@apmantza/greedysearch-pi 1.9.0 → 1.9.1

package/CHANGELOG.md

@@ -2,6 +2,35 @@
 
 ## [Unreleased]
 
+## [1.9.1] — 2026-05-23
+
+### Fixed
+
+- **Visible Chrome launches minimized** (`bin/launch-visible.mjs`) — After Chrome's CDP endpoint becomes ready, `minimizeViaCDP` sends `Browser.setWindowBounds { windowState: "minimized" }` via the browser-level WebSocket. Chrome lands in the taskbar immediately instead of stealing focus from the user's active window. Closes [#20](https://github.com/apmantza/GreedySearch-pi/issues/20).
+
+- **Recovery path always returns to headless** (`bin/search.mjs`) — After a visible-mode retry (triggered by Cloudflare blocking headless), the pipeline now unconditionally kills visible Chrome and relaunches headless before running Gemini synthesis. Previously the switch-back only happened when zero engines were recovered (`recovered === 0`), so a partial recovery left visible Chrome alive and caused synthesis to open the Gemini tab in the visible window.
+
+- **ReDoS hotspots fixed** (`bin/launch.mjs`, `extractors/selectors.mjs`, `src/fetcher.mjs`, `src/search/sources.mjs`) — Four SonarCloud `javasecurity:S5852` hotspots resolved: (1) Chrome version directory regex bounded (`\d+` → `\d{1,10}` ×4 groups); (2) Perplexity citation name regex bounded (`\s+` → `\s{1,20}`, `[^.]+` → `[^.]{1,200}`); (3) seven suspicious-content regex patterns in `checkContentQuality` replaced with `String.includes` checks (faster and immune to backtracking on adversarial input); (4) trailing-slash removal regex bounded (`\/+$` → `\/{1,10}$`). Follow-up: string checks lowercased via a single `markdown.toLowerCase()` call to restore the case-insensitive matching the original regexes provided.
+
+- **Collapsed tool rendering: consensus label fixed** (`src/tools/greedy-search-handler.ts`) — The collapsed summary was reading `synthesis.consensus` which does not exist in the schema; the field is `synthesis.agreement.level`. Collapsed view now correctly shows e.g. `→ Synthesized · 5 sources · high`.
+
+- **`minimizeViaCDP` guard inverted in `launch.mjs`** (`bin/launch.mjs`) — The early-return guard was `if (isVisible()) return` which caused the function to exit immediately in the only case it was ever called (visible Chrome launch via `GREEDY_SEARCH_VISIBLE=1`). Changed to `if (isHeadless()) return`. Also removed the unnecessary 1s sleep (Chrome is already confirmed ready via `writePortFile()` before this is called) and applied the SonarCloud S8480 fix (`wsPath` extracted from `webSocketDebuggerUrl`, WebSocket URL reconstructed as `ws://localhost:${PORT}${wsPath}`).
+
+- **Gemini tab no longer steals focus during synthesis** (`bin/search.mjs`) — Removed the `activateTab` call on the pre-navigated Gemini tab. `Target.activateTarget` was restoring the minimized Chrome window mid-search; CDP synthesis operates on the target ID directly and has no need for the tab to be Chrome's active tab.
+
+### Changed
+
+- **Result file auto-purge** (`src/search/output.mjs`) — On each search run, files older than 7 days are deleted from the results directory. The 10 most recent files are always kept regardless of age. Runs inside `resultsDir()` so it's transparent and zero-overhead.
+
+- **`greedy_search` tool: collapsed rendering** (`src/tools/greedy-search-handler.ts`) — Added `renderCall` and `renderResult` hooks. The call line shows the query (truncated to 60 chars) and engine. The result collapses to a one-line summary: synthesis path shows source count + consensus label; single-engine path shows source count; human-verification path shows a warning. Full output is available via expand (Ctrl+O). Also migrated peer deps from `@mariozechner/pi-coding-agent` to `@earendil-works/pi-coding-agent` and added `@earendil-works/pi-tui` for the `Text` primitive.
+
+- **Headless stealth hardening** (`bin/launch.mjs`, `extractors/common.mjs`) — Four fingerprinting gaps closed:
+  - **UA version auto-detected** — `getChromeVersion` reads the versioned sub-directory inside the Chrome Application folder (e.g. `148.0.7778.168/`) to extract the real major version, then injects it into the `--user-agent` flag. Eliminates the TLS/UA mismatch that was caused by the hardcoded `Chrome/131` string (actual binary was `Chrome/148`).
+  - **`navigator.userAgentData`** — Spoofed to match the detected UA version and remove any `HeadlessChrome` brand entry. `getHighEntropyValues()` returns consistent architecture, platform, and full version list.
+  - **`window.outerWidth/Height`** — Patched from `0` (headless default) to mirror `innerWidth/Height`. A zero outer dimension is a well-known one-signal bot detector.
+  - **`screen.colorDepth/pixelDepth`** — Ensured to report `24` when unset.
+  - **GPU rendering re-enabled in headless** — Removed `--disable-gpu` and `--disable-software-rasterizer`. With `--headless=new`, Chrome uses hardware GPU acceleration (ANGLE/Direct3D on Windows), producing canvas and WebGL output identical to visible mode. Cloudflare Turnstile passes automatically on Perplexity without triggering visible-mode retry.
+
 ## [1.9.0] — 2026-05-22
 
 ### Added

package/bin/launch-visible.mjs

@@ -106,6 +106,69 @@ function httpGet(url, timeoutMs = 1000) {
 	});
 }
 
+async function minimizeViaCDP(port) {
+	try {
+		const version = await httpGet(`http://localhost:${port}/json/version`).then(
+			(r) => JSON.parse(r.body),
+		);
+		const targets = await httpGet(`http://localhost:${port}/json/list`).then(
+			(r) => JSON.parse(r.body),
+		);
+		const targetId = targets.find((t) => t.type === "page")?.id;
+		if (!targetId) return;
+
+		// Validate browser WebSocket URL to prevent SSRF (SonarCloud javasecurity:S5335)
+		const wsUrlStr = version.webSocketDebuggerUrl;
+		if (typeof wsUrlStr !== "string") return;
+		const wsUrl = new URL(wsUrlStr);
+		if (wsUrl.hostname !== "localhost" && wsUrl.hostname !== "127.0.0.1")
+			return;
+		if (!/^ws:\/\/localhost:\d+/.test(`ws://${wsUrl.host}`)) return;
+		const wsPath = wsUrl.pathname;
+		const ws = new WebSocket(`ws://localhost:${port}${wsPath}`);
+		await new Promise((resolve) => {
+			ws.onopen = () =>
+				ws.send(
+					JSON.stringify({
+						id: 1,
+						method: "Browser.getWindowForTarget",
+						params: { targetId },
+					}),
+				);
+			ws.onmessage = (ev) => {
+				const msg = JSON.parse(ev.data);
+				if (msg.id === 1 && msg.result?.windowId) {
+					ws.send(
+						JSON.stringify({
+							id: 2,
+							method: "Browser.setWindowBounds",
+							params: {
+								windowId: msg.result.windowId,
+								bounds: { windowState: "minimized" },
+							},
+						}),
+					);
+				} else if (msg.id === 2) {
+					ws.close();
+					resolve();
+				}
+			};
+			ws.onerror = () => {
+				ws.close();
+				resolve();
+			};
+			setTimeout(() => {
+				try {
+					ws.close();
+				} catch {}
+				resolve();
+			}, 5000);
+		});
+	} catch {
+		// best-effort — Chrome is still usable if minimize fails
+	}
+}
+
 async function waitForPort(timeoutMs = 15000) {
 	const deadline = Date.now() + timeoutMs;
 	while (Date.now() < deadline) {
@@ -226,6 +289,8 @@ async function main() {
 		process.exit(1);
 	}
 
+	await minimizeViaCDP(PORT);
+
 	console.log("Visible Chrome ready on port 9222.");
 	console.log("Keep this terminal open to keep Chrome alive.");
 }