bunite-core 0.12.0 → 0.14.0

package/src/native/win/native_host_ffi.cpp

@@ -2,14 +2,94 @@
 
 #include "include/cef_version.h"
 #include "include/cef_version_info.h"
+#include "include/cef_parser.h"
+#include "include/cef_values.h"
+
+// CDP path — input dispatch (mouse wheel) and screenshot use CefBrowserHost::
+// ExecuteDevToolsMethod. Replies arrive on the CefDevToolsMessageObserver.
+// scroll: SendMouseWheelEvent doesn't reach the page in windowed CEF
+//   (verified empirically on Win 11 / CEF 119+).
+// screenshot: PrintWindow PW_RENDERFULLCONTENT misses hardware-composited
+//   surfaces (returns all-black). Page.captureScreenshot is compositor-aware.
+#include <atomic>
+#include <functional>
+#include <mutex>
+#include <unordered_map>
+
 
 using bunite_win::runOnUiThreadSync;
 using bunite_win::runOnCefUiThreadSync;
 
-static constexpr int32_t BUNITE_ABI_VERSION = 5;
+static constexpr int32_t BUNITE_ABI_VERSION = 9;
 
 namespace {
 
+// CDP message routing: ExecuteDevToolsMethod returns a message_id; the
+// singleton observer routes OnDevToolsMethodResult back to a stashed callback.
+std::mutex g_cdp_cb_mutex;
+std::unordered_map<int, std::function<void(bool, std::string)>> g_cdp_callbacks;
+
+class BuniteDevToolsObserver : public CefDevToolsMessageObserver {
+public:
+  void OnDevToolsMethodResult(CefRefPtr<CefBrowser>, int message_id, bool success,
+                              const void* result, size_t result_size) override {
+    std::function<void(bool, std::string)> cb;
+    {
+      std::lock_guard<std::mutex> lk(g_cdp_cb_mutex);
+      auto it = g_cdp_callbacks.find(message_id);
+      if (it == g_cdp_callbacks.end()) return;
+      cb = std::move(it->second);
+      g_cdp_callbacks.erase(it);
+    }
+    std::string r;
+    if (result && result_size) r.assign(static_cast<const char*>(result), result_size);
+    cb(success, std::move(r));
+  }
+  void OnDevToolsAgentDetached(CefRefPtr<CefBrowser>) override {
+    // Pending method results are dropped by CEF on detach (browser crash,
+    // process restart). Fire all callbacks with a failure result to prevent
+    // hung promises in the TS layer.
+    std::unordered_map<int, std::function<void(bool, std::string)>> orphans;
+    {
+      std::lock_guard<std::mutex> lk(g_cdp_cb_mutex);
+      orphans.swap(g_cdp_callbacks);
+    }
+    for (auto& kv : orphans) kv.second(false, "{\"error\":\"devtools_agent_detached\"}");
+  }
+  IMPLEMENT_REFCOUNTING(BuniteDevToolsObserver);
+};
+
+CefRefPtr<CefDevToolsMessageObserver> getDevToolsObserver() {
+  static CefRefPtr<CefDevToolsMessageObserver> obs = new BuniteDevToolsObserver();
+  return obs;
+}
+
+void cefCdpCall(ViewHost* v, const std::string& method, const std::string& params_json,
+                std::function<void(bool, std::string)> cb = nullptr) {
+  if (!v || !v->browser) {
+    if (cb) cb(false, "{}");
+    return;
+  }
+  CefRefPtr<CefDictionaryValue> params;
+  if (!params_json.empty()) {
+    CefRefPtr<CefValue> val = CefParseJSON(params_json, JSON_PARSER_RFC);
+    if (val && val->GetType() == VTYPE_DICTIONARY) params = val->GetDictionary();
+  }
+  if (!params) params = CefDictionaryValue::Create();
+  // Register the callback under the *assigned* message id (ExecuteDevToolsMethod
+  // returns it). We supply 0 to let CEF assign so our counter can't collide
+  // with CEF's internal counter.
+  const int assigned_id = v->browser->GetHost()->ExecuteDevToolsMethod(0, method, params);
+  if (assigned_id == 0) {
+    if (cb) cb(false, "{\"error\":\"ExecuteDevToolsMethod failed\"}");
+    return;
+  }
+  if (cb) {
+    std::lock_guard<std::mutex> lk(g_cdp_cb_mutex);
+    g_cdp_callbacks[assigned_id] = std::move(cb);
+  }
+}
+
 std::string wideToUtf8(const std::wstring& value) {
   if (value.empty()) return {};
   const int bytes = WideCharToMultiByte(
@@ -48,6 +128,24 @@ std::string resolveProcessHelperPath() {
 
 } // namespace
 
+namespace bunite_win {
+void registerCdpObserverForView(ViewHost* view) {
+  if (!view || !view->browser) return;
+  view->devtools_registration =
+      view->browser->GetHost()->AddDevToolsMessageObserver(getDevToolsObserver());
+}
+
+void respondToDialogRequest(ViewHost* view, uint32_t request_id,
+                            bool accept, const std::string& text) {
+  if (!view) return;
+  auto it = view->pending_dialogs.find(request_id);
+  if (it == view->pending_dialogs.end()) return;
+  CefRefPtr<CefJSDialogCallback> cb = std::move(it->second);
+  view->pending_dialogs.erase(it);
+  if (cb) cb->Continue(accept, text);
+}
+}  // namespace bunite_win
+
 extern "C" BUNITE_EXPORT int32_t bunite_abi_version(void) {
   return BUNITE_ABI_VERSION;
 }
@@ -79,12 +177,25 @@ extern "C" BUNITE_EXPORT void bunite_set_log_level(int32_t level) {
   buniteSetLogLevel(static_cast<BuniteLogLevel>(level));
 }
 
+// See webview2_runtime.cpp `reapChildrenOnExit`. Same rationale for process_helper.
+static void reapChildrenOnExit() {
+  HANDLE job = CreateJobObjectW(nullptr, nullptr);
+  if (!job) return;
+  JOBOBJECT_EXTENDED_LIMIT_INFORMATION info{};
+  info.BasicLimitInformation.LimitFlags = JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
+  if (!SetInformationJobObject(job, JobObjectExtendedLimitInformation, &info, sizeof(info)) ||
+      !AssignProcessToJobObject(job, GetCurrentProcess())) {
+    CloseHandle(job);
+  }
+}
+
 extern "C" BUNITE_EXPORT bool bunite_init(
   const char* cef_dir,
   bool hide_console,
   bool popup_blocking,
   const char* engine_config_json
 ) {
+  reapChildrenOnExit();
   {
     std::lock_guard<std::mutex> lock(g_runtime.lifecycle_mutex);
     if (g_runtime.initialized) {
@@ -857,6 +968,272 @@ extern "C" BUNITE_EXPORT void bunite_view_remove(uint32_t view_id) {
   bunite_win::postCefUiTask([view_id]() { bunite_win::closeViewHost(bunite_win::getViewHostById(view_id)); });
 }
 
+// Input dispatch — native CEF API. Real OS-input path → MouseEvent.isTrusted = true.
+namespace {
+
+// Local names — `MOD_ALT`/`MOD_SHIFT` are Win32 RegisterHotKey macros.
+constexpr uint32_t kBmodAlt = 1, kBmodCtrl = 2, kBmodMeta = 4, kBmodShift = 8;
+
+uint32_t cefModifiers(uint32_t bits) {
+  uint32_t flags = 0;
+  if (bits & kBmodShift) flags |= EVENTFLAG_SHIFT_DOWN;
+  if (bits & kBmodCtrl)  flags |= EVENTFLAG_CONTROL_DOWN;
+  if (bits & kBmodAlt)   flags |= EVENTFLAG_ALT_DOWN;
+  if (bits & kBmodMeta)  flags |= EVENTFLAG_COMMAND_DOWN;
+  return flags;
+}
+
+cef_mouse_button_type_t cefButton(int32_t b) {
+  switch (b) { case 1: return MBT_MIDDLE; case 2: return MBT_RIGHT; default: return MBT_LEFT; }
+}
+
+}  // namespace
+
+extern "C" BUNITE_EXPORT void bunite_view_click(uint32_t view_id, double x, double y,
+                                                  int32_t button, int32_t click_count, uint32_t modifiers) {
+  if (click_count < 1) click_count = 1;
+  bunite_win::postCefUiTask([view_id, x, y, button, click_count, modifiers]() {
+    auto* view = bunite_win::getViewHostById(view_id);
+    if (!view || !view->browser) return;
+    auto host = view->browser->GetHost();
+    if (!host) return;
+    CefMouseEvent ev{};
+    ev.x = static_cast<int>(x);
+    ev.y = static_cast<int>(y);
+    ev.modifiers = cefModifiers(modifiers);
+    // Multi-click → repeated pairs with increasing clickCount so the page sees dblclick.
+    for (int i = 1; i <= click_count; ++i) {
+      host->SendMouseClickEvent(ev, cefButton(button), /*mouseUp=*/false, i);
+      host->SendMouseClickEvent(ev, cefButton(button), /*mouseUp=*/true, i);
+    }
+  });
+}
+
+extern "C" BUNITE_EXPORT void bunite_view_type(uint32_t view_id, const char* text) {
+  std::string s = text ? text : "";
+  bunite_win::postCefUiTask([view_id, s]() {
+    auto* view = bunite_win::getViewHostById(view_id);
+    if (!view || !view->browser) return;
+    auto host = view->browser->GetHost();
+    if (!host) return;
+    std::wstring wide(s.size(), 0);
+    int n = MultiByteToWideChar(CP_UTF8, 0, s.c_str(), static_cast<int>(s.size()),
+                                wide.data(), static_cast<int>(wide.size()));
+    wide.resize(n);
+    // Per character: RAWKEYDOWN + CHAR + KEYUP. CHAR-only doesn't trigger the
+    // DOM `input` event on text fields — Chromium expects a paired key cycle.
+    // BMP only (surrogate pairs would mis-fire `keypress` twice).
+    for (size_t i = 0; i < wide.size(); ++i) {
+      wchar_t ch = wide[i];
+      if (ch >= 0xD800 && ch <= 0xDBFF) {
+        static bool warned = false;
+        if (!warned) { warned = true; BUNITE_WARN("cef type: supplementary-plane codepoint skipped"); }
+        if (i + 1 < wide.size()) ++i;
+        continue;
+      }
+      const int vk = (ch >= 'a' && ch <= 'z') ? (ch - ('a' - 'A'))  // letters map to upper VK
+                    : (ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') ? ch
+                    : 0;
+      CefKeyEvent down{};
+      down.type = KEYEVENT_RAWKEYDOWN;
+      down.windows_key_code = vk ? vk : ch;
+      down.character = ch;
+      down.unmodified_character = ch;
+      host->SendKeyEvent(down);
+      CefKeyEvent c{};
+      c.type = KEYEVENT_CHAR;
+      c.windows_key_code = ch;
+      c.character = ch;
+      c.unmodified_character = ch;
+      host->SendKeyEvent(c);
+      CefKeyEvent up{};
+      up.type = KEYEVENT_KEYUP;
+      up.windows_key_code = vk ? vk : ch;
+      up.character = ch;
+      up.unmodified_character = ch;
+      host->SendKeyEvent(up);
+    }
+  });
+}
+
+extern "C" BUNITE_EXPORT void bunite_view_press(uint32_t view_id, int32_t windows_vk_code,
+                                                  int32_t /*mac_key_code*/,
+                                                  const char* /*key*/, const char* /*code*/,
+                                                  const char* character, uint32_t modifiers,
+                                                  int32_t action, bool extended, int32_t /*location*/) {
+  std::string char_str = character ? character : "";
+  bunite_win::postCefUiTask([view_id, windows_vk_code, char_str, modifiers, action, extended]() {
+    auto* view = bunite_win::getViewHostById(view_id);
+    if (!view || !view->browser) return;
+    auto host = view->browser->GetHost();
+    if (!host) return;
+    uint32_t mod = cefModifiers(modifiers);
+    // Chromium's KeycodeConverter::NativeKeycodeToDomCode expects raw scancode
+    // with 0xE0 prefix when extended (see chromium ui/events dom_code_data.inc).
+    // Not LPARAM — Chromium's Win backend keys off scancode|(extended ? 0xE000 : 0).
+    UINT scancode = windows_vk_code ? MapVirtualKeyW(static_cast<UINT>(windows_vk_code), MAPVK_VK_TO_VSC) : 0;
+    int32_t native = static_cast<int32_t>(extended ? (0xE000u | scancode) : scancode);
+
+    if (action != 1 && windows_vk_code != 0) {
+      CefKeyEvent down{};
+      down.type = KEYEVENT_RAWKEYDOWN;
+      down.windows_key_code = windows_vk_code;
+      down.native_key_code = native;
+      down.modifiers = mod;
+      host->SendKeyEvent(down);
+    }
+    // CHAR rides with the down half (Playwright convention) — emitted only
+    // when we're sending the down (action=both or down).
+    if (action != 1 && !char_str.empty()) {
+      std::wstring wide(char_str.size(), 0);
+      int n = MultiByteToWideChar(CP_UTF8, 0, char_str.c_str(), static_cast<int>(char_str.size()),
+                                  wide.data(), static_cast<int>(wide.size()));
+      wide.resize(n);
+      for (size_t i = 0; i < wide.size(); ++i) {
+        wchar_t ch = wide[i];
+        if (ch >= 0xD800 && ch <= 0xDBFF) {
+          if (i + 1 < wide.size()) ++i;
+          continue;
+        }
+        CefKeyEvent ce{};
+        ce.type = KEYEVENT_CHAR;
+        ce.character = ch;
+        ce.unmodified_character = ch;
+        ce.windows_key_code = ch;
+        ce.modifiers = mod;
+        host->SendKeyEvent(ce);
+      }
+    }
+    if (action != 0 && windows_vk_code != 0) {
+      CefKeyEvent up{};
+      up.type = KEYEVENT_KEYUP;
+      up.windows_key_code = windows_vk_code;
+      up.native_key_code = native;
+      up.modifiers = mod;
+      host->SendKeyEvent(up);
+    }
+  });
+}
+
+extern "C" BUNITE_EXPORT void bunite_view_scroll(uint32_t view_id, double dx, double dy,
+                                                   double x, double y, uint32_t modifiers) {
+  bunite_win::postCefUiTask([view_id, dx, dy, x, y, modifiers]() {
+    auto* view = bunite_win::getViewHostById(view_id);
+    if (!view) return;
+    // CDP path — native SendMouseWheelEvent doesn't reach the page in
+    // windowed CEF. deltaY is CSS pixels, matching WV2.
+    std::string params =
+      "{\"type\":\"mouseWheel\""
+      ",\"x\":" + std::to_string(x) +
+      ",\"y\":" + std::to_string(y) +
+      ",\"deltaX\":" + std::to_string(dx) +
+      ",\"deltaY\":" + std::to_string(dy) +
+      ",\"modifiers\":" + std::to_string(modifiers) + "}";
+    cefCdpCall(view, "Input.dispatchMouseEvent", params);
+  });
+}
+
+extern "C" BUNITE_EXPORT void bunite_view_mouse(uint32_t view_id, int32_t action,
+                                                  double x, double y, int32_t button,
+                                                  uint32_t modifiers) {
+  bunite_win::postCefUiTask([view_id, action, x, y, button, modifiers]() {
+    auto* view = bunite_win::getViewHostById(view_id);
+    if (!view || !view->browser) return;
+    auto host = view->browser->GetHost();
+    if (!host) return;
+    CefMouseEvent ev{};
+    ev.x = static_cast<int>(x);
+    ev.y = static_cast<int>(y);
+    ev.modifiers = cefModifiers(modifiers);
+    if (action == 0) {
+      // move
+      host->SendMouseMoveEvent(ev, /*mouseLeave=*/false);
+    } else {
+      // down (1) / up (2)
+      CefBrowserHost::MouseButtonType btn = (button == 2) ? MBT_RIGHT
+                                          : (button == 1) ? MBT_MIDDLE : MBT_LEFT;
+      host->SendMouseClickEvent(ev, btn, /*mouseUp=*/action == 2, /*clickCount=*/1);
+    }
+  });
+}
+
+extern "C" BUNITE_EXPORT void bunite_view_respond_dialog(uint32_t view_id, uint32_t request_id,
+                                                          bool accept, const char* text) {
+  std::string text_str = text ? text : "";
+  bunite_win::postCefUiTask([view_id, request_id, accept, text_str]() {
+    auto* view = bunite_win::getViewHostById(view_id);
+    if (!view) return;
+    bunite_win::respondToDialogRequest(view, request_id, accept, text_str);
+  });
+}
+
+namespace {
+
+void emitScreenshotError(uint32_t view_id, uint32_t request_id, const char* code, const std::string& msg) {
+  std::string payload = "{\"requestId\":" + std::to_string(request_id) +
+                        ",\"ok\":false,\"code\":\"" + code + "\","
+                        "\"message\":\"" + bunite_win::escapeJsonString(msg) + "\"}";
+  bunite_win::emitWebviewEvent(view_id, "screenshot-result", payload);
+}
+
+}  // namespace
+
+extern "C" BUNITE_EXPORT uint32_t bunite_view_capabilities(uint32_t view_id) {
+  // CEF — click/type/press are native (isTrusted=true); scroll and
+  // screenshot go via CDP (windowed SendMouseWheelEvent doesn't reach the
+  // page, and Page.captureScreenshot is compositor-aware vs PrintWindow's
+  // black-frame trap).
+  auto* view = bunite_win::getViewHostById(view_id);
+  if (!view) return 0;
+  return BUNITE_CAP_EVALUATE | BUNITE_CAP_SURFACE_EVENTS |
+         BUNITE_CAP_NATIVE_INPUT_TRUSTED |
+         BUNITE_CAP_CLICK | BUNITE_CAP_TYPE | BUNITE_CAP_PRESS | BUNITE_CAP_SCROLL |
+         BUNITE_CAP_MOUSE | BUNITE_CAP_DIALOGS | BUNITE_CAP_CONSOLE |
+         BUNITE_CAP_SCREENSHOT | BUNITE_CAP_FORMAT_PNG | BUNITE_CAP_FORMAT_JPEG;
+}
+
+extern "C" BUNITE_EXPORT void bunite_view_screenshot(uint32_t view_id, uint32_t request_id,
+                                                       const char* format, int32_t quality) {
+  std::string fmt = format ? format : "png";
+  bunite_win::postCefUiTask([view_id, request_id, fmt, quality]() {
+    auto* view = bunite_win::getViewHostById(view_id);
+    if (!view) {
+      emitScreenshotError(view_id, request_id, "not_supported", "view not ready");
+      return;
+    }
+    const bool jpeg = (fmt == "jpeg" || fmt == "jpg");
+    const std::string outFmt = jpeg ? "jpeg" : "png";
+    const std::string mime = jpeg ? "image/jpeg" : "image/png";
+    std::string params = "{\"format\":\"" + outFmt + "\"";
+    if (jpeg && quality >= 0) params += ",\"quality\":" + std::to_string(quality);
+    params += "}";
+    cefCdpCall(view, "Page.captureScreenshot", params,
+        [view_id, request_id, outFmt, mime](bool ok, std::string result) {
+          if (!ok) {
+            emitScreenshotError(view_id, request_id, "runtime_error",
+                                std::string("Page.captureScreenshot failed: ") + result);
+            return;
+          }
+          CefRefPtr<CefValue> val = CefParseJSON(result, JSON_PARSER_RFC);
+          if (!val || val->GetType() != VTYPE_DICTIONARY) {
+            emitScreenshotError(view_id, request_id, "runtime_error", "captureScreenshot malformed result");
+            return;
+          }
+          CefString data = val->GetDictionary()->GetString("data");
+          if (data.empty()) {
+            emitScreenshotError(view_id, request_id, "runtime_error", "captureScreenshot missing data");
+            return;
+          }
+          std::string b64 = data.ToString();
+          std::string payload = "{\"requestId\":" + std::to_string(request_id) +
+                                ",\"ok\":true,\"format\":\"" + outFmt +
+                                "\",\"mime\":\"" + mime +
+                                "\",\"dataBase64\":\"" + b64 + "\"}";
+          bunite_win::emitWebviewEvent(view_id, "screenshot-result", payload);
+        });
+  });
+}
+
 extern "C" BUNITE_EXPORT void bunite_view_open_devtools(uint32_t view_id) {
   bunite_win::postCefUiTask([view_id]() { bunite_win::openDevToolsForView(bunite_win::getViewHostById(view_id)); });
 }

package/src/native/win/native_host_internal.h

@@ -34,9 +34,11 @@
 #include "include/cef_app.h"
 #include "include/cef_browser.h"
 #include "include/cef_client.h"
+#include "include/cef_devtools_message_observer.h"
 #include "include/cef_command_line.h"
 #include "include/cef_parser.h"
 #include "include/cef_permission_handler.h"
+#include "include/cef_jsdialog_handler.h"
 #include "include/cef_resource_handler.h"
 #include "include/cef_resource_request_handler.h"
 #include "include/cef_scheme.h"
@@ -97,6 +99,14 @@ struct ViewHost {
   std::atomic<bool> closing = false;
   CefRefPtr<CefBrowser> browser;
   CefRefPtr<CefClient> client;
+  // DevTools observer registration — kept alive for the life of the view so
+  // CDP method results (screenshot etc.) can route back to bunite handlers.
+  CefRefPtr<CefRegistration> devtools_registration;
+
+  // Page-initiated dialog callbacks held until host responds via
+  // `respondToDialogRequest`. CEF holds the page execution while we wait.
+  std::unordered_map<uint32_t, CefRefPtr<CefJSDialogCallback>> pending_dialogs;
+  uint32_t next_dialog_request_id = 1;
 
   // Pending state: applied in OnAfterCreated when browser HWND becomes available.
   bool pending_visible = true;
@@ -214,6 +224,9 @@ void finalizeWindowHost(WindowHost* window);                // [UI thread]
 void openDevToolsForView(ViewHost* view);                   // [CEF UI thread]
 void closeDevToolsForView(ViewHost* view);                  // [CEF UI thread]
 void toggleDevToolsForView(ViewHost* view);                 // [CEF UI thread]
+void registerCdpObserverForView(ViewHost* view);            // [CEF UI thread]
+void respondToDialogRequest(ViewHost* view, uint32_t request_id,
+                            bool accept, const std::string& text);  // [CEF UI thread]
 bool initializeCefOnUiThread();                             // [UI thread]
 void shutdownCefOnUiThread();                               // [UI thread]
 void cancelPendingPermissionRequestsOnUiThread();           // [CEF UI thread]

package/src/native/win/native_host_utils.cpp

@@ -211,7 +211,8 @@ std::vector<std::string> parseNavigationRulesJson(const std::string& rules_json)
 }
 
 bool shouldAlwaysAllowNavigationUrl(const std::string& url) {
-  return url == "about:blank" || url.rfind("appres://app.internal/internal/", 0) == 0;
+  // Exact-match — prefix would let `../../evil` style paths bypass scrutiny.
+  return url == "about:blank" || url == "appres://app.internal/internal/index.html";
 }
 
 uint32_t cefPermissionsToBuniteKind(uint32_t cef_bits) {

package/src/native/win/process_helper_win.cpp

@@ -48,10 +48,10 @@ public:
     std::string script = args->GetString(1).ToString();
 
     auto context = frame->GetV8Context();
+    auto reply = CefProcessMessage::Create("bunite.evaluate.result");
+    auto rl = reply->GetArgumentList();
+    rl->SetInt(0, static_cast<int>(request_id));
     if (!context) {
-      auto reply = CefProcessMessage::Create("bunite.evaluate.result");
-      auto rl = reply->GetArgumentList();
-      rl->SetInt(0, static_cast<int>(request_id));
       rl->SetBool(1, false);
       rl->SetString(2, "runtime_error");
       rl->SetString(3, "no V8 context");
@@ -59,37 +59,64 @@ public:
       return true;
     }
 
+    // Same wrapper as WebView2/mac/linux: try/catch returning a JSON envelope
+    // string. SecurityError is detected locale-independently inside the JS.
+    std::string wrapped =
+        "(function(){try{return JSON.stringify({__bunite_ok:true,value:(" + script +
+        ")})}catch(e){var c=(e&&e.name===\"SecurityError\")?\"cross_origin\":\"runtime_error\";"
+        "return JSON.stringify({__bunite_ok:false,code:c,"
+        "message:(e&&e.message)?e.message:String(e),"
+        "name:(e&&e.name)||\"\"})}})()";
+
     context->Enter();
     CefRefPtr<CefV8Value> retval;
     CefRefPtr<CefV8Exception> exception;
-    bool ok = context->Eval(script, "bunite://evaluate", 0, retval, exception);
-
-    auto reply = CefProcessMessage::Create("bunite.evaluate.result");
-    auto rl = reply->GetArgumentList();
-    rl->SetInt(0, static_cast<int>(request_id));
-    if (ok && retval) {
-      // V8 JSON.stringify for cross-process transport.
-      auto global = context->GetGlobal();
-      auto json_obj = global->GetValue("JSON");
-      auto stringify = json_obj ? json_obj->GetValue("stringify") : nullptr;
-      std::string json_str;
-      if (stringify && stringify->IsFunction()) {
-        CefV8ValueList args2; args2.push_back(retval);
-        auto json_v = stringify->ExecuteFunction(json_obj, args2);
-        if (json_v && json_v->IsString()) json_str = json_v->GetStringValue().ToString();
+    bool ok = context->Eval(wrapped, "bunite://evaluate", 0, retval, exception);
+
+    if (ok && retval && retval->IsString()) {
+      std::string inner = retval->GetStringValue().ToString();
+      if (inner.find("\"__bunite_ok\":true") != std::string::npos) {
+        static const std::string prefix = "{\"__bunite_ok\":true,\"value\":";
+        std::string value_json = "null";
+        if (inner.compare(0, prefix.size(), prefix) == 0 &&
+            inner.size() > prefix.size() + 1) {
+          value_json = inner.substr(prefix.size(), inner.size() - prefix.size() - 1);
+        }
+        rl->SetBool(1, true);
+        rl->SetString(2, value_json);
+        rl->SetString(3, "");
+      } else {
+        // Anchor at the envelope prefix — user-controlled e.message could
+        // otherwise inject a fake "code" via the substring scan above.
+        static const std::string codePrefix = "{\"__bunite_ok\":false,\"code\":\"";
+        std::string code = "runtime_error";
+        std::string msg = "script threw";
+        if (inner.compare(0, codePrefix.size(), codePrefix) == 0) {
+          size_t start = codePrefix.size();
+          size_t end = start;
+          while (end < inner.size() && inner[end] != '"') ++end;
+          if (end > start) code = inner.substr(start, end - start);
+          static const std::string msgKey = "\",\"message\":\"";
+          if (end + msgKey.size() <= inner.size() &&
+              inner.compare(end, msgKey.size(), msgKey) == 0) {
+            size_t mstart = end + msgKey.size();
+            size_t mend = mstart;
+            while (mend < inner.size()) {
+              if (inner[mend] == '"' && (mend == mstart || inner[mend - 1] != '\\')) break;
+              ++mend;
+            }
+            if (mend > mstart) msg = inner.substr(mstart, mend - mstart);
+          }
+        }
+        rl->SetBool(1, false);
+        rl->SetString(2, code);
+        rl->SetString(3, msg);
       }
-      if (json_str.empty()) json_str = "null";
-      rl->SetBool(1, true);
-      rl->SetString(2, json_str);
-      rl->SetString(3, "");
     } else {
+      // Wrapper itself failed (syntax error in user script, or V8 internal).
       std::string msg = exception ? exception->GetMessage().ToString() : "eval failed";
-      // SecurityError typically arises from cross-origin reach.
-      std::string code = (msg.find("SecurityError") != std::string::npos ||
-                          msg.find("cross-origin") != std::string::npos)
-                         ? "cross_origin" : "runtime_error";
       rl->SetBool(1, false);
-      rl->SetString(2, code);
+      rl->SetString(2, "runtime_error");
       rl->SetString(3, msg);
     }
     context->Exit();