granclaw 0.0.1-beta.26 → 0.0.1-beta.28

package/dist/backend/agent/runner-pi.js

@@ -708,6 +708,12 @@ async function runAgent(agent, message, onChunk, options) {
                     }
                     if (!browserState.handle.recordingStarted) {
                         await (0, session_manager_js_1.startRecording)(browserState.handle);
+                        // Re-inject stealth into whatever daemon was just booted by
+                        // startBrowserRecording. Page.addScriptToEvaluateOnNewDocument
+                        // registered here will run before every subsequent navigation
+                        // on this page target, so stealth patches survive open commands.
+                        // Awaited so patches are live before the agent's first command fires.
+                        await (0, stealth_js_1.injectStealthViaCdp)(agent.id, workspaceDir);
                     }
                     // Build argv: --session <id> [--profile <path>] [--extension ...] [--executable-path ...] <command> <args...>
                     // agent-browser only applies launch flags on the command that boots
@@ -727,6 +733,12 @@ async function runAgent(agent, message, onChunk, options) {
                             maxBuffer: 10 * 1024 * 1024,
                         });
                         (0, session_manager_js_1.appendCommand)(browserState.handle, `${command} ${args.join(' ')}`.trim());
+                        // Re-inject stealth after 'open' — agent-browser may create a new
+                        // page target for the navigation, and new targets don't inherit
+                        // Page.addScriptToEvaluateOnNewDocument from previous targets.
+                        // Awaited so patches are registered before the next tool call runs.
+                        if (command === 'open')
+                            await (0, stealth_js_1.injectStealthViaCdp)(agent.id, workspaceDir);
                         const out = stdout.trim() || stderr.trim() || 'ok';
                         return { content: [{ type: 'text', text: out }] };
                     }
@@ -1002,6 +1014,18 @@ async function runAgent(agent, message, onChunk, options) {
                 await (0, session_manager_js_1.finalizeSession)(browserState.handle, 'closed');
             }
             catch { /* best effort */ }
+            // Navigate back to about:blank to release the current site's resources
+            // (memory, service workers, open connections) while keeping the daemon
+            // alive so Chrome-level stealth flags (--user-agent, --disable-blink-features)
+            // survive into the next turn. We intentionally avoid 'tab close --all'
+            // because that may kill the daemon entirely, losing the stealth flags.
+            // Full cleanup happens in prewarmStealthDaemon's Phase 1 'close --all'
+            // the next time the agent process starts.
+            try {
+                const bin = process.env.AGENT_BROWSER_BIN ?? 'agent-browser';
+                await execFileAsync(bin, ['--session', agent.id, 'open', 'about:blank'], { cwd: workspaceDir, timeout: 5000 });
+            }
+            catch { /* best effort */ }
         }
         // Restore env var only if it was injected (envKey is set only after model guard)
         if (envKey !== undefined) {

package/dist/backend/assets/stealth-extension/stealth.js

@@ -265,4 +265,58 @@
       configurable: true,
     });
   });
+
+  // ── 13. screen dimensions ───────────────────────────────────────────────
+  // Headless Chrome defaults to 800×600 which is trivially detected.
+  // Spoof a common 1920×1080 desktop resolution.
+  safe(() => {
+    const W = 1920, H = 1080;
+    const props = {
+      width:       { get: () => W, configurable: true },
+      height:      { get: () => H, configurable: true },
+      availWidth:  { get: () => W, configurable: true },
+      availHeight: { get: () => H - 40, configurable: true }, // taskbar ~40px
+      colorDepth:  { get: () => 24, configurable: true },
+      pixelDepth:  { get: () => 24, configurable: true },
+    };
+    Object.defineProperties(Screen.prototype, props);
+  });
+
+  // ── 14. Canvas fingerprint noise ────────────────────────────────────────
+  // Sites call toDataURL() or getImageData() on a hidden canvas and hash the
+  // result. The hash is deterministic per GPU/driver combination — headless
+  // SwiftShader produces a known fingerprint. Adding sub-pixel noise to each
+  // getImageData call makes the hash unique per session while remaining
+  // visually imperceptible.
+  safe(() => {
+    const origGetImageData = CanvasRenderingContext2D.prototype.getImageData;
+    CanvasRenderingContext2D.prototype.getImageData = function (x, y, w, h) {
+      const imageData = origGetImageData.call(this, x, y, w, h);
+      const data = imageData.data;
+      // XOR the last byte of every 4th pixel with a session-stable noise value
+      // so the fingerprint changes across sessions but is stable within one.
+      const noise = (Math.random() * 10 + 1) | 0; // 1–10, chosen once per page
+      for (let i = 3; i < data.length; i += 4 * 50) { // every 50th pixel's alpha
+        data[i] = Math.max(0, Math.min(255, data[i] ^ noise));
+      }
+      return imageData;
+    };
+  });
+
+  // ── 15. AudioContext fingerprint noise ──────────────────────────────────
+  // AudioContext.createOscillator + OfflineAudioContext rendering produces a
+  // deterministic output that fingerprinters hash. Patching getChannelData to
+  // add imperceptible noise breaks the hash without affecting audible output.
+  safe(() => {
+    const origGetChannelData = AudioBuffer.prototype.getChannelData;
+    AudioBuffer.prototype.getChannelData = function (channel) {
+      const channelData = origGetChannelData.call(this, channel);
+      if (channelData.length > 0) {
+        // Perturb a single sample by a sub-perceptible amount
+        const idx = channelData.length >> 1;
+        channelData[idx] += (Math.random() - 0.5) * 1e-7;
+      }
+      return channelData;
+    };
+  });
 })();

package/dist/backend/browser/stealth.js

@@ -108,13 +108,22 @@ function detectChromePath() {
 // ── argv builder ──────────────────────────────────────────────────────────────
 /**
  * Return the argv fragment for the `agent-browser` command that boots the
- * daemon. Only --executable-path is emitted here; the stealth JS patches are
- * applied separately via injectStealthViaCdp() after the session is up.
+ * daemon.
+ *
+ *  --executable-path   Use real Chrome when available (less flagged than
+ *                      Playwright's bundled build).
+ *  --args              Chrome-level launch flags:
+ *                        --disable-blink-features=AutomationControlled
+ *                          Removes navigator.webdriver = true, which is the
+ *                          #1 bot-detection signal set by Playwright/CDP.
+ *
+ * The User-Agent is handled separately in prewarmStealthDaemon via a
+ * two-phase boot (discover real UA → restart with --user-agent <patched>).
  */
 function stealthArgv() {
     if (process.env.GRANCLAW_STEALTH_DISABLED === '1')
         return [];
-    const argv = [];
+    const argv = ['--args', '--disable-blink-features=AutomationControlled'];
     const chrome = detectChromePath();
     if (chrome) {
         argv.push('--executable-path', chrome);
@@ -182,6 +191,9 @@ async function fetchPageTargets(browserCdpUrl) {
  *      Page.addScriptToEvaluateOnNewDocument.
  *   2. Run it immediately on the current document via Runtime.evaluate so
  *      patches are live without a reload.
+ *
+ * User-Agent patching is handled at the Chrome level via --user-agent in
+ * prewarmStealthDaemon, so it applies to every page target automatically.
  */
 function injectIntoPage(wsUrl, script) {
     return new Promise((resolve) => {
@@ -202,7 +214,6 @@ function injectIntoPage(wsUrl, script) {
                 method: 'Runtime.evaluate',
                 params: { expression: script, returnByValue: false },
             }));
-            // Allow a short window for Chrome to ack, then close.
             setTimeout(() => { clearTimeout(timer); cleanup(ws); }, 400);
         });
         ws.on('error', () => { clearTimeout(timer); resolve(); });
@@ -238,37 +249,117 @@ async function injectStealthViaCdp(sessionId, workspaceDir) {
     }
 }
 // ── Daemon pre-warm ───────────────────────────────────────────────────────────
+/**
+ * Fetch the raw User-Agent string from the browser's CDP /json/version endpoint.
+ * This reads the actual Chrome UA before any JS patches touch navigator.userAgent.
+ */
+async function fetchRawBrowserUA(cdpUrl) {
+    return new Promise((resolve) => {
+        const match = /^wss?:\/\/([^/]+)\//.exec(cdpUrl);
+        if (!match) {
+            resolve('');
+            return;
+        }
+        const host = match[1];
+        const req = http_1.default.get(`http://${host}/json/version`, { timeout: 3000 }, (res) => {
+            let body = '';
+            res.on('data', (c) => { body += c.toString(); });
+            res.on('end', () => {
+                try {
+                    const ua = JSON.parse(body)['User-Agent'] ?? '';
+                    resolve(ua);
+                }
+                catch {
+                    resolve('');
+                }
+            });
+        });
+        req.on('error', () => resolve(''));
+        req.on('timeout', () => { req.destroy(); resolve(''); });
+    });
+}
 /**
  * Pre-warm the agent's browser daemon and register stealth before any
  * agent navigation. Call this once at agent process startup for agents
  * that have the browser tool enabled.
  *
- * Steps:
- *   1. Start the daemon with `agent-browser open about:blank` (no-op if
- *      already running — agent-browser reuses the existing daemon).
- *   2. Inject Page.addScriptToEvaluateOnNewDocument via CDP so every
- *      subsequent navigation the agent makes will have stealth running
- *      before the page's own scripts.
+ * Two-phase boot:
+ *   Phase 1 — Boot the daemon without a UA override to discover the real
+ *              browser UA from /json/version (reading navigator.userAgent
+ *              would give the JS-patched value, not the raw one).
+ *   Phase 2 — Kill the daemon and restart it with:
+ *                --user-agent <Chrome/X.Y.Z>  strips "HeadlessChrome"
+ *                --args --disable-blink-features=AutomationControlled
+ *                  removes navigator.webdriver = true for every page target
+ *              Then inject Page.addScriptToEvaluateOnNewDocument so the
+ *              JS stealth patches (WebGL, plugins, permissions…) apply to
+ *              all subsequent navigations on the initial page target.
  *
- * This is a one-time setup. If the agent later kills its daemon via
- * `browser close --all`, the next daemon start won't have stealth until
- * the live view relay re-attaches (which also injects stealth).
+ * Chrome-level flags apply globally to every page target the daemon creates,
+ * so they survive agent-browser open commands that spawn new targets.
  */
 async function prewarmStealthDaemon(sessionId, workspaceDir) {
     if (process.env.GRANCLAW_STEALTH_DISABLED === '1')
         return;
+    const bin = process.env.AGENT_BROWSER_BIN ?? 'agent-browser';
+    const profileDir = path_1.default.join(workspaceDir, '.browser-profile');
+    const uaCachePath = path_1.default.join(profileDir, 'ua.txt');
+    // ── UA cache: skip Phase 1 when the patched UA was already discovered ─────
+    // prewarmStealthDaemon writes the patched UA to <workspace>/.browser-profile/ua.txt
+    // after Phase 1 so subsequent backend restarts skip the extra boot cycle.
+    let patchedUA = '';
+    try {
+        const cached = fs_1.default.readFileSync(uaCachePath, 'utf-8').trim();
+        if (cached.startsWith('Mozilla/'))
+            patchedUA = cached;
+    }
+    catch { /* file absent — fall through to Phase 1 */ }
+    if (!patchedUA) {
+        // ── Phase 1: boot daemon to discover the real browser UA ─────────────────
+        try {
+            await execFileAsync(bin, ['--session', sessionId, 'open', 'about:blank'], { cwd: workspaceDir, timeout: 15000 });
+        }
+        catch {
+            return; // No Chrome / wrong env — skip silently.
+        }
+        const cdpUrl = await discoverCdpUrl(sessionId, workspaceDir);
+        if (cdpUrl) {
+            const rawUA = await fetchRawBrowserUA(cdpUrl);
+            if (rawUA.includes('HeadlessChrome/')) {
+                patchedUA = rawUA.replace('HeadlessChrome/', 'Chrome/');
+                // Persist so the next backend restart skips Phase 1.
+                try {
+                    fs_1.default.mkdirSync(profileDir, { recursive: true });
+                    fs_1.default.writeFileSync(uaCachePath, patchedUA, 'utf-8');
+                }
+                catch { /* best effort */ }
+            }
+        }
+        // Kill the Phase-1 daemon so we can restart it with corrected launch flags.
+        try {
+            await execFileAsync(bin, ['--session', sessionId, 'close', '--all'], { cwd: workspaceDir, timeout: 5000 });
+        }
+        catch { /* ignore — daemon may already be gone */ }
+    }
+    // ── Phase 2: restart with stealth Chrome flags ────────────────────────────
+    // stealthArgv() includes --args --disable-blink-features=AutomationControlled
+    // (fixes navigator.webdriver) and --executable-path when real Chrome is found.
+    // Persist the patched UA as a process-level env var so that every subsequent
+    // agent-browser call in this process (including startBrowserRecording's
+    // `record start`) inherits the correct UA even if the daemon restarts.
+    if (patchedUA)
+        process.env.AGENT_BROWSER_USER_AGENT = patchedUA;
+    const launchArgs = ['--session', sessionId, ...stealthArgv()];
+    if (patchedUA)
+        launchArgs.push('--user-agent', patchedUA);
+    launchArgs.push('open', 'about:blank');
     try {
-        const bin = process.env.AGENT_BROWSER_BIN ?? 'agent-browser';
-        // Boot the daemon (or no-op if already running) and land on about:blank.
-        // Use execFileAsync with a short timeout — we don't care about the result,
-        // only that the daemon is now up.
-        await execFileAsync(bin, ['--session', sessionId, ...stealthArgv(), 'open', 'about:blank'], { cwd: workspaceDir, timeout: 15000 });
+        await execFileAsync(bin, launchArgs, { cwd: workspaceDir, timeout: 15000 });
     }
     catch {
-        // Daemon failed to start (no Chrome, wrong env, etc.) — skip silently.
         return;
     }
-    // Daemon is up. Register stealth for all future navigations.
+    // Daemon is up with correct flags. Register stealth JS for future navigations.
     await injectStealthViaCdp(sessionId, workspaceDir);
 }
 // ── Test helpers ──────────────────────────────────────────────────────────────

package/dist/backend/orchestrator/agent-manager.js

@@ -51,6 +51,12 @@ function startAllAgents() {
         const child = spawnAgent(agent, wsPort);
         registry.set(agent.id, { config: agent, wsPort, bbPort: null, pid: child.pid });
         console.log(`[orchestrator] agent "${agent.id}" started on ws port ${wsPort} (pid ${child.pid})`);
+        // Pre-warm the browser daemon for browser-capable agents so stealth is
+        // registered before the first navigation. Fire-and-forget.
+        if (agent.allowedTools?.includes('browser')) {
+            const workspaceDir = path_1.default.resolve(config_js_1.REPO_ROOT, agent.workspaceDir);
+            void (0, stealth_js_1.prewarmStealthDaemon)(agent.id, workspaceDir);
+        }
     });
 }
 function getManagedAgents() {
@@ -75,6 +81,10 @@ function restartAgent(agentId) {
     const child = spawnAgent(agent, managed.wsPort);
     registry.set(agentId, { config: agent, wsPort: managed.wsPort, bbPort: null, pid: child.pid });
     console.log(`[orchestrator] agent "${agentId}" restarted (pid ${child.pid})`);
+    if (agent.allowedTools?.includes('browser')) {
+        const workspaceDir = path_1.default.resolve(config_js_1.REPO_ROOT, agent.workspaceDir);
+        void (0, stealth_js_1.prewarmStealthDaemon)(agent.id, workspaceDir);
+    }
 }
 /**
  * Start a new agent. Assigns the next available port.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "granclaw",
-  "version": "0.0.1-beta.26",
+  "version": "0.0.1-beta.28",
   "description": "A personal AI assistant you run on your own machine.",
   "license": "MIT",
   "repository": {