@agenticmail/enterprise 0.5.77 → 0.5.79

package/src/browser/http-auth.ts

@@ -0,0 +1,63 @@
+import type { IncomingMessage } from "node:http";
+import { safeEqualSecret } from "./enterprise-compat.js";
+
+function firstHeaderValue(value: string | string[] | undefined): string {
+  return Array.isArray(value) ? (value[0] ?? "") : (value ?? "");
+}
+
+function parseBearerToken(authorization: string): string | undefined {
+  if (!authorization || !authorization.toLowerCase().startsWith("bearer ")) {
+    return undefined;
+  }
+  const token = authorization.slice(7).trim();
+  return token || undefined;
+}
+
+function parseBasicPassword(authorization: string): string | undefined {
+  if (!authorization || !authorization.toLowerCase().startsWith("basic ")) {
+    return undefined;
+  }
+  const encoded = authorization.slice(6).trim();
+  if (!encoded) {
+    return undefined;
+  }
+  try {
+    const decoded = Buffer.from(encoded, "base64").toString("utf8");
+    const sep = decoded.indexOf(":");
+    if (sep < 0) {
+      return undefined;
+    }
+    const password = decoded.slice(sep + 1).trim();
+    return password || undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+export function isAuthorizedBrowserRequest(
+  req: IncomingMessage,
+  auth: { token?: string; password?: string },
+): boolean {
+  const authorization = firstHeaderValue(req.headers.authorization).trim();
+
+  if (auth.token) {
+    const bearer = parseBearerToken(authorization);
+    if (bearer && safeEqualSecret(bearer, auth.token)) {
+      return true;
+    }
+  }
+
+  if (auth.password) {
+    const passwordHeader = firstHeaderValue(req.headers["x-openclaw-password"]).trim();
+    if (passwordHeader && safeEqualSecret(passwordHeader, auth.password)) {
+      return true;
+    }
+
+    const basicPassword = parseBasicPassword(authorization);
+    if (basicPassword && safeEqualSecret(basicPassword, auth.password)) {
+      return true;
+    }
+  }
+
+  return false;
+}

package/src/browser/navigation-guard.ts

@@ -0,0 +1,50 @@
+import { resolvePinnedHostnameWithPolicy } from "./enterprise-compat.js";
+import type { LookupFn, SsrFPolicy } from "./enterprise-compat.js";
+
+
+const NETWORK_NAVIGATION_PROTOCOLS = new Set(["http:", "https:"]);
+
+export class InvalidBrowserNavigationUrlError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "InvalidBrowserNavigationUrlError";
+  }
+}
+
+export type BrowserNavigationPolicyOptions = {
+  ssrfPolicy?: SsrFPolicy;
+};
+
+export function withBrowserNavigationPolicy(
+  ssrfPolicy?: SsrFPolicy,
+): BrowserNavigationPolicyOptions {
+  return ssrfPolicy ? { ssrfPolicy } : {};
+}
+
+export async function assertBrowserNavigationAllowed(
+  opts: {
+    url: string;
+    lookupFn?: LookupFn;
+  } & BrowserNavigationPolicyOptions,
+): Promise<void> {
+  const rawUrl = String(opts.url ?? "").trim();
+  if (!rawUrl) {
+    throw new InvalidBrowserNavigationUrlError("url is required");
+  }
+
+  let parsed: URL;
+  try {
+    parsed = new URL(rawUrl);
+  } catch {
+    throw new InvalidBrowserNavigationUrlError(`Invalid URL: ${rawUrl}`);
+  }
+
+  if (!NETWORK_NAVIGATION_PROTOCOLS.has(parsed.protocol)) {
+    return;
+  }
+
+  await resolvePinnedHostnameWithPolicy(parsed.hostname, {
+    lookupFn: opts.lookupFn,
+    policy: opts.ssrfPolicy,
+  });
+}

package/src/browser/paths.ts

@@ -0,0 +1,49 @@
+import path from "node:path";
+import { resolvePreferredOpenClawTmpDir } from "./enterprise-compat.js";
+
+export const DEFAULT_BROWSER_TMP_DIR = resolvePreferredOpenClawTmpDir();
+export const DEFAULT_TRACE_DIR = DEFAULT_BROWSER_TMP_DIR;
+export const DEFAULT_DOWNLOAD_DIR = path.join(DEFAULT_BROWSER_TMP_DIR, "downloads");
+export const DEFAULT_UPLOAD_DIR = path.join(DEFAULT_BROWSER_TMP_DIR, "uploads");
+
+export function resolvePathWithinRoot(params: {
+  rootDir: string;
+  requestedPath: string;
+  scopeLabel: string;
+  defaultFileName?: string;
+}): { ok: true; path: string } | { ok: false; error: string } {
+  const root = path.resolve(params.rootDir);
+  const raw = params.requestedPath.trim();
+  if (!raw) {
+    if (!params.defaultFileName) {
+      return { ok: false, error: "path is required" };
+    }
+    return { ok: true, path: path.join(root, params.defaultFileName) };
+  }
+  const resolved = path.resolve(root, raw);
+  const rel = path.relative(root, resolved);
+  if (!rel || rel.startsWith("..") || path.isAbsolute(rel)) {
+    return { ok: false, error: `Invalid path: must stay within ${params.scopeLabel}` };
+  }
+  return { ok: true, path: resolved };
+}
+
+export function resolvePathsWithinRoot(params: {
+  rootDir: string;
+  requestedPaths: string[];
+  scopeLabel: string;
+}): { ok: true; paths: string[] } | { ok: false; error: string } {
+  const resolvedPaths: string[] = [];
+  for (const raw of params.requestedPaths) {
+    const pathResult = resolvePathWithinRoot({
+      rootDir: params.rootDir,
+      requestedPath: raw,
+      scopeLabel: params.scopeLabel,
+    });
+    if (!pathResult.ok) {
+      return { ok: false, error: pathResult.error };
+    }
+    resolvedPaths.push(pathResult.path);
+  }
+  return { ok: true, paths: resolvedPaths };
+}

package/src/browser/profiles-service.ts

@@ -0,0 +1,187 @@
+import fs from "node:fs";
+import path from "node:path";
+
+import { resolveOpenClawUserDataDir } from "./chrome.js";
+import { parseHttpUrl, resolveProfile } from "./config.js";
+import { DEFAULT_BROWSER_DEFAULT_PROFILE_NAME } from "./constants.js";
+import {
+  allocateCdpPort,
+  allocateColor,
+  getUsedColors,
+  getUsedPorts,
+  isValidProfileName,
+} from "./profiles.js";
+import type { BrowserRouteContext, ProfileStatus } from "./server-context.js";
+import { movePathToTrash } from "./trash.js";
+import { deriveDefaultBrowserCdpPortRange, loadConfig, writeConfigFile } from "./enterprise-compat.js";
+import type { BrowserProfileConfig, OpenClawConfig } from "./enterprise-compat.js";
+
+export type CreateProfileParams = {
+  name: string;
+  color?: string;
+  cdpUrl?: string;
+  driver?: "openclaw" | "extension";
+};
+
+export type CreateProfileResult = {
+  ok: true;
+  profile: string;
+  cdpPort: number;
+  cdpUrl: string;
+  color: string;
+  isRemote: boolean;
+};
+
+export type DeleteProfileResult = {
+  ok: true;
+  profile: string;
+  deleted: boolean;
+};
+
+const HEX_COLOR_RE = /^#[0-9A-Fa-f]{6}$/;
+
+export function createBrowserProfilesService(ctx: BrowserRouteContext) {
+  const listProfiles = async (): Promise<ProfileStatus[]> => {
+    return await ctx.listProfiles();
+  };
+
+  const createProfile = async (params: CreateProfileParams): Promise<CreateProfileResult> => {
+    const name = params.name.trim();
+    const rawCdpUrl = params.cdpUrl?.trim() || undefined;
+    const driver = params.driver === "extension" ? "extension" : undefined;
+
+    if (!isValidProfileName(name)) {
+      throw new Error("invalid profile name: use lowercase letters, numbers, and hyphens only");
+    }
+
+    const state = ctx.state();
+    const resolvedProfiles = state.resolved.profiles;
+    if (name in resolvedProfiles) {
+      throw new Error(`profile "${name}" already exists`);
+    }
+
+    const cfg = loadConfig();
+    const rawProfiles = cfg.browser?.profiles ?? {};
+    if (name in rawProfiles) {
+      throw new Error(`profile "${name}" already exists`);
+    }
+
+    const usedColors = getUsedColors(resolvedProfiles);
+    const profileColor =
+      params.color && HEX_COLOR_RE.test(params.color) ? params.color : allocateColor(usedColors);
+
+    let profileConfig: BrowserProfileConfig;
+    if (rawCdpUrl) {
+      const parsed = parseHttpUrl(rawCdpUrl, "browser.profiles.cdpUrl");
+      profileConfig = {
+        cdpUrl: parsed.normalized,
+        ...(driver ? { driver } : {}),
+        color: profileColor,
+      };
+    } else {
+      const usedPorts = getUsedPorts(resolvedProfiles);
+      const range = deriveDefaultBrowserCdpPortRange(state.resolved.controlPort);
+      const cdpPort = allocateCdpPort(usedPorts, range);
+      if (cdpPort === null) {
+        throw new Error("no available CDP ports in range");
+      }
+      profileConfig = {
+        cdpPort,
+        ...(driver ? { driver } : {}),
+        color: profileColor,
+      };
+    }
+
+    const nextConfig: OpenClawConfig = {
+      ...cfg,
+      browser: {
+        ...cfg.browser,
+        profiles: {
+          ...rawProfiles,
+          [name]: profileConfig,
+        },
+      },
+    };
+
+    await writeConfigFile(nextConfig);
+
+    state.resolved.profiles[name] = profileConfig;
+    const resolved = resolveProfile(state.resolved, name);
+    if (!resolved) {
+      throw new Error(`profile "${name}" not found after creation`);
+    }
+
+    return {
+      ok: true,
+      profile: name,
+      cdpPort: resolved.cdpPort,
+      cdpUrl: resolved.cdpUrl,
+      color: resolved.color,
+      isRemote: !resolved.cdpIsLoopback,
+    };
+  };
+
+  const deleteProfile = async (nameRaw: string): Promise<DeleteProfileResult> => {
+    const name = nameRaw.trim();
+    if (!name) {
+      throw new Error("profile name is required");
+    }
+    if (!isValidProfileName(name)) {
+      throw new Error("invalid profile name");
+    }
+
+    const cfg = loadConfig();
+    const profiles = cfg.browser?.profiles ?? {};
+    if (!(name in profiles)) {
+      throw new Error(`profile "${name}" not found`);
+    }
+
+    const defaultProfile = cfg.browser?.defaultProfile ?? DEFAULT_BROWSER_DEFAULT_PROFILE_NAME;
+    if (name === defaultProfile) {
+      throw new Error(
+        `cannot delete the default profile "${name}"; change browser.defaultProfile first`,
+      );
+    }
+
+    let deleted = false;
+    const state = ctx.state();
+    const resolved = resolveProfile(state.resolved, name);
+
+    if (resolved?.cdpIsLoopback) {
+      try {
+        await ctx.forProfile(name).stopRunningBrowser();
+      } catch {
+        // ignore
+      }
+
+      const userDataDir = resolveOpenClawUserDataDir(name);
+      const profileDir = path.dirname(userDataDir);
+      if (fs.existsSync(profileDir)) {
+        await movePathToTrash(profileDir);
+        deleted = true;
+      }
+    }
+
+    const { [name]: _removed, ...remainingProfiles } = profiles;
+    const nextConfig: OpenClawConfig = {
+      ...cfg,
+      browser: {
+        ...cfg.browser,
+        profiles: remainingProfiles,
+      },
+    };
+
+    await writeConfigFile(nextConfig);
+
+    delete state.resolved.profiles[name];
+    state.profiles.delete(name);
+
+    return { ok: true, profile: name, deleted };
+  };
+
+  return {
+    listProfiles,
+    createProfile,
+    deleteProfile,
+  };
+}

package/src/browser/profiles.ts

@@ -0,0 +1,113 @@
+/**
+ * CDP port allocation for browser profiles.
+ *
+ * Default port range: 18800-18899 (100 profiles max)
+ * Ports are allocated once at profile creation and persisted in config.
+ * Multi-instance: callers may pass an explicit range to avoid collisions.
+ *
+ * Reserved ports (do not use for CDP):
+ *   18789 - Gateway WebSocket
+ *   18790 - Bridge
+ *   18791 - Browser control server
+ *   18792-18799 - Reserved for future one-off services (canvas at 18793)
+ */
+
+export const CDP_PORT_RANGE_START = 18800;
+export const CDP_PORT_RANGE_END = 18899;
+
+export const PROFILE_NAME_REGEX = /^[a-z0-9][a-z0-9-]*$/;
+
+export function isValidProfileName(name: string): boolean {
+  if (!name || name.length > 64) {
+    return false;
+  }
+  return PROFILE_NAME_REGEX.test(name);
+}
+
+export function allocateCdpPort(
+  usedPorts: Set<number>,
+  range?: { start: number; end: number },
+): number | null {
+  const start = range?.start ?? CDP_PORT_RANGE_START;
+  const end = range?.end ?? CDP_PORT_RANGE_END;
+  if (!Number.isFinite(start) || !Number.isFinite(end) || start <= 0 || end <= 0) {
+    return null;
+  }
+  if (start > end) {
+    return null;
+  }
+  for (let port = start; port <= end; port++) {
+    if (!usedPorts.has(port)) {
+      return port;
+    }
+  }
+  return null;
+}
+
+export function getUsedPorts(
+  profiles: Record<string, { cdpPort?: number; cdpUrl?: string }> | undefined,
+): Set<number> {
+  if (!profiles) {
+    return new Set();
+  }
+  const used = new Set<number>();
+  for (const profile of Object.values(profiles)) {
+    if (typeof profile.cdpPort === "number") {
+      used.add(profile.cdpPort);
+      continue;
+    }
+    const rawUrl = profile.cdpUrl?.trim();
+    if (!rawUrl) {
+      continue;
+    }
+    try {
+      const parsed = new URL(rawUrl);
+      const port =
+        parsed.port && Number.parseInt(parsed.port, 10) > 0
+          ? Number.parseInt(parsed.port, 10)
+          : parsed.protocol === "https:"
+            ? 443
+            : 80;
+      if (!Number.isNaN(port) && port > 0 && port <= 65535) {
+        used.add(port);
+      }
+    } catch {
+      // ignore invalid URLs
+    }
+  }
+  return used;
+}
+
+export const PROFILE_COLORS = [
+  "#FF4500", // Orange-red (openclaw default)
+  "#0066CC", // Blue
+  "#00AA00", // Green
+  "#9933FF", // Purple
+  "#FF6699", // Pink
+  "#00CCCC", // Cyan
+  "#FF9900", // Orange
+  "#6666FF", // Indigo
+  "#CC3366", // Magenta
+  "#339966", // Teal
+];
+
+export function allocateColor(usedColors: Set<string>): string {
+  // Find first unused color from palette
+  for (const color of PROFILE_COLORS) {
+    if (!usedColors.has(color.toUpperCase())) {
+      return color;
+    }
+  }
+  // All colors used, cycle based on count
+  const index = usedColors.size % PROFILE_COLORS.length;
+  return PROFILE_COLORS[index] ?? PROFILE_COLORS[0];
+}
+
+export function getUsedColors(
+  profiles: Record<string, { color: string }> | undefined,
+): Set<string> {
+  if (!profiles) {
+    return new Set();
+  }
+  return new Set(Object.values(profiles).map((p) => p.color.toUpperCase()));
+}

package/src/browser/proxy-files.ts

@@ -0,0 +1,41 @@
+import { saveMediaBuffer } from "./enterprise-compat.js";
+
+
+export type BrowserProxyFile = {
+  path: string;
+  base64: string;
+  mimeType?: string;
+};
+
+export async function persistBrowserProxyFiles(files: BrowserProxyFile[] | undefined) {
+  if (!files || files.length === 0) {
+    return new Map<string, string>();
+  }
+  const mapping = new Map<string, string>();
+  for (const file of files) {
+    const buffer = Buffer.from(file.base64, "base64");
+    const saved = await saveMediaBuffer(buffer, file.mimeType, "browser", buffer.byteLength);
+    mapping.set(file.path, saved.path);
+  }
+  return mapping;
+}
+
+export function applyBrowserProxyPaths(result: unknown, mapping: Map<string, string>) {
+  if (!result || typeof result !== "object") {
+    return;
+  }
+  const obj = result as Record<string, unknown>;
+  if (typeof obj.path === "string" && mapping.has(obj.path)) {
+    obj.path = mapping.get(obj.path);
+  }
+  if (typeof obj.imagePath === "string" && mapping.has(obj.imagePath)) {
+    obj.imagePath = mapping.get(obj.imagePath);
+  }
+  const download = obj.download;
+  if (download && typeof download === "object") {
+    const d = download as Record<string, unknown>;
+    if (typeof d.path === "string" && mapping.has(d.path)) {
+      d.path = mapping.get(d.path);
+    }
+  }
+}

package/src/browser/pw-ai-module.ts

@@ -0,0 +1,52 @@
+import { extractErrorCode, formatErrorMessage } from "./enterprise-compat.js";
+
+
+export type PwAiModule = typeof import("./pw-ai.js");
+
+type PwAiLoadMode = "soft" | "strict";
+
+let pwAiModuleSoft: Promise<PwAiModule | null> | null = null;
+let pwAiModuleStrict: Promise<PwAiModule | null> | null = null;
+
+function isModuleNotFoundError(err: unknown): boolean {
+  const code = extractErrorCode(err);
+  if (code === "ERR_MODULE_NOT_FOUND") {
+    return true;
+  }
+  const msg = formatErrorMessage(err);
+  return (
+    msg.includes("Cannot find module") ||
+    msg.includes("Cannot find package") ||
+    msg.includes("Failed to resolve import") ||
+    msg.includes("Failed to resolve entry for package") ||
+    msg.includes("Failed to load url")
+  );
+}
+
+async function loadPwAiModule(mode: PwAiLoadMode): Promise<PwAiModule | null> {
+  try {
+    return await import("./pw-ai.js");
+  } catch (err) {
+    if (mode === "soft") {
+      return null;
+    }
+    if (isModuleNotFoundError(err)) {
+      return null;
+    }
+    throw err;
+  }
+}
+
+export async function getPwAiModule(opts?: { mode?: PwAiLoadMode }): Promise<PwAiModule | null> {
+  const mode: PwAiLoadMode = opts?.mode ?? "soft";
+  if (mode === "soft") {
+    if (!pwAiModuleSoft) {
+      pwAiModuleSoft = loadPwAiModule("soft");
+    }
+    return await pwAiModuleSoft;
+  }
+  if (!pwAiModuleStrict) {
+    pwAiModuleStrict = loadPwAiModule("strict");
+  }
+  return await pwAiModuleStrict;
+}

package/src/browser/pw-ai-state.ts

@@ -0,0 +1,9 @@
+let pwAiLoaded = false;
+
+export function markPwAiLoaded(): void {
+  pwAiLoaded = true;
+}
+
+export function isPwAiLoaded(): boolean {
+  return pwAiLoaded;
+}

package/src/browser/pw-ai.ts

@@ -0,0 +1,65 @@
+import { markPwAiLoaded } from "./pw-ai-state.js";
+
+markPwAiLoaded();
+
+export {
+  type BrowserConsoleMessage,
+  closePageByTargetIdViaPlaywright,
+  closePlaywrightBrowserConnection,
+  createPageViaPlaywright,
+  ensurePageState,
+  forceDisconnectPlaywrightForTarget,
+  focusPageByTargetIdViaPlaywright,
+  getPageForTargetId,
+  listPagesViaPlaywright,
+  refLocator,
+  type WithSnapshotForAI,
+} from "./pw-session.js";
+
+export {
+  armDialogViaPlaywright,
+  armFileUploadViaPlaywright,
+  clickViaPlaywright,
+  closePageViaPlaywright,
+  cookiesClearViaPlaywright,
+  cookiesGetViaPlaywright,
+  cookiesSetViaPlaywright,
+  downloadViaPlaywright,
+  dragViaPlaywright,
+  emulateMediaViaPlaywright,
+  evaluateViaPlaywright,
+  fillFormViaPlaywright,
+  getConsoleMessagesViaPlaywright,
+  getNetworkRequestsViaPlaywright,
+  getPageErrorsViaPlaywright,
+  highlightViaPlaywright,
+  hoverViaPlaywright,
+  navigateViaPlaywright,
+  pdfViaPlaywright,
+  pressKeyViaPlaywright,
+  resizeViewportViaPlaywright,
+  responseBodyViaPlaywright,
+  scrollIntoViewViaPlaywright,
+  selectOptionViaPlaywright,
+  setDeviceViaPlaywright,
+  setExtraHTTPHeadersViaPlaywright,
+  setGeolocationViaPlaywright,
+  setHttpCredentialsViaPlaywright,
+  setInputFilesViaPlaywright,
+  setLocaleViaPlaywright,
+  setOfflineViaPlaywright,
+  setTimezoneViaPlaywright,
+  snapshotAiViaPlaywright,
+  snapshotAriaViaPlaywright,
+  snapshotRoleViaPlaywright,
+  screenshotWithLabelsViaPlaywright,
+  storageClearViaPlaywright,
+  storageGetViaPlaywright,
+  storageSetViaPlaywright,
+  takeScreenshotViaPlaywright,
+  traceStartViaPlaywright,
+  traceStopViaPlaywright,
+  typeViaPlaywright,
+  waitForDownloadViaPlaywright,
+  waitForViaPlaywright,
+} from "./pw-tools-core.js";