@f5xc-salesdemos/xcsh 19.35.1 → 19.36.0

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@f5xc-salesdemos/xcsh",
-	"version": "19.35.1",
+	"version": "19.36.0",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://github.com/f5xc-salesdemos/xcsh",
 	"author": "Can Boluk",
@@ -51,13 +51,13 @@
 	"dependencies": {
 		"@agentclientprotocol/sdk": "0.16.1",
 		"@mozilla/readability": "^0.6",
-		"@f5xc-salesdemos/xcsh-stats": "19.35.1",
-		"@f5xc-salesdemos/pi-agent-core": "19.35.1",
-		"@f5xc-salesdemos/pi-ai": "19.35.1",
-		"@f5xc-salesdemos/pi-natives": "19.35.1",
-		"@f5xc-salesdemos/pi-resource-management": "19.35.1",
-		"@f5xc-salesdemos/pi-tui": "19.35.1",
-		"@f5xc-salesdemos/pi-utils": "19.35.1",
+		"@f5xc-salesdemos/xcsh-stats": "19.36.0",
+		"@f5xc-salesdemos/pi-agent-core": "19.36.0",
+		"@f5xc-salesdemos/pi-ai": "19.36.0",
+		"@f5xc-salesdemos/pi-natives": "19.36.0",
+		"@f5xc-salesdemos/pi-resource-management": "19.36.0",
+		"@f5xc-salesdemos/pi-tui": "19.36.0",
+		"@f5xc-salesdemos/pi-utils": "19.36.0",
 		"@sinclair/typebox": "^0.34",
 		"@xterm/headless": "^6.0",
 		"ajv": "^8.20",

package/scripts/capture-login-fixture.ts

@@ -0,0 +1,30 @@
+#!/usr/bin/env bun
+// One-shot capture of the F5/Keycloak login-wall DOM fixture used by the
+// auth-preflight detection predicates:
+//   test/browser/fixtures/xc-login-wall.html   (logged-OUT login page)
+//
+// Uses a throwaway profile so the first navigation is unauthenticated. No creds
+// needed (we only capture the login page). Run manually; delete the profile after.
+//
+// The authenticated-console fixture (test/browser/fixtures/xc-console-authed.html)
+// is sourced from a real logged-in console capture rather than scripted login:
+// a fresh Chrome profile hits a Keycloak "login-actions" interstitial that is not
+// worth automating just to produce a fixture.
+import puppeteer from "puppeteer";
+
+const CHROME = process.env.CHROME_PATH;
+const BASE = process.env.F5XC_API_URL ?? "https://nferreira.staging.volterra.us";
+const PROFILE = "/tmp/xc-login-capture-profile";
+const LOGIN_OUT = "test/browser/fixtures/xc-login-wall.html";
+
+const browser = await puppeteer.launch({ headless: true, executablePath: CHROME, userDataDir: PROFILE });
+try {
+	const page = (await browser.pages())[0] ?? (await browser.newPage());
+	await page.goto(BASE, { waitUntil: "networkidle2", timeout: 45000 }).catch(() => {});
+	await new Promise(r => setTimeout(r, 2500));
+	const loginHtml = await page.content();
+	await Bun.write(LOGIN_OUT, loginHtml);
+	console.log(`wrote ${LOGIN_OUT} (${loginHtml.length} bytes) url=${page.url().slice(0, 80)}`);
+} finally {
+	await browser.close().catch(() => {});
+}

package/src/browser/acquire.ts

@@ -0,0 +1,154 @@
+import * as os from "node:os";
+import * as path from "node:path";
+import type { Browser, Page } from "puppeteer";
+import { assertLoopbackBrowserUrl, pickCoDrivePage, resolveBrowserConnectUrl } from "../tools/browser";
+import { locateChrome } from "./chrome-locate";
+
+export type AcquireMode = "attached" | "launched-default" | "launched-dedicated";
+
+const DEFAULT_DEBUG_PORT = 9222;
+
+export function dedicatedProfileDir(home: string = os.homedir()): string {
+	return path.join(home, ".xcsh", "chrome-profile");
+}
+
+export function defaultProfileDir(opts?: {
+	platform?: NodeJS.Platform;
+	env?: NodeJS.ProcessEnv;
+	home?: string;
+}): string | null {
+	const platform = opts?.platform ?? process.platform;
+	const env = opts?.env ?? process.env;
+	const home = opts?.home ?? os.homedir();
+	switch (platform) {
+		case "darwin":
+			return path.join(home, "Library", "Application Support", "Google", "Chrome");
+		case "linux":
+			return path.join(home, ".config", "google-chrome");
+		case "win32": {
+			const localAppData = env.LOCALAPPDATA;
+			if (!localAppData) return null;
+			return path.join(localAppData, "Google", "Chrome", "User Data");
+		}
+		default:
+			return null;
+	}
+}
+
+async function withLaunchTimeout<T>(p: Promise<T>, ms: number): Promise<T> {
+	let timer: ReturnType<typeof setTimeout> | undefined;
+	const timeout = new Promise<never>((_resolve, reject) => {
+		timer = setTimeout(() => reject(new Error("launch timed out")), ms);
+	});
+	try {
+		return await Promise.race([p, timeout]);
+	} finally {
+		if (timer) clearTimeout(timer);
+	}
+}
+
+export function buildLaunchArgs(opts: { profileDir?: string; debugPort: number }): string[] {
+	const args = [`--remote-debugging-port=${opts.debugPort}`, "--no-first-run", "--no-default-browser-check"];
+	if (opts.profileDir) args.push(`--user-data-dir=${opts.profileDir}`);
+	return args;
+}
+
+export function isProfileLockError(message: string): boolean {
+	// Chrome's own SingletonLock messages, plus Puppeteer's message when an
+	// explicit --user-data-dir is already held by a running browser
+	// ("The browser is already running for <dir>. Use a different `userDataDir` …").
+	return /singletonlock|processsingleton|profile appears to be in use|create a processsingleton|already running for|use a different\s+`?userdatadir/i.test(
+		message,
+	);
+}
+
+async function tryAttach(browserURL: string): Promise<{ browser: Browser; page: Page } | null> {
+	const puppeteer = (await import("puppeteer")).default;
+	try {
+		const browser = await puppeteer.connect({ browserURL });
+		const pages = await browser.pages();
+		const page = pages.length ? pages[pickCoDrivePage(pages)]! : await browser.newPage();
+		return { browser, page };
+	} catch {
+		return null;
+	}
+}
+
+async function launch(executablePath: string, args: string[]): Promise<Browser> {
+	const puppeteer = (await import("puppeteer")).default;
+	return puppeteer.launch({ headless: false, executablePath, args, defaultViewport: null });
+}
+
+export async function acquirePage(opts: {
+	settings: { get(key: string): unknown };
+	debugPort?: number;
+}): Promise<{ browser: Browser; page: Page; mode: AcquireMode }> {
+	const debugPort = opts.debugPort ?? DEFAULT_DEBUG_PORT;
+	const configuredUrl = resolveBrowserConnectUrl(opts.settings);
+	const attachUrl = configuredUrl ?? `http://127.0.0.1:${debugPort}`;
+	assertLoopbackBrowserUrl(attachUrl);
+
+	// 1) Attach to a Chrome already exposing the debug port.
+	const attached = await tryAttach(attachUrl);
+	if (attached) return { ...attached, mode: "attached" };
+
+	// If the user explicitly configured connectUrl but nothing is there, that is an error
+	// (do not silently launch a different browser than they asked to attach to).
+	if (configuredUrl) {
+		throw new Error(
+			`Could not attach to Chrome at ${configuredUrl}. Start Chrome with --remote-debugging-port=${debugPort} and retry, or unset browser.connectUrl to let xcsh launch Chrome.`,
+		);
+	}
+
+	const located = locateChrome({ settings: opts.settings });
+	if (!located) {
+		throw new Error(
+			"Google Chrome not found. Install Google Chrome, or set the browser.chromePath setting to your Chrome/Chromium executable.",
+		);
+	}
+
+	// 2) Launch the user's installed Chrome with their DEFAULT profile + debug port.
+	// We pass --user-data-dir EXPLICITLY (Chrome's implicit default profile would hand off
+	// to an already-running Chrome and exit, leaving puppeteer.launch hanging on a debug
+	// endpoint that never appears). A timeout guards against that handoff case so we can
+	// fall through to a dedicated profile instead of hanging.
+	const defaultDir = defaultProfileDir();
+	if (defaultDir) {
+		try {
+			const browser = await withLaunchTimeout(
+				launch(located.path, buildLaunchArgs({ debugPort, profileDir: defaultDir })),
+				12_000,
+			);
+			const pages = await browser.pages();
+			const page = pages.length ? pages[0]! : await browser.newPage();
+			return { browser, page, mode: "launched-default" };
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			// Profile locked (Chrome already running) or the launch timed out (handoff to a
+			// running instance) → fall through to a dedicated, xcsh-owned profile.
+			if (!isProfileLockError(msg) && !msg.includes("launch timed out")) throw err;
+		}
+	}
+
+	// 3) Default profile unavailable (locked / handoff / unsupported platform) → dedicated
+	// xcsh-owned profile. A previous xcsh-launched Chrome on this profile may still be
+	// running (close() only disconnects, never terminates), so this launch can hit the
+	// same SingletonLock/handoff and hang. Guard it with a timeout; there is no further
+	// fallback, so a timeout/lock error is fatal.
+	const profileDir = dedicatedProfileDir();
+	let browser: Browser;
+	try {
+		browser = await withLaunchTimeout(launch(located.path, buildLaunchArgs({ debugPort, profileDir })), 12_000);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		if (msg.includes("launch timed out") || isProfileLockError(msg)) {
+			throw new Error(
+				"Could not launch Chrome on the dedicated xcsh profile (it may already be in use); close other xcsh-launched Chrome windows and retry.",
+			);
+		}
+		throw err;
+	}
+	const pages = await browser.pages();
+	const page = pages.length ? pages[0]! : await browser.newPage();
+	return { browser, page, mode: "launched-dedicated" };
+}

package/src/browser/auth.ts

@@ -0,0 +1,176 @@
+/**
+ * Auth preflight for the F5 XC console.
+ *
+ * Pure predicates (`isLoginWall` / `isAuthenticated`) classify a document as a
+ * login wall or an authenticated console shell. They work over a minimal
+ * structural Document so they run both under linkedom in tests and against the
+ * live `document` (via page.evaluate) in the browser. `ensureAuthenticated` is
+ * the browser-bound orchestrator: on a login wall it triggers saved-password
+ * autofill + submit, then falls back to a co-drive poll until the operator logs
+ * in. It is verified at a later live gate (no unit test drives a real browser).
+ *
+ * No Puppeteer imports leak into the pure predicates; only `ensureAuthenticated`
+ * references the `Page` type.
+ */
+
+import type { Page } from "puppeteer";
+
+/** Minimal structural interface matching both linkedom and browser Document. */
+export interface AuthDocument {
+	querySelector(sel: string): unknown;
+	querySelectorAll(sel: string): ArrayLike<unknown>;
+}
+
+/**
+ * Selectors that identify a login form. The real XC login wall is a Keycloak
+ * page with `#username`, `#password`, and a `#kc-login` submit; the id/name/type
+ * alternatives keep this robust across Keycloak theme variations.
+ */
+export const LOGIN_SELECTOR = "#username, #password, input[name='username'], input[type='password']";
+
+/**
+ * Selector that identifies the authenticated console shell. The XC console
+ * decorates its chrome with `ves-`-prefixed component classes; the login wall
+ * has none (the only `ves-` strings there live in URL query params, not class
+ * attributes).
+ */
+export const CONSOLE_SHELL_SELECTOR = "[class*='ves-']";
+
+/** True when the document presents a login form (Keycloak login wall). */
+export function isLoginWall(doc: AuthDocument): boolean {
+	return doc.querySelector(LOGIN_SELECTOR) != null;
+}
+
+/**
+ * True when the document is the authenticated console shell: it carries
+ * `ves-`-classed chrome and is NOT showing a login form.
+ */
+export function isAuthenticated(doc: AuthDocument): boolean {
+	return doc.querySelector(CONSOLE_SHELL_SELECTOR) != null && !isLoginWall(doc);
+}
+
+/**
+ * Source for an injected IIFE that nudges the browser's saved-password manager
+ * to autofill the login form and then submits it.
+ *
+ * It focuses the username/password fields and dispatches synthetic input events
+ * so Chrome's credential manager offers its saved entry, then clicks the submit
+ * control (`#kc-login`) or, failing that, submits the enclosing form. Returns
+ * `true` when a form was found and a submit was attempted.
+ *
+ * Built as a string (rather than a function reference) so the caller can pass it
+ * straight to `page.evaluate`.
+ */
+export function triggerSavedPasswordExpr(): string {
+	return `(() => {
+  const username = document.querySelector("#username, input[name='username']");
+  const password = document.querySelector("#password, input[type='password']");
+  if (!username && !password) return false;
+  const nudge = (el) => {
+    if (!el) return;
+    el.focus();
+    el.dispatchEvent(new Event("input", { bubbles: true }));
+    el.dispatchEvent(new Event("change", { bubbles: true }));
+  };
+  nudge(username);
+  nudge(password);
+  const submit = document.querySelector("#kc-login, button[type='submit'], input[type='submit']");
+  if (submit) { submit.click(); return true; }
+  const form = (password || username || {}).form;
+  if (form && typeof form.requestSubmit === "function") { form.requestSubmit(); return true; }
+  if (form && typeof form.submit === "function") { form.submit(); return true; }
+  return false;
+})()`;
+}
+
+export interface EnsureAuthenticatedOptions {
+	/** Co-drive poll interval in ms (default 1000). */
+	pollIntervalMs?: number;
+	/** Total time to wait for the operator to complete login in ms (default 300000 = 5 min). */
+	timeoutMs?: number;
+	/** Optional callback invoked once when login is required, so callers can surface a co-drive prompt. */
+	onLoginRequired?: () => void;
+}
+
+const DEFAULT_POLL_INTERVAL_MS = 1000;
+const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000;
+
+function sleep(ms: number): Promise<void> {
+	return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * Compute the auth state against the live document inside the page.
+ *
+ * Self-contained: the selectors are passed as `page.evaluate` ARGS so nothing
+ * relies on closure or sibling-function scope (those identifiers do not exist in
+ * the page realm). Mirrors the pure `isLoginWall` / `isAuthenticated` predicates,
+ * which remain the documented logic over the same two selector consts.
+ */
+async function evalAuthState(page: Page): Promise<{ loginWall: boolean; authed: boolean }> {
+	return page.evaluate(
+		(loginSel, shellSel) => {
+			const doc = (globalThis as unknown as { document: { querySelector(s: string): unknown } }).document;
+			const loginWall = doc.querySelector(loginSel) != null;
+			const authed = doc.querySelector(shellSel) != null && !loginWall;
+			return { loginWall, authed };
+		},
+		LOGIN_SELECTOR,
+		CONSOLE_SHELL_SELECTOR,
+	);
+}
+
+/**
+ * Ensure the console at `consoleUrl` is authenticated.
+ *
+ * 1. Navigate to `consoleUrl`.
+ * 2. If already authenticated, return immediately.
+ * 3. If on a login wall, trigger saved-password autofill + submit once.
+ * 4. Poll until authenticated (operator co-drive) or the timeout elapses.
+ *
+ * Throws if the timeout elapses before authentication succeeds.
+ */
+export async function ensureAuthenticated(
+	page: Page,
+	consoleUrl: string,
+	opts: EnsureAuthenticatedOptions = {},
+): Promise<void> {
+	const pollIntervalMs = opts.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS;
+	const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+
+	await page.goto(consoleUrl, { waitUntil: "domcontentloaded" });
+
+	{
+		const { authed } = await evalAuthState(page);
+		if (authed) return;
+	}
+
+	let nudged = false;
+	let loginAnnounced = false;
+	const deadline = Date.now() + timeoutMs;
+
+	while (Date.now() < deadline) {
+		const { loginWall, authed } = await evalAuthState(page);
+		if (authed) return;
+
+		if (loginWall) {
+			if (!loginAnnounced) {
+				opts.onLoginRequired?.();
+				loginAnnounced = true;
+			}
+			if (!nudged) {
+				// Try saved-password autofill + submit exactly once; subsequent
+				// passes fall through to co-drive polling so we don't fight the
+				// operator if autofill failed or no credential was saved.
+				await page.evaluate(triggerSavedPasswordExpr());
+				nudged = true;
+			}
+		}
+
+		await sleep(pollIntervalMs);
+	}
+
+	throw new Error(
+		`Timed out after ${timeoutMs}ms waiting for authentication at ${consoleUrl}; the console is still showing a login wall.`,
+	);
+}

package/src/browser/cdp-core.ts

@@ -1,5 +1,5 @@
 import type { Browser, CDPSession, Page } from "puppeteer";
-import { assertLoopbackBrowserUrl, pickCoDrivePage, resolveBrowserConnectUrl } from "../tools/browser";
+import type { AcquireMode } from "./acquire";
 
 type Settings = { get(key: string): unknown };
 
@@ -7,24 +7,20 @@ export class BrowserSession {
 	#browser: Browser | null = null;
 	#page: Page | null = null;
 	#cdp: CDPSession | null = null;
-	#attached = false;
+	#mode: AcquireMode | null = null;
 	constructor(private readonly settings: Settings) {}
 
+	get mode(): AcquireMode | null {
+		return this.#mode;
+	}
+
 	async ensurePage(): Promise<Page> {
 		if (this.#page && !this.#page.isClosed()) return this.#page;
-		const puppeteer = (await import("puppeteer")).default;
-		const connectUrl = resolveBrowserConnectUrl(this.settings);
-		if (connectUrl) {
-			assertLoopbackBrowserUrl(connectUrl);
-			this.#browser = await puppeteer.connect({ browserURL: connectUrl });
-			this.#attached = true;
-			const pages = await this.#browser.pages();
-			this.#page = pages.length ? pages[pickCoDrivePage(pages)]! : await this.#browser.newPage();
-		} else {
-			this.#browser = await puppeteer.launch({ headless: !!this.settings.get("browser.headless") });
-			this.#attached = false;
-			this.#page = await this.#browser.newPage();
-		}
+		const { acquirePage } = await import("./acquire");
+		const { browser, page, mode } = await acquirePage({ settings: this.settings });
+		this.#browser = browser;
+		this.#page = page;
+		this.#mode = mode;
 		this.#cdp = null;
 		return this.#page;
 	}
@@ -37,12 +33,13 @@ export class BrowserSession {
 
 	async close(): Promise<void> {
 		if (this.#browser) {
-			if (this.#attached) await this.#browser.disconnect();
-			else await this.#browser.close();
+			// Never terminate the user's Chrome (attached or launched against their profile);
+			// just detach. Puppeteer's disconnect leaves the browser running.
+			await this.#browser.disconnect().catch(() => {});
 		}
 		this.#browser = null;
 		this.#page = null;
 		this.#cdp = null;
-		this.#attached = false;
+		this.#mode = null;
 	}
 }

package/src/browser/chrome-locate.ts

@@ -0,0 +1,66 @@
+import { execFileSync } from "node:child_process";
+import * as fs from "node:fs";
+import * as path from "node:path";
+
+export interface LocateChromeOpts {
+	settings?: { get(key: string): unknown };
+	platform?: NodeJS.Platform;
+	env?: NodeJS.ProcessEnv;
+	exists?: (p: string) => boolean;
+	which?: (cmd: string) => string | null;
+}
+
+export interface LocatedChrome {
+	path: string;
+	source: "setting" | "macos" | "path" | "nixos" | "windows";
+}
+
+function defaultWhich(cmd: string): string | null {
+	try {
+		const out = execFileSync("sh", ["-c", `command -v ${cmd}`], { encoding: "utf-8" }).trim();
+		return out || null;
+	} catch {
+		return null;
+	}
+}
+
+export function locateChrome(opts: LocateChromeOpts = {}): LocatedChrome | null {
+	const platform = opts.platform ?? process.platform;
+	const env = opts.env ?? process.env;
+	const exists = opts.exists ?? ((p: string) => fs.existsSync(p));
+	const which = opts.which ?? defaultWhich;
+
+	const override = opts.settings?.get("browser.chromePath");
+	if (typeof override === "string" && override.trim() && exists(override.trim())) {
+		return { path: override.trim(), source: "setting" };
+	}
+
+	if (platform === "darwin") {
+		const macCandidates = [
+			"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
+			"/Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary",
+			"/Applications/Chromium.app/Contents/MacOS/Chromium",
+		];
+		for (const c of macCandidates) if (exists(c)) return { path: c, source: "macos" };
+		return null;
+	}
+
+	if (platform === "win32") {
+		const roots = [env.PROGRAMFILES, env["PROGRAMFILES(X86)"], env.LOCALAPPDATA].filter(Boolean) as string[];
+		for (const root of roots) {
+			const c = path.join(root, "Google", "Chrome", "Application", "chrome.exe");
+			if (exists(c)) return { path: c, source: "windows" };
+		}
+		return null;
+	}
+
+	// linux / other unix
+	for (const cmd of ["google-chrome", "google-chrome-stable", "chromium", "chromium-browser"]) {
+		const found = which(cmd);
+		if (found) return { path: found, source: "path" };
+	}
+	for (const c of [path.join(env.HOME ?? "", ".nix-profile/bin/chromium"), "/run/current-system/sw/bin/chromium"]) {
+		if (c && exists(c)) return { path: c, source: "nixos" };
+	}
+	return null;
+}

package/src/browser/index.ts

@@ -1,6 +1,9 @@
+export * from "./acquire";
 export * from "./actions";
+export * from "./auth";
 export * from "./ax";
 export * from "./cdp-core";
+export * from "./chrome-locate";
 export * from "./dom-context";
 export * from "./input-commit";
 export * from "./resolver";

package/src/config/settings-schema.ts

@@ -1408,6 +1408,17 @@ export const SETTINGS_SCHEMA = {
 		},
 	},
 
+	"browser.chromePath": {
+		type: "string",
+		default: undefined,
+		ui: {
+			tab: "tools",
+			label: "Chrome executable path (override)",
+			description:
+				"Absolute path to a Chrome/Chromium executable. Overrides auto-detection of the installed browser used for console automation. Leave unset to auto-detect.",
+		},
+	},
+
 	"browser.screenshotDir": {
 		type: "string",
 		default: undefined,

package/src/internal-urls/build-info.generated.ts

@@ -17,17 +17,17 @@ export interface BuildInfo {
 }
 
 export const BUILD_INFO: BuildInfo = {
-	"version": "19.35.1",
-	"commit": "859c5bbaeadef1b3556025c624f25a0597a74b2c",
-	"shortCommit": "859c5bb",
+	"version": "19.36.0",
+	"commit": "25f2668aebf96b7025f2b1abc9646adcd929d0b0",
+	"shortCommit": "25f2668",
 	"branch": "main",
-	"tag": "v19.35.1",
-	"commitDate": "2026-06-19T11:39:13Z",
-	"buildDate": "2026-06-19T11:59:24.040Z",
+	"tag": "v19.36.0",
+	"commitDate": "2026-06-19T19:08:49Z",
+	"buildDate": "2026-06-19T19:30:15.957Z",
 	"dirty": true,
 	"prNumber": "",
 	"repoUrl": "https://github.com/f5xc-salesdemos/xcsh",
 	"repoSlug": "f5xc-salesdemos/xcsh",
-	"commitUrl": "https://github.com/f5xc-salesdemos/xcsh/commit/859c5bbaeadef1b3556025c624f25a0597a74b2c",
-	"releaseUrl": "https://github.com/f5xc-salesdemos/xcsh/releases/tag/v19.35.1"
+	"commitUrl": "https://github.com/f5xc-salesdemos/xcsh/commit/25f2668aebf96b7025f2b1abc9646adcd929d0b0",
+	"releaseUrl": "https://github.com/f5xc-salesdemos/xcsh/releases/tag/v19.36.0"
 };

package/src/internal-urls/console-catalog.generated.ts

@@ -28,7 +28,7 @@ export const CONSOLE_CATALOG_DATA: ConsoleCatalogData = {
 		"demos/waap-full-stack-teardown":
 			'schema: "urn:f5xc:console:workflow:v1"\nid: "waap-full-stack-teardown"\nlabel: "WAAP Full Stack Teardown — Delete HTTP LB + App Firewall + Origin Pool"\nresource:\n  - "http-load-balancer"\n  - "app-firewall"\n  - "origin-pool"\noperation: "demo"\n\npreconditions:\n  - "user_logged_in"\n  - "namespace_selected"\n  - "role_minimum: admin"\n\nparams:\n  namespace:\n    required: true\n    description: "Namespace containing the resources"\n    example: "demo"\n  app_name:\n    required: true\n    description: "Base name used when creating resources"\n    example: "example-app"\n\nsteps:\n  - id: "delete-http-lb"\n    action: "run-workflow"\n    workflow: "http-load-balancer/delete"\n    with:\n      namespace: "{namespace}"\n      name: "{app_name}-lb"\n    description: "Step 1: Delete the HTTP Load Balancer (must be deleted before its dependencies)"\n\n  - id: "delete-app-firewall"\n    action: "run-workflow"\n    workflow: "app-firewall/delete"\n    with:\n      namespace: "{namespace}"\n      name: "{app_name}-waf"\n    description: "Step 2: Delete the App Firewall policy"\n\n  - id: "delete-origin-pool"\n    action: "run-workflow"\n    workflow: "origin-pool/delete"\n    with:\n      namespace: "{namespace}"\n      name: "{app_name}-pool"\n    description: "Step 3: Delete the Origin Pool"\n\npostconditions:\n  - "resource_deleted: {app_name}-lb"\n  - "resource_deleted: {app_name}-waf"\n  - "resource_deleted: {app_name}-pool"\n\nmetadata:\n  confidence: "draft"\n  discovered_at: "2026-06-16"\n  console_version: "2025.06"\n  estimated_duration_seconds: 60\n  notes: >\n    Teardown companion for waap-full-stack demo. Deletes resources in\n    reverse dependency order: HTTP LB first (references origin pool and\n    app firewall), then app firewall, then origin pool.\n',
 		"health-check/create":
-			'schema: "urn:f5xc:console:workflow:v1"\nid: "health-check-create"\nlabel: "Create Health Check"\nresource: "health-check"\noperation: "create"\n\npreconditions:\n  - "user_logged_in"\n  - "namespace_selected"\n  - "role_minimum: admin"\n\nparams:\n  namespace:\n    required: true\n    description: "Target namespace"\n    example: "demo"\n  name:\n    required: true\n    description: "Health check name (lowercase alphanumeric and hyphens)"\n    example: "example-health-check"\n  health_check_type:\n    required: false\n    description: "Health check protocol type"\n    example: "HTTP HealthCheck"\n    default: "HTTP HealthCheck"\n  timeout:\n    required: false\n    type: "number"\n    description: "Timeout for each health check probe in seconds"\n    example: 3\n    default: 3\n  interval:\n    required: false\n    type: "number"\n    description: "Interval between health check probes in seconds"\n    example: 15\n    default: 15\n  unhealthy_threshold:\n    required: false\n    type: "number"\n    description: "Number of consecutive failures before marking unhealthy"\n    example: 1\n    default: 1\n  healthy_threshold:\n    required: false\n    type: "number"\n    description: "Number of consecutive successes before marking healthy"\n    example: 3\n    default: 3\n\nsteps:\n  - id: "navigate-to-list"\n    action: "navigate"\n    url: "/web/workspaces/web-app-and-api-protection/namespaces/{namespace}/manage/load_balancers/health_checks"\n    wait_for: "text(\'Health Checks\')"\n    description: "Navigate to Health Checks list page within Web App & API Protection workspace"\n\n  - id: "click-add-tab"\n    action: "click"\n    selector: "tab:text(\'Add Health Check\')"\n    wait_for: "textbox[name=\'Name\']"\n    description: "Click the Add Health Check tab to open the inline create form"\n    note: "This is a tab element, not a button"\n\n  - id: "fill-name"\n    action: "fill"\n    selector: "textbox[name=\'Name\']"\n    value: "{name}"\n    description: "Enter the health check name in the Name textbox"\n\n  - id: "select-type"\n    condition: "params.health_check_type is set"\n    action: "select"\n    selector: "listbox"\n    context: "Health Check Parameters section"\n    value: "{health_check_type}"\n    description: "Select the health check type (HTTP HealthCheck or TCP HealthCheck)"\n\n  - id: "set-timeout"\n    condition: "params.timeout is set"\n    action: "fill"\n    selector: "spinbutton[name=\'Timeout\']"\n    value: "{timeout}"\n    description: "Set the health check timeout value"\n\n  - id: "set-interval"\n    condition: "params.interval is set"\n    action: "fill"\n    selector: "spinbutton[name=\'Interval\']"\n    value: "{interval}"\n    description: "Set the health check interval value"\n\n  - id: "set-unhealthy-threshold"\n    condition: "params.unhealthy_threshold is set"\n    action: "fill"\n    selector: "spinbutton[name=\'Unhealthy Threshold\']"\n    value: "{unhealthy_threshold}"\n    description: "Set the unhealthy threshold value"\n\n  - id: "set-healthy-threshold"\n    condition: "params.healthy_threshold is set"\n    action: "fill"\n    selector: "spinbutton[name=\'Healthy Threshold\']"\n    value: "{healthy_threshold}"\n    description: "Set the healthy threshold value"\n\n  - id: "save"\n    action: "click"\n    selector: "button:text(\'Add Health Check\')"\n    context: "footer"\n    wait_for: "text(\'{name}\')"\n    wait_timeout_ms: 30000\n    description: "Click the Add Health Check button in the form footer to save"\n\n  - id: "verify-created"\n    action: "assert"\n    selector: "text(\'{name}\')"\n    description: "Verify the resource was created by checking the name appears in the list"\n\npostconditions:\n  - "resource_list_page_visible"\n  - "resource_name_in_list: {name}"\n\nmetadata:\n  confidence: "validated"\n  discovered_at: "2026-06-15"\n  validated_at: "2026-06-15"\n  console_version: "2025.06"\n  estimated_duration_seconds: 25\n  notes: "Selectors use aria/text-based patterns validated against live console. No data-testid attributes exist. Has Show Advanced Fields toggle for additional parameters."\n',
+			'schema: "urn:f5xc:console:workflow:v1"\nid: "health-check-create"\nlabel: "Create Health Check"\nresource: "health-check"\noperation: "create"\n\npreconditions:\n  - "user_logged_in"\n  - "namespace_selected"\n  - "role_minimum: admin"\n\nparams:\n  namespace:\n    required: true\n    description: "Target namespace"\n    example: "demo"\n  name:\n    required: true\n    description: "Health check name (lowercase alphanumeric and hyphens)"\n    example: "example-health-check"\n  health_check_type:\n    required: false\n    description: "Health check protocol type"\n    example: "HTTP HealthCheck"\n    default: "HTTP HealthCheck"\n  timeout:\n    required: false\n    type: "number"\n    description: "Timeout for each health check probe in seconds"\n    example: 3\n    default: 3\n  interval:\n    required: false\n    type: "number"\n    description: "Interval between health check probes in seconds"\n    example: 15\n    default: 15\n  unhealthy_threshold:\n    required: false\n    type: "number"\n    description: "Number of consecutive failures before marking unhealthy"\n    example: 1\n    default: 1\n  healthy_threshold:\n    required: false\n    type: "number"\n    description: "Number of consecutive successes before marking healthy"\n    example: 3\n    default: 3\n\nsteps:\n  - id: "navigate-to-list"\n    action: "navigate"\n    url: "/web/workspaces/web-app-and-api-protection/namespaces/{namespace}/manage/load_balancers/health_checks"\n    wait_for: "text(\'Health Checks\')"\n    description: "Navigate to Health Checks list page within Web App & API Protection workspace"\n\n  - id: "click-add-tab"\n    action: "click"\n    selector: "tab:text(\'Add Health Check\')"\n    wait_for: "textbox[name=\'Name\']"\n    description: "Click the Add Health Check tab to open the inline create form"\n    note: "This is a tab element, not a button"\n\n  - id: "fill-name"\n    action: "fill"\n    selector: "textbox[name=\'Name\']"\n    value: "{name}"\n    description: "Enter the health check name in the Name textbox"\n\n  - id: "select-type"\n    condition: "params.health_check_type is set"\n    action: "select"\n    selector: "listbox"\n    context: "Health Check Parameters section"\n    value: "{health_check_type}"\n    description: "Select the health check type (HTTP HealthCheck or TCP HealthCheck)"\n\n  - id: "set-timeout"\n    condition: "params.timeout is set"\n    action: "fill"\n    selector: "spinbutton[name=\'Timeout\']"\n    value: "{timeout}"\n    description: "Set the health check timeout value"\n\n  - id: "set-interval"\n    condition: "params.interval is set"\n    action: "fill"\n    selector: "spinbutton[name=\'Interval\']"\n    value: "{interval}"\n    description: "Set the health check interval value"\n\n  - id: "set-unhealthy-threshold"\n    condition: "params.unhealthy_threshold is set"\n    action: "fill"\n    selector: "spinbutton[name=\'Unhealthy Threshold\']"\n    value: "{unhealthy_threshold}"\n    description: "Set the unhealthy threshold value"\n\n  - id: "set-healthy-threshold"\n    condition: "params.healthy_threshold is set"\n    action: "fill"\n    selector: "spinbutton[name=\'Healthy Threshold\']"\n    value: "{healthy_threshold}"\n    description: "Set the healthy threshold value"\n\n  - id: "save"\n    action: "click"\n    selector: "button:text(\'Add Health Check\')"\n    wait_for: "text(\'{name}\')"\n    wait_timeout_ms: 30000\n    description: "Click the Add Health Check button to save. The \'button\' role disambiguates the footer save button from the same-named tab, so no section context is needed. The wait_for confirms the new resource\'s name appears in the list, which is the creation verification."\n\npostconditions:\n  - "resource_list_page_visible"\n  - "resource_name_in_list: {name}"\n\nmetadata:\n  confidence: "validated"\n  discovered_at: "2026-06-15"\n  validated_at: "2026-06-18"\n  console_version: "2025.06"\n  estimated_duration_seconds: 25\n  notes: "Selectors use aria/text-based patterns validated against live console. No data-testid attributes exist. Has Show Advanced Fields toggle for additional parameters."\n',
 		"health-check/delete":
 			'schema: "urn:f5xc:console:workflow:v1"\nid: "health-check-delete"\nlabel: "Delete Health Check"\nresource: "health-check"\noperation: "delete"\n\npreconditions:\n  - "user_logged_in"\n  - "namespace_selected"\n  - "role_minimum: admin"\n  - "resource_exists: {name}"\n\nparams:\n  namespace:\n    required: true\n    description: "Namespace containing the health check"\n    example: "demo"\n  name:\n    required: true\n    description: "Name of the health check to delete"\n    example: "example-health-check"\n\nsteps:\n  - id: "navigate-to-list"\n    action: "navigate"\n    url: "/web/namespace/{namespace}/load-balancers/health-checks"\n    wait_for: "[data-testid=\'resource-table\']"\n    description: "Navigate to Health Checks list page"\n\n  - id: "find-row"\n    action: "assert"\n    selector: "[data-testid=\'resource-row-{name}\']"\n    expected_text: "{name}"\n    description: "Locate the target resource row in the table"\n\n  - id: "open-actions"\n    action: "click"\n    selector: "[data-testid=\'resource-row-{name}\'] [data-testid=\'row-actions\']"\n    wait_for: "[data-testid=\'action-delete\']"\n    description: "Open the row actions menu"\n\n  - id: "click-delete"\n    action: "click"\n    selector: "[data-testid=\'action-delete\']"\n    wait_for: "[data-testid=\'confirm-delete-modal\']"\n    description: "Click Delete to open the confirmation modal"\n\n  - id: "confirm-delete"\n    action: "click"\n    selector: "[data-testid=\'confirm-delete-btn\']"\n    wait_for: "[data-testid=\'resource-table\']"\n    wait_timeout_ms: 15000\n    description: "Confirm deletion and wait for the table to refresh"\n\n  - id: "verify-deleted"\n    action: "assert"\n    selector: "[data-testid=\'resource-table\']"\n    description: "Verify the resource no longer appears in the table"\n\npostconditions:\n  - "resource_removed_from_list"\n  - "list_page_visible"\n\nmetadata:\n  confidence: "draft"\n  discovered_at: "2026-06-15"\n  console_version: "2025.06"\n  estimated_duration_seconds: 15\n',
 		"http-load-balancer/clone":

package/src/internal-urls/console-resolve.ts

@@ -23,6 +23,20 @@ function operationsFor(resource: string, catalog: ConsoleCatalogData): string[]
 		.map(k => k.slice(prefix.length));
 }
 
+const normKey = (s: string): string => s.toLowerCase().replace(/[-_\s]+/g, "");
+
+export function canonicalizeResource(name: string, catalog: ConsoleCatalogData): string | null {
+	const target = normKey(name);
+	const keys = Object.keys(catalog.resources);
+	// exact-normalized match first
+	let hit = keys.find(k => normKey(k) === target);
+	if (hit) return hit;
+	// tolerate trailing plural 's'
+	const singular = target.replace(/s$/, "");
+	hit = keys.find(k => normKey(k) === singular || normKey(k).replace(/s$/, "") === target);
+	return hit ?? null;
+}
+
 function renderIndex(catalog: ConsoleCatalogData): string {
 	const lines = [`# F5 XC Console Catalogue (v${catalog.version})`, "", "## Resources", ""];
 	for (const id of Object.keys(catalog.resources).sort()) {
@@ -33,27 +47,43 @@ function renderIndex(catalog: ConsoleCatalogData): string {
 }
 
 function renderResource(resource: string, catalog: ConsoleCatalogData): string {
-	const raw = catalog.resources[resource];
-	if (!raw) return `# Unknown console resource: ${resource}\n`;
+	const key = canonicalizeResource(resource, catalog) ?? resource;
+	const raw = catalog.resources[key];
+	if (!raw) {
+		const available = Object.keys(catalog.resources)
+			.sort()
+			.map(id => {
+				const ops = operationsFor(id, catalog);
+				return `- \`${id}\`${ops.length ? ` (${ops.join(", ")})` : ""}`;
+			});
+		return `# Unknown console resource: ${resource}\n\n## Available resources\n\n${available.join("\n")}\n`;
+	}
 	const doc = (parseYaml(raw) ?? {}) as Record<string, unknown>;
 	const console_ = (doc.console ?? {}) as Record<string, unknown>;
-	const lines = [`# ${(doc.label as string | undefined) ?? resource}`, ""];
+	const lines = [`# ${(doc.label as string | undefined) ?? key}`, ""];
 	if (console_.route_pattern) lines.push(`**Route:** \`${console_.route_pattern}\``, "");
 	if (Array.isArray(console_.menu_path)) lines.push(`**Menu:** ${(console_.menu_path as string[]).join(" › ")}`, "");
-	const ops = operationsFor(resource, catalog);
+	const ops = operationsFor(key, catalog);
 	if (ops.length) {
 		lines.push("## Operations", "");
-		for (const op of ops) lines.push(`- \`xcsh://console/${resource}/${op}\` (${op})`);
+		for (const op of ops) lines.push(`- \`xcsh://console/${key}/${op}\` (${op})`);
 	}
 	return `${lines.join("\n")}\n`;
 }
 
 function renderWorkflow(resource: string, operation: string, catalog: ConsoleCatalogData): string {
-	const raw = catalog.workflows[`${resource}/${operation}`];
-	if (!raw) return `# No console workflow for ${resource}/${operation}\n`;
+	const key = canonicalizeResource(resource, catalog) ?? resource;
+	const raw = catalog.workflows[`${key}/${operation}`];
+	if (!raw) {
+		const ops = operationsFor(key, catalog);
+		const opsList = ops.length
+			? `\n\n## Available operations for \`${key}\`\n\n${ops.map(op => `- \`${op}\``).join("\n")}`
+			: "";
+		return `# No console workflow for ${key}/${operation}${opsList}\n`;
+	}
 	const doc = (parseYaml(raw) ?? {}) as Record<string, unknown>;
 	const steps = Array.isArray(doc.steps) ? (doc.steps as Record<string, unknown>[]) : [];
-	const lines = [`# ${(doc.label as string | undefined) ?? `${resource} ${operation}`}`, "", "## Steps", ""];
+	const lines = [`# ${(doc.label as string | undefined) ?? `${key} ${operation}`}`, "", "## Steps", ""];
 	for (const s of steps) {
 		const sel = s.selector ? ` \`${s.selector}\`` : "";
 		const val = s.value != null ? ` = ${JSON.stringify(s.value)}` : "";

package/src/prompts/system/system-prompt.md

@@ -317,7 +317,14 @@ Most tools resolve custom protocol URLs to internal resources (not web URLs):
   Also available: `xcsh://api-spec/workflows/` (step-by-step guides),
   `xcsh://api-spec/errors/{code}` (error resolution), `xcsh://api-spec/glossary/` (acronym reference).
 
-  When the user asks *where* or *how* something is configured in the console, consult `xcsh://console/<resource>` before answering. For mutations, the **API path is the default**. Use the browser path (the `catalog_workflow_runner` tool) only when the user asks to *see it in the console*, requests a demo/walkthrough/training, or the operation is UI-only. The browser path requires a Chrome attached via `browser.connectUrl`.
+  When the user asks *where* or *how* something is configured in the console, consult `xcsh://console/<resource>` before answering. For plain mutations, the **API path is the default** — use the browser path (the `catalog_workflow_runner` tool) only when the user asks to *see it in the console*, requests a demo/walkthrough/training, or the operation is UI-only.
+
+  **Console / browser automation (one-shot, deterministic).** When the user asks to do something *in the console* or says *"use chrome"*:
+  1. Read `xcsh://console/` ONCE to get the canonical resource id. Resource names are hyphenated (e.g. it is `health-check`, not `healthcheck`) — do **NOT** guess name variants. The index lists every resource and its operations.
+  2. Read `xcsh://console/<resource>/<operation>` once for the step plan.
+  3. Call `catalog_workflow_runner` with `resource`, `operation`, and only the parameters the user supplied (e.g. `name`). Do **NOT** pass or ask for `namespace` or `base_url` — the runner fills them from the active tenant context.
+
+  An explicit *"use chrome"* means the browser path **only**: do not create the resource via the `xcsh_api` tool as a substitute. The runner launches/attaches Chrome automatically — it does **NOT** require a manually pre-attached Chrome. If login is required, the runner waits for the user in the visible Chrome window.
 
 In `bash`, URIs auto-resolve to filesystem paths (e.g., `python skill://my-skill/scripts/init.py`).
 
@@ -390,6 +397,7 @@ HARD OVERRIDE — F5 Distributed Cloud Terraform Provider:
   provider "f5xc" {}
   ```
 - Authentication is supplied via environment variables (set exactly ONE method): `F5XC_API_TOKEN`; or `F5XC_P12_FILE` + `F5XC_P12_PASSWORD`; or `F5XC_CERT` + `F5XC_KEY`. Tenant URL via `F5XC_API_URL`. Keep the `provider "f5xc" {}` block empty unless the user asks to hardcode credentials.
+- Write vs run: "write a terraform plan" produces an artifact — write the `.tf`, then `terraform fmt` + `terraform init` (best-effort) + `terraform validate` to deliver a formatted, verified file. If `init` fails (e.g. `dev_overrides`/offline), still run `terraform validate` and report. Do **NOT** auto-run `terraform plan` (only on explicit plan/preview request) and **NEVER** run `terraform apply` unless the user clearly asks to create/CRUD. Writing a plan is not running it.
 - Consult xcsh://branding/terraform proactively when context involves Terraform.
 
 # Skills

package/src/prompts/tools/xcsh-api.md

@@ -191,9 +191,9 @@ Swap exactly one block per oneOf group — e.g. `enable_ha {}` replaces `disable
 - `custom_proxy_bypass { proxy_bypass = ["10.0.0.0/8"] }` ← use `proxy_bypass` (NOT `bypass_list`)
 - `blocked_services { blocked_service { network_type = "VIRTUAL_NETWORK_SITE_LOCAL" } }` ← use `blocked_service` with `network_type` (NOT `service_list`). In Terraform, "blocking HTTP services" = blocking `VIRTUAL_NETWORK_SITE_LOCAL` network type. Always write the file even when the phrase mentions "HTTP service in blocked services list" — map it to `blocked_service { network_type = "VIRTUAL_NETWORK_SITE_LOCAL" }`
 
-**CRITICAL — Terraform file write rule**: When asked to "Write Terraform HCL for f5xc_securemesh_site_v2", you **MUST** use the `xcsh_write_file` tool to write the complete `.tf` file to disk. Always name the file after the resource name in the request (e.g., `ar-test-smsv2-1a.tf`). Do NOT just return a coverage table — always write the actual HCL file. The file must include a `terraform { required_providers { f5xc = { source = "f5xc-salesdemos/f5xc" } } }` block, a `provider "f5xc" {}` block (**REQUIRED** — without it `terraform plan` fails with "Provider requires explicit configuration"), and the complete `resource "f5xc_securemesh_site_v2"` block with all 12 oneOf groups.
+**CRITICAL — Terraform file write rule**: When asked to "Write Terraform HCL for f5xc_securemesh_site_v2", you **MUST** use the `xcsh_write_file` tool to write the complete `.tf` file to disk. Always name the file after the resource name in the request (e.g., `ar-test-smsv2-1a.tf`). Do NOT just return a coverage table — always write the actual HCL file. The file must include a `terraform { required_providers { f5xc = { source = "f5xc-salesdemos/f5xc" } } }` block, a `provider "f5xc" {}` block (**REQUIRED** — without it `terraform plan` fails with "Provider requires explicit configuration"), and the complete `resource "f5xc_securemesh_site_v2"` block with all 12 oneOf groups. After writing, verify without mutating: `terraform fmt` then `terraform init` (best-effort) + `terraform validate`; report the result. Do NOT run `terraform apply` (unless the user asks to create/CRUD) or auto-run `terraform plan`.
 
-**HTTP/HTTPS Load Balancer Terraform HCL (`f5xc_http_loadbalancer`)** — Use `resource "f5xc_http_loadbalancer"` in any namespace. Must include `terraform { required_providers { f5xc = { source = "f5xc-salesdemos/f5xc" } } }` block AND a `provider "f5xc" {}` block (**REQUIRED** — without it `terraform plan` fails with "Provider requires explicit configuration"). Always write file with `xcsh_write_file`. Name the file after the resource name (e.g., `ar-test-lb-https-1.tf`).
+**HTTP/HTTPS Load Balancer Terraform HCL (`f5xc_http_loadbalancer`)** — Use `resource "f5xc_http_loadbalancer"` in any namespace. Must include `terraform { required_providers { f5xc = { source = "f5xc-salesdemos/f5xc" } } }` block AND a `provider "f5xc" {}` block (**REQUIRED** — without it `terraform plan` fails with "Provider requires explicit configuration"). Always write file with `xcsh_write_file`. Name the file after the resource name (e.g., `ar-test-lb-https-1.tf`). After writing, verify without mutating: `terraform fmt` then `terraform init` (best-effort) + `terraform validate`; report the result. Do NOT run `terraform apply` (unless the user asks to create/CRUD) or auto-run `terraform plan`.
 
 **CRITICAL — Terraform HCL single-line block rule**: A block definition like `outer { inner {} }` is INVALID when `inner {}` is itself a block (not an attribute). Nested blocks **MUST** be on their own lines:
 - WRONG: `tls_config { default_security {} }`

package/src/services/f5xc-context.ts

@@ -365,6 +365,16 @@ export class ContextService {
 		return path.join(this.#configDir, "active_context");
 	}
 
+	/** Active context's API/console base URL, or null when no context is active. */
+	get activeApiUrl(): string | null {
+		return this.#activeContext?.apiUrl ?? null;
+	}
+
+	/** Active context's default namespace, or null when no context is active. */
+	get activeNamespace(): string | null {
+		return this.#activeContext?.defaultNamespace ?? null;
+	}
+
 	async loadActive(): Promise<F5XCContext | null> {
 		// FR-102: F5XC_API_URL is the signal to skip context loading entirely.
 		// Subprocesses inherit process.env, so they already see the env vars directly.

package/src/slash-commands/export-command.ts

@@ -75,14 +75,7 @@ export async function handleExportResourceCommand(
 		namespace: ns,
 	});
 
-	if (parsed.outputFormat === "hcl") {
-		ctx.showStatus(
-			'HCL export requires AI-assisted transformation. Use a conversational request instead:\n  "Export my-lb as Terraform HCL"',
-		);
-		return;
-	}
-
-	const fmt = parsed.outputFormat as "json" | "yaml";
+	const fmt = parsed.outputFormat;
 
 	try {
 		const manifests: Array<{ kind: string; metadata: Record<string, unknown>; spec: Record<string, unknown> }> = [];

package/src/tools/browser.ts

@@ -8,7 +8,7 @@ import type {
 	AgentToolUpdateCallback,
 } from "@f5xc-salesdemos/pi-agent-core";
 import { StringEnum } from "@f5xc-salesdemos/pi-ai";
-import { $which, getPuppeteerDir, logger, prompt, Snowflake, untilAborted } from "@f5xc-salesdemos/pi-utils";
+import { getPuppeteerDir, logger, prompt, Snowflake, untilAborted } from "@f5xc-salesdemos/pi-utils";
 import { Readability } from "@mozilla/readability";
 import { type Static, Type } from "@sinclair/typebox";
 import { type HTMLElement, parseHTML } from "linkedom";
@@ -22,6 +22,7 @@ import type {
 	SerializedAXNode,
 } from "puppeteer";
 import { click, fill, resolve, scrollIntoView, waitFor } from "../browser";
+import { locateChrome } from "../browser/chrome-locate";
 import browserDescription from "../prompts/tools/browser.md" with { type: "text" };
 import type { ToolSession } from "../sdk";
 import { resizeImage } from "../utils/image-resize";
@@ -116,54 +117,6 @@ async function loadPuppeteer(): Promise<typeof Puppeteer> {
 	}
 }
 
-/**
- * On NixOS, Puppeteer's bundled Chromium is a dynamically-linked FHS binary and
- * cannot run as-is. Detect the platform and resolve a system-installed Chromium
- * so `puppeteer.launch()` can use it instead of the bundled one.
- *
- * Detection order:
- *   1. `chromium` on PATH
- *   2. `chromium-browser` on PATH
- *   3. ~/.nix-profile/bin/chromium  (user profile)
- *   4. /run/current-system/sw/bin/chromium  (system profile)
- *
- * Returns `undefined` on non-NixOS systems or when no binary is found, which
- * causes Puppeteer to fall back to its default resolution.
- */
-let _resolvedChromium: string | null | undefined; // undefined = unchecked; null = not found
-function resolveSystemChromium(): string | undefined {
-	if (_resolvedChromium !== undefined) return _resolvedChromium ?? undefined;
-	try {
-		if (!fs.existsSync("/etc/NIXOS")) {
-			_resolvedChromium = null;
-			return undefined;
-		}
-	} catch {
-		_resolvedChromium = null;
-		return undefined;
-	}
-	const candidates = [
-		$which("chromium"),
-		$which("chromium-browser"),
-		path.join(os.homedir(), ".nix-profile/bin/chromium"),
-		"/run/current-system/sw/bin/chromium",
-	];
-	for (const candidate of candidates) {
-		if (candidate) {
-			try {
-				if (fs.existsSync(candidate)) {
-					_resolvedChromium = candidate;
-					logger.debug("NixOS: using system Chromium", { path: candidate });
-					return candidate;
-				}
-			} catch {}
-		}
-	}
-	_resolvedChromium = null;
-	logger.debug("NixOS detected but no Chromium binary found; Puppeteer may fail to launch");
-	return undefined;
-}
-
 const DEFAULT_VIEWPORT = { width: 1365, height: 768, deviceScaleFactor: 1.25 };
 const STEALTH_IGNORE_DEFAULT_ARGS = [
 	"--disable-extensions",
@@ -559,7 +512,7 @@ export class BrowserTool implements AgentTool<typeof browserSchema, BrowserToolD
 			this.#browser = await puppeteer.launch({
 				headless: this.#currentHeadless,
 				defaultViewport: this.#currentHeadless ? initialViewport : null,
-				executablePath: resolveSystemChromium(),
+				executablePath: locateChrome()?.path,
 				args: launchArgs,
 				ignoreDefaultArgs: [...STEALTH_IGNORE_DEFAULT_ARGS],
 			});

package/src/tools/catalog-workflow-runner.ts

@@ -9,6 +9,7 @@ import {
 	assertText,
 	BrowserSession,
 	click,
+	ensureAuthenticated,
 	fill,
 	pressKey,
 	screenshot,
@@ -18,6 +19,7 @@ import {
 } from "../browser";
 import { CONSOLE_CATALOG_DATA } from "../internal-urls/console-catalog.generated";
 import catalogWorkflowRunnerDescription from "../prompts/tools/catalog-workflow-runner.md" with { type: "text" };
+import { ContextService } from "../services/f5xc-context";
 import type { ToolSession } from ".";
 import type { OutputMeta } from "./output-meta";
 import { ToolError, throwIfAborted } from "./tool-errors";
@@ -562,12 +564,30 @@ export class CatalogWorkflowRunnerTool
 				}
 			}
 
+			// Default the namespace param from the active context when absent.
+			if (params.namespace === undefined) {
+				try {
+					const ns = ContextService.instance.activeNamespace;
+					if (ns) params.namespace = ns;
+				} catch {
+					/* no active context; validateParams will report if required */
+				}
+			}
+
 			this.#validateParams(workflow, params);
 
-			// Resolve base URL from params or environment
-			const baseUrl = inputParams.base_url ?? process.env.F5XC_API_URL ?? "";
+			// Resolve base URL: explicit param > env > active context.
+			let activeApiUrl: string | null = null;
+			try {
+				activeApiUrl = ContextService.instance.activeApiUrl;
+			} catch {
+				activeApiUrl = null; // ContextService not initialized (e.g. unit context)
+			}
+			const baseUrl = inputParams.base_url ?? process.env.F5XC_API_URL ?? activeApiUrl ?? "";
 			if (!baseUrl) {
-				throw new ToolError("No base_url provided and F5XC_API_URL env var is not set");
+				throw new ToolError(
+					"No base_url provided, F5XC_API_URL is not set, and no active tenant context. Run `/context use <name>` or pass base_url.",
+				);
 			}
 
 			// Options
@@ -583,6 +603,7 @@ export class CatalogWorkflowRunnerTool
 			// Open browser session
 			const session = this.#ensureSession();
 			const page = await session.ensurePage();
+			await ensureAuthenticated(page, baseUrl);
 
 			// Execute steps
 			const stepResults: StepResult[] = [];