granclaw 0.0.1-beta.24 → 0.0.1-beta.26

package/dist/backend/browser/stealth.js

@@ -2,26 +2,24 @@
 /**
  * stealth.ts
  *
- * Central place where we build the agent-browser launch flags that hide
- * automation fingerprints. Two levers, both applied when available:
+ * Two mechanisms for hiding automation fingerprints:
  *
- *   1. --extension <path>       loads the GranClaw stealth Chrome extension
- *                               which patches navigator.webdriver and friends
- *                               at document_start, before any page script runs.
+ *   1. stealthArgv()          — argv fragment for `agent-browser` launch.
+ *                               Adds --executable-path when a real Chrome/Chromium
+ *                               binary is available (real Chrome is less flagged
+ *                               than the Playwright-bundled build).
  *
- *   2. --executable-path <path> points agent-browser at the user's real
- *                               Google Chrome install (macOS/Linux/Windows)
- *                               instead of the Chromium it downloads itself.
- *                               Real Chrome is less flagged by Google/Cloudflare
- *                               than Chromium for generic fingerprint reasons.
+ *   2. injectStealthViaCdp()  — connects to the running browser via CDP and
+ *                               calls Page.addScriptToEvaluateOnNewDocument with
+ *                               the stealth.js patches. Also fires Runtime.evaluate
+ *                               on the current page so the patches apply immediately,
+ *                               not just on the next navigation.
+ *                               Works in both headless (Docker) and headed (local)
+ *                               mode — no display or extension loader required.
  *
- * Both are best-effort: if the extension directory is missing or Chrome isn't
- * installed we simply skip that flag. Callers always get back a flat argv
- * fragment they can spread into their existing spawn line.
- *
- * Override hooks for users who want to pin a specific Chrome:
- *   GRANCLAW_STEALTH_DISABLED=1           → no flags at all
- *   GRANCLAW_CHROME_PATH=/abs/path/chrome → force a specific binary
+ * Override hooks:
+ *   GRANCLAW_STEALTH_DISABLED=1           → both mechanisms are no-ops
+ *   GRANCLAW_CHROME_PATH=/abs/path/chrome → force a specific binary for --executable-path
  */
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
@@ -29,19 +27,23 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.STEALTH_EXTENSION_DIR = void 0;
 exports.stealthArgv = stealthArgv;
+exports.injectStealthViaCdp = injectStealthViaCdp;
+exports.prewarmStealthDaemon = prewarmStealthDaemon;
 exports.__resetStealthCacheForTests = __resetStealthCacheForTests;
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
+const http_1 = __importDefault(require("http"));
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const ws_1 = require("ws");
+const execFileAsync = (0, util_1.promisify)(child_process_1.execFile);
+// ── Extension dir (source of stealth.js) ──────────────────────────────────────
 /**
  * Resolve the stealth-extension directory across three layouts:
  *
  *   - dev (tsx src):        packages/backend/src/browser/      → ../../assets/stealth-extension
  *   - backend standalone:   packages/backend/dist/browser/     → ../../assets/stealth-extension
- *   - cli bundled publish:  packages/cli/dist/backend/browser/ → ../../assets/stealth-extension
- *                                                              OR ../assets/stealth-extension
- *
- * We probe both candidates and take the first that exists so the helper is
- * layout-agnostic. Callers fall back gracefully when none resolve.
+ *   - cli bundled publish:  packages/cli/dist/backend/browser/ → ../assets/stealth-extension
  */
 function resolveExtensionDir() {
     const candidates = [
@@ -56,17 +58,14 @@ function resolveExtensionDir() {
 }
 const STEALTH_EXTENSION_DIR = resolveExtensionDir();
 exports.STEALTH_EXTENSION_DIR = STEALTH_EXTENSION_DIR;
-/**
- * Probe a list of well-known Chrome install paths and return the first that
- * exists. Resolved once per process to keep the per-launch cost at zero.
- */
+// ── Chrome binary detection ───────────────────────────────────────────────────
 let cachedChromePath;
 function detectChromePath() {
     if (cachedChromePath !== undefined)
         return cachedChromePath;
-    // GRANCLAW_CHROME_PATH takes priority; fall back to the agent-browser env
-    // var so Docker containers (which set AGENT_BROWSER_CHROME_PATH=/usr/bin/chromium)
-    // automatically point stealth at the same binary agent-browser will use.
+    // GRANCLAW_CHROME_PATH takes priority; fall back to AGENT_BROWSER_CHROME_PATH
+    // so Docker containers (AGENT_BROWSER_CHROME_PATH=/usr/bin/chromium) automatically
+    // use the same binary that agent-browser itself is configured to use.
     const override = process.env.GRANCLAW_CHROME_PATH || process.env.AGENT_BROWSER_CHROME_PATH;
     if (override && fs_1.default.existsSync(override)) {
         cachedChromePath = override;
@@ -106,35 +105,174 @@ function detectChromePath() {
     cachedChromePath = null;
     return null;
 }
+// ── argv builder ──────────────────────────────────────────────────────────────
 /**
- * Return the argv fragment to pass to `agent-browser` on the command that
- * boots the daemon. agent-browser ignores launch flags on subsequent calls
- * to an already-running daemon, so these must land on the first command.
- *
- * The caller splices the result into its own argv — e.g.:
- *
- *   const argv = ['--session', agentId, ...stealthArgv(), 'open', url];
+ * Return the argv fragment for the `agent-browser` command that boots the
+ * daemon. Only --executable-path is emitted here; the stealth JS patches are
+ * applied separately via injectStealthViaCdp() after the session is up.
  */
 function stealthArgv() {
-    // Re-enabled 2026-04-14: UA/deviceMemory patches added, AGENT_BROWSER_CHROME_PATH
-    // wired up so Docker containers automatically use the in-place Chromium.
-    // Set GRANCLAW_STEALTH_DISABLED=1 to opt out entirely.
     if (process.env.GRANCLAW_STEALTH_DISABLED === '1')
         return [];
     const argv = [];
-    if (STEALTH_EXTENSION_DIR) {
-        argv.push('--extension', STEALTH_EXTENSION_DIR);
-    }
     const chrome = detectChromePath();
     if (chrome) {
         argv.push('--executable-path', chrome);
     }
     return argv;
 }
+// ── CDP stealth injection ─────────────────────────────────────────────────────
+/**
+ * Poll for the browser-level CDP WebSocket URL.
+ *
+ * @param retries How many attempts to make (default 8, ~2.4 s). Pass 1 for
+ *                a fast single-shot check used by the background watcher.
+ */
+async function discoverCdpUrl(sessionId, workspaceDir, retries = 8) {
+    const bin = process.env.AGENT_BROWSER_BIN ?? 'agent-browser';
+    for (let i = 0; i < retries; i++) {
+        try {
+            const { stdout } = await execFileAsync(bin, ['--session', sessionId, 'get', 'cdp-url'], {
+                cwd: workspaceDir,
+                timeout: 2000,
+            });
+            const url = stdout.trim();
+            if (url.startsWith('ws://') || url.startsWith('wss://'))
+                return url;
+        }
+        catch { /* daemon not ready yet */ }
+        if (i < retries - 1)
+            await new Promise((r) => setTimeout(r, 300));
+    }
+    return null;
+}
+/**
+ * Fetch all page targets from the browser's /json/list endpoint.
+ */
+async function fetchPageTargets(browserCdpUrl) {
+    return new Promise((resolve) => {
+        const match = /^wss?:\/\/([^/]+)\//.exec(browserCdpUrl);
+        if (!match) {
+            resolve([]);
+            return;
+        }
+        const host = match[1];
+        const req = http_1.default.get(`http://${host}/json/list`, { timeout: 3000 }, (res) => {
+            let body = '';
+            res.on('data', (c) => { body += c.toString(); });
+            res.on('end', () => {
+                try {
+                    const targets = JSON.parse(body);
+                    resolve(targets
+                        .filter((t) => t.type === 'page' && t.webSocketDebuggerUrl)
+                        .map((t) => ({ webSocketDebuggerUrl: t.webSocketDebuggerUrl })));
+                }
+                catch {
+                    resolve([]);
+                }
+            });
+        });
+        req.on('error', () => resolve([]));
+        req.on('timeout', () => { req.destroy(); resolve([]); });
+    });
+}
 /**
- * Test-only hook to reset the Chrome-path cache between tests.
- * @internal
+ * Open a CDP WebSocket to a single page target and:
+ *   1. Register the stealth script for all future navigations via
+ *      Page.addScriptToEvaluateOnNewDocument.
+ *   2. Run it immediately on the current document via Runtime.evaluate so
+ *      patches are live without a reload.
  */
+function injectIntoPage(wsUrl, script) {
+    return new Promise((resolve) => {
+        const cleanup = (ws) => { try {
+            ws.close();
+        }
+        catch { /* ignore */ } resolve(); };
+        const timer = setTimeout(() => cleanup(ws), 5000);
+        const ws = new ws_1.WebSocket(wsUrl);
+        ws.on('open', () => {
+            ws.send(JSON.stringify({
+                id: 1,
+                method: 'Page.addScriptToEvaluateOnNewDocument',
+                params: { source: script },
+            }));
+            ws.send(JSON.stringify({
+                id: 2,
+                method: 'Runtime.evaluate',
+                params: { expression: script, returnByValue: false },
+            }));
+            // Allow a short window for Chrome to ack, then close.
+            setTimeout(() => { clearTimeout(timer); cleanup(ws); }, 400);
+        });
+        ws.on('error', () => { clearTimeout(timer); resolve(); });
+        ws.on('close', () => { clearTimeout(timer); resolve(); });
+    });
+}
+/**
+ * Inject the stealth script into every open page of the agent's browser
+ * session via CDP. Call this after the agent-browser daemon has started.
+ *
+ * Best-effort: any error is swallowed so a CDP failure never breaks the
+ * caller's main flow.
+ */
+async function injectStealthViaCdp(sessionId, workspaceDir) {
+    if (process.env.GRANCLAW_STEALTH_DISABLED === '1')
+        return;
+    if (!STEALTH_EXTENSION_DIR)
+        return;
+    const scriptPath = path_1.default.join(STEALTH_EXTENSION_DIR, 'stealth.js');
+    if (!fs_1.default.existsSync(scriptPath))
+        return;
+    try {
+        const script = fs_1.default.readFileSync(scriptPath, 'utf-8');
+        const cdpUrl = await discoverCdpUrl(sessionId, workspaceDir);
+        if (!cdpUrl)
+            return;
+        const pages = await fetchPageTargets(cdpUrl);
+        await Promise.all(pages.map((p) => injectIntoPage(p.webSocketDebuggerUrl, script)));
+        console.log(`[stealth] injected into ${pages.length} page(s) for session "${sessionId}"`);
+    }
+    catch (err) {
+        console.warn(`[stealth] CDP injection failed for "${sessionId}":`, err);
+    }
+}
+// ── Daemon pre-warm ───────────────────────────────────────────────────────────
+/**
+ * Pre-warm the agent's browser daemon and register stealth before any
+ * agent navigation. Call this once at agent process startup for agents
+ * that have the browser tool enabled.
+ *
+ * Steps:
+ *   1. Start the daemon with `agent-browser open about:blank` (no-op if
+ *      already running — agent-browser reuses the existing daemon).
+ *   2. Inject Page.addScriptToEvaluateOnNewDocument via CDP so every
+ *      subsequent navigation the agent makes will have stealth running
+ *      before the page's own scripts.
+ *
+ * This is a one-time setup. If the agent later kills its daemon via
+ * `browser close --all`, the next daemon start won't have stealth until
+ * the live view relay re-attaches (which also injects stealth).
+ */
+async function prewarmStealthDaemon(sessionId, workspaceDir) {
+    if (process.env.GRANCLAW_STEALTH_DISABLED === '1')
+        return;
+    try {
+        const bin = process.env.AGENT_BROWSER_BIN ?? 'agent-browser';
+        // Boot the daemon (or no-op if already running) and land on about:blank.
+        // Use execFileAsync with a short timeout — we don't care about the result,
+        // only that the daemon is now up.
+        await execFileAsync(bin, ['--session', sessionId, ...stealthArgv(), 'open', 'about:blank'], { cwd: workspaceDir, timeout: 15000 });
+    }
+    catch {
+        // Daemon failed to start (no Chrome, wrong env, etc.) — skip silently.
+        return;
+    }
+    // Daemon is up. Register stealth for all future navigations.
+    await injectStealthViaCdp(sessionId, workspaceDir);
+}
+// ── Test helpers ──────────────────────────────────────────────────────────────
+/** @internal */
 function __resetStealthCacheForTests() {
     cachedChromePath = undefined;
 }

package/dist/backend/orchestrator/agent-manager.js

@@ -25,6 +25,7 @@ exports.stopAndRemoveAgent = stopAndRemoveAgent;
 const child_process_1 = require("child_process");
 const path_1 = __importDefault(require("path"));
 const config_js_1 = require("../config.js");
+const stealth_js_1 = require("../browser/stealth.js");
 const secrets_vault_js_1 = require("../secrets-vault.js");
 exports.BASE_AGENT_PORT = Number(process.env.AGENT_BASE_PORT ?? 3100);
 /**
@@ -87,6 +88,13 @@ function startNewAgent(agent) {
     const managed = { config: agent, wsPort, bbPort: null, pid: child.pid };
     registry.set(agent.id, managed);
     console.log(`[orchestrator] agent "${agent.id}" started on ws port ${wsPort} (pid ${child.pid})`);
+    // Pre-warm the browser daemon for browser-capable agents so stealth is
+    // registered via Page.addScriptToEvaluateOnNewDocument before the agent's
+    // first navigation. Fire-and-forget — never blocks agent startup.
+    if (agent.allowedTools?.includes('browser')) {
+        const workspaceDir = path_1.default.resolve(config_js_1.REPO_ROOT, agent.workspaceDir);
+        void (0, stealth_js_1.prewarmStealthDaemon)(agent.id, workspaceDir);
+    }
     return managed;
 }
 /**

package/dist/backend/orchestrator/browser-live.js

@@ -39,6 +39,9 @@ const http_1 = __importDefault(require("http"));
 const ws_1 = require("ws");
 const child_process_1 = require("child_process");
 const util_1 = require("util");
+const stealth_js_1 = require("../browser/stealth.js");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
 const execFileAsync = (0, util_1.promisify)(child_process_1.execFile);
 const TAB_POLL_INTERVAL_MS = 2000;
 /**
@@ -261,6 +264,57 @@ function pickCdpPageForTab(pages, activeUrl) {
     const real = pages.filter((p) => !isInert(p.url));
     return real.length > 0 ? real[real.length - 1] : pages[pages.length - 1];
 }
+/**
+ * Lazily read stealth.js once and cache it. Returns null if the extension
+ * directory is missing (e.g. the package wasn't installed with assets).
+ */
+let cachedStealthScript;
+function readStealthScript() {
+    if (cachedStealthScript !== undefined)
+        return cachedStealthScript;
+    if (!stealth_js_1.STEALTH_EXTENSION_DIR) {
+        cachedStealthScript = null;
+        return null;
+    }
+    const scriptPath = path_1.default.join(stealth_js_1.STEALTH_EXTENSION_DIR, 'stealth.js');
+    try {
+        cachedStealthScript = fs_1.default.readFileSync(scriptPath, 'utf-8');
+    }
+    catch {
+        cachedStealthScript = null;
+    }
+    return cachedStealthScript;
+}
+/**
+ * Inject the stealth patches on an already-open CDP WebSocket. Uses the
+ * stream's cdpMessageId counter so IDs stay monotonically increasing.
+ *
+ * Two commands:
+ *   - Page.addScriptToEvaluateOnNewDocument — persists across navigations
+ *   - Runtime.evaluate                       — applies to the current document immediately
+ *
+ * Best-effort: silently skipped when stealth is disabled or the script is unavailable.
+ */
+function injectStealthOnPage(chromeWs, stream) {
+    if (process.env.GRANCLAW_STEALTH_DISABLED === '1')
+        return;
+    const script = readStealthScript();
+    if (!script)
+        return;
+    try {
+        chromeWs.send(JSON.stringify({
+            id: ++stream.cdpMessageId,
+            method: 'Page.addScriptToEvaluateOnNewDocument',
+            params: { source: script },
+        }));
+        chromeWs.send(JSON.stringify({
+            id: ++stream.cdpMessageId,
+            method: 'Runtime.evaluate',
+            params: { expression: script, returnByValue: false },
+        }));
+    }
+    catch { /* ws closed between open and send — ignore */ }
+}
 /**
  * Attach to a specific CDP page target and begin screencasting. Called on
  * initial attach and again whenever we need to rebind to a new tab.
@@ -278,6 +332,9 @@ function attachPageCdp(stream, page) {
             catch { }
             return;
         }
+        // Inject stealth patches on every page attach — works headlessly via CDP,
+        // no display or extension loader needed.
+        injectStealthOnPage(chromeWs, stream);
         chromeWs.send(JSON.stringify({
             id: ++stream.cdpMessageId,
             method: 'Page.startScreencast',

package/dist/backend/orchestrator/server.js

@@ -1411,6 +1411,9 @@ function createServer() {
             res.status(500).json({ error: `Failed to launch browser: ${message}` });
             return;
         }
+        // Inject stealth patches via CDP now that the daemon is up.
+        // Fire-and-forget — a CDP failure must never block the browser-open response.
+        void (0, stealth_js_1.injectStealthViaCdp)(req.params.id, workspaceDir);
         headedBrowsers.set(req.params.id, { url });
         console.log(`[browser] launched headed browser for "${req.params.id}" with profile → ${url}`);
         res.status(201).json({ url, profileDir });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "granclaw",
-  "version": "0.0.1-beta.24",
+  "version": "0.0.1-beta.26",
   "description": "A personal AI assistant you run on your own machine.",
   "license": "MIT",
   "repository": {