feat: autonomous login

[andyMrtnzP]

Summary

• Fix a bug where skills detected on snapshot responses were never injected into the LLM's context — appendSkills(...) was missing on the snapshot return path in agent.ts, so triggers fired and markFired ran but the skill body was silently dropped.
• Make the autonomous-login skill load proactively across the cases that actually matter: added URL-match and sign-in-CTA triggers (in addition to the existing password-input trigger), and added an always-loaded ## Auth posture rule that tells the agent to load the skill before mentioning or suggesting sign-in — not just when a password field is on the page.

Test plan

• npm test passes locally
• npm run lint passes locally
• npm run coverage thresholds still met
• Manual smoke test against a real Browserless token (describe below)
• N/A — docs / chore / refactor only

Manual: reproduced the original failure (agent visiting amazon.com/gp/cart/view.html with an empty cart and not loading autonomous-login); after the fix, the skill auto-injects on the snapshot via the sign-in-CTA trigger, and the Terminal-Goal-Check section prevents the agent from returning the empty cart as an answer.

Checklist

• I have read CONTRIBUTING.md
• My commits follow the conventional-commit prefix convention
• I have updated documentation where relevant (README, CHANGELOG, etc.)
• I have not introduced new dependencies without flagging them in the summary

Summary by CodeRabbit

• New Features
  • Added autonomous login workflow capability that automatically detects and handles sign-in processes, including password field recognition.
  • Implemented multi-factor authentication (MFA) and one-time password (OTP) support within the login workflow.
  • System now provides standardized response format with success status and verification evidence.

[coderabbitai]

Walkthrough

This PR implements a new autonomous login skill for the browserless MCP agent. It adds the complete skill pipeline: a formal procedure specification, DOM detection logic, LLM integration guidance, and test coverage to verify skill activation triggers.

Changes

Autonomous Login Skill

Layer / File(s)	Summary
Skill specification and type contract src/@types/types.d.ts, src/skills/autonomous-login.md	SkillId type union now includes 'autonomous-login'. Markdown document defines two entry gates (login required, unambiguous credentials), form detection and validation rules, credential field selection and batched submission, success verification through URL change/field absence/auth state, and MFA handling with TOTP entry and stop-and-ask semantics. Terminal response format standardized as JSON with success, reason_code, final_url, evidence, and steps_taken. Prohibitions cover retry limits, credential safety, SSO handling, and session closure during OTP entry.
Skill detection predicates and registration src/skills/index.ts	LOGIN_URL_RE and LOGIN_NUDGE_RE regex constants detect login-related URLs and sign-in prompts. New snapshot.has-input-type predicate checks for input elements by type. Skill spec entry for autonomous-login fires when snapshot contains password input, matches login URL, and contains login nudge element.
LLM instruction updates src/tools/agent.ts	TOOL_DESCRIPTION gains Auth section requiring autonomous-login loading before auth-related guidance, Terminal-Goal Check section for precondition validation, and expanded Skills list. SKILL_TOOL_DESCRIPTION documents autonomous-login invocation conditions and JSON response contract. Snapshot result formatting reflowed for readability.
Detection tests and registry test/skills/skills.spec.ts	Registry test expects nine loaded skills including autonomous-login. New autonomous-login test suite verifies detection fires when password input present, does not fire when absent, and respects once-per-session constraint after marking as fired.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• browserless/browserless-mcp#82: Both PRs modify the src/tools/agent.ts inlined TOOL_DESCRIPTION and skill-injection prompt text, with overlapping changes to the same LLM instruction area.
• browserless/browserless-mcp#47: This PR extends the same skills framework introduced in #47, updating SkillId type union, skill detection logic in src/skills/index.ts, and LLM skill-auto-injection in src/tools/agent.ts.

Poem

🐰 A login quest unfolds with care,
Gates and fields and forms to check,
MFA flows through JSON's air,
No secrets leaked—this skill's no wreck!
The browser hops, success appears, ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: autonomous login' directly and clearly summarizes the main feature addition—implementing autonomous login functionality across multiple files and skill registration.
Description check	✅ Passed	The description covers the key changes (bug fix and feature additions), includes manual test verification, and completes most checklist items, though documentation updates were not performed.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/autonomous-login

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/skills/skills.spec.ts (1)

406-464: ⚡ Quick win

Add explicit tests for URL-match and sign-in-nudge triggers.

The new suite validates only the password-input path. Since the feature also adds URL and CTA trigger paths, add focused positives for those to prevent regressions.

🧪 Suggested test additions

 describe('skills/detectSkills - autonomous-login', () => {
+  it('fires when URL matches login/auth patterns', () => {
+    const ctx = {
+      snapshot: snapshot([], 'https://example.com/account/signin'),
+    };
+    expect(detectSkills(ctx, createSkillState())).to.include('autonomous-login');
+  });
+
+  it('fires on sign-in nudge CTA text', () => {
+    const ctx = {
+      snapshot: snapshot([
+        el({ ref: 1, role: 'button', name: 'Please sign in', selector: 'button#signin' }),
+      ]),
+    };
+    expect(detectSkills(ctx, createSkillState())).to.include('autonomous-login');
+  });
+
   it('fires when the snapshot contains a password input', () => {
     const ctx = {
       snapshot: snapshot([
         el({
@@
   it('does not fire when no password input is present', () => {
     const ctx = {
       snapshot: snapshot([
         el({
@@
-        el({ ref: 2, role: 'button', name: 'Sign in', selector: 'button#go' }),
+        el({ ref: 2, role: 'button', name: 'Continue browsing', selector: 'button#go' }),
       ]),
     };
     expect(detectSkills(ctx, createSkillState())).to.not.include(
       'autonomous-login',
     );
   });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/skills/skills.spec.ts` around lines 406 - 464, Add two focused positive
tests for the other autonomous-login trigger paths: one that ensures
detectSkills(ctx, createSkillState()) includes 'autonomous-login' when the
context contains a sign-in URL (set ctx.url or equivalent to a URL pattern your
code checks), and another that ensures it fires when the snapshot contains a
clear sign-in CTA (e.g., an el with role 'button' and name like 'Sign in' or a
link that your matcher recognizes); place these alongside the existing tests and
use the same helpers (detectSkills, createSkillState, snapshot, el) so they run
the same way as the password-input test.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/skills/index.ts`:
- Around line 23-24: The LOGIN_NUDGE_RE currently misses plain auth CTAs like
"Sign in" or "Log in"; update the regex for LOGIN_NUDGE_RE to also match simple
standalone phrases and common variants (e.g., "Sign in", "Sign-in", "SignIn",
"Log in", "Log-in", "LogIn", "signin", "login", "sign into", "log into") in a
case-insensitive way so autonomous-login triggers on basic auth CTAs in addition
to the existing longer phrases.

---

Nitpick comments:
In `@test/skills/skills.spec.ts`:
- Around line 406-464: Add two focused positive tests for the other
autonomous-login trigger paths: one that ensures detectSkills(ctx,
createSkillState()) includes 'autonomous-login' when the context contains a
sign-in URL (set ctx.url or equivalent to a URL pattern your code checks), and
another that ensures it fires when the snapshot contains a clear sign-in CTA
(e.g., an el with role 'button' and name like 'Sign in' or a link that your
matcher recognizes); place these alongside the existing tests and use the same
helpers (detectSkills, createSkillState, snapshot, el) so they run the same way
as the password-input test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7a17ca66-a864-498d-a69d-6e4826b49ac5

📥 Commits

Reviewing files that changed from the base of the PR and between 13de732 and 7525265.

📒 Files selected for processing (5)

• src/@types/types.d.ts
• src/skills/autonomous-login.md
• src/skills/index.ts
• src/tools/agent.ts
• test/skills/skills.spec.ts