Integration-Automation
diff --git a/‎README.md‎
Lines changed: 224 additions & 0 deletions b/‎README.md‎
Lines changed: 224 additions & 0 deletions
diff --git a/‎README/README_zh-CN.md‎
Lines changed: 87 additions & 0 deletions b/‎README/README_zh-CN.md‎
Lines changed: 87 additions & 0 deletions
@@ -43,6 +43,7 @@ WebRunner (`je_web_runner`) started as a Selenium wrapper and grew into a full a
 - [Observability](#observability)
 - [Test Orchestration](#test-orchestration)
 - [Quality & Security](#quality--security)
+- [Specialized Modules](#specialized-modules)
 - [Advanced WebDriverWrapper](#advanced-webdriverwrapper)
 - [Browser Internals](#browser-internals)
 - [Test Data](#test-data)
@@ -845,6 +846,229 @@ Test orchestration:
 
 - **Test impact analysis** — `impact_analysis.build_index("./actions")` walks every action JSON file and projects locator names, URLs, template names, and `WR_*` commands into a reverse index; `affected_action_files(index, locators=["primary_cta"])` answers "which tests touch this?" so diff-aware shards can go beyond filename matching.
 
+## Specialized Modules
+
+A second wave of utility modules, each in its own subpackage under
+`je_web_runner/utils/`, organised by capability area. Each module is
+fully unit-tested and ships independent of the core executor (import
+only what you use).
+
+### Web Platform APIs
+
+- **`webtransport_assert`** — HTTP/3 WebTransport datagram + stream
+  frame recorder with count / payload / JSON-shape / stream-complete
+  assertions (mirror of `websocket_assert` and `sse_assert`).
+- **`indexed_db_explorer`** — Browser-side harvest JS + typed
+  `IdbSnapshot`; assertions cover store existence, record count, key
+  presence, index presence, plus per-store diff.
+- **`file_system_access`** — JS shim mocking `showOpenFilePicker` /
+  `showSaveFilePicker` / `showDirectoryPicker`; records every write
+  performed against the fake handle for later assertion.
+- **`notifications_audit`** — Tracks `Notification.requestPermission`
+  call timing (user-gesture check, min page age) and policy violations
+  (re-prompt after deny, notification spam after deny, tag reuse).
+- **`sse_assert`** — Server-Sent Events stream recorder + chunk-buffer
+  feed + count / data-contains / JSON-shape / strictly-increasing-id
+  assertions.
+- **`websocket_assert`** — WebSocket frame recorder + count / payload /
+  pubsub-pattern / JSON-shape assertions.
+- **`webrtc_assert`** — `PeerSnapshot.from_dict`, `aggregate_stats`
+  (getStats), and connected / track-present / SDP-codec / packet-loss /
+  min-bytes assertions.
+- **`view_transitions`** — Instrumentation snippet for the View
+  Transitions API + duration budget / CLS budget / group-name asserts.
+
+### Security & Headers
+
+- **`mixed_content_audit`** — HAR + console-message scan for HTTP
+  resources on HTTPS pages (active vs passive vs HSTS-upgrade).
+- **`clickjacking_audit`** — X-Frame-Options + `frame-ancestors` parser
+  + iframe-probe page generator; STRICT / SAMEORIGIN / ALLOWED / MISSING
+  verdict.
+- **`open_redirect_detector`** — Eight-payload probe set (`//evil`,
+  `@userinfo`, `javascript:`, `data:`, mixed-case bypass…) +
+  classifier (BLOCKED / ALLOWED / AMBIGUOUS).
+- **`sri_verify`** — Parse `<script>` / `<link rel=stylesheet>` tags →
+  validate `integrity=` strength + crossorigin requirement +
+  recompute hash from a caller-supplied payload provider.
+- **`coop_coep_audit`** — `crossOriginIsolated` page-header check (COOP
+  `same-origin` + COEP `require-corp` / `credentialless`) + per-resource
+  CORP / CORS validator.
+- **`token_leak_detector`** — Scan response bodies / HAR / log lines for
+  leaked JWTs (with header validation), AWS / GitHub / Slack / Stripe /
+  Google / generic-bearer tokens. Deduped by token suffix.
+- **`consent_audit`** — Cookie catalogue (GA / FB pixel / Hotjar /
+  LinkedIn / Mixpanel / Stripe / Intercom / CSRF / session) + pre-consent
+  + post-reject reintroduction detector.
+- **`pii_in_screenshot`** — OCR + PII regex (Luhn-validated card, SSN,
+  ROC ID, IBAN, IPv4, phone, email) over screenshots; reuses
+  `ocr_assert` for the OCR layer.
+
+### Performance Budgets
+
+- **`inp_tracker`** — Interaction-to-Next-Paint instrumentation +
+  p98-INP + good/needs-work/poor rating per Google's thresholds.
+- **`hydration_check`** — SSR hydration mismatch detection (DOM diff
+  with framework-attr/comment stripping + console-marker scan covering
+  React / Vue / Svelte / Astro / Nuxt).
+- **`bundle_budget`** — HAR → per-AssetKind transfer totals (script /
+  stylesheet / image / font / media) + breach detail + biggest-asset
+  ranking.
+- **`third_party_budget`** — Vendor catalogue (GA / FB Pixel / Hotjar /
+  Intercom / Stripe / Segment / Mixpanel / Amplitude / Sentry / etc.) +
+  req / byte / blocking-ms / vendor-count budgets.
+- **`long_animation_frame`** — `long-animation-frame` PerformanceObserver
+  listener + per-script attribution (forced reflow time, pause time).
+- **`console_error_budget`** — JS console / unhandled-rejection budget
+  with regex ignore patterns; Selenium and CDP adapters.
+
+### Backend Integration
+
+- **`grpc_tester`** — gRPC stub method wrapper + gRPC-Web framing
+  (length-prefix encode/decode + trailer parser) + status assertions.
+- **`webhook_receiver`** — Stdlib threaded HTTP server (random port) +
+  `wait_for(predicate)` polling + path / header / JSON-predicate
+  assertion helpers. Drop-in for "did the app POST a webhook?" tests.
+- **`idempotency_check`** — Run a request twice + compare
+  status / body / state / side-effect count. `ignore_body_keys`,
+  `allow_status_change_to` for legitimate 409-on-second.
+- **`pagination_audit`** — Walk all pages via caller-supplied fetcher;
+  detects duplicates across pages, cursor-loop, off-by-one totals, and
+  sort-order violations.
+- **`backend_log_correlator`** — W3C traceparent → fetch matching log
+  lines from Loki / Elasticsearch / JSON-lines file → attach to a
+  failure bundle.
+- **`email_render`** — MailHog / Mailpit / `.eml` capture →
+  cross-viewport screenshot via pluggable render driver.
+
+### AI / Workflow
+
+- **`failure_narrator`** — Load failure-bundle directory → LLM-driven
+  natural-language "why this failed" summary → strict JSON envelope →
+  markdown report. LLM client pluggable.
+- **`repro_minimizer`** — Classic delta-debugging (ddmin) shrinking a
+  failing action list to its smallest still-failing subsequence.
+- **`locator_hardener`** — Heuristic fragility score (nth-of-type /
+  text-xpath / hashed-class / deep-descendant) → LLM-suggested stable
+  selectors with safety filter on the response.
+- **`test_categorizer`** — Regex rules over action-name patterns → auto
+  tag: smoke / regression / perf / a11y / security / payment /
+  data_driven / visual / api.
+- **`exploratory_ai`** — Agentic exploratory tester with `PageObserver`
+  + `ActionPlanner` protocols; ships a deterministic `RandomPlanner` as
+  fuzz fallback, collects `BugSignal`s from observed errors.
+- **`story_to_actions`** — LLM-driven translation of a user story +
+  optional Figma frame hints into validated WR action JSON; validator
+  rejects unsafe action names and bad locator strategies.
+- **`session_to_test`** — rrweb / generic-event-stream → WR action JSON;
+  auto-detects input format.
+- **`test_auto_repair`** — LLM-driven test rewrite from a failure bundle
+  + git diff context.
+- **`edge_case_generator`** — LLM edge-case variant generator
+  (complement to `mutation_testing`).
+- **`multimodal_qa`** — Send screenshot + question to a vision LLM,
+  parse pass/fail/uncertain verdict with confidence floor; useful for
+  UI "is this correct?" checks beyond pixel diff.
+- **`prompt_drift_monitor`** — Track an app-internal LLM feature's
+  output drift via baseline embeddings + must_include / must_exclude
+  lexical anchors.
+- **`test_dedup_ai`** — Structural (canonical fingerprint) + semantic
+  (cosine clustering with pluggable embedder) dedupe of action JSON
+  files.
+- **`walkthrough_docs`** — Generate step-by-step SOP / Confluence-style
+  docs from recorded runs.
+
+### a11y / i18n / Visual
+
+- **`ocr_assert`** — OCR-based text assertion (`contains` / `fuzzy` /
+  `any`) for canvas / WebGL / image content; whitespace + accent
+  normalisation built in.
+- **`screen_reader_runner`** — Walk an accessibility tree to simulate
+  NVDA / VoiceOver reading order + flag unnamed interactive elements,
+  heading-level skips, missing alt, generic link text.
+- **`pseudo_localization`** — Pseudo-localise strings
+  (`__éxámplé strîng__`) + scan rendered page for hard-coded text
+  leaks. Preserves `{name}` / `%d` / `<tag>` placeholders.
+- **`forced_colors_mode`** — CDP-features builder for the four CSS
+  media queries (color-scheme / reduced-motion / forced-colors /
+  contrast) + computed-style diff with "became invisible" detection.
+- **`visual_ai`** — aHash / dHash / pHash + SSIM-proxy for canvas /
+  chart visual diff.
+
+### Governance & Reporting
+
+- **`pr_risk_score`** — Fuses flake / impact-analysis / locator-health /
+  coverage signals into a 0-100 PR risk score with markdown report and
+  is_blocking gate.
+- **`flag_matrix`** — Feature-flag combination matrix with
+  forbid / require constraints, pinned baselines, deterministic
+  sampling, and greedy smallest-failing-subset cover.
+- **`chaos_hooks`** — Seeded chaos injection (offline / throttle /
+  mid-flow reload / tab-background) with deterministic schedule per
+  action list.
+- **`db_snapshot`** — Per-test DB savepoint/rollback isolation with
+  pluggable backend protocol; ships an `InMemoryBackend` for
+  unit-testing the workflow itself.
+- **`time_freezer`** — CDP injection script that overrides
+  `Date` / `Date.now` / `performance.now`; freeze or slow-motion modes
+  for deterministic time-bound tests.
+- **`persona_runner`** — Same suite × N personas (admin / free /
+  enterprise / guest) matrix; summary flags persona-specific vs
+  file-specific regressions.
+- **`git_bisect_flake`** — Ledger-only or probe-driven bisect for the
+  regression commit that caused a test to start failing.
+- **`test_cost_estimator`** — Per-runner rate-card (Sauce / BrowserStack /
+  LambdaTest / GitHub Actions) × ledger minutes → USD + CO₂ estimate
+  per suite / runner / test.
+- **`slack_digest`** — Render Slack Block-Kit + Teams Adaptive Card +
+  plain-text test digest with quarantine activity, top-risk PRs, cost
+  trend, and pass-rate delta.
+- **`quarantine_age_report`** — Add fresh / lingering / stale /
+  abandoned tier per quarantined test + escalation alerts.
+- **`test_debt_dashboard`** — Scan pytest skip / xfail / TODO + JSON
+  `_skip` markers + age + CODEOWNERS-derived owner mapping.
+- **`sla_tracker`** — Weekly / daily bucketed % of suites finishing
+  under an SLA duration threshold + trend.
+- **`bug_repro_stability`** — Repeat a failing probe N times → classify
+  deterministic / flaky / non-reproducible + error-signature grouping +
+  longest pass / fail streak.
+- **`test_owners_map`** — CODEOWNERS parser (last-match-wins glob
+  semantics) + per-test override layer + unowned-test audit.
+- **`failure_triage`** — AI failure root-cause analysis on failure
+  bundles.
+- **`flake_detector`** — Time-decayed flake scoring + quarantine
+  registry.
+- **`locator_health`** — Project-wide locator audit + upgrade
+  suggestions.
+- **`mutation_testing`** — Action JSON mutation testing (kill-rate /
+  score).
+- **`live_dashboard`** — Aggregated web UI: runs + flake + quarantine +
+  locators.
+- **`test_scheduler`** — Value-density scheduler under time + cloud
+  budget.
+
+### Other Specialised Modules
+
+- **`chrome_profile`** — Persistent Chrome profile + stealth +
+  snapshot / sync-back.
+- **`device_cloud`** — Real-device cloud (BrowserStack / Sauce /
+  LambdaTest) connector.
+- **`otel_bridge`** — W3C traceparent injection for distributed
+  tracing.
+- **`otp_interceptor`** — MailHog / Mailpit / IMAP / SMS OTP polling
+  for 2FA flows.
+- **`download_verify`** — PDF / CSV / Excel / JSON / SHA256 download
+  assertions.
+- **`openapi_to_e2e`** — OpenAPI / Swagger spec → `WR_http_*` action
+  JSON generator.
+- **`cross_tab_sync`** — Multi-page BroadcastChannel / storage
+  propagation asserts.
+
+For per-module reference also see [`CLAUDE.md`](CLAUDE.md), the
+auto-generated [`docs/reference/command_reference.md`](docs/reference/command_reference.md),
+and the Sphinx chapter under
+`docs/source/Eng/doc/specialized_modules/`.
+
 ## Advanced WebDriverWrapper
 
 The Selenium wrapper is now composed via mixins under
 
@@ -48,6 +48,7 @@ WebRunner（`je_web_runner`）是一款跨平台网页自动化框架，旨在
 - [日志记录](#日志记录)
 - [支持的浏览器](#支持的浏览器)
 - [支持的平台](#支持的平台)
+- [进阶模块](#进阶模块)
 - [许可证](#许可证)
 
 ## 核心功能
@@ -784,6 +785,92 @@ WebRunner 使用轮转式文件处理器记录日志。
 - Ubuntu / Linux
 - Raspberry Pi
 
+## 进阶模块
+
+除核心 WebDriver / 动作执行器外,WebRunner 还提供大量专用模块,每个
+模块都在 `je_web_runner/utils/<area>/` 下独立成包,并附完整单元测试。
+按能力分类:
+
+### Web 平台 API
+
+- **`webtransport_assert`** — HTTP/3 WebTransport datagram + stream 断言
+- **`indexed_db_explorer`** — IndexedDB 快照与对象 / 索引断言
+- **`file_system_access`** — 模拟 `showOpenFilePicker` / `showSaveFilePicker` 并记录写入
+- **`notifications_audit`** — 追踪 `Notification.requestPermission` 调用时机与策略
+- **`sse_assert`** — Server-Sent Events 流录制 + count / data / id 断言
+- **`websocket_assert`** — WebSocket frame 录制 + count / payload / pubsub 断言
+- **`webrtc_assert`** — PeerConnection 状态 / ICE / track / RTP 断言
+- **`view_transitions`** — View Transitions API duration / CLS / group 断言
+
+### 安全 / Headers
+
+- **`mixed_content_audit`** — HTTPS 页面中的 HTTP 资源检测
+- **`clickjacking_audit`** — X-Frame-Options + frame-ancestors + iframe 探测
+- **`open_redirect_detector`** — 八种 payload 检测 ?redirect= 类漏洞
+- **`sri_verify`** — Subresource Integrity hash 存在性 + 正确性验证
+- **`coop_coep_audit`** — crossOriginIsolated COOP / COEP + 子资源 CORP/CORS 检查
+- **`token_leak_detector`** — 扫描 HAR / log / response 中的 JWT / AWS / GitHub token 等
+- **`consent_audit`** — GDPR / CCPA cookie 分类 + 同意前泄漏 / 拒绝后重新植入检测
+- **`pii_in_screenshot`** — Screenshot OCR + 隐私 (信用卡 / 身份证 / SSN) 扫描
+
+### 性能预算
+
+- **`inp_tracker`** — Interaction to Next Paint 测量 + p98 + 预算
+- **`hydration_check`** — SSR hydration mismatch (DOM diff + console marker)
+- **`bundle_budget`** — 每种资源 (script/css/image/font/media) 大小预算
+- **`third_party_budget`** — 第三方厂商请求数 / 大小 / 阻塞时间预算
+- **`long_animation_frame`** — Long Animation Frame API + 每 script 归因
+- **`console_error_budget`** — JS console / unhandled rejection 预算
+
+### 后端集成
+
+- **`grpc_tester`** — gRPC stub 调用录制 + gRPC-Web framing / trailer
+- **`webhook_receiver`** — 临时 HTTP server 接收 app 对外 webhook + 断言
+- **`idempotency_check`** — 同一请求发送两次,比对 status / body / state / 副作用
+- **`pagination_audit`** — 遍历所有页,检测重复 / 漏抓 / cursor loop / 排序错误
+- **`backend_log_correlator`** — W3C trace_id → Loki / Elasticsearch / 文件 log 拉取
+- **`email_render`** — MailHog / Mailpit / `.eml` 拦截 → 多 viewport 截图
+
+### AI / 工作流
+
+- **`failure_narrator`** — LLM 将 failure bundle 转为自然语言失败摘要
+- **`repro_minimizer`** — Delta-debugging (ddmin) 缩减失败 action list
+- **`locator_hardener`** — Fragility 评分 + LLM 建议更稳定的 selector
+- **`test_categorizer`** — 自动标记 smoke / regression / perf / a11y / security
+- **`exploratory_ai`** — Agent 式探索测试员 + 确定性 RandomPlanner
+- **`story_to_actions`** — 用户故事 / Figma frame → 验证后的 WR action JSON
+- **`session_to_test`** — rrweb / 通用 event stream → WR action JSON
+- **`multimodal_qa`** — Screenshot + 问题送 vision LLM 取得 pass/fail 判定
+- **`prompt_drift_monitor`** — 追踪 app 内 LLM 功能的输出漂移
+- **`test_dedup_ai`** — 结构性 + 语义 embedding 去重 action JSON
+
+### 无障碍 / 国际化 / 视觉
+
+- **`ocr_assert`** — Canvas / WebGL / 图片内 OCR 文本断言
+- **`screen_reader_runner`** — 遍历 a11y tree 模拟 NVDA / VoiceOver 朗读顺序
+- **`pseudo_localization`** — 字符串伪本地化 + 检测硬编码字符串
+- **`forced_colors_mode`** — Dark / reduced-motion / forced-colors / 高对比矩阵
+
+### 治理与报告
+
+- **`pr_risk_score`** — 融合 flake / impact / locator / coverage 信号为 0-100 分
+- **`flag_matrix`** — Feature flag 组合矩阵 + 失败最小子集分析
+- **`chaos_hooks`** — 种子化 chaos 注入 (离线 / throttle / 中途 reload)
+- **`db_snapshot`** — 每个 test 自动 DB savepoint / rollback
+- **`time_freezer`** — CDP 注入脚本冻结 `Date` / `performance.now`
+- **`persona_runner`** — 同一份 suite × N 种角色矩阵
+- **`git_bisect_flake`** — Ledger / probe 两种模式 bisect 出回归 commit
+- **`test_cost_estimator`** — 云端分钟 × 费率 → USD + CO₂ 估算
+- **`slack_digest`** — Slack Block Kit / Teams Card / 纯文本测试周报
+- **`quarantine_age_report`** — Quarantine 条目 + age + 升级 tier
+- **`test_debt_dashboard`** — skip / xfail / TODO 盘点 + age + 负责人
+- **`sla_tracker`** — 「Y% suite 在 X 分钟内跑完」周 / 日趋势
+- **`bug_repro_stability`** — N 次重复 + 分类 deterministic / flaky / 无法重现
+- **`test_owners_map`** — CODEOWNERS 解析 + 覆盖层 + 无人认领审计
+
+完整模块树见 [`CLAUDE.md`](../CLAUDE.md);完整命令清单见英文版
+[README.md](../README.md) 与 `docs/source/Zh/doc/specialized_modules/`。
+
 ## 许可证
 
 本项目采用 [MIT 许可证](../LICENSE)。