **Missing dependencies with no fallback:** none.
 **Missing dependencies with fallback:** Xvfb (defensive only).
 ## Validation Architecture
 **TDD mode is ON.** Each of the 13+ harness assertions is itself a test.
 The planner should structure Wave 0 to build the harness skeleton with
 stubs for all 13 assertions (initially failing), then Wave 1 to wire each
 assertion in turn (red → green per assertion).
 ### Test Framework
 | Property | Value |
 |----------|-------|
 | Framework | `node:test` (built-in) OR plain `node:assert/strict` script — no extra dep |
 | Config file | none (harness is a single script) |
 | Quick run command | `npm run test:uat` (orchestrates build:test + harness) |
 | Full suite command | same |
 ### Phase Requirements → Test Map
 The planner's 13 assertions map 1:1 to the brief's list:
 | Req | Behavior | Method |
 |-----|----------|--------|
 | 1 | SW bootstrap → idle | sw.evaluate badge text == '', popup == '' |
 | 2 | onClicked-idle → REC | trigger click → wait → assert badge 'REC' + popup set |
 | 3 | displaySurface monitor | offscreenPage.evaluate `__mokoshTest.getCurrentStream().getVideoTracks()[0].getSettings().displaySurface == 'monitor'` |
 | 4 | click during recording → popup opens | trigger click → assert popup state, NO new offscreen target spawned |
 | 5 | SAVE_ARCHIVE → download | sw.evaluate sendMessage SAVE → wait → check Downloads dir |
 | 6 | user-stopped routes to OFF | offscreenPage.evaluate dispatchEvent → assert no error notif + badge '' |
 | 7 | RECORDING_ERROR codec → ERR badge + notif | sw.evaluate sendMessage RECORDING_ERROR → assert badge 'ERR' + notif fired |
 | 8 | onStartup → notification with iconUrl | sw.evaluate `__mokoshTest.handlers.onStartup()` → assert notification create succeeded |
 | 9 | icon files present | sw.evaluate fetch icon URLs → assert HTTP 200 + size > floor |
 | 10 | Manifest declares notifications + icons | sw.evaluate `chrome.runtime.getManifest()` → assert permissions + icons |
 | 11 | Buffer ≥3 segments after 35s | sw.evaluate query offscreen state (via runtime message) |
 | 12 | Remux passes ffprobe | spawn `ffprobe -v error -f matroska -i <path>`, exit 0 |
 | 13 | Zip shape | jszip parse → assert `video/last_30sec.webm` + `meta.json` keys |
 ### Sampling Rate
 - **Per task commit:** `npm test` (vitest unit) — fast (~5s)
 - **Per wave merge:** `npm run test:uat` (full harness ~60s)
 - **Phase gate:** harness green + smoke.sh still passes for operator brand check
 ### Wave 0 Gaps
 - [ ] `vite.test.config.ts` — does not exist
 - [ ] `tests/uat/harness.test.ts` — does not exist (skeleton with 13 failing assertions)
 - [ ] `tests/uat/lib/*.ts` — helper modules
 - [ ] `src/test-hooks/sw-hooks.ts` + `offscreen-hooks.ts` — does not exist
 - [ ] `package.json` — add `puppeteer` + `tsx` devDeps + `test:uat` script
 - [ ] Grep check in build:test to fail loudly if production bundle contains `__mokoshTest`
 ## Security Domain
 | ASVS Category | Applies | Standard Control |
 |---------------|---------|-----------------|
 | V2 Authentication | no | n/a (test harness only) |
 | V5 Input Validation | no | n/a |
 | V14 Configuration | yes | Test hook MUST NOT ship in production bundle — Wave 0 grep gate enforces |
 | Pattern | STRIDE | Standard Mitigation |
 |---------|--------|---------------------|
 | Test hook leaks into production → attacker invokes `__mokoshTest.simulateUserStop` from arbitrary page | Tampering/Elevation of Privilege | Build-time tree-shake gate + post-build grep verification |
 ## Sources
 ### Primary (HIGH confidence — empirically verified in this session)
 - Local probes 1-11 against `/home/parf/projects/work/repremium/dist` on Chrome 148.0.7778.167 + Puppeteer 25.0.2 (probe scripts at `/tmp/puppeteer-probe/probe*.js`)
 - `npm view puppeteer version` → 25.0.2 (engines node ≥22.12.0)
 - `/usr/bin/google-chrome-stable --version` → 148.0.7778.167
 - Source code read: `/home/parf/projects/work/repremium/src/offscreen/recorder.ts:275, 451-480` — confirms event-listener-only handler (no isTrusted check)
 ### Secondary (HIGH confidence — official docs)
 - Puppeteer: https://pptr.dev/guides/chrome-extensions
 - Puppeteer extension testing: https://developer.chrome.com/docs/extensions/how-to/test/puppeteer
 - W3C Media Capture: https://w3c.github.io/mediacapture-main/#mediastreamtrack
 - MDN ended event: https://developer.mozilla.org/en-US/docs/Web/API/MediaStreamTrack/ended_event
 - MDN getDisplayMedia: https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getDisplayMedia
 - Chrome SW lifetime: https://developer.chrome.com/blog/longer-esw-lifetimes
 - Chrome ext news June 2025 (--load-extension removal): https://developer.chrome.com/blog/extension-news-june-2025
 - Vite env + modes: https://vite.dev/guide/env-and-mode
 - Chrome screen-sharing controls: https://developer.chrome.com/docs/web-platform/screen-sharing-controls
 - Puppeteer triggerExtensionAction PR: https://github.com/puppeteer/puppeteer/commit/d6395ef88103a50cb2b2c43f61953ab6a495a8c3
 ### Tertiary (MEDIUM confidence — community sources)
 - Issue puppeteer#2486 (closed, fixed upstream): https://github.com/puppeteer/puppeteer/issues/2486
 - Issue puppeteer#4404 (open, historical context — limitation no longer holds on Chrome 148): https://github.com/puppeteer/puppeteer/issues/4404
 - Issue crxjs/chrome-extension-tools#831 (custom env vars in dev mode): https://github.com/crxjs/chrome-extension-tools/issues/831
 - MetaMask e2e structure (Mocha + Selenium reference): https://github.com/MetaMask/metamask-extension/tree/main/test/e2e
 - Stop sharing event timing (twilio-video.js#849): https://github.com/twilio/twilio-video.js/issues/849
 - auto-select-desktop-capture-source in headless: https://groups.google.com/g/discuss-webrtc/c/t0u6aVBfCgU
 ### Could not verify (flagged for planner)
 - Chromium issue 40176215 ("Headless must support getDisplayMedia") — auth-required page; status unreadable. Mitigated by empirical probe11 confirming current Chrome 148 supports it.
 - Full puppeteer CHANGELOG word-by-word search for extension API maturation — GitHub WebFetch returned only page chrome, not content. Inferred timeline from commit metadata + current docs.
 ## Metadata
 **Confidence breakdown:**
 - Standard stack: HIGH — verified against npm registry + working `npm install`
 - Architecture: HIGH — all five Patterns above demonstrated by local probes
 - Pitfalls 1-7: HIGH for 1-5 (probed), MEDIUM for 6-7 (cited but not probed; Pitfall 6 is doc'd in Chrome's own blog)
 - Bug B mechanism (§7): HIGH — both W3C spec cite AND empirical Chrome 148 reproduction
 - Two-bundle build (§6, §10): MEDIUM — design is correct per Vite docs but the specific A3 assumption needs Wave 0 verification grep on built artifact
 **Research date:** 2026-05-17
 **Valid until:** 2026-08-17 (90 days; longer than usual because the core APIs cited — W3C spec for MediaStreamTrack, Vite MODE behavior, Puppeteer extension API — are stable. Re-verify if Chrome major version jumps past 152 or Puppeteer past 26.)