@vellumai/assistant 0.4.23 → 0.4.26

package/src/tools/browser/browser-manager.ts

@@ -5,9 +5,20 @@ import { getLogger } from "../../util/logger.js";
 import { getDataDir } from "../../util/platform.js";
 import { authSessionCache } from "./auth-cache.js";
 import type { ExtractedCredential } from "./network-recording-types.js";
+import { checkBrowserRuntime } from "./runtime-check.js";
 
 const log = getLogger("browser-manager");
 
+/**
+ * Returns true when the host has a GUI capable of displaying a browser window.
+ * macOS and Windows always have a display; Linux requires DISPLAY or WAYLAND_DISPLAY.
+ */
+function canDisplayGui(): boolean {
+  if (process.platform === "darwin" || process.platform === "win32")
+    return true;
+  return !!(process.env.DISPLAY || process.env.WAYLAND_DISPLAY);
+}
+
 function getDownloadsDir(): string {
   const dir = join(getDataDir(), "browser-downloads");
   mkdirSync(dir, { recursive: true });
@@ -118,6 +129,11 @@ export function setLaunchFn(fn: LaunchFn | null): void {
   launchPersistentContext = fn;
 }
 
+async function getDefaultLaunchFn(): Promise<LaunchFn> {
+  const pw = await import("playwright");
+  return pw.chromium.launchPersistentContext.bind(pw.chromium);
+}
+
 function getProfileDir(): string {
   return join(getDataDir(), "browser-profile");
 }
@@ -130,180 +146,78 @@ class BrowserManager {
   private rawPages = new Map<string, unknown>();
   private cdpSessions = new Map<string, CDPSession>();
   private snapshotMaps = new Map<string, Map<string, string>>();
-  private cdpUrl: string = "http://localhost:9222";
-  private cdpBrowser: unknown = null; // Store CDP browser reference separately
-  private _browserLaunched = false; // true when browser was launched via test injection (vs connected via CDP)
   private browserCdpSession: CDPSession | null = null;
   private browserWindowId: number | null = null;
-  private cdpRequestResolvers = new Map<
-    string,
-    (response: { success: boolean; declined?: boolean }) => void
-  >();
   private interactiveModeSessions = new Set<string>();
   private handoffResolvers = new Map<string, () => void>();
-  private sessionSenders = new Map<
-    string,
-    (msg: { type: string; sessionId: string }) => void
-  >();
   private downloads = new Map<string, DownloadInfo[]>();
   private pendingDownloads = new Map<
     string,
     { resolve: (info: DownloadInfo) => void; reject: (err: Error) => void }[]
   >();
 
-  /** Whether page.route() is supported. False for connectOverCDP browsers. */
+  /** Whether page.route() is supported. Always true for launched browsers. */
   get supportsRouteInterception(): boolean {
-    // page.route() only works with launched browsers (test injection), not CDP-connected ones
-    return this._browserLaunched;
-  }
-
-  registerSender(
-    sessionId: string,
-    sendToClient: (msg: { type: string; sessionId: string }) => void,
-  ): void {
-    this.sessionSenders.set(sessionId, sendToClient);
-  }
-
-  unregisterSender(sessionId: string): void {
-    this.sessionSenders.delete(sessionId);
-  }
-
-  async detectCDP(url?: string): Promise<boolean> {
-    const target = url || this.cdpUrl;
-    try {
-      const response = await fetch(`${target}/json/version`, {
-        signal: AbortSignal.timeout(3000),
-      });
-      return response.ok;
-    } catch {
-      return false;
-    }
-  }
-
-  /**
-   * Request Chrome restart from client via IPC. Returns true if client confirmed and CDP is now available.
-   * The sendToClient callback sends the request, and resolveCDPResponse() is called when the response arrives.
-   */
-  async requestCDPFromClient(
-    sessionId: string,
-    sendToClient: (msg: { type: string; sessionId: string }) => void,
-  ): Promise<boolean> {
-    // Cancel any existing pending request for this session to avoid leaked promises
-    const existing = this.cdpRequestResolvers.get(sessionId);
-    if (existing) {
-      existing({ success: false });
-    }
-
-    return new Promise<boolean>((resolve) => {
-      const resolver = (response: { success: boolean; declined?: boolean }) => {
-        clearTimeout(timer);
-        // Only act if we're still the active resolver for this session
-        if (this.cdpRequestResolvers.get(sessionId) === resolver) {
-          this.cdpRequestResolvers.delete(sessionId);
-        }
-        resolve(response.success);
-      };
-
-      // Set a timeout in case the client never responds
-      const timer = setTimeout(() => {
-        if (this.cdpRequestResolvers.get(sessionId) === resolver) {
-          this.cdpRequestResolvers.delete(sessionId);
-        }
-        resolve(false);
-      }, 15_000);
-
-      this.cdpRequestResolvers.set(sessionId, resolver);
-      sendToClient({ type: "browser_cdp_request", sessionId });
-    });
-  }
-
-  /**
-   * Called when a browser_cdp_response message arrives from the client.
-   */
-  resolveCDPResponse(
-    sessionId: string,
-    success: boolean,
-    declined?: boolean,
-  ): void {
-    const resolver = this.cdpRequestResolvers.get(sessionId);
-    if (resolver) {
-      resolver({ success, declined });
-    }
+    return true;
   }
 
-  private async ensureContext(
-    invokingSessionId?: string,
-  ): Promise<BrowserContext> {
+  private async ensureContext(): Promise<BrowserContext> {
     if (this.context) return this.context;
     if (this.contextCreating) return this.contextCreating;
 
     this.contextCreating = (async () => {
-      // Deterministic test mode: when launch is injected via setLaunchFn,
-      // bypass ambient CDP probing/negotiation and use the injected launcher.
-      if (launchPersistentContext != null) {
-        const profileDir = getProfileDir();
-        mkdirSync(profileDir, { recursive: true });
-        await authSessionCache.load();
-        const ctx = await launchPersistentContext(profileDir, {
-          headless: false,
-        });
-        this._browserLaunched = true;
-        log.info({ profileDir }, "Browser context created (test injection)");
-        return ctx;
-      }
+      await authSessionCache.load();
 
-      // Try to detect an existing Chrome with --remote-debugging-port,
-      // or ask the client to launch Chrome with CDP enabled.
-      const sender = invokingSessionId
-        ? this.sessionSenders.get(invokingSessionId)
-        : undefined;
-      let cdpAvailable = await this.detectCDP();
-
-      if (!cdpAvailable && invokingSessionId && sender) {
-        log.info(
-          { sessionId: invokingSessionId },
-          "Requesting CDP from client",
-        );
-        const accepted = await this.requestCDPFromClient(
-          invokingSessionId,
-          sender,
-        );
-        if (accepted) {
-          cdpAvailable = await this.detectCDP();
-          if (!cdpAvailable) {
-            log.warn("Client accepted CDP request but CDP not detected");
+      // Auto-install Chromium if needed (skip when test launcher is injected)
+      if (!launchPersistentContext) {
+        const status = await checkBrowserRuntime();
+        if (status.playwrightAvailable && !status.chromiumInstalled) {
+          log.info("Chromium not installed, installing via playwright...");
+          const proc = Bun.spawn(
+            ["bunx", "playwright", "install", "chromium"],
+            {
+              stdout: "pipe",
+              stderr: "pipe",
+            },
+          );
+          const timeoutMs = 120_000;
+          let timer: ReturnType<typeof setTimeout>;
+          const exitCode = await Promise.race([
+            proc.exited.finally(() => clearTimeout(timer)),
+            new Promise<never>(
+              (_, reject) =>
+                (timer = setTimeout(() => {
+                  proc.kill();
+                  reject(
+                    new Error(
+                      `Chromium install timed out after ${timeoutMs / 1000}s`,
+                    ),
+                  );
+                }, timeoutMs)),
+            ),
+          ]);
+          if (exitCode === 0) {
+            log.info("Chromium installed successfully");
+          } else {
+            const stderr = await new Response(proc.stderr).text();
+            const msg = stderr.trim() || `exited with code ${exitCode}`;
+            throw new Error(`Failed to install Chromium: ${msg}`);
           }
-        } else {
-          log.info("Client declined CDP request");
-          throw new Error("Browser access was declined by user");
         }
       }
 
-      if (!cdpAvailable) {
-        throw new Error(
-          "Chrome with remote debugging is not available. Please launch Chrome with --remote-debugging-port=9222.",
-        );
-      }
-
-      // Initialize auth session cache alongside browser context
-      await authSessionCache.load();
-
-      try {
-        const pw = await import("playwright");
-        const browser = await pw.chromium.connectOverCDP(this.cdpUrl, {
-          timeout: 10_000,
-        });
-        this.cdpBrowser = browser;
-        this._browserLaunched = false;
-        const contexts = browser.contexts();
-        const ctx = contexts[0] || (await browser.newContext());
-        await this.initBrowserCdpSession();
-        log.info({ cdpUrl: this.cdpUrl }, "Connected to Chrome via CDP");
-        return ctx as unknown as BrowserContext;
-      } catch (err) {
-        log.warn({ err }, "CDP connectOverCDP failed");
-        throw new Error(`Failed to connect to Chrome via CDP: ${err}`);
-      }
+      const profileDir = getProfileDir();
+      mkdirSync(profileDir, { recursive: true });
+      const launch = launchPersistentContext ?? (await getDefaultLaunchFn());
+      const headless = !canDisplayGui();
+      const ctx = await launch(profileDir, { headless });
+      log.info(
+        { profileDir, headless },
+        headless
+          ? "Browser context created (headless)"
+          : "Browser context created (visible)",
+      );
+      return ctx;
     })();
 
     try {
@@ -322,8 +236,6 @@ class BrowserManager {
           this.contextCloseHandler = null;
           this.browserCdpSession = null;
           this.browserWindowId = null;
-          this.cdpBrowser = null;
-          this._browserLaunched = false;
           // Resolve any pending handoffs before clearing state
           for (const resolver of this.handoffResolvers.values()) {
             resolver();
@@ -352,7 +264,7 @@ class BrowserManager {
   }
 
   async getOrCreateSessionPage(sessionId: string): Promise<Page> {
-    const context = await this.ensureContext(sessionId);
+    const context = await this.ensureContext();
 
     const existing = this.pages.get(sessionId);
     if (existing && !existing.isClosed()) {
@@ -363,43 +275,17 @@ class BrowserManager {
     this.snapshotMaps.delete(sessionId);
     await this.stopScreencast(sessionId);
 
-    let page: Page | undefined;
-
-    // In connectOverCDP mode, Chrome often starts with a pre-opened blank tab.
-    // Only reuse blank/new-tab pages to avoid hijacking active user tabs, which
-    // could cause user-visible disruption or data loss when the session closes.
-    if (!this._browserLaunched && typeof context.pages === "function") {
-      const BLANK_TAB_URLS = new Set([
-        "about:blank",
-        "chrome://newtab/",
-        "chrome://new-tab-page/",
-      ]);
-      const claimedPages = new Set(this.pages.values());
-      const reusable = context.pages().find((p) => {
-        if (p.isClosed() || claimedPages.has(p)) return false;
-        const url = p.url();
-        return BLANK_TAB_URLS.has(url) || url === "";
-      });
-      if (reusable) {
-        page = reusable;
-        log.debug(
-          { sessionId, url: reusable.url() },
-          "Reusing blank CDP tab instead of creating a new page",
-        );
-      }
-    }
-
-    page ??= await context.newPage();
+    const page = await context.newPage();
     this.pages.set(sessionId, page);
     this.rawPages.set(sessionId, page);
 
     // Track downloads for this page
     this.setupDownloadTracking(sessionId, page);
 
-    // For launched browsers (not CDP-connected), create a page-level CDP session
-    // so we can position the browser window. Browser domain commands (setWindowBounds,
-    // getWindowForTarget) are accessible from page-level CDP sessions.
-    if (!this.browserCdpSession && this._browserLaunched) {
+    // Create a page-level CDP session for window positioning.
+    // Browser domain commands (setWindowBounds, getWindowForTarget) are accessible
+    // from page-level CDP sessions.
+    if (!this.browserCdpSession) {
       try {
         const rawPage = page as unknown as RawPlaywrightPage;
         this.browserCdpSession = await rawPage.context().newCDPSession(rawPage);
@@ -509,28 +395,6 @@ class BrowserManager {
       this.browserCdpSession = null;
       this.browserWindowId = null;
     }
-
-    // Close or disconnect CDP browser connection if present
-    if (this.cdpBrowser) {
-      const b = this.cdpBrowser as {
-        close?: () => Promise<void>;
-        disconnect?: () => Promise<void>;
-      };
-      const wasLaunched = this._browserLaunched;
-      this.cdpBrowser = null;
-      this._browserLaunched = false;
-      try {
-        if (wasLaunched) {
-          // Launched browsers must be closed to terminate the process
-          await b.close?.();
-        } else {
-          // CDP-connected browsers should be disconnected, not closed
-          await b.disconnect?.();
-        }
-      } catch (err) {
-        log.warn({ err }, "Failed to close/disconnect CDP browser");
-      }
-    }
   }
 
   async stopScreencast(sessionId: string): Promise<void> {
@@ -563,26 +427,6 @@ class BrowserManager {
     return map.get(elementId) ?? null;
   }
 
-  /**
-   * Create a browser-level CDP session and discover the window ID.
-   * Called once after browser launch/connect so positionWindowSidebar/moveWindowOnscreen can work.
-   */
-  private async initBrowserCdpSession(): Promise<void> {
-    if (!this.cdpBrowser) return;
-    try {
-      const browser = this.cdpBrowser as {
-        newBrowserCDPSession?: () => Promise<CDPSession>;
-      };
-      if (typeof browser.newBrowserCDPSession !== "function") return;
-
-      this.browserCdpSession = await browser.newBrowserCDPSession();
-      this.browserWindowId = null;
-      await this.ensureBrowserWindowId();
-    } catch (err) {
-      log.warn({ err }, "Failed to init browser CDP session");
-    }
-  }
-
   private async ensureBrowserWindowId(): Promise<number | null> {
     if (!this.browserCdpSession) return null;
     if (this.browserWindowId != null) return this.browserWindowId;

package/src/tools/browser/browser-screencast.ts

@@ -16,10 +16,6 @@ export function registerSessionSender(
   sendToClient: (msg: ServerMessage) => void,
 ): void {
   sessionSenders.set(sessionId, sendToClient);
-  browserManager.registerSender(
-    sessionId,
-    sendToClient as (msg: { type: string; sessionId: string }) => void,
-  );
 }
 
 /**
@@ -27,7 +23,6 @@ export function registerSessionSender(
  */
 export function unregisterSessionSender(sessionId: string): void {
   sessionSenders.delete(sessionId);
-  browserManager.unregisterSender(sessionId);
 }
 
 function getSender(

package/src/tools/network/script-proxy/certs.ts

@@ -1,237 +1,7 @@
-import { X509Certificate } from 'node:crypto';
-import { chmod,mkdir, readFile, stat, writeFile } from 'node:fs/promises';
-import { join } from 'node:path';
-
-const CA_CERT_FILENAME = 'ca.pem';
-const CA_KEY_FILENAME = 'ca-key.pem';
-const COMBINED_CA_FILENAME = 'combined-ca-bundle.pem';
-const ISSUED_DIR = 'issued';
-
-/** Well-known system CA bundle paths by platform. */
-const SYSTEM_CA_PATHS = [
-  '/etc/ssl/cert.pem',                       // macOS
-  '/etc/ssl/certs/ca-certificates.crt',      // Debian/Ubuntu
-  '/etc/pki/tls/certs/ca-bundle.crt',        // RHEL/CentOS/Fedora
-  '/etc/ssl/ca-bundle.pem',                  // openSUSE
-];
-
-// Only allow valid hostname characters: alphanumeric, hyphens, dots, and wildcards
-const HOSTNAME_RE = /^[a-zA-Z0-9.*-]+$/;
-
-/**
- * Ensure a self-signed CA cert+key exists in `{dataDir}/proxy-ca/`.
- * Idempotent: skips generation if both files already exist.
- */
-export async function ensureLocalCA(dataDir: string): Promise<void> {
-  const caDir = join(dataDir, 'proxy-ca');
-  const certPath = join(caDir, CA_CERT_FILENAME);
-  const keyPath = join(caDir, CA_KEY_FILENAME);
-
-  // Check if both files already exist
-  const [certExists, keyExists] = await Promise.all([
-    stat(certPath).then(() => true, () => false),
-    stat(keyPath).then(() => true, () => false),
-  ]);
-
-  if (certExists && keyExists) return;
-
-  await mkdir(caDir, { recursive: true });
-
-  // Generate CA key
-  const keyProc = Bun.spawn([
-    'openssl', 'genrsa', '-out', keyPath, '2048',
-  ], { stdout: 'pipe', stderr: 'pipe' });
-  const keyExit = await keyProc.exited;
-  if (keyExit !== 0) {
-    const stderr = await new Response(keyProc.stderr).text();
-    throw new Error(`Failed to generate CA key: ${stderr}`);
-  }
-
-  // Generate self-signed CA cert (valid 10 years)
-  const certProc = Bun.spawn([
-    'openssl', 'req', '-new', '-x509',
-    '-key', keyPath,
-    '-out', certPath,
-    '-days', '3650',
-    '-subj', '/CN=Vellum Local Proxy CA',
-    '-addext', 'basicConstraints=critical,CA:TRUE',
-    '-addext', 'keyUsage=critical,keyCertSign,cRLSign',
-  ], { stdout: 'pipe', stderr: 'pipe' });
-  const certExit = await certProc.exited;
-  if (certExit !== 0) {
-    const stderr = await new Response(certProc.stderr).text();
-    throw new Error(`Failed to generate CA cert: ${stderr}`);
-  }
-
-  // Set strict permissions
-  await Promise.all([
-    chmod(keyPath, 0o600),
-    chmod(certPath, 0o644),
-  ]);
-}
-
-/**
- * Issue a leaf certificate signed by the local CA for the given hostname.
- * Caches issued certs in `{caDir}/issued/{hostname}.pem`.
- * Returns PEM strings for the cert and key.
- */
-export async function issueLeafCert(
-  caDir: string,
-  hostname: string,
-): Promise<{ cert: string; key: string }> {
-  if (!HOSTNAME_RE.test(hostname)) {
-    throw new Error(`Invalid hostname: ${hostname}`);
-  }
-
-  const issuedDir = join(caDir, ISSUED_DIR);
-  const leafCertPath = join(issuedDir, `${hostname}.pem`);
-  const leafKeyPath = join(issuedDir, `${hostname}-key.pem`);
-
-  // Return cached cert if it exists and is signed by the current CA
-  const [certExists, keyExists] = await Promise.all([
-    stat(leafCertPath).then(() => true, () => false),
-    stat(leafKeyPath).then(() => true, () => false),
-  ]);
-
-  if (certExists && keyExists) {
-    const [cert, key, caCert] = await Promise.all([
-      readFile(leafCertPath, 'utf-8'),
-      readFile(leafKeyPath, 'utf-8'),
-      readFile(join(caDir, CA_CERT_FILENAME), 'utf-8'),
-    ]);
-
-    // Verify cached cert was signed by the current CA, not a previous one
-    try {
-      const leaf = new X509Certificate(cert);
-      const ca = new X509Certificate(caCert);
-      if (leaf.checkIssued(ca)) {
-        return { cert, key };
-      }
-    } catch {
-      // Cert parsing failed — fall through to re-issue
-    }
-  }
-
-  await mkdir(issuedDir, { recursive: true });
-
-  const caCertPath = join(caDir, CA_CERT_FILENAME);
-  const caKeyPath = join(caDir, CA_KEY_FILENAME);
-
-  // Generate leaf key
-  const keyProc = Bun.spawn([
-    'openssl', 'genrsa', '-out', leafKeyPath, '2048',
-  ], { stdout: 'pipe', stderr: 'pipe' });
-  const keyExit = await keyProc.exited;
-  if (keyExit !== 0) {
-    const stderr = await new Response(keyProc.stderr).text();
-    throw new Error(`Failed to generate leaf key for ${hostname}: ${stderr}`);
-  }
-
-  // Generate CSR
-  const csrPath = join(issuedDir, `${hostname}.csr`);
-  const csrProc = Bun.spawn([
-    'openssl', 'req', '-new',
-    '-key', leafKeyPath,
-    '-out', csrPath,
-    '-subj', `/CN=${hostname}`,
-  ], { stdout: 'pipe', stderr: 'pipe' });
-  const csrExit = await csrProc.exited;
-  if (csrExit !== 0) {
-    const stderr = await new Response(csrProc.stderr).text();
-    throw new Error(`Failed to generate CSR for ${hostname}: ${stderr}`);
-  }
-
-  // Write SAN extension config to a temp file
-  const extPath = join(issuedDir, `${hostname}-ext.cnf`);
-  await writeFile(extPath, `subjectAltName=DNS:${hostname}\n`);
-
-  // Sign with CA (valid 1 year)
-  const signProc = Bun.spawn([
-    'openssl', 'x509', '-req',
-    '-in', csrPath,
-    '-CA', caCertPath,
-    '-CAkey', caKeyPath,
-    '-CAcreateserial',
-    '-out', leafCertPath,
-    '-days', '365',
-    '-extfile', extPath,
-  ], { stdout: 'pipe', stderr: 'pipe' });
-  const signExit = await signProc.exited;
-  if (signExit !== 0) {
-    const stderr = await new Response(signProc.stderr).text();
-    throw new Error(`Failed to sign leaf cert for ${hostname}: ${stderr}`);
-  }
-
-  const [cert, key] = await Promise.all([
-    readFile(leafCertPath, 'utf-8'),
-    readFile(leafKeyPath, 'utf-8'),
-  ]);
-  return { cert, key };
-}
-
-/**
- * Create a combined CA bundle that includes both system root CAs and the
- * proxy CA cert. This is needed for non-Node clients (curl, Python, Go)
- * that don't honor NODE_EXTRA_CA_CERTS — they use SSL_CERT_FILE instead,
- * which replaces (rather than supplements) the default CA bundle.
- *
- * Idempotent: skips regeneration if the combined bundle is newer than
- * both the system bundle and the proxy CA cert.
- */
-export async function ensureCombinedCABundle(dataDir: string): Promise<string | null> {
-  const caDir = join(dataDir, 'proxy-ca');
-  const caCertPath = join(caDir, CA_CERT_FILENAME);
-  const combinedPath = join(caDir, COMBINED_CA_FILENAME);
-
-  // Find the system CA bundle
-  let systemBundlePath: string | null = null;
-  for (const p of SYSTEM_CA_PATHS) {
-    try {
-      await stat(p);
-      systemBundlePath = p;
-      break;
-    } catch {
-      // not found, try next
-    }
-  }
-  if (!systemBundlePath) return null;
-
-  // Check if combined bundle already exists and is newer than both sources
-  try {
-    const [combinedSt, caSt, systemSt] = await Promise.all([
-      stat(combinedPath),
-      stat(caCertPath),
-      stat(systemBundlePath),
-    ]);
-    if (combinedSt.mtimeMs > caSt.mtimeMs && combinedSt.mtimeMs > systemSt.mtimeMs) {
-      return combinedPath;
-    }
-  } catch {
-    // One or more files missing — fall through to create
-  }
-
-  try {
-    const [systemCAs, proxyCACert] = await Promise.all([
-      readFile(systemBundlePath, 'utf-8'),
-      readFile(caCertPath, 'utf-8'),
-    ]);
-    await writeFile(combinedPath, systemCAs + '\n' + proxyCACert);
-    return combinedPath;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Return the path to the combined CA bundle for use as SSL_CERT_FILE.
- */
-export function getCombinedCAPath(dataDir: string): string {
-  return join(dataDir, 'proxy-ca', COMBINED_CA_FILENAME);
-}
-
-/**
- * Return the path to the local CA cert for use as NODE_EXTRA_CA_CERTS.
- */
-export function getCAPath(dataDir: string): string {
-  return join(dataDir, 'proxy-ca', CA_CERT_FILENAME);
-}
+export {
+  ensureCombinedCABundle,
+  ensureLocalCA,
+  getCAPath,
+  getCombinedCAPath,
+  issueLeafCert,
+} from "@vellumai/proxy-sidecar";