@askjo/camofox-browser 1.7.2 → 1.7.3

package/lib/reporter.js

@@ -4,7 +4,7 @@
 
 import crypto from 'crypto';
 import fs from 'fs';
-import { execSync } from 'child_process';
+import { monitorEventLoopDelay } from 'perf_hooks';
 
 // ============================================================================
 // Anonymization
@@ -720,6 +720,15 @@ function formatIssueBody(type, detail) {
     const s = detail.stall;
     sections.push('', '## Stall Details');
     sections.push(`- **stall duration:** ${Math.round(s.driftMs / 1000)}s`);
+    if (s.classification) sections.push(`- **classification:** ${s.classification}`);
+    if (s.cpuElapsedS != null) sections.push(`- **CPU time during stall:** ${s.cpuElapsedS}s`);
+    if (s.cpuRatio != null) sections.push(`- **CPU/wall ratio:** ${s.cpuRatio}`);
+    if (s.sigcontInWindow != null) sections.push(`- **SIGCONT in window:** ${s.sigcontInWindow}`);
+    if (s.hrtimeWallDriftS != null) sections.push(`- **hrtime↔wall drift:** ${s.hrtimeWallDriftS}s`);
+    if (s.eventLoopDelay) {
+      const eld = s.eventLoopDelay;
+      sections.push(`- **event loop delay:** p50=${eld.p50Ms}ms p99=${eld.p99Ms}ms max=${eld.maxMs}ms`);
+    }
     if (s.lastRoute) sections.push(`- **last route:** ${s.lastRoute}`);
     if (s.activeHandles != null) sections.push(`- **active handles:** ${s.activeHandles}`);
     if (s.activeRequests != null) sections.push(`- **active requests:** ${s.activeRequests}`);
@@ -784,6 +793,7 @@ export function createReporter(config) {
   const version = config.version || 'unknown';
 
   let watchdogInterval = null;
+  let _resetNativeMemBaseline = false; // Set by resetNativeMemBaseline(), read by watchdog
   let lastTick = Date.now();
   const inFlight = new Set();
 
@@ -953,7 +963,31 @@ export function createReporter(config) {
 
     const checkMs = 1000;
     lastTick = Date.now();
+    let lastCpuUsage = process.cpuUsage();
+    let lastHrtime = process.hrtime.bigint();
     let lastHeapUsed = process.memoryUsage().heapUsed;
+
+    // --- Native memory leak tracking ---
+    // Track RSS minus JS heap over time to detect native/external memory leaks.
+    // Sample every 30s, alert if native memory grows by >200MB from baseline.
+    let nativeMemBaseline = null; // RSS - heapUsed at first measurement
+    let nativeMemHighWater = 0;
+    let lastNativeMemCheck = 0;
+    const NATIVE_MEM_CHECK_INTERVAL_MS = 30_000;
+    const NATIVE_MEM_LEAK_THRESHOLD_MB = 200; // alert if native mem exceeds baseline by this much
+    let nativeMemAlertFired = false;
+
+    // SIGCONT detection — macOS sends SIGCONT on wake from sleep/suspend
+    let lastSigcont = 0;
+    try { process.on('SIGCONT', () => { lastSigcont = Date.now(); }); } catch { /* unavailable */ }
+
+    // Event loop delay histogram (perf_hooks) — correlating evidence
+    let elHistogram = null;
+    try {
+      elHistogram = monitorEventLoopDelay({ resolution: 20 });
+      elHistogram.enable();
+    } catch { /* unavailable */ }
+
     // Suppress false positives from OS sleep/suspend (laptop lid close, VM pause).
     // Stalls > 120s are almost certainly not event-loop bugs.
     const MAX_REPORTABLE_DRIFT_MS = 120_000;
@@ -963,7 +997,13 @@ export function createReporter(config) {
     watchdogInterval = setInterval(() => {
       const now = Date.now();
       const drift = now - lastTick - checkMs;
+      const cpuDelta = process.cpuUsage(lastCpuUsage);
+      const hrtimeNow = process.hrtime.bigint();
+      const hrtimeDeltaMs = Number(hrtimeNow - lastHrtime) / 1e6;
+
       lastTick = now;
+      lastCpuUsage = process.cpuUsage();
+      lastHrtime = hrtimeNow;
 
       // After a long sleep/suspend, suppress the next few ticks (post-wake jitter)
       if (drift > MAX_REPORTABLE_DRIFT_MS) {
@@ -977,7 +1017,77 @@ export function createReporter(config) {
         return;
       }
 
+      // --- Native memory leak detection (runs every ~30s) ---
+      if (now - lastNativeMemCheck >= NATIVE_MEM_CHECK_INTERVAL_MS) {
+        lastNativeMemCheck = now;
+        try {
+          // Check if baseline should be reset (e.g. after browser close)
+          if (_resetNativeMemBaseline) {
+            nativeMemBaseline = null;
+            nativeMemHighWater = 0;
+            nativeMemAlertFired = false;
+            _resetNativeMemBaseline = false;
+          }
+          const mem = process.memoryUsage();
+          const nativeMemMb = Math.round((mem.rss - mem.heapUsed) / 1048576);
+          if (nativeMemBaseline === null) {
+            nativeMemBaseline = nativeMemMb;
+          }
+          nativeMemHighWater = Math.max(nativeMemHighWater, nativeMemMb);
+          const growth = nativeMemMb - nativeMemBaseline;
+
+          if (growth > NATIVE_MEM_LEAK_THRESHOLD_MB && !nativeMemAlertFired) {
+            nativeMemAlertFired = true;
+            let extra = {};
+            try { if (getContext) extra = getContext(); } catch { /* swallow */ }
+            const resources = collectResourceSnapshot(extra.resourceOpts || {});
+            delete extra.resourceOpts;
+
+            fileReport('leak:native-memory', ['auto-report', 'memory-leak'], {
+              message: `Native memory grew by ${growth}MB (baseline: ${nativeMemBaseline}MB, current: ${nativeMemMb}MB, high-water: ${nativeMemHighWater}MB)`,
+              uptimeMinutes: Math.round(process.uptime() / 60),
+              resources,
+              nativeMemory: {
+                baselineMb: nativeMemBaseline,
+                currentMb: nativeMemMb,
+                highWaterMb: nativeMemHighWater,
+                growthMb: growth,
+                rssMb: Math.round(mem.rss / 1048576),
+                heapUsedMb: Math.round(mem.heapUsed / 1048576),
+                externalMb: Math.round(mem.external / 1048576),
+              },
+              context: extra,
+            });
+          }
+        } catch { /* swallow */ }
+      }
+
       if (drift > thresholdMs) {
+        // CPU time consumed during the stall interval (user + system, in seconds)
+        const cpuElapsedS = (cpuDelta.user + cpuDelta.system) / 1e6;
+        const wallElapsedS = drift / 1000;
+        const cpuRatio = wallElapsedS > 0 ? cpuElapsedS / wallElapsedS : 0;
+
+        // SIGCONT within the stall window = OS sleep/resume
+        const sigcontInWindow = lastSigcont > 0 && (now - lastSigcont) < drift + 2000;
+
+        // hrtime vs wall clock drift (macOS: hrtime doesn't advance during sleep)
+        const hrtimeWallDriftS = Math.abs((drift - (hrtimeDeltaMs - checkMs))) / 1000;
+
+        // Classify: sleep vs real stall
+        let classification;
+        if (cpuRatio < 0.01 && sigcontInWindow) classification = 'sleep';
+        else if (cpuRatio < 0.001) classification = 'likely_sleep';
+        else if (cpuRatio < 0.01) classification = 'likely_sleep';
+        else if (cpuRatio > 0.1) classification = 'real_stall';
+        else classification = 'ambiguous';
+
+        // Don't file reports for definitive sleep
+        if (classification === 'sleep') {
+          lastHeapUsed = process.memoryUsage().heapUsed;
+          return;
+        }
+
         // Capture heap delta during stall (GC indicator)
         const currentHeap = process.memoryUsage().heapUsed;
         const heapDeltaMb = Math.round((currentHeap - lastHeapUsed) / 1048576);
@@ -990,7 +1100,23 @@ export function createReporter(config) {
         // Remove resourceOpts from extra so it doesn't end up in context
         delete extra.resourceOpts;
 
-        fileReport('stuck:event-loop', ['stuck', 'auto-report'], {
+        // Event loop delay histogram snapshot
+        let elDelay = null;
+        if (elHistogram) {
+          try {
+            elDelay = {
+              p50Ms: Math.round(elHistogram.percentile(50) / 1e6),
+              p99Ms: Math.round(elHistogram.percentile(99) / 1e6),
+              maxMs: Math.round(elHistogram.max / 1e6),
+            };
+            elHistogram.reset();
+          } catch { /* unavailable */ }
+        }
+
+        const labels = ['stuck', 'auto-report'];
+        if (classification === 'likely_sleep') labels.push('likely-sleep');
+
+        fileReport('stuck:event-loop', labels, {
           message: `Event loop stalled for ${Math.round(drift / 1000)}s (threshold: ${Math.round(thresholdMs / 1000)}s)`,
           uptimeMinutes: typeof process !== 'undefined'
             ? Math.round(process.uptime() / 60) : undefined,
@@ -998,10 +1124,20 @@ export function createReporter(config) {
           stall: {
             driftMs: drift,
             thresholdMs,
+            classification,
+            cpuElapsedS: Math.round(cpuElapsedS * 1000) / 1000,
+            cpuRatio: Math.round(cpuRatio * 10000) / 10000,
+            sigcontInWindow,
+            hrtimeWallDriftS: Math.round(hrtimeWallDriftS * 100) / 100,
+            eventLoopDelay: elDelay,
             lastRoute: _lastRoute,
             activeHandles: resources.activeHandles,
             activeRequests: resources.activeRequests,
             heapDeltaMb,
+            nativeMemGrowthMb: nativeMemBaseline !== null
+              ? Math.round((resources.nodeRssMb - resources.nodeHeapUsedMb) - nativeMemBaseline)
+              : null,
+            nativeMemBaselineMb: nativeMemBaseline,
           },
           context: extra,
         });
@@ -1021,6 +1157,16 @@ export function createReporter(config) {
     return Promise.allSettled([...inFlight]);
   }
 
+  /**
+   * Reset native memory baseline. Call after browser close so the next
+   * browser session measures from a fresh baseline, not the old one.
+   */
+  function resetNativeMemBaseline() {
+    // These are closure vars in startWatchdog — we need to reach them.
+    // Since this runs in the same module, we set a flag the watchdog reads.
+    _resetNativeMemBaseline = true;
+  }
+
   return {
     reportCrash,
     reportHang,
@@ -1028,6 +1174,7 @@ export function createReporter(config) {
     startWatchdog,
     trackRoute,
     stop,
+    resetNativeMemBaseline,
     _anonymize: anonymize,
     _stackSignature: stackSignature,
     _rateLimiter: rateLimiter,

package/lib/tmp-cleanup.js

@@ -1,11 +1,17 @@
 import fs from 'fs';
 import path from 'path';
+import os from 'os';
 
 const ORPHAN_PATTERNS = [
   /^\.fea5[a-f0-9]+\.so$/,
   /^\.5ef7[a-f0-9]+\.node$/,
 ];
 
+// Firefox temp profile directories created by Playwright/Camoufox
+const FIREFOX_PROFILE_PATTERN = /^playwright_firefoxdev_profile-/;
+// Camoufox also creates these
+const CAMOUFOX_TMP_PATTERN = /^camoufox[-_]/;
+
 export function cleanupOrphanedTempFiles({ tmpDir, minAgeMs = 5 * 60 * 1000, now = Date.now() } = {}) {
   const result = { scanned: 0, removed: 0, bytes: 0, skipped: 0 };
   if (!tmpDir) return result;
@@ -38,3 +44,65 @@ export function cleanupOrphanedTempFiles({ tmpDir, minAgeMs = 5 * 60 * 1000, now
 
   return result;
 }
+
+/**
+ * Clean up stale Firefox/Camoufox temp profile directories.
+ * These accumulate when browser.close() doesn't fully clean up
+ * (especially with enable_cache: true). Each profile can be 10-100MB+.
+ *
+ * Only removes profiles older than minAgeMs (default 2 minutes)
+ * to avoid killing profiles belonging to an actively launching browser.
+ */
+export function cleanupStaleFirefoxProfiles({ tmpDir, minAgeMs = 2 * 60 * 1000, now = Date.now() } = {}) {
+  const dir = tmpDir || os.tmpdir();
+  const result = { scanned: 0, removed: 0, bytes: 0, skipped: 0 };
+
+  let entries;
+  try {
+    entries = fs.readdirSync(dir);
+  } catch {
+    return result;
+  }
+
+  for (const name of entries) {
+    if (!FIREFOX_PROFILE_PATTERN.test(name) && !CAMOUFOX_TMP_PATTERN.test(name)) continue;
+    result.scanned++;
+    const full = path.join(dir, name);
+    try {
+      const st = fs.statSync(full);
+      if (!st.isDirectory()) continue;
+      if (now - st.mtimeMs < minAgeMs) {
+        result.skipped++;
+        continue;
+      }
+      // Calculate directory size before removing
+      const dirBytes = _dirSizeSync(full);
+      fs.rmSync(full, { recursive: true, force: true, maxRetries: 3 });
+      result.removed++;
+      result.bytes += dirBytes;
+    } catch {
+      // directory vanished, permission denied, or in-use — skip
+    }
+  }
+
+  return result;
+}
+
+/** Recursively calculate directory size (best effort, fast). */
+function _dirSizeSync(dirPath) {
+  let total = 0;
+  try {
+    const entries = fs.readdirSync(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+      const full = path.join(dirPath, entry.name);
+      try {
+        if (entry.isDirectory()) {
+          total += _dirSizeSync(full);
+        } else {
+          total += fs.statSync(full).size;
+        }
+      } catch { /* skip */ }
+    }
+  } catch { /* skip */ }
+  return total;
+}

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "camofox-browser",
   "name": "Camofox Browser",
   "description": "Anti-detection browser automation for AI agents using Camoufox (Firefox-based)",
-  "version": "1.7.2",
+  "version": "1.7.3",
   "configSchema": {
     "type": "object",
     "properties": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askjo/camofox-browser",
-  "version": "1.7.2",
+  "version": "1.7.3",
   "description": "Headless browser automation server and OpenClaw plugin for AI agents - anti-detection, element refs, and session isolation",
   "type": "module",
   "main": "server.js",
@@ -62,7 +62,7 @@
     "plugin": "node scripts/plugin.js",
     "generate-openapi": "node scripts/generate-openapi.js",
     "version:sync": "node scripts/sync-version.js",
-    "version": "node scripts/sync-version.js && git add openclaw.plugin.json",
+    "version": "node scripts/sync-version.js && node scripts/generate-openapi.js && git add openclaw.plugin.json openapi.json",
     "postinstall": "npx camoufox-js fetch || true"
   },
   "dependencies": {

package/server.js

@@ -31,7 +31,7 @@ import {
   startMemoryReporter, stopMemoryReporter,
 } from './lib/metrics.js';
 import { actionFromReq, classifyError } from './lib/request-utils.js';
-import { cleanupOrphanedTempFiles } from './lib/tmp-cleanup.js';
+import { cleanupOrphanedTempFiles, cleanupStaleFirefoxProfiles } from './lib/tmp-cleanup.js';
 import { coalesceInflight } from './lib/inflight.js';
 import { createReporter, createTabHealthTracker, collectResourceSnapshot, classifyProxyError } from './lib/reporter.js';
 import { mountDocs } from './lib/openapi.js';
@@ -56,7 +56,18 @@ function _resourceOpts() {
   return { sessionCount: sessions.size, tabCount: _countTabs(), browserPid: _browserPid() };
 }
 reporter.startWatchdog(5000, () => {
-  return { resourceOpts: _resourceOpts() };
+  const summary = [];
+  for (const [sid, session] of sessions) {
+    const tabUrls = [];
+    for (const [tid, tab] of session.tabs) {
+      try {
+        const url = tab.page?.url?.() || 'unknown';
+        tabUrls.push(url);
+      } catch { tabUrls.push('error'); }
+    }
+    if (tabUrls.length > 0) summary.push({ session: sid, tabs: tabUrls.length, urls: tabUrls });
+  }
+  return { resourceOpts: _resourceOpts(), sessions: summary.length, summary };
 });
 
 // --- Plugin event bus ---
@@ -349,6 +360,8 @@ app.post('/sessions/:userId/cookies', express.json({ limit: '512kb' }), async (r
 });
 
 let browser = null;
+let _lastBrowserPid = null; // Track PID independently for force-kill after close
+let _browserClosePromise = null; // Shared promise for concurrent close serialization
 // userId -> { context, tabGroups: Map<sessionKey, Map<tabId, TabState>>, lastAccess }
 // TabState = { page, refs: Map<refId, {role, name, nth}>, visitedUrls: Set, downloads: Array, toolCalls: number }
 // Note: sessionKey was previously called listItemId - both are accepted for backward compatibility
@@ -535,9 +548,7 @@ function scheduleBrowserIdleShutdown() {
     browserIdleTimer = setTimeout(async () => {
       if (sessions.size === 0 && browser) {
         log('info', 'browser idle shutdown (no sessions)');
-        const b = browser;
-        browser = null;
-        await b.close().catch(() => {});
+        await closeBrowserFully('idle_shutdown');
       }
     }, BROWSER_IDLE_TIMEOUT_MS);
   }
@@ -591,10 +602,7 @@ async function restartBrowser(reason) {
   pluginEvents.emit('browser:restart', { reason });
   try {
     await closeAllSessions(`browser_restart:${reason}`, { clearDownloads: true, clearLocks: true });
-    if (browser) {
-      await browser.close().catch(() => {});
-      browser = null;
-    }
+    await closeBrowserFully(`browser_restart:${reason}`);
     pluginEvents.emit('browser:closed', { reason });
     browserLaunchPromise = null;
     await ensureBrowser();
@@ -660,6 +668,167 @@ function attachBrowserCleanup(candidateBrowser, localVirtualDisplay) {
   };
 }
 
+/**
+ * Close browser with full process-tree cleanup. Handles the race where
+ * browser.close() fails/hangs but process tree survives.
+ *
+ * Serialized: concurrent callers await the same promise (no double-close).
+ *
+ * Order: capture PID → close browser → force-kill survivors →
+ * clean temp profiles → verify FD/handle drop.
+ */
+async function closeBrowserFully(reason) {
+  if (_browserClosePromise) return _browserClosePromise;
+  _browserClosePromise = _closeBrowserFullyImpl(reason);
+  try {
+    return await _browserClosePromise;
+  } finally {
+    _browserClosePromise = null;
+  }
+}
+
+async function _closeBrowserFullyImpl(reason) {
+  const b = browser;
+  if (!b) return;
+
+  // Capture PID before nulling browser ref — we need it for force-kill
+  const pid = _lastBrowserPid;
+  const preCloseFds = _countOpenFds();
+  const preCloseHandles = _countActiveHandles();
+
+  // Null the ref so new requests don't use a dying browser
+  browser = null;
+  _lastBrowserPid = null;
+
+  // Close through Playwright (sends CDP Browser.close, then SIGKILL process group)
+  let closeTimer;
+  try {
+    await Promise.race([
+      b.close(),
+      new Promise((_, reject) => { closeTimer = setTimeout(() => reject(new Error('browser.close() timeout')), 10000); }),
+    ]);
+  } catch (err) {
+    log('warn', 'browser.close() failed or timed out', { reason, error: err.message, pid });
+  } finally {
+    clearTimeout(closeTimer);
+  }
+
+  // Force-kill the entire process tree if any survivors
+  if (pid) {
+    await _forceKillProcessTree(pid, reason);
+  }
+
+  // Clean up stale Firefox temp profiles (enable_cache: true accumulates data)
+  try {
+    const cleaned = cleanupStaleFirefoxProfiles();
+    if (cleaned.removed > 0) {
+      log('info', 'cleaned stale firefox profiles after browser close', cleaned);
+    }
+  } catch { /* best effort */ }
+
+  // Reset native memory baseline so next browser measures from fresh
+  reporter.resetNativeMemBaseline();
+
+  // Verify cleanup: check FD/handle counts dropped (after force-kill completes)
+  const postCloseFds = _countOpenFds();
+  const postCloseHandles = _countActiveHandles();
+  if (postCloseFds !== null && preCloseFds !== null) {
+    const fdDelta = postCloseFds - preCloseFds;
+    // After close we expect fewer FDs. If more leaked, warn.
+    if (fdDelta > 10) {
+      log('warn', 'FD leak detected after browser close', {
+        reason, preCloseFds, postCloseFds, delta: fdDelta,
+        preCloseHandles, postCloseHandles,
+      });
+    }
+  }
+  log('info', 'browser closed fully', {
+    reason, pid, preCloseFds, postCloseFds, preCloseHandles, postCloseHandles,
+  });
+}
+
+/**
+ * Force-kill a browser process tree by PID. On Linux, kills the process group
+ * (SIGKILL -pid) then scans /proc for any orphaned children.
+ */
+async function _forceKillProcessTree(pid, reason) {
+  if (!pid || pid <= 1) return;
+
+  // Kill the specific browser process first (positive PID = single process)
+  try {
+    process.kill(pid, 'SIGKILL');
+    log('info', 'sent SIGKILL to browser process', { pid, reason });
+  } catch (err) {
+    if (err.code !== 'ESRCH') {
+      log('warn', 'failed to kill browser process', { pid, error: err.message });
+    }
+  }
+
+  // Then try the process group (Playwright launches with detached:true on Linux,
+  // making the browser a process group leader)
+  try {
+    process.kill(-pid, 'SIGKILL');
+  } catch {
+    // ESRCH = group doesn't exist (browser wasn't a group leader), which is fine
+  }
+
+  // Wait for kernel to reparent children to PID 1 before scanning
+  await new Promise(r => setTimeout(r, 200));
+
+  // On Linux: scan /proc for orphaned children that escaped the process group
+  // (reparented to PID 1 by init/systemd, common with Firefox content processes).
+  // Also checks PPid === Node PID for containerized environments without init.
+  if (process.platform === 'linux') {
+    const myPid = process.pid;
+    // Snapshot the current browser PID to avoid killing a newly launched browser
+    const currentBrowserPid = _lastBrowserPid;
+    try {
+      const procDirs = fs.readdirSync('/proc').filter(d => /^\d+$/.test(d));
+      const orphans = [];
+      for (const procPid of procDirs) {
+        const numPid = parseInt(procPid);
+        // Never kill ourselves, the old PID (already killed), or the new browser
+        if (numPid === myPid || numPid === pid || numPid === currentBrowserPid) continue;
+        try {
+          const status = fs.readFileSync(`/proc/${procPid}/status`, 'utf8');
+          const ppidMatch = status.match(/PPid:\s+(\d+)/);
+          const ppid = ppidMatch ? parseInt(ppidMatch[1]) : -1;
+          // Orphaned to init (PID 1) or reparented to us (Node is PID 1 in containers)
+          if (ppid === 1 || ppid === myPid) {
+            const cmdline = fs.readFileSync(`/proc/${procPid}/cmdline`, 'utf8');
+            // Firefox-specific: binary name or Gecko child process marker
+            if (/firefox-esr|firefox|camoufox|libxul\.so|GeckoChildProcess/i.test(cmdline)) {
+              orphans.push(numPid);
+            }
+          }
+        } catch { /* process vanished or permission denied */ }
+      }
+      if (orphans.length > 0) {
+        log('warn', 'killing orphaned browser child processes', { orphans, reason });
+        for (const orphanPid of orphans) {
+          try { process.kill(orphanPid, 'SIGKILL'); } catch { /* already dead */ }
+        }
+      }
+    } catch (err) {
+      log('warn', 'failed to scan for orphaned browser processes', { error: err.message });
+    }
+  }
+
+  // Give the OS a moment to reclaim resources
+  await new Promise(r => setTimeout(r, 300));
+}
+
+function _countOpenFds() {
+  try {
+    if (process.platform === 'linux') return fs.readdirSync('/proc/self/fd').length;
+  } catch { /* unavailable */ }
+  return null;
+}
+
+function _countActiveHandles() {
+  try { return process._getActiveHandles().length; } catch { return null; }
+}
+
 async function launchBrowserInstance() {
   const hostOS = getHostOS();
   const maxAttempts = proxyPool?.launchRetries ?? 1;
@@ -738,7 +907,8 @@ async function launchBrowserInstance() {
 
       virtualDisplay = localVirtualDisplay;
       browserLaunchProxy = launchProxy;
-      browser = candidateBrowser;
+      _lastBrowserPid = candidateBrowser.process?.()?.pid ?? null;
+      browser = candidateBrowser; // publish AFTER PID is captured
       attachBrowserCleanup(browser, localVirtualDisplay);
       pluginEvents.emit('browser:launched', { browser, display: vdDisplay });
 
@@ -775,13 +945,7 @@ async function ensureBrowser() {
       deadSessions: sessions.size,
     });
     await closeAllSessions('browser_disconnected', { clearDownloads: true, clearLocks: true });
-    // Clean up virtual display from dead browser before relaunching
-    if (virtualDisplay) {
-      virtualDisplay.kill();
-      virtualDisplay = null;
-    }
-    browserLaunchProxy = null;
-    browser = null;
+    await closeBrowserFully('browser_disconnected');
   }
   if (browser) return browser;
   if (browserLaunchPromise) return browserLaunchPromise;
@@ -1730,6 +1894,10 @@ app.get('/health', (req, res) => {
       ...(FLY_MACHINE_ID ? { machineId: FLY_MACHINE_ID } : {}),
     });
   }
+  const mem = process.memoryUsage();
+  const rssMb = Math.round(mem.rss / 1048576);
+  const heapUsedMb = Math.round(mem.heapUsed / 1048576);
+  const nativeMemMb = rssMb - heapUsedMb;
   res.json({ 
     ok: true, 
     engine: 'camoufox',
@@ -1738,6 +1906,7 @@ app.get('/health', (req, res) => {
     activeTabs: getTotalTabCount(),
     activeSessions: sessions.size,
     consecutiveFailures: healthState.consecutiveNavFailures,
+    memory: { rssMb, heapUsedMb, nativeMemMb },
     ...(FLY_MACHINE_ID ? { machineId: FLY_MACHINE_ID } : {}),
   });
 });
@@ -4390,11 +4559,8 @@ app.post('/stop', async (req, res) => {
     if (!adminKey || !timingSafeCompare(adminKey, CONFIG.adminKey)) {
       return res.status(403).json({ error: 'Forbidden' });
     }
-    if (browser) {
-      await browser.close().catch(() => {});
-      browser = null;
-    }
     await closeAllSessions('admin_stop', { clearDownloads: true, clearLocks: true });
+    await closeBrowserFully('admin_stop');
     res.json({ ok: true, stopped: true, profile: 'camoufox' });
   } catch (err) {
     res.status(500).json({ ok: false, error: safeError(err) });
@@ -4971,7 +5137,7 @@ async function gracefulShutdown(signal) {
     clearLocks: false,
   });
 
-  if (browser) await browser.close().catch(() => {});
+  await closeBrowserFully(`shutdown:${signal}`);
   process.exit(0);
 }
 
@@ -5031,6 +5197,20 @@ const server = app.listen(PORT, async () => {
   if (tmpCleanup.removed > 0) {
     log('info', 'cleaned up orphaned camoufox temp files', tmpCleanup);
   }
+  const profileCleanup = cleanupStaleFirefoxProfiles();
+  if (profileCleanup.removed > 0) {
+    log('info', 'cleaned up stale firefox profiles on startup', profileCleanup);
+  }
+
+  // Periodic temp profile cleanup every 10 minutes
+  setInterval(() => {
+    try {
+      const cleaned = cleanupStaleFirefoxProfiles();
+      if (cleaned.removed > 0) {
+        log('info', 'periodic firefox profile cleanup', cleaned);
+      }
+    } catch { /* best effort */ }
+  }, 10 * 60 * 1000).unref();
   const traceSweep = sweepOldTraces({
     baseDir: CONFIG.tracesDir,
     ttlMs: CONFIG.tracesTtlHours * 3600 * 1000,