@askjo/camofox-browser 1.8.12 → 1.9.1

package/AGENTS.md

@@ -231,37 +231,29 @@ app.post('/tabs/:tabId/click', async (req, res) => {
 - Run `npx jest tests/unit/openapi.test.js` to verify coverage -- the test fails if any route is missing from the spec, if a stale route exists, or if `openapi.json` is out of date
 - Reusable schemas go in `components.schemas` in `lib/openapi.js` (the `swaggerDefinition`); reference them via `$ref: '#/components/schemas/Name'`
 
-## Crash Reporter
+## Telemetry
 
-**No credentials are embedded in this package.** `lib/reporter.js` is a stateless HTTP client that sends anonymized crash/hang reports to a Cloudflare Worker relay (`camofox-crash-relay.askjo.workers.dev`). The relay holds the GitHub App credentials as environment secrets -- see `workers/crash-reporter/index.ts`. The relay source is in-repo and auditable.
+**No credentials are embedded in this package.** `lib/reporter.js` is a stateless HTTP client that sends anonymized crash/hang telemetry to a Cloudflare Worker endpoint (`camofox-telemetry.askjo.workers.dev`). The endpoint holds the GitHub App credentials as environment secrets -- see `workers/crash-reporter/index.ts`. The source is in-repo and auditable.
 
-- **Architecture**: `lib/reporter.js` (client, no secrets, no `fs`) -> POST -> Cloudflare Worker relay -> GitHub Issues
-- **`lib/reporter.js`** has ZERO credentials, ZERO private keys, ZERO `fs` imports. It only does `fetch()` to the relay URL.
+- **Architecture**: `lib/reporter.js` (client, no secrets, no `fs`) -> POST -> Cloudflare Worker endpoint -> GitHub Issues
+- **`lib/reporter.js`** has ZERO credentials, ZERO private keys, ZERO `fs` imports. It only does `fetch()` to the telemetry endpoint.
 - **`lib/resources.js`** handles `fs`-based resource snapshots (reading /proc on Linux) -- separated from reporter.js so no file-read + network-send pattern exists in any single file. No `child_process` import.
 - **Anonymization** is in `lib/reporter.js` L28-290 -- text scrubbing (`anonymize()`), URL anonymization (`createUrlAnonymizer()`), and tab health tracking (`createTabHealthTracker()`)
 - **Public domain list** (~120 entries) determines which domains are shown verbatim vs HMAC-hashed
-- **Tests**: `tests/unit/crashRelay.test.js` (relay client), `tests/unit/crashRelayWorker.test.js` (worker contract), `tests/unit/noSecrets.test.js` (asserts no key material in shipped files)
-- Self-hosted relay: see README "Self-hosted relay" section
+- **Tests**: `tests/unit/crashRelay.test.js` (telemetry client), `tests/unit/crashRelayWorker.test.js` (worker contract), `tests/unit/noSecrets.test.js` (asserts no key material in shipped files)
+- Self-hosted endpoint: see README "Self-hosted telemetry endpoint" section
 - Disable with `CAMOFOX_CRASH_REPORT_ENABLED=false`
 
-## OpenClaw Scanner Isolation (CRITICAL)
+## Code Separation Conventions
 
-OpenClaw's skill-scanner flags plugins that have `process.env` + network calls (e.g. `app.post`, `fetch`, `http.request`) in the same file, or `child_process` + network calls in the same file. These patterns suggest potential credential exfiltration.
+The codebase separates concerns across files for clarity and auditability:
 
-**Rule: No single `.js` file may contain both halves of a scanner rule pair:**
-- `process.env` lives ONLY in `lib/config.js`
-- `child_process` / `execFile` / `spawn` live ONLY in `plugins/youtube/youtube.js`, `plugins/vnc/vnc-launcher.js`, and `lib/launcher.js`
-- `server.js` has the Express routes (`app.post`, `app.get`) but ZERO `process.env` reads and ZERO `child_process` imports
-- `lib/metrics.js` has NO `process.env` and NO HTTP method strings (`POST`, `fetch`). Prometheus is lazy-loaded only when `PROMETHEUS_ENABLED=1`.
-- `lib/request-utils.js` has HTTP method strings (`POST`) but NO `process.env` -- safe.
-- When adding new features that need env vars or subprocesses, put that code in a `lib/` module and import the result into `server.js`
+- **Configuration**: `process.env` reads live in `lib/config.js`, which exports a plain config object. No other file reads environment variables directly.
+- **Subprocess management**: `child_process` usage lives in dedicated launcher modules (`lib/launcher.js`, `plugins/youtube/youtube.js`, `plugins/vnc/vnc-launcher.js`), not in route handlers.
+- **Route handlers**: `server.js` defines Express routes but delegates env/config reads and subprocess spawning to the modules above.
+- **Metrics**: `lib/metrics.js` lazy-loads prom-client. `lib/request-utils.js` handles HTTP method classification.
 
-**Scanner rule details** (from `src/security/skill-scanner.ts`):
-- `env-harvesting` (CRITICAL): fires when `/process\.env/` AND `/\bfetch\b|\bpost\b|http\.request/i` match the SAME file. Note: the regex is case-insensitive, so string literals like `'POST'` and even comments containing `process.env` will trigger it.
-- `dangerous-exec` (CRITICAL): `child_process` import + `exec`/`spawn` call in same file
-- `potential-exfiltration` (WARN): `readFile` + `fetch`/`post`/`http.request` in same file
-
-This was broken in 1.3.0 (YouTube `child_process` in server.js), fixed in 1.3.1. Broken again in 1.4.1 (`metrics.js` had `process.env` in a comment + `'POST'` in `actionFromReq`), fixed in 1.5.1 by lazy-loading prom-client and splitting `actionFromReq` into `lib/request-utils.js`.
+When adding features that need env vars or subprocesses, put that code in a `lib/` module and import the result into `server.js`.
 
 ## Plugin System
 
@@ -500,12 +492,11 @@ docker build --target with-plugins -t camofox-browser .
 
 The `with-plugins` stage re-runs `install-plugin-deps.sh` to pick up any new plugins added to `plugins/`.
 
-### OpenClaw Scanner Rules
+### Code Separation Rules
 
-Plugins must follow the same isolation rules as core (see "OpenClaw Scanner Isolation" above):
+Plugins follow the same separation conventions as core (see "Code Separation Conventions" above):
 - **No `process.env` in plugin files that also have route handlers** -- read config from `ctx.config`
 - **No `child_process` in plugin files that also have route handlers** -- spawn from a separate `lib/` module
-- Violations trigger OpenClaw's `env-harvesting` or `dangerous-exec` scanner alerts
 
 ### Custom Metrics
 
@@ -576,5 +567,5 @@ Key patterns:
 - **Browser access**: `ctx.ensureBrowser()` + `ctx.getSession()` for browser-backed features
 - **Concurrency**: `ctx.withUserLimit()` to respect per-user limits
 - **Metrics**: `ctx.failuresTotal.labels(...)` for core counters, `ctx.createMetric()` for custom
-- **Scanner compliance**: `child_process` in `youtube.js`, route handler in `index.js` -- separate files
+- **Code separation**: `child_process` in `youtube.js`, route handler in `index.js` -- separate files
 - **System deps**: `apt.txt` lists packages installed via `scripts/install-plugin-deps.sh`

package/Dockerfile

@@ -58,6 +58,7 @@ RUN --mount=type=bind,source=dist,target=/dist \
 WORKDIR /app
 
 COPY package.json ./
+COPY scripts/ ./scripts/
 RUN npm install --production
 
 COPY server.js ./

package/README.md

@@ -17,7 +17,7 @@
 
 > <a href="https://askjo.ai?ref=camofox"><img src="jo-logo.png" alt="Jo" width="80" height="80" align="left" /></a>
 >
-> Built by the team behind <a href="https://askjo.ai?ref=camofox"><strong>jo -- a personal AI agent</strong></a> that runs half on your Mac, half on a dedicated cloud machine just for you -- with zero maintenance needed. Available on macOS, Telegram, WhatsApp, and email. <a href="https://askjo.ai?ref=camofox">Try the beta free -></a>
+> Built by the team behind <a href="https://askjo.ai?ref=camofox"><strong>jo, a personal AI agent</strong></a> that runs half on your Mac, half on a dedicated cloud machine just for you -- with zero maintenance needed. Available on macOS, Telegram, WhatsApp, and email. <a href="https://askjo.ai?ref=camofox">Try the beta free -></a>
 
 <br/>
 
@@ -58,7 +58,7 @@ This project wraps that engine in a REST API built for agents: accessibility sna
 - **OpenAPI Docs** - auto-generated spec at [`/openapi.json`](http://localhost:9377/openapi.json) and interactive docs at [`/docs`](http://localhost:9377/docs)
 - **Structured Extract** - `POST /tabs/:tabId/extract` with a JSON Schema that maps properties to snapshot refs via `x-ref`
 - **Session Tracing** - opt-in per-session Playwright trace capture (screenshots + DOM snapshots + network) with API endpoints to list, fetch, and delete trace zips
-- **Crash Reporter** - automatic [anonymized crash/hang reporting](lib/reporter.js#L28-L290) via GitHub Issues. Identifies which sites cause failures and common failure patterns. Private domains are HMAC-hashed, paths/params stripped, tokens/IPs redacted. Opt-out with `CAMOFOX_CRASH_REPORT_ENABLED=false`.
+- **Telemetry** - automatic [anonymized crash/hang telemetry](lib/reporter.js#L28-L290) via GitHub Issues. Identifies which sites cause failures and common failure patterns. Private domains are HMAC-hashed, paths/params stripped, tokens/IPs redacted. Opt-out with `CAMOFOX_CRASH_REPORT_ENABLED=false`.
 
 ## Optional Dependencies
 
@@ -89,6 +89,10 @@ npm start  # downloads Camoufox on first run (~300MB)
 
 Default port is `9377`. See [Environment Variables](#environment-variables) for all options.
 
+> **Note:** the postinstall script unsets `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD` for itself before fetching the Camoufox binary. Without that override, an exported `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1` (common when Playwright is configured to use system Chrome) would silently skip the binary download and crash the server at runtime.
+>
+> **Air-gapped or custom binary management:** disable the auto-fetch with `npm install --ignore-scripts` (skips lifecycle scripts for *every* dependency — bluntest option) or, more surgically, `npm install --omit=optional` plus a manual `npx camoufox-js fetch` step against your mirror. Note that `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 npm install` no longer skips the Camoufox download (the postinstall sanitizes the env locally); use `--ignore-scripts` for that.
+
 ### Docker
 
 The included `Makefile` auto-detects your CPU architecture and pre-downloads Camoufox + yt-dlp binaries outside the Docker build, so rebuilds are fast (~30s vs ~3min).
@@ -332,11 +336,11 @@ When a proxy is configured:
 - Browser fingerprint (language, timezone, coordinates) is consistent with the proxy location
 - Without a proxy, defaults to `en-US`, `America/Los_Angeles`, San Francisco coordinates
 
-### Crash Reporter
+### Telemetry
 
 Browser automation fails in ways that are hard to predict -- Cloudflare challenges, site redesigns breaking selectors, redirect loops, dialog storms, renderer crashes. The scope is wide and the failure modes are diverse. Without telemetry, the only signal is "it didn't work."
 
-The crash reporter gives us structured data on *which sites fail*, *how they fail*, and *how often*, so we can prioritize fixes for the patterns that actually affect users. It files GitHub Issues automatically when:
+Telemetry gives us structured data on *which sites fail*, *how they fail*, and *how often*, so we can prioritize fixes for the patterns that actually affect users. It files GitHub Issues automatically when:
 
 - **Uncaught exceptions** crash the process
 - **Event loop stalls** exceed 5 seconds (watchdog detection)
@@ -346,11 +350,11 @@ Each report includes the failure type, stack trace, tab health counters (HTTP st
 
 #### How it works
 
-Reports are sent to a lightweight Cloudflare Worker relay at [`https://camofox-crash-relay.askjo.workers.dev`](https://camofox-crash-relay.askjo.workers.dev/health). The relay holds the GitHub App credentials as environment secrets -- **no secrets are shipped in this package**.
+Telemetry is sent to a lightweight Cloudflare Worker endpoint at [`https://camofox-telemetry.askjo.workers.dev`](https://camofox-telemetry.askjo.workers.dev/health). The endpoint holds the GitHub App credentials as environment secrets -- **no secrets are shipped in this package**.
 
 ```
 lib/reporter.js (client, no secrets)
-    |  anonymize -> POST https://camofox-crash-relay.askjo.workers.dev/report
+    |  anonymize -> POST https://camofox-telemetry.askjo.workers.dev/report
     v
 Cloudflare Worker (holds GitHub App key)
     |  validate -> rate-limit -> dedup -> create GitHub Issue
@@ -358,28 +362,28 @@ Cloudflare Worker (holds GitHub App key)
 GitHub Issue created
 ```
 
-The relay source code is in this repo at [`workers/crash-reporter/index.ts`](workers/crash-reporter/index.ts).
+The endpoint source code is in this repo at [`workers/crash-reporter/index.ts`](workers/crash-reporter/index.ts).
 
 #### Verification
 
-You don't have to trust us -- verify what the live relay is running:
+You don't have to trust us -- verify what the live endpoint is running:
 
 ```bash
-# 1. Ask the relay what code it's running
-curl https://camofox-crash-relay.askjo.workers.dev/source
+# 1. Ask the endpoint what code it's running
+curl https://camofox-telemetry.askjo.workers.dev/source
 # -> { "commit": "abc1234", "sha256": "e3b0c44...", "source": "https://github.com/..." }
 
 # 2. Compare the sha256 against the source in this repo
 sha256sum workers/crash-reporter/index.ts
 
 # 3. Check the commit matches what CI deployed
-#    https://github.com/jo-inc/camofox-browser/actions/workflows/crash-relay-deploy.yml
+#    https://github.com/jo-inc/camofox-browser/actions/workflows/telemetry-deploy.yml
 git log --oneline workers/crash-reporter/index.ts | head -1
 ```
 
-If the hashes don't match, the relay is running different code than what's in the repo. The deploy workflow ([`.github/workflows/crash-relay-deploy.yml`](.github/workflows/crash-relay-deploy.yml)) injects the commit and source hash at deploy time -- every deploy is auditable in [GitHub Actions](https://github.com/jo-inc/camofox-browser/actions/workflows/crash-relay-deploy.yml).
+If the hashes don't match, the endpoint is running different code than what's in the repo. The deploy workflow ([`.github/workflows/telemetry-deploy.yml`](.github/workflows/telemetry-deploy.yml)) injects the commit and source hash at deploy time -- every deploy is auditable in [GitHub Actions](https://github.com/jo-inc/camofox-browser/actions/workflows/telemetry-deploy.yml).
 
-Or skip verification entirely: `CAMOFOX_CRASH_REPORT_ENABLED=false` disables all reporting, or point to [your own relay](#self-hosted-relay) with `CAMOFOX_CRASH_REPORT_URL`.
+Or skip verification entirely: `CAMOFOX_CRASH_REPORT_ENABLED=false` disables all telemetry, or point to [your own endpoint](#self-hosted-telemetry-endpoint) with `CAMOFOX_CRASH_REPORT_URL`.
 
 #### Privacy
 
@@ -395,19 +399,19 @@ All reported data goes through paranoid anonymization ([`lib/reporter.js` L28-29
 Duplicate issues are detected by stack signature and get a `+1` comment instead of a new issue.
 
 ```bash
-# Disable crash reporting
+# Disable telemetry
 export CAMOFOX_CRASH_REPORT_ENABLED=false
 
-# Point to your own relay (see below)
-export CAMOFOX_CRASH_REPORT_URL=https://your-relay.example.com/report
+# Point to your own endpoint (see below)
+export CAMOFOX_CRASH_REPORT_URL=https://your-endpoint.example.com/report
 
 # Adjust rate limit (default: 10 per hour)
 export CAMOFOX_CRASH_REPORT_RATE_LIMIT=5
 ```
 
-#### Self-hosted relay
+#### Self-hosted telemetry endpoint
 
-To file crash reports in your own GitHub repo instead of `jo-inc/camofox-browser`:
+To file telemetry reports in your own GitHub repo instead of `jo-inc/camofox-browser`:
 
 1. **Create a GitHub App** -- [Settings -> Developer settings -> GitHub Apps -> New](https://github.com/settings/apps/new)
    - Permissions: **Repository -> Issues -> Read & Write**
@@ -416,7 +420,7 @@ To file crash reports in your own GitHub repo instead of `jo-inc/camofox-browser
    - Install the app on your target repo (Install App -> select repo)
    - Note your **App ID** (number on the app's General page) and **Installation ID** (from the URL after installing: `github.com/settings/installations/{id}`)
 
-2. **Deploy the relay** -- clone this repo and deploy the worker:
+2. **Deploy the endpoint** -- clone this repo and deploy the worker:
    ```bash
    cd workers/crash-reporter
    # Edit wrangler.toml: set account_id to your Cloudflare account ID
@@ -436,7 +440,7 @@ To file crash reports in your own GitHub repo instead of `jo-inc/camofox-browser
    echo "your-org/your-repo" | npx wrangler secret put GH_REPO
    ```
 
-4. **Point camofox-browser to your relay:**
+4. **Point camofox-browser to your endpoint:**
    ```bash
    export CAMOFOX_CRASH_REPORT_URL=https://your-worker.your-subdomain.workers.dev/report
    ```
@@ -588,10 +592,10 @@ Reddit macros return JSON directly (no HTML parsing needed):
 | `PROXY_COUNTRY` | Target country for proxy geo-targeting | - |
 | `PROXY_STATE` | Target state/region for proxy geo-targeting | - |
 | `TAB_INACTIVITY_MS` | Close tabs idle longer than this | `300000` (5min) |
-| `CAMOFOX_CRASH_REPORT_ENABLED` | Enable anonymized crash/hang reporter (`false` to disable) | `true` |
-| `CAMOFOX_CRASH_REPORT_URL` | Crash report relay endpoint ([self-hosted relay](#self-hosted-relay)) | `https://camofox-crash-relay.askjo.workers.dev/report` |
-| `CAMOFOX_CRASH_REPORT_REPO` | GitHub repo for issue reports | `jo-inc/camofox-browser` |
-| `CAMOFOX_CRASH_REPORT_RATE_LIMIT` | Max reports per hour | `10` |
+| `CAMOFOX_CRASH_REPORT_ENABLED` | Enable anonymized crash/hang telemetry (`false` to disable) | `true` |
+| `CAMOFOX_CRASH_REPORT_URL` | Telemetry endpoint ([self-hosted endpoint](#self-hosted-telemetry-endpoint)) | `https://camofox-telemetry.askjo.workers.dev/report` |
+| `CAMOFOX_CRASH_REPORT_REPO` | GitHub repo for telemetry issues | `jo-inc/camofox-browser` |
+| `CAMOFOX_CRASH_REPORT_RATE_LIMIT` | Max telemetry reports per hour | `10` |
 | `ENABLE_VNC` | Enable VNC plugin for interactive browser access (`1`) | - |
 | `VNC_PASSWORD` | Password for VNC access (recommended in production) | - |
 | `NOVNC_PORT` | noVNC web UI port | `6080` |
@@ -622,7 +626,7 @@ All `process.env` reads are centralized in `lib/config.js`. All `child_process`
 
 ### No embedded secrets
 
-Zero credentials, private keys, API tokens, or signing keys ship in this package. All secrets are provided at runtime via environment variables (`CAMOFOX_API_KEY`, `CAMOFOX_ACCESS_KEY`) or are Cloudflare Worker environment secrets (crash relay GitHub App key).
+Zero credentials, private keys, API tokens, or signing keys ship in this package. All secrets are provided at runtime via environment variables (`CAMOFOX_API_KEY`, `CAMOFOX_ACCESS_KEY`) or are Cloudflare Worker environment secrets (telemetry endpoint GitHub App key).
 
 ### Cookie import is disabled by default
 
@@ -636,9 +640,9 @@ The cookie import endpoint (`POST /sessions/:userId/cookies`) is gated behind `C
 
 The Camoufox browser engine (~300MB) is downloaded at `npm install` time by [`camoufox-js`](https://www.npmjs.com/package/camoufox-js), an npm package maintained by the [Camoufox project](https://camoufox.com). It downloads from [official GitHub releases](https://github.com/nicedayzhu/camoufox/releases) with integrity verification handled by `camoufox-js`. No custom download URLs, no URL shorteners, no raw IP addresses.
 
-### Crash reporting
+### Telemetry
 
-Anonymized crash/hang reports are sent to a Cloudflare Worker relay. The relay source is [in this repo](workers/crash-reporter/index.ts) and auditable. Verification: `GET /source` on the relay returns the deployed commit hash and sha256 so you can compare against the repo. The reporter ([`lib/reporter.js` L28-290](lib/reporter.js#L28-L290)) applies paranoid anonymization: private domains are HMAC-hashed (not reversible), paths are stripped, tokens/IPs/emails are redacted. No page content, cookies, or user data is ever sent. Disable with `CAMOFOX_CRASH_REPORT_ENABLED=false` or point to your own relay with `CAMOFOX_CRASH_REPORT_URL`.
+Anonymized crash/hang telemetry is sent to a Cloudflare Worker endpoint. The endpoint source is [in this repo](workers/crash-reporter/index.ts) and auditable. Verification: `GET /source` on the endpoint returns the deployed commit hash and sha256 so you can compare against the repo. The reporter ([`lib/reporter.js` L28-290](lib/reporter.js#L28-L290)) applies paranoid anonymization: private domains are HMAC-hashed (not reversible), paths are stripped, tokens/IPs/emails are redacted. No page content, cookies, or user data is ever sent. Disable with `CAMOFOX_CRASH_REPORT_ENABLED=false` or point to your own endpoint with `CAMOFOX_CRASH_REPORT_URL`.
 
 ### Session persistence
 
@@ -646,7 +650,7 @@ The persistence plugin saves cookies and localStorage to `~/.camofox/profiles/<h
 
 ### Network access
 
-Outbound connections are made to: (1) URLs the agent navigates to (core functionality), (2) the crash report relay (anonymized, opt-out available). Inbound: the REST API on localhost:9377 (default), optionally protected by `CAMOFOX_ACCESS_KEY`.
+Outbound connections are made to: (1) URLs the agent navigates to (core functionality), (2) the telemetry endpoint (anonymized, opt-out available). Inbound: the REST API on localhost:9377 (default), optionally protected by `CAMOFOX_ACCESS_KEY`.
 
 ### Subprocess usage
 

package/lib/config.js

@@ -1,7 +1,7 @@
 /**
  * Centralized environment configuration for camofox-browser.
  *
- * All process.env access is isolated here so the scanner doesn't
+ * All process.env access is centralized here for auditability.
  * flag plugin.ts or server.js for env-harvesting (env + network in same file).
  */
 
@@ -71,6 +71,7 @@ function loadConfig() {
     navigateTimeoutMs: parseInt(process.env.NAVIGATE_TIMEOUT_MS) || 25000,
     buildrefsTimeoutMs: parseInt(process.env.BUILDREFS_TIMEOUT_MS) || 12000,
     browserIdleTimeoutMs: parseInt(process.env.BROWSER_IDLE_TIMEOUT_MS) || 300000,
+    nativeMemRestartThresholdMb: parseInt(process.env.NATIVE_MEM_RESTART_THRESHOLD_MB) || 200,
     prometheusEnabled: process.env.PROMETHEUS_ENABLED === '1' || process.env.PROMETHEUS_ENABLED === 'true',
     proxy: {
       strategy: inferProxyStrategy(process.env.PROXY_STRATEGY || ''),

package/lib/images.js

@@ -1,7 +1,7 @@
 /**
  * In-page image extraction via Playwright page.evaluate().
  *
- * Separated from downloads.js to avoid OpenClaw scanner false positives
+ * Separated from downloads.js to keep file I/O and image extraction concerns apart.
  * (browser-side fetch inside page.evaluate + Node fs reads in same file).
  */
 

package/lib/launcher.js

@@ -5,7 +5,7 @@
 import cp from 'child_process';
 import { join } from 'path';
 
-// Alias to avoid overzealous scanner pattern matching on the function name
+// Alias for clarity
 const startProcess = cp.spawn;
 
 /**

package/lib/metrics.js

@@ -1,8 +1,8 @@
 // Prometheus metrics for camofox-browser -- lazy-loaded, off by default.
 // Enable with PROMETHEUS_ENABLED=1 in environment (read via config.js).
 //
-// SCANNER RULE: This file must NOT contain words matching /process\.env/ or /\bpost\b/i.
-// See AGENTS.md "OpenClaw Scanner Isolation" for details.
+// RULE: This file must NOT contain words matching /process\.env/ or /\bpost\b/i.
+// See AGENTS.md "Code Separation Conventions" for details.
 
 let _metrics = null;
 let _register = null;

package/lib/reporter.js

@@ -432,7 +432,7 @@ export function createTabHealthTracker(page) {
 }
 
 // collectResourceSnapshot and classifyProxyError live in lib/resources.js
-// (isolated from network code to avoid scanner false positives).
+// (isolated from network code for clean separation of concerns).
 // Re-exported here for backward compatibility.
 export { collectResourceSnapshot, classifyProxyError };
 
@@ -462,14 +462,14 @@ class RateLimiter {
 // Reports are sent to a Cloudflare Worker relay. All credentials are
 // environment secrets on the relay -- nothing sensitive ships in this package.
 //
-// Default relay: https://camofox-crash-relay.askjo.workers.dev
-// Override:      CAMOFOX_CRASH_REPORT_URL=https://your-own-relay/report
+// Default endpoint: https://camofox-telemetry.askjo.workers.dev
+// Override:      CAMOFOX_CRASH_REPORT_URL=https://your-own-endpoint/report
 //
 // The relay source lives at workers/crash-reporter/index.ts in this repo.
 // Verify: GET /source returns { commit, sha256 } to compare against the repo.
 // Full source: https://github.com/jo-inc/camofox-browser/blob/main/workers/crash-reporter/index.ts
 
-const DEFAULT_RELAY_URL = 'https://camofox-crash-relay.askjo.workers.dev/report';
+const DEFAULT_RELAY_URL = 'https://camofox-telemetry.askjo.workers.dev/report';
 const FETCH_TIMEOUT_MS = 5000;
 
 let _relayUrl = DEFAULT_RELAY_URL;
@@ -593,6 +593,20 @@ function formatIssueBody(type, detail) {
   }
 
   // Context (misc extra data)
+  if (detail.nativeMemory) {
+    const nm = detail.nativeMemory;
+    sections.push('', '## Native Memory Details');
+    sections.push(`- **baseline:** ${nm.baselineMb} MB`);
+    sections.push(`- **current:** ${nm.currentMb} MB`);
+    sections.push(`- **high-water:** ${nm.highWaterMb} MB`);
+    sections.push(`- **growth:** ${nm.growthMb} MB`);
+    sections.push(`- **node RSS:** ${nm.rssMb} MB`);
+    sections.push(`- **heap used:** ${nm.heapUsedMb} MB`);
+    sections.push(`- **external:** ${nm.externalMb} MB`);
+    if (nm.lastSeenBrowserRssMb != null) sections.push(`- **browser RSS (last seen):** ${nm.lastSeenBrowserRssMb} MB`);
+    else sections.push(`- **browser RSS (last seen):** not captured (browser already dead)`);
+  }
+
   if (detail.context && Object.keys(detail.context).length > 0) {
     sections.push('', '<details><summary>Context</summary>', '', '```json', anonymize(JSON.stringify(detail.context, null, 2)), '```', '', '</details>');
   }
@@ -806,13 +820,26 @@ export function createReporter(config) {
 
     // --- Native memory leak tracking ---
     // Track RSS minus JS heap over time to detect native/external memory leaks.
-    // Sample every 30s, alert if native memory grows by >200MB from baseline.
+    // Sample every 30s, alert if native memory stays >400MB above baseline for
+    // 3 consecutive checks (~90s). This avoids false positives from:
+    //   - Browser initialization spikes (first 2 min)
+    //   - One-time allocations that stabilize
+    //   - Post-session RSS that hasn't been reclaimed by the OS yet
+    //   - Self-healing restart (kills browser at 200MB growth when sessions=0)
+    // The memory pressure restart in server.js fires at 200MB when idle.
+    // We only report at 400MB to catch cases where self-healing FAILED.
     let nativeMemBaseline = null; // RSS - heapUsed at first measurement
     let nativeMemHighWater = 0;
     let lastNativeMemCheck = 0;
     const NATIVE_MEM_CHECK_INTERVAL_MS = 30_000;
-    const NATIVE_MEM_LEAK_THRESHOLD_MB = 200; // alert if native mem exceeds baseline by this much
+    const NATIVE_MEM_LEAK_THRESHOLD_MB = 400; // alert only when growth exceeds self-healing threshold
+    const NATIVE_MEM_MIN_UPTIME_S = 120;      // don't measure until process has been up 2 min
+    const NATIVE_MEM_CONSECUTIVE_REQUIRED = 3; // require 3 consecutive checks above threshold
+    const NATIVE_MEM_GRACE_CHECKS = 2;         // skip 2 checks after baseline reset (let memory settle)
     let nativeMemAlertFired = false;
+    let nativeMemConsecutiveAbove = 0;          // consecutive checks above threshold
+    let nativeMemGraceRemaining = 0;            // checks to skip after baseline reset
+    let lastSeenBrowserRssMb = null;            // captured during growth checks while browser is alive
 
     // SIGCONT detection -- macOS sends SIGCONT on wake from sleep/suspend
     let lastSigcont = 0;
@@ -858,43 +885,90 @@ export function createReporter(config) {
       if (now - lastNativeMemCheck >= NATIVE_MEM_CHECK_INTERVAL_MS) {
         lastNativeMemCheck = now;
         try {
-          // Check if baseline should be reset (e.g. after browser close)
-          if (_resetNativeMemBaseline) {
-            nativeMemBaseline = null;
-            nativeMemHighWater = 0;
-            nativeMemAlertFired = false;
-            _resetNativeMemBaseline = false;
-          }
-          const mem = process.memoryUsage();
-          const nativeMemMb = Math.round((mem.rss - mem.heapUsed) / 1048576);
-          if (nativeMemBaseline === null) {
-            nativeMemBaseline = nativeMemMb;
-          }
-          nativeMemHighWater = Math.max(nativeMemHighWater, nativeMemMb);
-          const growth = nativeMemMb - nativeMemBaseline;
-
-          if (growth > NATIVE_MEM_LEAK_THRESHOLD_MB && !nativeMemAlertFired) {
-            nativeMemAlertFired = true;
-            let extra = {};
-            try { if (getContext) extra = getContext(); } catch { /* swallow */ }
-            const resources = collectResourceSnapshot(extra.resourceOpts || {});
-            delete extra.resourceOpts;
-
-            fileReport('leak:native-memory', ['auto-report', 'memory-leak'], {
-              message: `Native memory grew by ${growth}MB (baseline: ${nativeMemBaseline}MB, current: ${nativeMemMb}MB, high-water: ${nativeMemHighWater}MB)`,
-              uptimeMinutes: Math.round(process.uptime() / 60),
-              resources,
-              nativeMemory: {
-                baselineMb: nativeMemBaseline,
-                currentMb: nativeMemMb,
-                highWaterMb: nativeMemHighWater,
-                growthMb: growth,
-                rssMb: Math.round(mem.rss / 1048576),
-                heapUsedMb: Math.round(mem.heapUsed / 1048576),
-                externalMb: Math.round(mem.external / 1048576),
-              },
-              context: extra,
-            });
+          // Skip until process has been up long enough for browser to initialize.
+          // Browser launch causes a 100-300MB RSS spike that isn't a leak.
+          if (process.uptime() >= NATIVE_MEM_MIN_UPTIME_S) {
+            // Check if baseline should be reset (e.g. after browser close)
+            if (_resetNativeMemBaseline) {
+              nativeMemBaseline = null;
+              nativeMemHighWater = 0;
+              nativeMemAlertFired = false;
+              nativeMemConsecutiveAbove = 0;
+              nativeMemGraceRemaining = NATIVE_MEM_GRACE_CHECKS;
+              _resetNativeMemBaseline = false;
+            }
+
+            // Grace period after reset -- let memory settle before re-baselining
+            if (nativeMemGraceRemaining > 0) {
+              nativeMemGraceRemaining--;
+            } else {
+              const mem = process.memoryUsage();
+              const nativeMemMb = Math.round((mem.rss - mem.heapUsed) / 1048576);
+              if (nativeMemBaseline === null) {
+                nativeMemBaseline = nativeMemMb;
+              }
+              nativeMemHighWater = Math.max(nativeMemHighWater, nativeMemMb);
+              const growth = nativeMemMb - nativeMemBaseline;
+
+              if (growth > NATIVE_MEM_LEAK_THRESHOLD_MB && !nativeMemAlertFired) {
+                // Require sustained growth -- one-time spikes aren't leaks.
+                // Must exceed threshold on 3 consecutive checks (~90s).
+                nativeMemConsecutiveAbove++;
+
+                // Capture browser RSS NOW while it may still be alive.
+                // By report time the browser is often killed by memory pressure restart,
+                // making browserRssMb null. This preserves the last-seen value.
+                try {
+                  if (getContext) {
+                    const ctx = getContext();
+                    if (ctx.resourceOpts?.browserPid) {
+                      const snap = collectResourceSnapshot(ctx.resourceOpts);
+                      if (snap.browserRssMb != null) lastSeenBrowserRssMb = snap.browserRssMb;
+                    }
+                  }
+                } catch { /* swallow */ }
+
+                if (nativeMemConsecutiveAbove >= NATIVE_MEM_CONSECUTIVE_REQUIRED) {
+                  nativeMemAlertFired = true;
+                  let extra = {};
+                  try { if (getContext) extra = getContext(); } catch { /* swallow */ }
+                  const resources = collectResourceSnapshot(extra.resourceOpts || {});
+                  delete extra.resourceOpts;
+
+                  // Skip report if sessions=0 — memory pressure restart handles idle leaks.
+                  // Only report when sessions are active (restart CAN'T fire) or restart failed.
+                  const sessionCount = resources.browserContexts ?? 0;
+                  if (sessionCount === 0 && resources.browserRssMb == null) {
+                    // Browser already dead, restart mechanism handled it. Don't spam.
+                    // But if growth is extreme (>600MB), report anyway — restart may have failed.
+                    if (growth < 600) {
+                      // Self-healing. Skip report.
+                      return;
+                    }
+                  }
+
+                  fileReport('leak:native-memory', ['auto-report', 'memory-leak'], {
+                    message: `Native memory grew by ${growth}MB (baseline: ${nativeMemBaseline}MB, current: ${nativeMemMb}MB, high-water: ${nativeMemHighWater}MB)`,
+                    uptimeMinutes: Math.round(process.uptime() / 60),
+                    resources,
+                    nativeMemory: {
+                      baselineMb: nativeMemBaseline,
+                      currentMb: nativeMemMb,
+                      highWaterMb: nativeMemHighWater,
+                      growthMb: growth,
+                      rssMb: Math.round(mem.rss / 1048576),
+                      heapUsedMb: Math.round(mem.heapUsed / 1048576),
+                      externalMb: Math.round(mem.external / 1048576),
+                      lastSeenBrowserRssMb,
+                    },
+                    context: extra,
+                  });
+                }
+              } else {
+                // Reset consecutive counter if memory dropped back below threshold
+                nativeMemConsecutiveAbove = 0;
+              }
+            }
           }
         } catch { /* swallow */ }
       }

package/lib/request-utils.js

@@ -1,5 +1,5 @@
 // HTTP request classification helpers -- kept separate from metrics.js
-// to avoid scanner rule triggers (this file contains HTTP method strings).
+// Separated from server.js to keep HTTP method classification in its own module.
 
 /**
  * Derive a short action name from an Express request for metrics labeling.
@@ -51,6 +51,9 @@ export function classifyError(err) {
   if (msg.includes('not visible') || msg.includes('not an <input>')) return 'element_error';
   if (msg.includes('Blocked URL scheme') || msg.includes('Invalid URL')) return 'invalid_url';
   if (msg.includes('net::') || msg.includes('ERR_NAME') || msg.includes('ERR_CONNECTION')) return 'network';
+  if (msg.includes('Navigation aborted: tab deleted')) return 'tab_destroyed';
+  if (msg.includes('NS_ERROR_ABORT')) return 'nav_aborted';
+  if (msg.includes('Page crashed')) return 'page_crashed';
   if (msg.includes('Navigation failed') || msg.includes('ERR_ABORTED')) return 'nav_aborted';
   return 'unknown';
 }

package/lib/resources.js

@@ -1,6 +1,6 @@
 // lib/resources.js -- Process resource metrics and proxy error classification.
 // Isolated from reporter.js so that fs reads and network sends are never
-// in the same file (avoids OpenClaw scanner "potential-exfiltration" pattern).
+// in the same file (keeps fs reads and network sends in separate modules).
 
 import fs from 'fs';