camofox-browser 2.4.1 → 2.4.4

package/CHANGELOG.md

@@ -2,6 +2,41 @@
 
 ## [Unreleased]
 
+## [2.4.4] - 2026-05-23
+
+### Fixed
+- First tab creation now reuses the browser engine's initial untracked `about:blank` page when safe, preventing headed and virtual-display sessions from opening an extra empty window beside the requested page.
+
+### Security
+- Refreshed Express/body-parser/qs and CI reporter dependency locks so `npm audit --audit-level=moderate` reports zero vulnerabilities.
+
+### Tests
+- Added unit and real browser regression coverage for the first-tab initial blank-page reuse path.
+
+## [2.4.3] - 2026-05-13
+
+### Fixed
+- Session-level `proxyProfile` and raw `proxy` settings now reach the browser context launch path, so proxy egress intent is applied instead of only being validated/stored.
+- Session-profile contexts now use delimiter-safe runtime keys derived from `userId + sessionKey + profile signature` and profile-keyed persistent directories, preventing sibling proxy profiles for the same user from sharing one browser context or `userDataDir`.
+- Session/user ownership checks no longer use raw `userId::sessionKey` prefix matching, so `userId` or `sessionKey` values containing `::` cannot collide with another user's sessions, tab index, or cleanup path.
+- First-create rollback now closes staged profile-keyed contexts by user/generation and always releases the canonical mutex, so a failed proxy-profile first tab cannot wedge future retries.
+- Rejected core/OpenClaw requests no longer persist provisional session proxy profiles or leave allocated profile-key sessions/contexts behind after runtime allocation failures.
+- Concurrent core/OpenClaw requests for the same new session profile now wait for the profile-create attempt to commit or rollback, so a failed creator cannot delete a sibling request that already returned success.
+- Idle lifecycle cleanup now closes and removes only the exact zero-tab profile-key session, preserving active sibling profile sessions for the same user.
+- Display-mode toggles now prewarm the existing single profile-key context for VNC with its profile launch settings while avoiding stale default-context prelaunches before first tab create.
+- Cookie import now rejects ambiguous user-level requests when multiple active browser contexts exist, requiring `tabId` targeting instead of importing into an arbitrary sibling context.
+- Eviction, timeout, and shutdown cleanup now resolve encoded session/profile keys back to their raw owner user IDs for trace/download/VNC cleanup.
+- Internal session/profile/trace ownership tokens now preserve UTF-16 code-unit identity, so malformed Unicode user/session IDs cannot collapse into replacement-character aliases or cross profile/trace ownership boundaries.
+- Legacy UTF-8 trace artifact lookup now accepts only collision-free owner tokens, so a crafted user ID cannot use a legacy token that is also another user's UTF-16LE artifact token.
+- Explicit session close now treats `userId` as an external owner ID only, so raw internal `u:`, `o:`, or `p:` session/profile keys cannot close another user's runtime state through `/sessions/:userId`.
+- Default profile directory compatibility now applies only to well-formed non-internal user IDs; raw IDs that look like internal `u:`, `s:`, `p:`, or `o:` keys, or contain malformed UTF-16, remain isolated under encoded profile-key directories.
+
+## [2.4.2] - 2026-05-13
+
+### Fixed
+- `proxyProfile` now takes precedence over raw `proxy` when both are supplied for session proxy/geo resolution, matching the documented/tested contract for `/tabs` and `/tabs/open`.
+- Refreshed runtime and dev dependency lockfile entries so full `npm audit` reports zero vulnerabilities.
+
 ## Release Audit: v2.3.0 -> v2.4.1
 
 ### What shipped in this line

package/README.md

@@ -393,7 +393,7 @@ This works with **Claude Code**, **Codex**, **Cursor**, **Gemini CLI**, **GitHub
 | Skill | Focus | Best For |
 |-------|-------|----------|
 | `camofox-browser` | Full coverage (CLI + API + OpenClaw) | Complete reference |
-| `camofox-cli` | CLI-only (50 commands) | Terminal-first workflows |
+| `camofox-cli` | CLI-only (50+ commands) | Terminal-first workflows |
 | `dogfood` | QA testing workflow | Systematic web app testing |
 | `gemini-image` | Gemini image generation | AI image automation |
 | `reddit` | Reddit automation | Reddit posting/commenting |
@@ -849,11 +849,13 @@ Then use profiles by name in API requests or CLI commands.
 | `CAMOFOX_MAX_BATCH_CONCURRENCY` | `5` | Batch download concurrency cap |
 | `CAMOFOX_MAX_BLOB_SIZE_MB` | `5` | Max blob payload size |
 | `CAMOFOX_MAX_DOWNLOADS_PER_USER` | `500` | Per-user download record cap |
+| `CAMOFOX_CONSOLE_BUFFER_SIZE` | `1000` | Per-tab console/error message buffer size (minimum `100`) |
 | `HANDLER_TIMEOUT_MS` | `30000` | Handler timeout fallback |
 | `MAX_CONCURRENT_PER_USER` | `3` | Concurrent operations per user |
 | `CAMOFOX_VNC_BASE_PORT` | `6080` | noVNC/websockify base port |
 | `CAMOFOX_VNC_HOST` | `localhost` | noVNC host in returned URL |
 | `CAMOFOX_CLI_USER` | `cli-default` | Default CLI user id |
+| `CAMOFOX_SERVER_PID_FILE` | (unset) | Optional daemon PID file path used by the CLI server manager |
 | `CAMOFOX_IDLE_TIMEOUT_MS` | `1800000` | Stage 1 idle cleanup threshold (ms) |
 | `CAMOFOX_IDLE_EXIT_TIMEOUT_MS` | `1800000` | Stage 2 daemon exit quiet window (ms, defaults to match Stage 1) |
 | `CAMOFOX_PRESETS_FILE` | (unset) | Optional JSON file defining/overriding geo presets |
@@ -866,9 +868,12 @@ Then use profiles by name in API requests or CLI commands.
 | `PROXY_USERNAME` | (empty) | Proxy username (server-level default) |
 | `PROXY_PASSWORD` | (empty) | Proxy password (server-level default) |
 | `CAMOFOX_MAX_SNAPSHOT_CHARS` | `80000` | Max characters in snapshot before truncation |
+| `CAMOFOX_MAX_SNAPSHOT_NODES` | `2000` | Max accessibility snapshot nodes before truncation |
 | `CAMOFOX_SNAPSHOT_TAIL_CHARS` | `5000` | Characters preserved at end of truncated snapshot |
 | `CAMOFOX_BUILDREFS_TIMEOUT_MS` | `12000` | Timeout for building element refs |
 | `CAMOFOX_TAB_LOCK_TIMEOUT_MS` | `30000` | Timeout for acquiring tab lock |
+| `CAMOFOX_TRACES_DIR` | `~/.camofox/traces` | Managed Playwright trace artifact directory |
+| `CAMOFOX_TRACE_MAX_DURATION_MS` | `300000` | Maximum trace recording duration before automatic stop |
 | `CAMOFOX_HEALTH_PROBE_INTERVAL_MS` | `60000` | Health probe check interval |
 | `CAMOFOX_FAILURE_THRESHOLD` | `3` | Consecutive failures before health degradation |
 | `CAMOFOX_YT_DLP_TIMEOUT_MS` | `30000` | Timeout for yt-dlp subtitle extraction |

package/dist/src/routes/core.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../../../src/routes/core.ts"],"names":[],"mappings":"AAwGA,QAAA,MAAM,MAAM,4CAAW,CAAC;AAktDxB,eAAe,MAAM,CAAC"}
+{"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../../../src/routes/core.ts"],"names":[],"mappings":"AAmHA,QAAA,MAAM,MAAM,4CAAW,CAAC;AAk0DxB,eAAe,MAAM,CAAC"}

package/dist/src/routes/core.js

@@ -186,6 +186,16 @@ router.post('/sessions/:userId/cookies', express_1.default.json({ limit: '512kb'
                     message: 'Cannot import cookies without an active session. Create a tab via POST /tabs first.',
                 });
             }
+            if (existingSessions.length > 1) {
+                (0, logging_1.log)('warn', 'cookie import rejected: ambiguous active sessions', {
+                    userId: String(userId),
+                    sessionCount: existingSessions.length,
+                });
+                return res.status(409).json({
+                    error: 'Ambiguous active sessions',
+                    message: 'Multiple active browser contexts exist for this user. Provide tabId to import cookies into a specific context.',
+                });
+            }
             session = existingSessions[0][1];
         }
         await session.context.addCookies(sanitized);
@@ -272,6 +282,11 @@ router.get('/presets', (_req, res) => {
 // Create new tab
 router.post('/tabs', async (req, res) => {
     let createUserId;
+    let createSessionKey;
+    let createdSessionProfile = false;
+    let createdSessionProfileSignature;
+    let createdDefaultSessionProfileClaim = false;
+    let releaseSessionProfileCreate;
     let isFirstCreator = false;
     let stagedGeneration;
     try {
@@ -287,10 +302,11 @@ router.post('/tabs', async (req, res) => {
             return res.status(400).json({ error: 'userId and sessionKey required' });
         }
         createUserId = String(userId);
+        createSessionKey = String(resolvedSessionKey);
         // Check for session profile conflict (proxy/geo drift)
+        let resolvedSessionProfile;
         if (proxy || proxyProfile || geoMode) {
             const { resolveSessionProfileInput, getConfiguredServerProxy, loadProxyProfiles } = await Promise.resolve().then(() => __importStar(require('../utils/proxy-profiles')));
-            const { establishSessionProfile } = await Promise.resolve().then(() => __importStar(require('../services/session')));
             const profileInput = {
                 preset,
                 locale,
@@ -307,14 +323,10 @@ router.post('/tabs', async (req, res) => {
             };
             try {
                 const resolvedProfileBase = resolveSessionProfileInput(profileInput, deps);
-                const resolvedProfile = { ...resolvedProfileBase, sessionKey: resolvedSessionKey };
-                establishSessionProfile(userId, resolvedSessionKey, resolvedProfile);
+                resolvedSessionProfile = { ...resolvedProfileBase, sessionKey: resolvedSessionKey };
             }
             catch (err) {
                 const message = err instanceof Error ? err.message : String(err);
-                if (message === 'Session profile conflict') {
-                    return res.status(409).json({ error: 'Session profile conflict' });
-                }
                 return res.status(400).json({ error: message });
             }
         }
@@ -370,14 +382,58 @@ router.post('/tabs', async (req, res) => {
             (0, logging_1.log)('error', 'canonical profile acquisition failed after retries', { userId: String(userId) });
             return res.status(503).json({ error: 'Could not acquire canonical profile, try again' });
         }
-        const sessionMapKey = (0, session_1.getSessionMapKey)(userId, contextOverrides);
+        if (resolvedSessionProfile) {
+            while (true) {
+                await (0, session_1.waitForSessionProfileCreate)(userId, resolvedSessionKey);
+                const existingProfile = (0, session_1.getEstablishedSessionProfile)(userId, resolvedSessionKey);
+                if (existingProfile) {
+                    if (existingProfile.signature !== resolvedSessionProfile.signature) {
+                        return res.status(409).json({ error: 'Session profile conflict' });
+                    }
+                    break;
+                }
+                if ((0, session_1.hasDefaultSessionProfileRuntime)(userId, resolvedSessionKey)) {
+                    return res.status(409).json({ error: 'Session profile conflict' });
+                }
+                const mutex = (0, session_1.acquireSessionProfileCreateMutex)(userId, resolvedSessionKey, resolvedSessionProfile.signature);
+                if (mutex.acquired) {
+                    releaseSessionProfileCreate = mutex.release;
+                    try {
+                        (0, session_1.establishSessionProfile)(userId, resolvedSessionKey, resolvedSessionProfile);
+                        createdSessionProfile = true;
+                        createdSessionProfileSignature = resolvedSessionProfile.signature;
+                    }
+                    catch (err) {
+                        releaseSessionProfileCreate(false);
+                        releaseSessionProfileCreate = undefined;
+                        const message = err instanceof Error ? err.message : String(err);
+                        if (message === 'Session profile conflict') {
+                            return res.status(409).json({ error: 'Session profile conflict' });
+                        }
+                        return res.status(400).json({ error: message });
+                    }
+                    break;
+                }
+                await mutex.wait;
+            }
+        }
+        else {
+            await (0, session_1.waitForSessionProfileCreate)(userId, resolvedSessionKey);
+            if (!(0, session_1.getEstablishedSessionProfile)(userId, resolvedSessionKey)) {
+                createdDefaultSessionProfileClaim = (0, session_1.claimDefaultSessionProfileRuntime)(userId, resolvedSessionKey);
+            }
+        }
+        const establishedProfile = (0, session_1.getEstablishedSessionProfile)(userId, resolvedSessionKey);
+        const sessionMapKey = establishedProfile
+            ? (0, session_1.getSessionMapKey)(userId, resolvedSessionKey, establishedProfile.signature)
+            : (0, session_1.getSessionMapKey)(userId, contextOverrides);
         let tabId;
         let pageUrl;
         if (isFirstCreator) {
-            const staged = await (0, session_1.createStagedSession)(userId, contextOverrides);
+            const staged = await (0, session_1.createStagedSession)(userId, contextOverrides, resolvedSessionKey);
             stagedGeneration = staged.generation;
             const { session, generation } = staged;
-            const page = await session.context.newPage();
+            const page = await (0, tab_1.acquirePageForNewTab)(session.context);
             tabId = node_crypto_1.default.randomUUID();
             page.__camofox_tabId = tabId;
             const tabState = await (0, tab_1.createTabState)(page);
@@ -399,19 +455,37 @@ router.post('/tabs', async (req, res) => {
             }, generation);
             if (!committed) {
                 await (0, session_1.rollbackStagedFirstUse)(createUserId ?? userId, generation).catch(() => { });
+                if (createdSessionProfile && createdSessionProfileSignature) {
+                    await (0, session_1.rollbackSessionProfileRuntime)(userId, resolvedSessionKey, createdSessionProfileSignature);
+                }
+                if (createdDefaultSessionProfileClaim) {
+                    (0, session_1.clearDefaultSessionProfileClaim)(userId, resolvedSessionKey);
+                    createdDefaultSessionProfileClaim = false;
+                }
+                releaseSessionProfileCreate?.(false);
+                releaseSessionProfileCreate = undefined;
                 return res.status(409).json({ error: 'Session closed during creation' });
             }
             (0, download_1.commitStagedDownloads)(tabId);
             pageUrl = page.url();
         }
         else {
-            const session = await (0, session_1.getSession)(userId, contextOverrides);
+            const session = await (0, session_1.getSession)(userId, contextOverrides, resolvedSessionKey);
             const totalTabs = (0, session_1.countTotalTabsForSessions)([[sessionMapKey, session]]);
             if (totalTabs >= session_1.MAX_TABS_PER_SESSION) {
+                if (createdSessionProfile && createdSessionProfileSignature) {
+                    await (0, session_1.rollbackSessionProfileRuntime)(userId, resolvedSessionKey, createdSessionProfileSignature);
+                }
+                if (createdDefaultSessionProfileClaim) {
+                    (0, session_1.clearDefaultSessionProfileClaim)(userId, resolvedSessionKey);
+                    createdDefaultSessionProfileClaim = false;
+                }
+                releaseSessionProfileCreate?.(false);
+                releaseSessionProfileCreate = undefined;
                 return res.status(429).json({ error: 'Maximum tabs per session reached' });
             }
             const group = (0, session_1.getTabGroup)(session, resolvedSessionKey);
-            const page = await session.context.newPage();
+            const page = await (0, tab_1.acquirePageForNewTab)(session.context);
             tabId = node_crypto_1.default.randomUUID();
             page.__camofox_tabId = tabId;
             const tabState = await (0, tab_1.createTabState)(page);
@@ -436,6 +510,9 @@ router.post('/tabs', async (req, res) => {
             url: pageUrl,
         });
         lifecycle_controller_1.lifecycleController.recordInteractiveActivity();
+        releaseSessionProfileCreate?.(true);
+        releaseSessionProfileCreate = undefined;
+        createdSessionProfile = false;
         return res.json({ tabId, url: pageUrl });
     }
     catch (err) {
@@ -447,6 +524,19 @@ router.post('/tabs', async (req, res) => {
                 (0, session_1.rollbackCanonicalMutex)(createUserId);
             }
         }
+        if (createdSessionProfile && createUserId && createSessionKey) {
+            if (createdSessionProfileSignature) {
+                await (0, session_1.rollbackSessionProfileRuntime)(createUserId, createSessionKey, createdSessionProfileSignature);
+            }
+            else {
+                (0, session_1.clearSessionProfile)(createUserId, createSessionKey);
+            }
+        }
+        if (createdDefaultSessionProfileClaim && createUserId && createSessionKey) {
+            (0, session_1.clearDefaultSessionProfileClaim)(createUserId, createSessionKey);
+        }
+        releaseSessionProfileCreate?.(false);
+        releaseSessionProfileCreate = undefined;
         const message = err instanceof Error ? err.message : String(err);
         (0, logging_1.log)('error', 'tab create failed', { reqId: req.reqId, error: message });
         return res.status(getRouteErrorStatus(err)).json({ error: (0, errors_1.safeError)(err) });
@@ -1079,14 +1169,28 @@ router.post('/sessions/:userId/toggle-display', async (req, res) => {
                 error: 'headless must be a boolean or "virtual"',
             });
         }
-        // Existing tabs become invalid after context restart.
-        await (0, session_1.closeSessionsForUser)(userId);
-        await context_pool_1.contextPool.restartContext(userId, headless);
+        const existingSessions = (0, session_1.getSessionsForUser)(userId);
+        const prewarmProfileKey = existingSessions.length === 1 ? existingSessions[0][0] : undefined;
+        const prewarmEntry = prewarmProfileKey ? context_pool_1.contextPool.getEntry(prewarmProfileKey) : undefined;
+        const prewarmLaunchSettings = prewarmProfileKey && !prewarmEntry ? (0, session_1.getSessionProfileLaunchSettings)(userId, prewarmProfileKey) : undefined;
+        const prewarmOptions = prewarmEntry ? prewarmEntry.seedOptions : prewarmLaunchSettings?.contextOverrides ?? undefined;
+        const prewarmProxy = prewarmEntry ? prewarmEntry.proxyConfig : prewarmLaunchSettings?.proxy ?? null;
+        let tabsInvalidated = false;
         let vncUrl;
         if (headless === true) {
+            if (prewarmProfileKey) {
+                // Existing tabs become invalid after context restart/close.
+                await (0, session_1.closeSessionsForUser)(userId, { clearProfiles: false });
+                tabsInvalidated = true;
+            }
+            context_pool_1.contextPool.setHeadlessOverride(userId, headless);
             await (0, vnc_1.stopVnc)(userId).catch(() => { });
         }
-        else {
+        else if (prewarmProfileKey) {
+            // Existing tabs become invalid after context restart.
+            await (0, session_1.closeSessionsForUser)(userId, { clearProfiles: false });
+            tabsInvalidated = true;
+            await context_pool_1.contextPool.restartContext(userId, headless, prewarmProfileKey, prewarmOptions, prewarmProxy);
             const displayNum = (0, context_pool_1.getDisplayForUser)(userId);
             if (displayNum) {
                 try {
@@ -1099,13 +1203,21 @@ router.post('/sessions/:userId/toggle-display', async (req, res) => {
                 }
             }
         }
+        else {
+            context_pool_1.contextPool.setHeadlessOverride(userId, headless);
+        }
         const modeLabel = headless === false ? 'headed mode' : headless === 'virtual' ? 'virtual display mode' : 'headless mode';
         return res.json({
             ok: true,
             headless,
+            tabsInvalidated,
             ...(vncUrl
                 ? { vncUrl, message: 'Browser visible via VNC' }
-                : { message: `Browser restarted in ${modeLabel}. Previous tabs invalidated — create new tabs.` }),
+                : {
+                    message: tabsInvalidated
+                        ? `Display mode updated to ${modeLabel}. Previous tabs invalidated — create new tabs.`
+                        : `Display mode override saved as ${modeLabel}. Existing tabs preserved; new contexts use the requested mode.`,
+                }),
             userId,
         });
     }