browser-use 0.6.0 → 0.7.0

package/dist/filesystem/file-system.js

@@ -6,6 +6,33 @@ import PDFDocument from 'pdfkit';
 import { createRequire } from 'node:module';
 import { spawnSync } from 'node:child_process';
 const require = createRequire(import.meta.url);
+const chmodPrivatePath = (targetPath, mode) => {
+    if (process.platform !== 'win32') {
+        fsSync.chmodSync(targetPath, mode);
+    }
+};
+const writePrivateTextFile = (filePath, content) => {
+    fsSync.writeFileSync(filePath, content, {
+        encoding: 'utf-8',
+        mode: 0o600,
+    });
+    chmodPrivatePath(filePath, 0o600);
+};
+const writePrivateBufferFile = (filePath, content) => {
+    fsSync.writeFileSync(filePath, content, { mode: 0o600 });
+    chmodPrivatePath(filePath, 0o600);
+};
+const writePrivateTextFileAsync = async (filePath, content) => {
+    await fsp.writeFile(filePath, content, {
+        encoding: 'utf-8',
+        mode: 0o600,
+    });
+    chmodPrivatePath(filePath, 0o600);
+};
+const writePrivateBufferFileAsync = async (filePath, content) => {
+    await fsp.writeFile(filePath, content, { mode: 0o600 });
+    chmodPrivatePath(filePath, 0o600);
+};
 export async function extractPdfText(buffer) {
     const pdfParseModule = (await import('pdf-parse'));
     if (typeof pdfParseModule.default === 'function') {
@@ -256,10 +283,10 @@ class BaseFile {
         return this.content;
     }
     async syncToDisk(dir) {
-        await fsp.writeFile(path.join(dir, this.fullName), this.content, 'utf-8');
+        await writePrivateTextFileAsync(path.join(dir, this.fullName), this.content);
     }
     syncToDiskSync(dir) {
-        fsSync.writeFileSync(path.join(dir, this.fullName), this.content, 'utf-8');
+        writePrivateTextFile(path.join(dir, this.fullName), this.content);
     }
     async write(content, dir) {
         this.writeFileContent(content);
@@ -314,13 +341,14 @@ class PdfFile extends BaseFile {
         const filePath = path.join(dir, this.fullName);
         await new Promise((resolve, reject) => {
             const doc = new PDFDocument({ autoFirstPage: true });
-            const stream = fsSync.createWriteStream(filePath);
+            const stream = fsSync.createWriteStream(filePath, { mode: 0o600 });
             doc.pipe(stream);
             doc.fontSize(12).text(this.content || '', { width: 500, align: 'left' });
             doc.end();
             stream.on('finish', resolve);
             stream.on('error', reject);
         });
+        chmodPrivatePath(filePath, 0o600);
     }
     syncToDiskSync(dir) {
         const filePath = path.join(dir, this.fullName);
@@ -330,7 +358,7 @@ const PDFDocument = require(${JSON.stringify(require.resolve('pdfkit'))});
 const filePath = ${JSON.stringify(filePath)};
 const content = ${JSON.stringify(this.content ?? '')};
 const doc = new PDFDocument({ autoFirstPage: true });
-const stream = createWriteStream(filePath);
+const stream = createWriteStream(filePath, { mode: 0o600 });
 doc.pipe(stream);
 doc.fontSize(12).text(content || '', { width: 500, align: 'left' });
 doc.end();
@@ -348,6 +376,7 @@ stream.on('error', (err) => {
                 `Could not write to file '${this.fullName}'.`;
             throw new FileSystemError(`Error: ${errorMsg.trim()}`);
         }
+        chmodPrivatePath(filePath, 0o600);
     }
 }
 class DocxFile extends BaseFile {
@@ -357,12 +386,12 @@ class DocxFile extends BaseFile {
     async syncToDisk(dir) {
         const filePath = path.join(dir, this.fullName);
         const docxBuffer = buildDocxBuffer(this.content || '');
-        await fsp.writeFile(filePath, docxBuffer);
+        await writePrivateBufferFileAsync(filePath, docxBuffer);
     }
     syncToDiskSync(dir) {
         const filePath = path.join(dir, this.fullName);
         const docxBuffer = buildDocxBuffer(this.content || '');
-        fsSync.writeFileSync(filePath, docxBuffer);
+        writePrivateBufferFile(filePath, docxBuffer);
     }
 }
 class HtmlFile extends BaseFile {
@@ -410,7 +439,8 @@ export class FileSystem {
         if (fsSync.existsSync(this.dataDir)) {
             fsSync.rmSync(this.dataDir, { recursive: true, force: true });
         }
-        fsSync.mkdirSync(this.dataDir, { recursive: true });
+        fsSync.mkdirSync(this.dataDir, { recursive: true, mode: 0o700 });
+        chmodPrivatePath(this.dataDir, 0o700);
         if (createDefaultFiles) {
             this.createDefaultFiles();
         }
@@ -419,7 +449,7 @@ export class FileSystem {
         for (const filename of this.defaultFiles) {
             const file = this.instantiateFile(filename);
             this.files.set(filename, file);
-            fsSync.writeFileSync(path.join(this.dataDir, filename), file.read(), 'utf-8');
+            writePrivateTextFile(path.join(this.dataDir, filename), file.read());
         }
     }
     isValidFilename(filename) {

package/dist/integrations/gmail/service.js

@@ -9,6 +9,32 @@ import { google } from 'googleapis';
 import { createLogger } from '../../logging-config.js';
 import { CONFIG } from '../../config.js';
 const logger = createLogger('browser_use.gmail');
+const chmodPrivatePath = (targetPath, mode) => {
+    if (process.platform === 'win32') {
+        return;
+    }
+    try {
+        fs.chmodSync(targetPath, mode);
+    }
+    catch {
+        /* best effort */
+    }
+};
+const ensurePrivateDirectory = (dirPath) => {
+    fs.mkdirSync(dirPath, { recursive: true, mode: 0o700 });
+    chmodPrivatePath(dirPath, 0o700);
+};
+const readPrivateJsonFile = (filePath) => {
+    chmodPrivatePath(filePath, 0o600);
+    return JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+};
+const writePrivateJsonFile = (filePath, value) => {
+    fs.writeFileSync(filePath, JSON.stringify(value), {
+        encoding: 'utf-8',
+        mode: 0o600,
+    });
+    chmodPrivatePath(filePath, 0o600);
+};
 export class GmailService {
     static SCOPES = [
         'https://www.googleapis.com/auth/gmail.readonly',
@@ -27,9 +53,7 @@ export class GmailService {
         this.accessToken = options.access_token || null;
         // Ensure config directory exists (only if not using direct token)
         if (!this.accessToken) {
-            if (!fs.existsSync(this.configDir)) {
-                fs.mkdirSync(this.configDir, { recursive: true });
-            }
+            ensurePrivateDirectory(this.configDir);
         }
         // Set up credential paths
         this.credentialsFile =
@@ -63,7 +87,7 @@ export class GmailService {
             // Original file-based authentication flow
             // Try to load existing tokens
             if (fs.existsSync(this.tokenFile)) {
-                const tokenData = JSON.parse(fs.readFileSync(this.tokenFile, 'utf-8'));
+                const tokenData = readPrivateJsonFile(this.tokenFile);
                 const auth = new google.auth.OAuth2();
                 auth.setCredentials(tokenData);
                 this.creds = auth;
@@ -90,7 +114,7 @@ export class GmailService {
                             `4. Save as 'gmail_credentials.json' in ${this.configDir}/`);
                         return false;
                     }
-                    const credentials = JSON.parse(fs.readFileSync(this.credentialsFile, 'utf-8'));
+                    const credentials = readPrivateJsonFile(this.credentialsFile);
                     const { client_secret, client_id, redirect_uris } = credentials.installed || credentials.web;
                     const oAuth2Client = new google.auth.OAuth2(client_id, client_secret, redirect_uris[0]);
                     const authUrl = oAuth2Client.generateAuthUrl({
@@ -108,7 +132,7 @@ export class GmailService {
                         '4. Implement token exchange logic');
                 }
                 // Save tokens for next time
-                fs.writeFileSync(this.tokenFile, JSON.stringify(this.creds.credentials));
+                writePrivateJsonFile(this.tokenFile, this.creds.credentials);
                 logger.info(`💾 Tokens saved to ${this.tokenFile}`);
             }
             // Build Gmail service

package/dist/llm/browser-use/chat.js

@@ -43,13 +43,13 @@ export class ChatBrowserUse {
     fast;
     fetchImplementation;
     constructor(options = {}) {
-        const { model = 'bu-latest', apiKey = process.env.BROWSER_USE_API_KEY, baseUrl = process.env.BROWSER_USE_LLM_URL ??
+        const { model = 'bu-2-0', apiKey = process.env.BROWSER_USE_API_KEY, baseUrl = process.env.BROWSER_USE_LLM_URL ??
             'https://llm.api.browser-use.com', timeout = 120, maxRetries = 5, retryBaseDelay = 1.0, retryMaxDelay = 60.0, fast = false, fetchImplementation = fetch, } = options;
         const isValidModel = VALID_MODELS.has(model) || model.startsWith('browser-use/');
         if (!isValidModel) {
             throw new Error(`Invalid model: '${model}'. Must be one of bu-latest, bu-1-0, bu-2-0 or start with 'browser-use/'`);
         }
-        this.model = model === 'bu-latest' ? 'bu-1-0' : model;
+        this.model = model === 'bu-latest' ? 'bu-2-0' : model;
         if (!apiKey) {
             throw new Error('You need to set the BROWSER_USE_API_KEY environment variable. Get your key at https://cloud.browser-use.com/new-api-key');
         }

package/dist/llm/codex/auth.d.ts

@@ -0,0 +1,118 @@
+export declare const CODEX_PROVIDER = "openai-codex";
+export declare const DEFAULT_CODEX_BASE_URL = "https://chatgpt.com/backend-api/codex";
+export declare const CODEX_OAUTH_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+export declare const CODEX_OAUTH_TOKEN_URL = "https://auth.openai.com/oauth/token";
+export declare const CODEX_DEVICE_AUTH_BASE_URL = "https://auth.openai.com";
+export declare const CODEX_ACCESS_TOKEN_REFRESH_SKEW_SECONDS = 120;
+export interface CodexTokens {
+    access_token: string;
+    refresh_token: string;
+    [key: string]: unknown;
+}
+export interface CodexTokenRecord {
+    tokens: CodexTokens;
+    last_refresh: string | null;
+    auth_mode: string | null;
+    source: string | null;
+}
+export interface CodexRuntimeCredentials {
+    provider: typeof CODEX_PROVIDER;
+    base_url: string;
+    api_key: string;
+    source: string;
+    last_refresh: string | null;
+    auth_mode: 'chatgpt';
+}
+export interface CodexAuthStatus {
+    authenticated: boolean;
+    auth_store_path: string;
+    provider: typeof CODEX_PROVIDER;
+    base_url: string;
+    source: string | null;
+    last_refresh: string | null;
+    access_token_expiring: boolean | null;
+    error?: {
+        code: string;
+        message: string;
+        relogin_required: boolean;
+    };
+}
+export declare class CodexAuthError extends Error {
+    provider: string;
+    code: string;
+    relogin_required: boolean;
+    constructor(message: string, code?: string, reloginRequired?: boolean);
+}
+interface AuthPathOptions {
+    configDir?: string | null;
+    authStorePath?: string | null;
+}
+interface FetchOptions {
+    fetchImplementation?: typeof fetch;
+    timeoutMs?: number;
+}
+export interface RefreshCodexOAuthOptions extends FetchOptions {
+    tokenUrl?: string;
+    clientId?: string;
+}
+export interface ResolveCodexRuntimeCredentialsOptions extends RefreshCodexOAuthOptions, AuthPathOptions {
+    forceRefresh?: boolean;
+    refreshIfExpiring?: boolean;
+    refreshSkewSeconds?: number;
+    lockTimeoutMs?: number;
+    baseURL?: string | null;
+}
+export interface DeviceCodeLoginOptions extends FetchOptions {
+    issuer?: string;
+    clientId?: string;
+    stdout?: Pick<NodeJS.WriteStream, 'write'>;
+    sleep?: (ms: number) => Promise<void>;
+    maxWaitMs?: number;
+    now?: () => number;
+}
+export declare const getCodexAuthStorePath: (options?: AuthPathOptions) => string;
+export declare const readCodexTokens: (options?: AuthPathOptions) => Promise<CodexTokenRecord>;
+export declare const saveCodexTokens: (tokens: CodexTokens, options?: AuthPathOptions & {
+    lastRefresh?: string | null;
+    source?: string | null;
+    lockTimeoutMs?: number;
+}) => Promise<void>;
+export declare const clearCodexTokens: (options?: AuthPathOptions & {
+    lockTimeoutMs?: number;
+}) => Promise<void>;
+export declare const codexAccessTokenIsExpiring: (accessToken: string, skewSeconds?: number, nowMs?: number) => boolean;
+export declare const getCodexCloudflareHeaders: (accessToken: string) => Record<string, string>;
+export declare const importCodexCliTokens: (options?: {
+    codexHome?: string | null;
+    authPath?: string | null;
+    nowMs?: number;
+}) => Promise<CodexTokens | null>;
+export declare const refreshCodexOAuth: (accessToken: string, refreshToken: string, options?: RefreshCodexOAuthOptions) => Promise<CodexTokens & {
+    last_refresh: string;
+}>;
+export declare const resolveCodexRuntimeCredentials: (options?: ResolveCodexRuntimeCredentialsOptions) => Promise<CodexRuntimeCredentials>;
+export declare const getCodexAuthStatus: (options?: AuthPathOptions & {
+    baseURL?: string | null;
+}) => Promise<CodexAuthStatus>;
+export declare const saveImportedCodexCliTokens: (options?: AuthPathOptions & {
+    codexHome?: string | null;
+    codexAuthPath?: string | null;
+    lockTimeoutMs?: number;
+}) => Promise<boolean>;
+export declare const loginCodexDeviceCode: (options?: DeviceCodeLoginOptions) => Promise<{
+    tokens: CodexTokens;
+    base_url: string;
+    last_refresh: string;
+    auth_mode: "chatgpt";
+    source: "device-code";
+}>;
+export declare const loginAndSaveCodexDeviceCode: (options?: DeviceCodeLoginOptions & AuthPathOptions & {
+    lockTimeoutMs?: number;
+}) => Promise<{
+    tokens: CodexTokens;
+    base_url: string;
+    last_refresh: string;
+    auth_mode: "chatgpt";
+    source: "device-code";
+}>;
+export {};