diff --git a/.github/banner.png b/.github/banner.png index 07a6673..968277f 100644 Binary files a/.github/banner.png and b/.github/banner.png differ diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0b14bcc..bf03cee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: name: Test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: dtolnay/rust-toolchain@stable - uses: Swatinem/rust-cache@v2 - run: cargo test --workspace @@ -23,7 +23,7 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: dtolnay/rust-toolchain@stable with: components: clippy, rustfmt @@ -31,11 +31,26 @@ jobs: - run: cargo fmt --check --all - run: cargo clippy --all -- -D warnings + wasm: + name: WASM + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + - uses: dtolnay/rust-toolchain@stable + with: + targets: wasm32-unknown-unknown + - uses: Swatinem/rust-cache@v2 + # webclaw-core must stay WASM-safe (zero network deps, no threads). + # Check both with and without default features so the quickjs gate + # can't regress. + - run: cargo check --target wasm32-unknown-unknown -p webclaw-core + - run: cargo check --target wasm32-unknown-unknown -p webclaw-core --no-default-features + docs: name: Docs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: dtolnay/rust-toolchain@stable - uses: Swatinem/rust-cache@v2 - run: cargo doc --no-deps --workspace diff --git a/.github/workflows/deps.yml b/.github/workflows/deps.yml index 29e851b..7d455cc 100644 --- a/.github/workflows/deps.yml +++ b/.github/workflows/deps.yml @@ -14,7 +14,7 @@ jobs: name: Update webclaw-tls dependencies runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: token: ${{ secrets.SYNC_PAT }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4c4c241..cd77d01 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,16 +3,29 @@ name: Release on: push: tags: ["v*"] + # Manual re-publish of the Docker image for an existing release, without + # rebuilding binaries or cutting a new version. Runs only the docker (+ + # homebrew) jobs against the given tag's already-published release assets. + workflow_dispatch: + inputs: + tag: + description: "Existing release tag to (re)build + push the Docker image for, e.g. v0.6.9" + required: true + type: string permissions: - contents: write - packages: write + contents: read env: CARGO_TERM_COLOR: always jobs: build: + # Binaries are only built when a tag is pushed. A manual dispatch reuses + # the existing release's binaries, so it skips this job entirely. + if: github.event_name == 'push' + permissions: + contents: read name: Build ${{ matrix.target }} runs-on: ${{ matrix.os }} strategy: @@ -27,9 +40,11 @@ jobs: os: ubuntu-latest - target: aarch64-unknown-linux-gnu os: ubuntu-latest + - target: x86_64-pc-windows-msvc + os: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: dtolnay/rust-toolchain@stable with: @@ -57,6 +72,12 @@ jobs: if: matrix.target != 'aarch64-unknown-linux-gnu' && runner.os == 'Linux' run: sudo apt-get update && sudo apt-get install -y cmake + - name: Install NASM (Windows) + if: runner.os == 'Windows' + run: | + choco install nasm -y + echo "C:\Program Files\NASM" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append + - name: Build run: cargo build --release --target ${{ matrix.target }} @@ -71,27 +92,38 @@ jobs: # don't repeat that mistake. If a future binary gets renamed or # removed, this step should scream, not quietly publish an # incomplete release. - cp target/${{ matrix.target }}/release/webclaw "$staging/" - cp target/${{ matrix.target }}/release/webclaw-mcp "$staging/" - cp target/${{ matrix.target }}/release/webclaw-server "$staging/" - cp README.md LICENSE "$staging/" - tar czf "$staging.tar.gz" "$staging" - echo "ASSET=$staging.tar.gz" >> $GITHUB_ENV + + if [[ "${{ matrix.os }}" == "windows-latest" ]]; then + cp target/${{ matrix.target }}/release/webclaw.exe "$staging/" + cp target/${{ matrix.target }}/release/webclaw-mcp.exe "$staging/" + cp target/${{ matrix.target }}/release/webclaw-server.exe "$staging/" + cp README.md LICENSE "$staging/" + 7z a -tzip "$staging.zip" "$staging" + echo "ASSET=$staging.zip" >> $GITHUB_ENV + else + cp target/${{ matrix.target }}/release/webclaw "$staging/" + cp target/${{ matrix.target }}/release/webclaw-mcp "$staging/" + cp target/${{ matrix.target }}/release/webclaw-server "$staging/" + cp README.md LICENSE "$staging/" + tar czf "$staging.tar.gz" "$staging" + echo "ASSET=$staging.tar.gz" >> $GITHUB_ENV + fi - name: Upload artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: ${{ matrix.target }} path: ${{ env.ASSET }} release: name: Release + if: github.event_name == 'push' needs: build runs-on: ubuntu-latest + permissions: + contents: write steps: - - uses: actions/checkout@v4 - - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@v5 with: path: artifacts @@ -99,23 +131,35 @@ jobs: run: | cd artifacts find . -name '*.tar.gz' -exec mv {} . \; - sha256sum *.tar.gz > SHA256SUMS + find . -name '*.zip' -exec mv {} . \; + sha256sum *.tar.gz *.zip > SHA256SUMS 2>/dev/null || sha256sum * > SHA256SUMS cat SHA256SUMS - name: Create GitHub Release - uses: softprops/action-gh-release@v2 - with: - generate_release_notes: true - files: | - artifacts/*.tar.gz - artifacts/SHA256SUMS + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + tag="${GITHUB_REF#refs/tags/}" + gh release create "$tag" \ + artifacts/*.tar.gz \ + artifacts/*.zip \ + artifacts/SHA256SUMS \ + --repo "$GITHUB_REPOSITORY" \ + --generate-notes docker: name: Docker needs: release + # Runs after a successful release on tag push, or standalone via + # workflow_dispatch to (re)publish an existing tag's image. `always()` lets + # it run even though `release` is skipped on a manual dispatch. + if: ${{ always() && (github.event_name == 'workflow_dispatch' || needs.release.result == 'success') }} runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: docker/setup-qemu-action@v3 with: @@ -129,59 +173,60 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # Download pre-built binaries for both architectures + # The pushed tag, or the workflow_dispatch input for a manual re-publish. + - name: Resolve tag + id: tag + run: echo "tag=${{ github.event.inputs.tag || github.ref_name }}" >> "$GITHUB_OUTPUT" + + # Download pre-built binaries into TARGETARCH-named dirs (amd64/arm64) so + # a single multi-platform build picks the matching binary per platform. - name: Download release binaries run: | - tag="${GITHUB_REF#refs/tags/}" + tag="${{ steps.tag.outputs.tag }}" + declare -A arch=( [x86_64-unknown-linux-gnu]=amd64 [aarch64-unknown-linux-gnu]=arm64 ) for target in x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu; do dir="webclaw-${tag}-${target}" curl -sSL "https://github.com/0xMassi/webclaw/releases/download/${tag}/${dir}.tar.gz" -o "${target}.tar.gz" tar xzf "${target}.tar.gz" - mkdir -p "binaries-${target}" - cp "${dir}/webclaw" "binaries-${target}/webclaw" - cp "${dir}/webclaw-mcp" "binaries-${target}/webclaw-mcp" - cp "${dir}/webclaw-server" "binaries-${target}/webclaw-server" - chmod +x "binaries-${target}"/* + a="${arch[$target]}" + mkdir -p "binaries-${a}" + cp "${dir}/webclaw" "${dir}/webclaw-mcp" "${dir}/webclaw-server" "binaries-${a}/" + chmod +x "binaries-${a}"/* done ls -laR binaries-*/ - # Build per-arch images with plain docker build (no buildx manifest nesting) + # One atomic multi-platform build + push. buildx assembles a single + # manifest list and pushes it in one shot, so there is no separate + # `imagetools create` step to race GHCR's read-after-write (that is what + # failed before: "v0.6.9-arm64: not found"). Provenance/SBOM attestations + # are disabled so each platform entry stays a plain image manifest. - name: Build and push run: | - tag="${GITHUB_REF#refs/tags/}" - - # amd64 - docker build -f Dockerfile.ci --build-arg BINARY_DIR=binaries-x86_64-unknown-linux-gnu \ - --platform linux/amd64 -t ghcr.io/0xmassi/webclaw:${tag}-amd64 --push . - - # arm64 - docker build -f Dockerfile.ci --build-arg BINARY_DIR=binaries-aarch64-unknown-linux-gnu \ - --platform linux/arm64 -t ghcr.io/0xmassi/webclaw:${tag}-arm64 --push . - - # Multi-arch manifest - docker manifest create ghcr.io/0xmassi/webclaw:${tag} \ - ghcr.io/0xmassi/webclaw:${tag}-amd64 \ - ghcr.io/0xmassi/webclaw:${tag}-arm64 - docker manifest push ghcr.io/0xmassi/webclaw:${tag} - - docker manifest create ghcr.io/0xmassi/webclaw:latest \ - ghcr.io/0xmassi/webclaw:${tag}-amd64 \ - ghcr.io/0xmassi/webclaw:${tag}-arm64 - docker manifest push ghcr.io/0xmassi/webclaw:latest + tag="${{ steps.tag.outputs.tag }}" + docker buildx build -f Dockerfile.ci \ + --platform linux/amd64,linux/arm64 \ + --provenance=false --sbom=false \ + -t "ghcr.io/0xmassi/webclaw:${tag}" \ + -t ghcr.io/0xmassi/webclaw:latest \ + --push . homebrew: name: Update Homebrew needs: [release, docker] + # Runs once Docker succeeds, on both tag push and manual re-publish. + if: ${{ always() && needs.docker.result == 'success' }} runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Compute all checksums and update formula env: COMMITTER_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} run: | - tag="${GITHUB_REF#refs/tags/}" + tag="${{ github.event.inputs.tag || github.ref_name }}" base="https://github.com/0xMassi/webclaw/releases/download/${tag}" - # Download all 4 tarballs and compute SHAs + # Download all tarballs (Linux + macOS) and compute SHAs for target in aarch64-apple-darwin x86_64-apple-darwin aarch64-unknown-linux-gnu x86_64-unknown-linux-gnu; do curl -sSL "${base}/webclaw-${tag}-${target}.tar.gz" -o "${target}.tar.gz" done diff --git a/.mcp.json b/.mcp.json new file mode 100644 index 0000000..fabcd4f --- /dev/null +++ b/.mcp.json @@ -0,0 +1,7 @@ +{ + "mcpServers": { + "webclaw": { + "command": "~/.webclaw/webclaw-mcp" + } + } +} diff --git a/CHANGELOG.md b/CHANGELOG.md index afec609..f2bda69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,139 @@ All notable changes to webclaw are documented here. Format follows [Keep a Changelog](https://keepachangelog.com/). +## [Unreleased] + +## [0.6.13] - 2026-06-17 + +### Performance +- Faster content extraction with byte-identical output. The markdown noise filter no longer recompiles its CSS selectors on every element; the vertical extractors share a single Open Graph meta parse instead of re-scanning the page per field; the JavaScript sandbox is skipped entirely when a page has no JS-assigned data (and reuses the already-parsed document instead of re-parsing); and the HTTP client now tunes its connection pool (connect timeout, idle-pool reuse, keep-alive) for better connection reuse across requests. + +## [0.6.12] - 2026-06-17 + +### Added +- **Standalone web search** using your own [Serper.dev](https://serper.dev) key — no hosted webclaw account needed. Available across the CLI (`webclaw search "query" --num 5 --scrape`, key via `--serper-key` or `SERPER_API_KEY`), the MCP `search` tool (local-first when `SERPER_API_KEY` is set, hosted API otherwise), and the self-hosted REST server (`POST /v1/search`, enabled when started with `SERPER_API_KEY`). With `--scrape`, the top result pages are fetched and extracted to markdown. +- **Layered URL discovery for `--map`**: when a site has no sitemap or only a thin one, map now falls back to a bounded same-origin crawl and harvests links from every fetched page plus the unfetched frontier, returning far more URLs. Adds gzipped-sitemap (`.xml.gz`) support, deeper sitemap-index recursion, more fallback paths, and `--map-pages` / `--no-map-crawl` / `--map-limit` controls. Crawler logs now go to stderr so `--map --format json` stays machine-parseable. + +### Fixed +- MCP tools now accept boolean arguments whether the client sends them as JSON booleans or as the strings `"true"`/`"false"` (case-insensitive). Some MCP clients (e.g. Claude Desktop) send booleans as strings, which previously failed the call with a deserialization error. Affects `scrape` (only_main_content), `crawl` (use_sitemap), `research` (deep), and `search` (scrape). This completes the earlier numeric-parameter fix. + +## [0.6.11] - 2026-06-16 + +### Added +- New **Google Gemini** provider in the LLM provider chain. Set `GEMINI_API_KEY` (and optionally `GEMINI_MODEL`, default `gemini-2.5-flash`) to enable it; the chain tries Ollama → OpenAI → Gemini → Anthropic and uses the first available provider. + +### Fixed +- The Anthropic provider's default model pointed at a retired model id that now returns `404`, which could fail extraction/summarization when falling back to Anthropic. It now defaults to a current model and is overridable via `ANTHROPIC_MODEL`. + +## [0.6.10] - 2026-06-15 + +### Fixed +- MCP tools that take numeric arguments now accept those values whether the client sends them as numbers or as numeric strings. Some MCP clients (e.g. Claude Desktop) send `"5"` instead of `5`, which previously failed the call with a deserialization error. Affects `crawl` (depth, max_pages, concurrency), `batch` (concurrency), `search` (num_results), and `summarize` (max_sentences). + +## [0.6.9] - 2026-06-10 + +### Fixed +- The multi-arch Docker image (linux/amd64 + linux/arm64) now publishes reliably on each release. The build moved to Buildx so registry pushes no longer fail intermittently, and the Homebrew formula update that depends on it is no longer skipped. + +## [0.6.8] - 2026-06-10 + +### Fixed +- Pages with multibyte text (accented or CJK characters) no longer panic or get mangled during extraction. API-endpoint discovery now cuts oversized scripts on a character boundary instead of crashing mid-character, and structured-data parsing preserves non-ASCII string values instead of turning them into mojibake. +- LLM error messages from a provider no longer panic when the error body contains multibyte characters near the truncation point. +- LLM provider requests now have explicit connect and overall timeouts, so a stalled or unreachable provider fails fast instead of hanging. +- Batch extraction in the MCP server no longer aborts the whole batch when a single URL fails to resolve; bad URLs are reported as individual per-URL errors and the rest still run. +- CLI crawl and batch runs now wait for the completion webhook to actually send before exiting, replacing a fixed delay that could cut the request off or waste time. +- Homepage warm-up requests now include the port for hosts on a non-default port, so those sites are warmed correctly. + +--- + +## [0.6.7] — 2026-06-09 + +### Changed +- Updated the HTTP/TLS engine (wreq 6.0.0-rc.29, wreq-util 3.0.0-rc.12). This pulls in upstream robustness fixes: no more panic on responses with non-UTF8 header values, a fix for short reads when decoding large compressed bodies, and the TCP nodelay setting is restored. Browser TLS fingerprints are unchanged. + +--- + +## [0.6.6] — 2026-06-09 + +### Added +- Slow fetches now print a progress line to stderr every 10 seconds (`# webclaw: still fetching (Ns)`) so a long request no longer looks like the CLI hung. Fast fetches stay silent and stdout is untouched. +- New `--url-encoded` flag plus a warning when a URL looks like the shell split it on `&` or `?`. The warning suggests quoting the URL; pass `--url-encoded` to silence it when the URL is intentional. + +--- + +## [0.6.5] — 2026-06-04 + +### Changed +- Reddit threads extract reliably again. The old anonymous JSON endpoint is no longer available, so webclaw now reads old.reddit.com directly without an API key or JavaScript. You get the post plus the full nested comment tree, with authors, scores, timestamps, and reply nesting preserved. Comment text keeps its links and code blocks, hidden scores are reported as unknown rather than zero, and deleted comments stay in place so their replies aren't lost. + +--- + +## [0.6.4] — 2026-05-19 + +### Added +- API surface discovery: a new module extracts the API endpoints embedded in a page's inline scripts and linked JavaScript bundles. It surfaces relative REST paths, absolute URLs, GraphQL operations, and WebSocket endpoints that a sitemap alone cannot reveal. A built-in noise filter drops schema.org and json-schema.org references, bare framework paths, and other non-API matches so the result stays focused on the real surface. + +--- + +## [0.6.3] — 2026-05-19 + +### Fixed +- Hardened resource and path-safety limits across the CLI, MCP server, and self-hosted API: oversized or highly compressed responses are capped while streaming, deeply nested page data can no longer exhaust memory, output filenames stay inside the chosen directory, webhook URLs are validated like every other fetch, and multibyte search queries no longer crash slug generation. + +--- + +## [0.6.2] — 2026-05-18 + +### Fixed +- Cleaned up `--format llm` output on noisy news and documentation pages. Comment-count links, bare page-number paragraphs, pagination leftovers such as `0 Next`, and duplicated JSON-LD article bodies are now removed before they reach the LLM context. +- The CLI now recognizes common cookie-consent redirects and prints a clearer warning when a page returns a consent wall instead of usable content. +- The CLI keeps noisy parser warnings from real-world malformed HTML out of stderr by default. `WEBCLAW_LOG` still lets advanced users opt into deeper parser logs. + +Thanks to Nenad Oric (`@devnen`) for the report and patch work in PR #43. + +--- + +## [0.6.1] — 2026-05-12 + +### Fixed +- Hardened URL safety across the CLI, MCP server, and self-hosted API paths so local and private network targets are rejected more consistently, including after DNS resolution and redirects. +- Added a timeout around inline JavaScript data extraction so hostile pages cannot keep the extractor busy forever. +- Tightened Amazon and eBay URL recognition so deceptive hosts are rejected while common international marketplaces still work. +- Avoided unnecessary decoding work on large responses during bot-challenge detection. +- Reduced release workflow token permissions so build jobs run with narrower GitHub access. + +--- + +## [0.6.0] — 2026-05-10 + +### Fixed +- Improved `--format llm` output quality on modern news and documentation pages. Framework hydration blobs and low-value page chrome structured-data records are now filtered out before they can flood the LLM context, while content-bearing Schema.org records are preserved. Thanks and congrats to Nenad Oric (`@devnen`) for the contribution in PR #37. +- Fixed element-to-text spacing so adjacent inline nodes no longer smash words together, while punctuation stays attached on real pages such as docs, forums, and reference sites. +- Removed common screen-reader-only link chrome such as "opens new tab" from LLM body text and link labels without stripping ordinary prose that happens to mention external links. + +--- + +## [0.5.9] — 2026-05-06 + +### Fixed +- LLM providers now support `ANTHROPIC_BASE_URL` for Anthropic-compatible proxies, plus an `OPENAI_RESPONSE_FORMAT_TYPE` override for OpenAI-compatible backends such as LM Studio. Thanks to Toti (`@Toti330`) for the report. + +--- + +## [0.5.8] — 2026-05-04 + +### Added +- GitHub Releases now include a Windows x86_64 `.zip` with `webclaw.exe`, `webclaw-mcp.exe`, and `webclaw-server.exe`. Thanks to Suryansh Mishra (`@notrealsuryansh`) for the contribution. + +### Fixed +- Improved brand extraction results for modern sites with large app shells. Brand colors, fonts, and logos are now less likely to be polluted by login widgets, customer-logo grids, icon fonts, or generated CSS noise. + +### Docs +- Refreshed the README badges with a cleaner shieldcn style. Thanks to Justin Levine (`@jal-co`) for the contribution, and shout-out to his open-source [shieldcn](https://github.com/jal-co/shieldcn) project. + +--- + ## [0.5.7] — 2026-04-30 ### Security diff --git a/CLAUDE.md b/CLAUDE.md index b30bd84..387c2dd 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -15,6 +15,7 @@ webclaw/ # + proxy pool rotation (per-request) # + PDF content-type detection # + document parsing (DOCX, XLSX, CSV) + # + layered URL discovery (map) + Serper web search (BYO key) webclaw-llm/ # LLM provider chain (Ollama -> OpenAI -> Anthropic) # + JSON schema extraction, prompt extraction, summarization webclaw-pdf/ # PDF text extraction via pdf-extract @@ -30,25 +31,34 @@ Three binaries: `webclaw` (CLI), `webclaw-mcp` (MCP server), `webclaw-server` (R - `extractor.rs` — Readability-style scoring: text density, semantic tags, link density penalty - `noise.rs` — Shared noise filter: tags, ARIA roles, class/ID patterns. Tailwind-safe. - `data_island.rs` — JSON data island extraction for React SPAs, Next.js, Contentful CMS +- `structured_data.rs` — JSON-LD, Next.js `__NEXT_DATA__`, and SvelteKit data-island extraction +- `js_eval.rs` — QuickJS sandbox (rquickjs) that runs inline ` │ │ accuracy on cross-domain │ -│
│ │ reasoning benchmarks. │ -│ │ │ │ -│