remorses/playwriter playwriter@0.2.0

on GitHub

New -f/--file flag — execute JavaScript from a file instead of inline -e strings:

playwriter -s 1 -f script.js

The file runs in the same sandbox as -e with all context variables (state, page, context, etc.) available. -e and -f are mutually exclusive.

React component inspection for pinned elements — call getReactComponentInfo({ locator }) to get the nearest React component name, parent hierarchy, sanitized props, and source file locations. Non-React elements return null.

Performance profiling guide — new performance-profiling.md resource covering TTFB, FCP, LCP, CLS measurement, heavy request detection, and interactivity blockers with concrete Playwriter + CDP snippets.

Shell tab completions — playwriter now supports shell completions via goke for tab completion on commands and flags.

Security: token required on all requests regardless of source — the previous loopback bypass on /cli/*, /recording/*, and /mcp-log let any request from 127.0.0.1 skip auth. Under tunnel setups (traforo/ngrok/cloudflared), every public request arrives from localhost, making the bypass equivalent to no auth. Fixed.

--token works on every remote subcommand — session new, session list, session delete, session reset, and browser list all forward Authorization: Bearer … to the relay. Previously only playwriter -e sent the token. Thanks @ivanleomk for the original fix.

POST /mcp-log is now token-protected — previously open to any reachable client.

Fixed Next.js webpack layer prefixes in React source paths — /(app-pages-browser)/, /(ssr)/, /(rsc)/ and other webpack layer prefixes are now stripped correctly.

Docs: absolute paths required for saved artifacts — page.screenshot({ path }), page.pdf({ path }), etc. must use absolute paths since Playwright resolves them outside the sandboxed fs.