@hasna/browser 0.4.5 → 0.4.7

package/dist/server/index.js

@@ -3,7 +3,6 @@ var __create = Object.create;
 var __getProtoOf = Object.getPrototypeOf;
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 function __accessProp(key) {
   return this[key];
@@ -30,23 +29,6 @@ var __toESM = (mod, isNodeMode, target) => {
     cache.set(mod, to);
   return to;
 };
-var __toCommonJS = (from) => {
-  var entry = (__moduleCache ??= new WeakMap).get(from), desc;
-  if (entry)
-    return entry;
-  entry = __defProp({}, "__esModule", { value: true });
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (var key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(entry, key))
-        __defProp(entry, key, {
-          get: __accessProp.bind(from, key),
-          enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-        });
-  }
-  __moduleCache.set(from, entry);
-  return entry;
-};
-var __moduleCache;
 var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __returnValue = (v) => v;
 function __exportSetter(name, newValue) {
@@ -10834,6 +10816,7 @@ function watchPage(page, opts) {
   const changes = [];
   const intervalMs = opts?.intervalMs ?? 500;
   const maxChanges = opts?.maxChanges ?? 50;
+  const sessionId = opts?.sessionId;
   const interval = setInterval(async () => {
     if (changes.length >= maxChanges)
       return;
@@ -10847,7 +10830,7 @@ function watchPage(page, opts) {
       }
     } catch {}
   }, intervalMs);
-  activeWatches.set(id, { interval, changes });
+  activeWatches.set(id, { interval, changes, sessionId });
   return {
     id,
     stop: () => {
@@ -10866,10 +10849,12 @@ function stopWatch(watchId) {
     activeWatches.delete(watchId);
   }
 }
-function stopAllWatchesForSession(_sessionId) {
-  for (const [id, w] of activeWatches) {
-    clearInterval(w.interval);
-    activeWatches.delete(id);
+function stopAllWatchesForSession(sessionId) {
+  for (const [id, w] of [...activeWatches]) {
+    if (!sessionId || w.sessionId === sessionId) {
+      clearInterval(w.interval);
+      activeWatches.delete(id);
+    }
   }
 }
 async function clickRef(page, sessionId, ref, opts) {
@@ -14606,7 +14591,7 @@ var require_operation = __commonJS((exports, module) => {
 // node_modules/@img/colour/color.cjs
 var require_color = __commonJS((exports, module) => {
   var __defProp3 = Object.defineProperty;
-  var __getOwnPropDesc2 = Object.getOwnPropertyDescriptor;
+  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
   var __getOwnPropNames3 = Object.getOwnPropertyNames;
   var __hasOwnProp3 = Object.prototype.hasOwnProperty;
   var __export3 = (target, all) => {
@@ -14617,16 +14602,16 @@ var require_color = __commonJS((exports, module) => {
     if (from && typeof from === "object" || typeof from === "function") {
       for (let key of __getOwnPropNames3(from))
         if (!__hasOwnProp3.call(to, key) && key !== except)
-          __defProp3(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc2(from, key)) || desc.enumerable });
+          __defProp3(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
     }
     return to;
   };
-  var __toCommonJS2 = (mod) => __copyProps(__defProp3({}, "__esModule", { value: true }), mod);
+  var __toCommonJS = (mod) => __copyProps(__defProp3({}, "__esModule", { value: true }), mod);
   var index_exports = {};
   __export3(index_exports, {
     default: () => index_default
   });
-  module.exports = __toCommonJS2(index_exports);
+  module.exports = __toCommonJS(index_exports);
   var colors = {
     aliceblue: [240, 248, 255],
     antiquewhite: [250, 235, 215],
@@ -18232,6 +18217,207 @@ var THEMES = {
     brightWhite: "#ffffff"
   }
 };
+async function configureDomRenderer(page, options) {
+  await page.evaluate((opts) => {
+    const runtimeKey = "__takumiTuiDomRenderer";
+    const rootId = "takumi-tui-dom-root";
+    const styleId = "takumi-tui-dom-style";
+    const win = window;
+    const ensureStyle = () => {
+      let style = document.getElementById(styleId);
+      if (!style) {
+        style = document.createElement("style");
+        style.id = styleId;
+        document.head.appendChild(style);
+      }
+      style.textContent = `
+        #${rootId} {
+          position: absolute;
+          inset: 0;
+          overflow: hidden;
+          display: flex;
+          flex-direction: column;
+          white-space: pre;
+          font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", monospace;
+          line-height: 1.2;
+          background: var(--takumi-tui-bg, #1e1e1e);
+          color: var(--takumi-tui-fg, #d4d4d4);
+          z-index: 4;
+          pointer-events: none;
+          user-select: text;
+        }
+        #${rootId}[data-active="0"] {
+          display: none;
+        }
+        #${rootId} .takumi-tui-dom-row {
+          display: flex;
+          min-height: 1.2em;
+        }
+        #${rootId} .takumi-tui-dom-cell {
+          display: inline-flex;
+          align-items: center;
+          justify-content: center;
+          min-width: 0.62em;
+          height: 1.2em;
+        }
+        #${rootId} .takumi-tui-dom-cell[data-cursor="true"] {
+          outline: 1px solid currentColor;
+          outline-offset: -1px;
+        }
+        body[data-takumi-dom-render="1"] .xterm-rows,
+        body[data-takumi-dom-render="1"] .xterm-text-layer,
+        body[data-takumi-dom-render="1"] .xterm-cursor-layer,
+        body[data-takumi-dom-render="1"] .xterm-selection-layer {
+          opacity: 0 !important;
+        }
+      `;
+    };
+    const ensureRoot = () => {
+      let root = document.getElementById(rootId);
+      if (!root) {
+        root = document.createElement("div");
+        root.id = rootId;
+        root.setAttribute("role", "grid");
+        root.setAttribute("aria-label", "Terminal DOM renderer");
+        const host = document.getElementById("terminal-container") ?? document.querySelector(".xterm") ?? document.body;
+        if (getComputedStyle(host).position === "static") {
+          host.style.position = "relative";
+        }
+        host.appendChild(root);
+      }
+      root.style.setProperty("--takumi-tui-bg", opts.theme === "light" ? "#ffffff" : "#1e1e1e");
+      root.style.setProperty("--takumi-tui-fg", opts.theme === "light" ? "#1e1e1e" : "#d4d4d4");
+      root.style.fontSize = `${opts.fontSize ?? 14}px`;
+      root.dataset.active = opts.active ? "1" : "0";
+      if (opts.active)
+        root.removeAttribute("aria-hidden");
+      else
+        root.setAttribute("aria-hidden", "true");
+      document.body.dataset.takumiDomRender = opts.active ? "1" : "0";
+      return root;
+    };
+    const readCellChars = (line, col) => {
+      try {
+        const cell = typeof line?.getCell === "function" ? line.getCell(col) : null;
+        const chars = typeof cell?.getChars === "function" ? cell.getChars() : "";
+        if (chars)
+          return chars;
+      } catch {}
+      try {
+        const text = typeof line?.translateToString === "function" ? line.translateToString(false, col, col + 1) : "";
+        if (text)
+          return text;
+      } catch {}
+      return " ";
+    };
+    const buildState = (activeOnly) => {
+      const term = win.term ?? win.terminal;
+      if (!term?.buffer?.active) {
+        return {
+          text: "",
+          rows: [],
+          row_count: 0,
+          cols: null,
+          total_rows: 0,
+          buffer_length: null,
+          cursor_row: -1,
+          cursor_col: -1,
+          font_size: null,
+          theme: opts.theme
+        };
+      }
+      const buf = term.buffer.active;
+      const rows = [];
+      const root = ensureRoot();
+      const fragment = document.createDocumentFragment();
+      for (let row = 0;row < buf.length; row++) {
+        const line = buf.getLine(row);
+        if (!line)
+          continue;
+        const rowEl = document.createElement("div");
+        rowEl.className = "takumi-tui-dom-row";
+        rowEl.setAttribute("role", "row");
+        rowEl.dataset.row = String(row);
+        rowEl.setAttribute("aria-rowindex", String(row + 1));
+        let rowText = "";
+        for (let col = 0;col < term.cols; col++) {
+          const char = readCellChars(line, col) || " ";
+          rowText += char;
+          const cellEl = document.createElement("span");
+          cellEl.className = "takumi-tui-dom-cell";
+          cellEl.setAttribute("role", "gridcell");
+          cellEl.dataset.row = String(row);
+          cellEl.dataset.col = String(col);
+          cellEl.setAttribute("aria-colindex", String(col + 1));
+          cellEl.textContent = char;
+          if (buf.cursorY === row && buf.cursorX === col) {
+            cellEl.dataset.cursor = "true";
+          }
+          rowEl.appendChild(cellEl);
+        }
+        rows.push(rowText.replace(/\s+$/g, ""));
+        rowEl.setAttribute("aria-label", rows[rows.length - 1] || " ");
+        fragment.appendChild(rowEl);
+      }
+      root.replaceChildren(fragment);
+      root.setAttribute("aria-rowcount", String(rows.length));
+      root.dataset.method = "dom";
+      return {
+        text: rows.join(`
+`).trimEnd(),
+        rows,
+        row_count: rows.length,
+        cols: term.cols,
+        total_rows: term.rows,
+        buffer_length: buf.length,
+        cursor_row: buf.cursorY,
+        cursor_col: buf.cursorX,
+        font_size: term.options?.fontSize ?? null,
+        theme: term.options?.theme?.background === "#ffffff" ? "light" : "dark"
+      };
+    };
+    ensureStyle();
+    ensureRoot();
+    if (!win[runtimeKey]) {
+      win[runtimeKey] = {
+        sync: () => buildState(false),
+        activate: (active) => {
+          const root = ensureRoot();
+          root.dataset.active = active ? "1" : "0";
+          if (active)
+            root.removeAttribute("aria-hidden");
+          else
+            root.setAttribute("aria-hidden", "true");
+          document.body.dataset.takumiDomRender = active ? "1" : "0";
+        }
+      };
+      const intervalId = window.setInterval(() => {
+        try {
+          win[runtimeKey]?.sync?.();
+        } catch {}
+      }, 50);
+      win[runtimeKey].intervalId = intervalId;
+    }
+    win[runtimeKey].activate(opts.active);
+    win[runtimeKey].sync();
+  }, options);
+}
+async function destroyDomRenderer(page) {
+  await page.evaluate(() => {
+    const runtimeKey = "__takumiTuiDomRenderer";
+    const win = window;
+    if (win[runtimeKey]?.intervalId) {
+      clearInterval(win[runtimeKey].intervalId);
+    }
+    delete win[runtimeKey];
+    document.getElementById("takumi-tui-dom-root")?.remove();
+    document.getElementById("takumi-tui-dom-style")?.remove();
+    delete document.body.dataset.takumiDomRender;
+  }).catch(() => {});
+}
+function isDomMethod(method) {
+  return method === "dom";
+}
 function isTuiAvailable() {
   try {
     execSync2("which ttyd", { stdio: "ignore" });
@@ -18244,7 +18430,7 @@ async function findAvailablePort(startPort) {
   let port = startPort;
   for (let i = 0;i < 100; i++) {
     try {
-      const resp = await fetch(`http://localhost:${port}`);
+      await fetch(`http://localhost:${port}`);
       port++;
     } catch {
       return port;
@@ -18270,24 +18456,16 @@ async function launchTui(command, options = {}) {
   }
   const port = await findAvailablePort(nextPort);
   nextPort = port + 1;
-  const ttydProcess = spawn2("ttyd", ["--writable", "--port", String(port), "/bin/sh", "-c", command], {
-    stdio: "ignore",
-    detached: false
-  });
+  const ttydProcess = spawn2("ttyd", ["--writable", "--port", String(port), "/bin/sh", "-c", command], { stdio: "ignore", detached: false });
   ttydProcess.on("error", (err) => {
     console.error(`[tui] ttyd process error: ${err.message}`);
   });
   try {
     await waitForTtyd(port);
     const viewport = options.viewport ?? { width: 1280, height: 720 };
-    const browser = await launchPlaywright({
-      headless: options.headless ?? true,
-      viewport
-    });
+    const browser = await launchPlaywright({ headless: options.headless ?? true, viewport });
     const page = await getPage(browser, { viewport });
-    await page.goto(`http://localhost:${port}`, {
-      waitUntil: "domcontentloaded"
-    });
+    await page.goto(`http://localhost:${port}`, { waitUntil: "domcontentloaded" });
     await page.waitForSelector(".xterm-screen", { timeout: 1e4 });
     let resolvedTheme = "dark";
     const requestedTheme = options.theme ?? "system";
@@ -18306,16 +18484,15 @@ async function launchTui(command, options = {}) {
     const themeColors = THEMES[resolvedTheme];
     await page.evaluate((theme) => {
       const term = window.term ?? window.terminal;
-      if (term?.options) {
+      if (term?.options)
         term.options.theme = theme;
-      }
       document.body.style.backgroundColor = theme.background;
       const container = document.getElementById("terminal-container");
       if (container)
         container.style.backgroundColor = theme.background;
-      const viewport2 = document.querySelector(".xterm-viewport");
-      if (viewport2)
-        viewport2.style.backgroundColor = theme.background;
+      const vp = document.querySelector(".xterm-viewport");
+      if (vp)
+        vp.style.backgroundColor = theme.background;
     }, themeColors);
     if (options.fontSize) {
       await page.evaluate((size) => {
@@ -18324,13 +18501,31 @@ async function launchTui(command, options = {}) {
           term.options.fontSize = size;
       }, options.fontSize);
     }
-    return { ttydProcess, port, browser, page, theme: resolvedTheme };
+    const method = options.method ?? "buffer";
+    await configureDomRenderer(page, {
+      active: isDomMethod(method),
+      theme: resolvedTheme,
+      fontSize: options.fontSize
+    });
+    return {
+      ttydProcess,
+      port,
+      browser,
+      page,
+      theme: resolvedTheme,
+      method,
+      lastHealthCheck: Date.now(),
+      reconnectCount: 0
+    };
   } catch (err) {
-    ttydProcess.kill();
+    try {
+      ttydProcess.kill("SIGTERM");
+    } catch {}
     throw err;
   }
 }
 async function closeTui(session) {
+  await destroyDomRenderer(session.page);
   try {
     await session.page.close();
   } catch {}
@@ -18340,6 +18535,9 @@ async function closeTui(session) {
   try {
     session.ttydProcess.kill("SIGTERM");
   } catch {}
+  try {
+    session.ttydProcess.kill("SIGKILL");
+  } catch {}
 }
 
 // src/engines/selector.ts
@@ -18551,19 +18749,13 @@ Object.defineProperty(navigator, 'plugins', {
       { name: 'Chrome PDF Viewer', filename: 'mhjfbmdgcfjbbpaeojofohoefgiehjai', description: '', length: 1 },
       { name: 'Native Client', filename: 'internal-nacl-plugin', description: '', length: 2 },
     ];
-    // Mimic PluginArray interface
-    const pluginArray = Object.create(PluginArray.prototype);
+    // Mimic PluginArray interface \u2014 guard against removed prototypes
+    const pluginArray = {};
     plugins.forEach((p, i) => {
-      const plugin = Object.create(Plugin.prototype);
-      Object.defineProperties(plugin, {
-        name: { value: p.name, enumerable: true },
-        filename: { value: p.filename, enumerable: true },
-        description: { value: p.description, enumerable: true },
-        length: { value: p.length, enumerable: true },
-      });
+      const plugin = { ...p, item: () => null };
       pluginArray[i] = plugin;
     });
-    Object.defineProperty(pluginArray, 'length', { value: plugins.length });
+    pluginArray.length = plugins.length;
     pluginArray.item = (i) => pluginArray[i] || null;
     pluginArray.namedItem = (name) => plugins.find(p => p.name === name) ? pluginArray[plugins.findIndex(p => p.name === name)] : null;
     pluginArray.refresh = () => {};
@@ -18618,14 +18810,16 @@ if (ttlInterval.unref)
 var DB_PRUNE_INTERVAL_MS = 30 * 60000;
 var DB_RETENTION_HOURS = 24;
 var dbPruneInterval = setInterval(() => {
-  try {
-    const { getDatabase: getDatabase2 } = (init_schema(), __toCommonJS(exports_schema));
-    const db = getDatabase2();
-    const cutoff = new Date(Date.now() - DB_RETENTION_HOURS * 3600000).toISOString();
-    db.prepare("DELETE FROM network_log WHERE session_id IN (SELECT id FROM sessions WHERE status != 'active') AND timestamp < ?").run(cutoff);
-    db.prepare("DELETE FROM console_log WHERE session_id IN (SELECT id FROM sessions WHERE status != 'active') AND timestamp < ?").run(cutoff);
-    db.prepare("DELETE FROM snapshots WHERE session_id IN (SELECT id FROM sessions WHERE status != 'active') AND timestamp < ?").run(cutoff);
-  } catch {}
+  (async () => {
+    try {
+      const { getDatabase: getDatabase2 } = await Promise.resolve().then(() => (init_schema(), exports_schema));
+      const db = getDatabase2();
+      const cutoff = new Date(Date.now() - DB_RETENTION_HOURS * 3600000).toISOString();
+      db.prepare("DELETE FROM network_log WHERE session_id IN (SELECT id FROM sessions WHERE status != 'active') AND timestamp < ?").run(cutoff);
+      db.prepare("DELETE FROM console_log WHERE session_id IN (SELECT id FROM sessions WHERE status != 'active') AND timestamp < ?").run(cutoff);
+      db.prepare("DELETE FROM snapshots WHERE session_id IN (SELECT id FROM sessions WHERE status != 'active') AND timestamp < ?").run(cutoff);
+    } catch {}
+  })();
 }, DB_PRUNE_INTERVAL_MS);
 if (dbPruneInterval.unref)
   dbPruneInterval.unref();
@@ -18661,7 +18855,7 @@ async function createSession2(opts = {}) {
     try {
       cleanups2.push(setupDialogHandler(page2, session2.id));
     } catch {}
-    handles.set(session2.id, { browser: cdpBrowser, bunView: null, tuiSession: null, page: page2, engine: "cdp", cleanups: cleanups2, tokenBudget: { total: 0, used: 0 }, lastActivity: Date.now(), autoGallery: opts.autoGallery ?? false });
+    handles.set(session2.id, { browser: cdpBrowser, bunView: null, tuiSession: null, page: page2, engine: "cdp", cleanups: cleanups2, tokenBudget: { total: 0, used: 0 }, lastActivity: Date.now(), autoGallery: opts.autoGallery ?? false, startUrl: opts.startUrl ?? "" });
     return { session: session2, page: page2 };
   }
   const engine = opts.engine === "auto" || !opts.engine ? selectEngine(opts.useCase ?? "spa_navigate" /* SPA_NAVIGATE */, opts.engine) : opts.engine;
@@ -18675,13 +18869,29 @@ async function createSession2(opts = {}) {
       browser = await launchPlaywright({ headless: opts.headless ?? true, viewport: opts.viewport, userAgent: opts.userAgent });
       page = await getPage(browser, { viewport: opts.viewport, userAgent: opts.userAgent });
     } else {
-      bunView = new BunWebViewSession({
+      const testView = new BunWebViewSession({
         width: opts.viewport?.width ?? 1280,
         height: opts.viewport?.height ?? 720,
         profile: opts.name ?? undefined
       });
-      if (opts.stealth) {}
-      page = createBunProxy(bunView);
+      let bunWorks = true;
+      try {
+        await testView.goto("data:text/html,<html></html>");
+      } catch {
+        bunWorks = false;
+        try {
+          await testView.close();
+        } catch {}
+      }
+      if (!bunWorks) {
+        console.warn("[browser] Bun.WebView exists but Chrome not available \u2014 falling back to playwright");
+        browser = await launchPlaywright({ headless: opts.headless ?? true, viewport: opts.viewport, userAgent: opts.userAgent });
+        page = await getPage(browser, { viewport: opts.viewport, userAgent: opts.userAgent });
+      } else {
+        bunView = testView;
+        if (opts.stealth) {}
+        page = createBunProxy(bunView);
+      }
     }
   } else if (resolvedEngine === "lightpanda") {
     browser = await connectLightpanda();
@@ -18693,7 +18903,8 @@ async function createSession2(opts = {}) {
       headless: opts.headless ?? true,
       viewport: opts.viewport,
       theme: opts.tuiTheme ?? "system",
-      fontSize: opts.tuiFontSize
+      fontSize: opts.tuiFontSize,
+      method: opts.tuiMethod ?? "buffer"
     });
     browser = tuiSess.browser;
     page = tuiSess.page;
@@ -18719,7 +18930,7 @@ async function createSession2(opts = {}) {
     try {
       cleanups2.push(setupDialogHandler(page, session2.id));
     } catch {}
-    handles.set(session2.id, { browser, bunView: null, tuiSession: tuiSess, page, engine: "tui", cleanups: cleanups2, tokenBudget: { total: 0, used: 0 }, lastActivity: Date.now(), autoGallery: opts.autoGallery ?? false });
+    handles.set(session2.id, { browser, bunView: null, tuiSession: tuiSess, page, engine: "tui", cleanups: cleanups2, tokenBudget: { total: 0, used: 0 }, lastActivity: Date.now(), autoGallery: opts.autoGallery ?? false, startUrl: opts.startUrl ?? "bash" });
     return { session: session2, page };
   } else {
     browser = await pool.acquire(opts.headless ?? true);
@@ -18791,7 +19002,7 @@ async function createSession2(opts = {}) {
       } catch {}
     }
   }
-  handles.set(session.id, { browser, bunView, tuiSession: null, page, engine: bunView ? "bun" : resolvedEngine, cleanups, tokenBudget: { total: 0, used: 0 }, lastActivity: Date.now(), autoGallery: opts.autoGallery ?? false });
+  handles.set(session.id, { browser, bunView, tuiSession: null, page, engine: bunView ? "bun" : resolvedEngine, cleanups, tokenBudget: { total: 0, used: 0 }, lastActivity: Date.now(), autoGallery: opts.autoGallery ?? false, startUrl: opts.startUrl ?? "" });
   if (opts.startUrl) {
     try {
       if (bunView) {
@@ -18822,38 +19033,43 @@ function getSessionPage(sessionId) {
 }
 async function closeSession2(sessionId) {
   const handle = handles.get(sessionId);
-  if (handle) {
-    for (const cleanup of handle.cleanups) {
-      try {
-        cleanup();
-      } catch {}
-    }
-    if (handle.bunView) {
-      try {
-        await handle.bunView.close();
-      } catch {}
-    } else if (handle.tuiSession) {} else {
-      try {
-        await handle.page.context().close();
-      } catch {}
-      if (handle.browser)
-        pool.release(handle.browser);
+  try {
+    if (handle) {
+      for (const cleanup of handle.cleanups) {
+        try {
+          cleanup();
+        } catch {}
+      }
+      if (handle.bunView) {
+        try {
+          await handle.bunView.close();
+        } catch {}
+      } else if (handle.tuiSession) {} else {
+        try {
+          await handle.page.context().close();
+        } catch {}
+        try {
+          if (handle.browser)
+            pool.release(handle.browser);
+        } catch {}
+      }
     }
+    try {
+      const { clearLastSnapshot: clearLastSnapshot2, clearSessionRefs: clearSessionRefs2 } = await Promise.resolve().then(() => (init_snapshot(), exports_snapshot));
+      clearLastSnapshot2(sessionId);
+      clearSessionRefs2(sessionId);
+    } catch {}
+    try {
+      const { stopAllWatchesForSession: stopAllWatchesForSession2 } = await Promise.resolve().then(() => (init_actions(), exports_actions));
+      stopAllWatchesForSession2(sessionId);
+    } catch {}
+    try {
+      const { clearDialogs: clearDialogs2 } = await Promise.resolve().then(() => (init_dialogs(), exports_dialogs));
+      clearDialogs2(sessionId);
+    } catch {}
+  } finally {
     handles.delete(sessionId);
   }
-  try {
-    const { clearLastSnapshot: clearLastSnapshot2, clearSessionRefs: clearSessionRefs2 } = await Promise.resolve().then(() => (init_snapshot(), exports_snapshot));
-    clearLastSnapshot2(sessionId);
-    clearSessionRefs2(sessionId);
-  } catch {}
-  try {
-    const { stopAllWatchesForSession: stopAllWatchesForSession2 } = await Promise.resolve().then(() => (init_actions(), exports_actions));
-    stopAllWatchesForSession2(sessionId);
-  } catch {}
-  try {
-    const { clearDialogs: clearDialogs2 } = await Promise.resolve().then(() => (init_dialogs(), exports_dialogs));
-    clearDialogs2(sessionId);
-  } catch {}
   return closeSession(sessionId);
 }
 function listSessions2(filter) {
@@ -18952,6 +19168,12 @@ import { mkdirSync as mkdirSync7 } from "fs";
 // src/db/gallery.ts
 init_schema();
 import { randomUUID as randomUUID4 } from "crypto";
+function validateDataPath(filePath) {
+  if (filePath.includes("..")) {
+    throw new Error(`File path must not contain '..': ${filePath}`);
+  }
+  return filePath;
+}
 function deserialize(row) {
   return {
     id: row.id,
@@ -18976,6 +19198,9 @@ function deserialize(row) {
 function createEntry(data) {
   const db = getDatabase();
   const id = randomUUID4();
+  validateDataPath(data.path);
+  if (data.thumbnail_path)
+    validateDataPath(data.thumbnail_path);
   db.prepare(`
     INSERT INTO gallery_entries
       (id, session_id, project_id, url, title, path, thumbnail_path, format,
@@ -19591,38 +19816,74 @@ async function diffImages(path1, path2) {
 
 // src/server/index.ts
 var PORT = parseInt(process.env["BROWSER_SERVER_PORT"] ?? "7030");
+var API_KEY = process.env["BROWSER_API_KEY"] ?? null;
+var ALLOWED_ORIGIN = process.env["BROWSER_ALLOWED_ORIGIN"] ?? (API_KEY ? null : "http://localhost:3000");
 var startTime = Date.now();
-var CORS_HEADERS = {
-  "Access-Control-Allow-Origin": "*",
-  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-  "Access-Control-Allow-Headers": "Content-Type"
-};
+function corsHeaders(origin) {
+  const headers = {
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": "Content-Type, Authorization"
+  };
+  if (origin) {
+    if (!API_KEY && !origin.startsWith("http://localhost") && !origin.startsWith("http://127.0.0.1")) {
+      headers["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN ?? "http://localhost:3000";
+    } else {
+      headers["Access-Control-Allow-Origin"] = origin;
+    }
+  }
+  return headers;
+}
+function authenticate(req) {
+  if (!API_KEY)
+    return null;
+  const header = req.headers.get("Authorization") ?? "";
+  const token = header.startsWith("Bearer ") ? header.slice(7) : "";
+  if (token !== API_KEY) {
+    return new Response(JSON.stringify({ error: "Unauthorized" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return null;
+}
 var networkCleanup = new Map;
 var consoleCleanup = new Map;
 var harCaptures = new Map;
-function ok(data, status = 200) {
+async function safeJson(req) {
+  try {
+    const contentType = req.headers.get("content-type") ?? "";
+    if (!contentType.includes("application/json")) {
+      return { error: badRequest("Content-Type must be application/json") };
+    }
+    const body = await req.json();
+    return { body };
+  } catch {
+    return { error: badRequest("Invalid or missing JSON body") };
+  }
+}
+function ok(data, status = 200, extraHeaders) {
   return new Response(JSON.stringify(data), {
     status,
-    headers: { "Content-Type": "application/json", ...CORS_HEADERS }
+    headers: { "Content-Type": "application/json", ...extraHeaders ?? {} }
   });
 }
-function notFound(msg) {
+function notFound(msg, extraHeaders) {
   return new Response(JSON.stringify({ error: msg }), {
     status: 404,
-    headers: { "Content-Type": "application/json", ...CORS_HEADERS }
+    headers: { "Content-Type": "application/json", ...extraHeaders ?? {} }
   });
 }
-function badRequest(msg) {
+function badRequest(msg, extraHeaders) {
   return new Response(JSON.stringify({ error: msg }), {
     status: 400,
-    headers: { "Content-Type": "application/json", ...CORS_HEADERS }
+    headers: { "Content-Type": "application/json", ...extraHeaders ?? {} }
   });
 }
-function serverError(e) {
+function serverError(e, extraHeaders) {
   const msg = e instanceof Error ? e.message : String(e);
   return new Response(JSON.stringify({ error: msg }), {
     status: 500,
-    headers: { "Content-Type": "application/json", ...CORS_HEADERS }
+    headers: { "Content-Type": "application/json", ...extraHeaders ?? {} }
   });
 }
 var server = Bun.serve({
@@ -19631,8 +19892,15 @@ var server = Bun.serve({
     const url = new URL(req.url);
     const path = url.pathname;
     const method = req.method;
+    const origin = req.headers.get("Origin") ?? undefined;
+    const headers = corsHeaders(origin ?? null);
     if (method === "OPTIONS") {
-      return new Response(null, { status: 204, headers: CORS_HEADERS });
+      return new Response(null, { status: 204, headers });
+    }
+    if (!path.startsWith("/dashboard") && path !== "/health") {
+      const authError = authenticate(req);
+      if (authError)
+        return authError;
     }
     try {
       if (path === "/health" && method === "GET") {
@@ -19649,7 +19917,10 @@ var server = Bun.serve({
         return ok({ sessions: listSessions2(status ? { status, projectId } : { projectId }) });
       }
       if (path === "/api/sessions" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         const { session } = await createSession2({
           engine: body.engine ?? "auto",
           projectId: body.project_id,
@@ -19671,25 +19942,36 @@ var server = Bun.serve({
         return ok({ session });
       }
       if (path === "/api/navigate" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         if (!body.session_id || !body.url)
-          return badRequest("session_id and url required");
-        const page = getSessionPage(body.session_id);
-        await navigate(page, body.url);
-        return ok({ url: body.url, title: await page.title(), current_url: page.url() });
+          return badRequest("session_id and url required", headers);
+        const sessionId = body.session_id;
+        const url2 = body.url;
+        const page = getSessionPage(sessionId);
+        await navigate(page, url2);
+        return ok({ url: url2, title: await page.title(), current_url: page.url() });
       }
       if (path === "/api/extract" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         if (!body.session_id)
-          return badRequest("session_id required");
+          return badRequest("session_id required", headers);
         const page = getSessionPage(body.session_id);
         const result = await extract(page, { format: body.format, selector: body.selector });
         return ok(result);
       }
       if (path === "/api/screenshot" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         if (!body.session_id)
-          return badRequest("session_id required");
+          return badRequest("session_id required", headers);
         const page = getSessionPage(body.session_id);
         const result = await takeScreenshot(page, { selector: body.selector, fullPage: body.full_page });
         return ok(result);
@@ -19726,16 +20008,22 @@ var server = Bun.serve({
         return ok({ metrics: await getPerformanceMetrics(page) });
       }
       if (path === "/api/har/start" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         const page = getSessionPage(body.session_id);
         harCaptures.set(body.session_id, startHAR(page));
         return ok({ started: true });
       }
       if (path === "/api/har/stop" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         const capture = harCaptures.get(body.session_id);
         if (!capture)
-          return notFound("No active HAR capture");
+          return notFound("No active HAR capture", headers);
         const har = capture.stop();
         harCaptures.delete(body.session_id);
         return ok({ har });
@@ -19744,8 +20032,11 @@ var server = Bun.serve({
         return ok({ recordings: listRecordings(url.searchParams.get("project_id") ?? undefined) });
       }
       if (path.match(/^\/api\/recordings\/([^/]+)\/replay$/) && method === "POST") {
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         const id = path.split("/")[3];
-        const body = await req.json();
         const page = getSessionPage(body.session_id);
         const result = await replayRecording(id, page);
         return ok(result);
@@ -19757,9 +20048,12 @@ var server = Bun.serve({
         return ok({ deleted: id });
       }
       if (path === "/api/crawl" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         if (!body.url)
-          return badRequest("url required");
+          return badRequest("url required", headers);
         const result = await crawl(body.url, {
           maxDepth: body.max_depth ?? 2,
           maxPages: body.max_pages ?? 50,
@@ -19771,9 +20065,12 @@ var server = Bun.serve({
         return ok({ agents: listAgents(url.searchParams.get("project_id") ?? undefined) });
       }
       if (path === "/api/agents" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         if (!body.name)
-          return badRequest("name required");
+          return badRequest("name required", headers);
         const agent = registerAgent2(body.name, { description: body.description, projectId: body.project_id, sessionId: body.session_id, workingDir: body.working_dir });
         return ok({ agent }, 201);
       }
@@ -19792,9 +20089,12 @@ var server = Bun.serve({
         return ok({ projects: listProjects() });
       }
       if (path === "/api/projects" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         if (!body.name || !body.path)
-          return badRequest("name and path required");
+          return badRequest("name and path required", headers);
         const project = ensureProject(body.name, body.path, body.description);
         return ok({ project }, 201);
       }
@@ -19810,21 +20110,30 @@ var server = Bun.serve({
         return ok(getGalleryStats(url.searchParams.get("project_id") ?? undefined));
       }
       if (path === "/api/gallery/diff" && method === "POST") {
-        const body = await req.json();
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         const e1 = getEntry(body.id1);
         const e2 = getEntry(body.id2);
         if (!e1 || !e2)
-          return notFound("Gallery entry not found");
+          return notFound("Gallery entry not found", headers);
         return ok(await diffImages(e1.path, e2.path));
       }
       if (path.match(/^\/api\/gallery\/([^/]+)\/tag$/) && method === "POST") {
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         const id = path.split("/")[3];
-        const body = await req.json();
         return ok({ entry: tagEntry(id, body.tag) });
       }
       if (path.match(/^\/api\/gallery\/([^/]+)\/favorite$/) && method === "PUT") {
+        const parsed = await safeJson(req);
+        if ("error" in parsed)
+          return parsed.error;
+        const body = parsed.body;
         const id = path.split("/")[3];
-        const body = await req.json();
         return ok({ entry: favoriteEntry(id, body.favorited) });
       }
       if (path.match(/^\/api\/gallery\/([^/]+)\/thumbnail$/) && method === "GET") {
@@ -19832,14 +20141,14 @@ var server = Bun.serve({
         const entry = getEntry(id);
         if (!entry?.thumbnail_path || !existsSync9(entry.thumbnail_path))
           return notFound("Thumbnail not found");
-        return new Response(Bun.file(entry.thumbnail_path), { headers: { ...CORS_HEADERS } });
+        return new Response(Bun.file(entry.thumbnail_path), { headers: { ...headers } });
       }
       if (path.match(/^\/api\/gallery\/([^/]+)\/image$/) && method === "GET") {
         const id = path.split("/")[3];
         const entry = getEntry(id);
         if (!entry?.path || !existsSync9(entry.path))
           return notFound("Image not found");
-        return new Response(Bun.file(entry.path), { headers: { ...CORS_HEADERS } });
+        return new Response(Bun.file(entry.path), { headers: { ...headers } });
       }
       if (path.match(/^\/api\/gallery\/([^/]+)$/) && method === "DELETE") {
         const id = path.split("/")[3];
@@ -19867,7 +20176,7 @@ var server = Bun.serve({
         const file = getDownload(id);
         if (!file || !existsSync9(file.path))
           return notFound("Download not found");
-        return new Response(Bun.file(file.path), { headers: { ...CORS_HEADERS } });
+        return new Response(Bun.file(file.path), { headers: { ...headers } });
       }
       if (path.match(/^\/api\/downloads\/([^/]+)$/) && method === "DELETE") {
         const id = path.split("/")[3];
@@ -19875,15 +20184,21 @@ var server = Bun.serve({
       }
       const dashboardDist = join12(import.meta.dir, "../../dashboard/dist");
       if (existsSync9(dashboardDist)) {
-        const filePath = path === "/" ? join12(dashboardDist, "index.html") : join12(dashboardDist, path);
+        const cleanPath = path.replace(/^\//, "");
+        if (cleanPath.includes("..") || cleanPath.startsWith("/"))
+          return notFound("Not found", headers);
+        const filePath = path === "/" ? join12(dashboardDist, "index.html") : join12(dashboardDist, cleanPath);
+        const resolved = await Bun.file(filePath).arrayBuffer().then(() => join12(dashboardDist, cleanPath)) || "";
+        if (!resolved.startsWith(dashboardDist))
+          return notFound("Not found", headers);
         if (existsSync9(filePath)) {
-          return new Response(Bun.file(filePath), { headers: CORS_HEADERS });
+          return new Response(Bun.file(filePath), { headers });
         }
-        return new Response(Bun.file(join12(dashboardDist, "index.html")), { headers: CORS_HEADERS });
+        return new Response(Bun.file(join12(dashboardDist, "index.html")), { headers });
       }
       if (path === "/" || path === "") {
         return new Response("@hasna/browser REST API running. Dashboard not built.", {
-          headers: { "Content-Type": "text/plain", ...CORS_HEADERS }
+          headers: { "Content-Type": "text/plain", ...headers }
         });
       }
       return notFound(`Route not found: ${method} ${path}`);