Chrome Extension Web Clipper

Phase 5 Manifest V3 Developer mode install

What is the xbrain Web Clipper?

The xbrain Chrome Extension (Manifest V3) lets you send selected web content directly to your team's xbrain memory from any webpage. You choose the truth level before sending — making it easy to capture and classify information on the fly without leaving your browser.

The extension uses Chrome's native identity API (launchWebAuthFlow) for authentication with your Google account. No passwords are stored in the extension — only the Google ID token, which is sent as the Bearer token to memory-api.

Installation

The extension is not yet on the Chrome Web Store. Install it in developer mode from the source repository:

Clone the xbrain repo: git clone https://github.com/mrboups/xbrain.git
Open Chrome → Settings → Extensions → Enable Developer mode (toggle top right)
Click "Load unpacked" → Select the chrome-extension/ folder in the cloned repo
The xbrain icon appears in your Chrome toolbar

Team access

The extension requires a Google account that has been added to your xbrain team by an admin. Authenticate with the same Google account you use to sign in to LibreChat or Open WebUI.

Extension Manifest

The extension uses Manifest V3 with Chrome's Google Identity API. Below is the actual manifest.json from the chrome-extension/ directory:

chrome-extension/manifest.json{
  "manifest_version": 3,
  "name": "xbrain Web Clipper",
  "version": "1.0.0",
  "description": "Envoyez du contenu web dans le brain xbrain de votre équipe",
  "permissions": ["identity", "activeTab", "storage"],
  "background": {
    "service_worker": "background.js"
  },
  "action": {
    "default_popup": "popup.html",
    "default_icon": {
      "48": "icon48.png",
      "128": "icon128.png"
    }
  },
  "content_scripts": [
    {
      "matches": ["<all_urls>"],
      "js": ["content.js"]
    }
  ],
  "oauth2": {
    "client_id": "YOUR_GOOGLE_CLIENT_ID.apps.googleusercontent.com",
    "scopes": ["openid", "email", "profile"]
  },
  "host_permissions": [
    "https://api.grooveos.app/*"
  ]
}

Configuration required

Replace host_permissions with your actual memory-api URL (e.g. https://api.yourdomain.com/*) and set oauth2.client_id to your Google OAuth client ID before loading the extension.

How to Use

Step 1 — Authenticate

Click the xbrain icon in your Chrome toolbar. On first use, click "Sign in with Google". The extension uses Chrome's launchWebAuthFlow to obtain a Google ID token — this opens a secure auth popup without triggering popup blockers on regular pages.

Step 2 — Select content

On any webpage, select the text you want to save. Right-click and choose "Send to xbrain" — or open the popup directly and the current page URL and title are pre-filled automatically by content.js.

Step 3 — Choose truth level

In the popup, select the truth level that reflects your confidence in the clipped content:

EPHEMERAL — Quick notes, unverified snippets, transient information
WORKING — Actively useful, in progress, not yet validated
VALIDATED — Verified information, cross-checked
CANONICAL — Team-approved truth, the authoritative version

Step 4 — Send to Brain

Click "Send to Brain". The content is POSTed to memory-api with your team's scope. You'll see a success confirmation directly in the popup. The item is immediately searchable by your teammates.

Architecture

The extension follows a strict MV3 service worker model. All API calls are made from background.js — content scripts cannot make cross-origin requests.

Browser tab (content.js)
    │ selected text + URL + title
    ▼
popup.html (user selects truth level, clicks Send)
    │
    ▼
background.js (service worker)
    │ chrome.identity.launchWebAuthFlow → Google ID token
    │
    ▼
POST https://api.grooveos.app/v1/memory/upsert
Authorization: Bearer {google_id_token}
X-Team-Scope: {team_from_storage}
{
  "item": {
    "content": "selected text",
    "source": "chrome-extension:grooveos.app",
    "truth_level": "WORKING",
    "team_scope": "excalibur",
    "project_scope": "fundraising",
    "visibility": "team"
  }
}

CORS Configuration

The memory-api accepts requests from chrome-extension:// origins. This is configured in memory-api's CORS middleware using a regex pattern to allow any extension ID:

memory-api/app/main.pyfrom fastapi.middleware.cors import CORSMiddleware

app.add_middleware(
    CORSMiddleware,
    allow_origin_regex=r"chrome-extension://.*",
    allow_origins=["https://api.grooveos.app"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

Authentication via Bearer token (Google ID token) is the real security control — the wide chrome-extension://* CORS origin is acceptable because any request still requires a valid Google ID token that memory-api verifies against Google's public keys.

Configuring for Your Deployment

Three values in manifest.json must be updated before loading the extension:

Field	Where	What to set
`host_permissions`	manifest.json	Your memory-api URL, e.g. `https://api.yourdomain.com/*`
`oauth2.client_id`	manifest.json	Your Google OAuth client ID (same as `GOOGLE_CLIENT_ID` in `.env`)
team_scope	popup.html / storage	Saved automatically in Chrome local storage after first sign-in

OAuth client ID

The Google OAuth client_id in the manifest is a public value — it is safe to commit to the repository. It identifies your OAuth app to Google but contains no secret. The actual authentication is secured by the ID token signature verification in memory-api.