human-browser 4.4.0 → 4.5.0

package/README.md

@@ -1,9 +1,10 @@
 # Human Browser — Cloud Stealth Browser for AI Agents
 
-> **No Mac Mini. No local machine. Your agent runs it anywhere.**  
+> **No Mac Mini. No local install. Your agent runs it anywhere.**
 > Residential IPs from 10+ countries. Bypasses Cloudflare, DataDome, PerimeterX.
 >
-> 🌐 **Product page:** https://humanbrowser.cloud  
+> 🌐 **Product page:** https://humanbrowser.cloud
+> 🤖 **A2A endpoint:** `https://agent.humanbrowser.cloud/a2a`
 > 💬 **Support:** https://t.me/virixlabs
 
 ---
@@ -15,115 +16,166 @@ Regular Playwright on a data-center server gets blocked **immediately** by:
 - DataDome (fingerprint analysis)
 - PerimeterX (behavioral analysis)
 - Instagram, LinkedIn, TikTok (residential IP requirement)
+- Google sign-in, Akamai BMP (TLS / WebRTC fingerprint matching)
 
-Human Browser solves this by combining:
-1. **Residential IP** — real ISP address from the target country (not a data center)
-2. **Real device fingerprint** — iPhone 15 Pro or Windows Chrome, complete with canvas, WebGL, fonts
-3. **Human-like behavior** — Bezier mouse curves, 60–220ms typing, natural scroll with jitter
-4. **Full anti-detection** — `webdriver=false`, no automation flags, correct timezone & geolocation
+Local stealth libraries (patchright, undetected-chromedriver, playwright-stealth) close some of these gaps in JS, but leak others — most notably **WebRTC ICE candidates** that surface the server's real datacenter IP regardless of your proxy.
 
----
+Human Browser's **cloud build** runs a custom forked Chromium with **C++-source-level fingerprint patches** (TLS ja3/ja4 matched to real Chrome, GPU vendor/renderer spoofing, WebRTC IP replacement, canvas/WebGL/audio noise) that you cannot get from any npm package. Plus residential proxies. Plus a live browser viewer. **Drive it via the Agent2Agent protocol — no install, no version pinning, no Linux build of Chromium for you to maintain.**
 
-## Quick Start
+---
 
-**No setup required** — just call `launchHuman()` and it automatically activates a free trial:
+## Agent2Agent (A2A) — recommended path
 
-```js
-const { launchHuman } = require('./scripts/browser-human');
+**Endpoint:** `https://agent.humanbrowser.cloud/a2a`
+**Auth:** `Authorization: Bearer hb_live_<your-token>`
+**Agent card:** `https://agent.humanbrowser.cloud/.well-known/agent.json`
 
-// 🚀 Zero config — auto-fetches trial credentials from humanbrowser.cloud
-const { browser, page, humanType, humanClick, humanScroll, sleep } = await launchHuman();
-// Output: 🎉 Human Browser trial activated! (~100MB Romania residential IP)
+Works with anything that speaks A2A — LangGraph, CrewAI, Google ADK, OpenAI Agents SDK, Claude/Anthropic agents, any hand-rolled JSON-RPC client.
 
-// Specific country
-const { page } = await launchHuman({ country: 'us' }); // US residential IP
-const { page } = await launchHuman({ country: 'gb' }); // UK residential IP
+### Submit + poll (recommended)
 
-// Desktop Chrome (Windows fingerprint)
-const { page } = await launchHuman({ mobile: false, country: 'us' });
+```bash
+# 1. Submit a goal — get back task_id and viewerUrl
+curl -sS https://agent.humanbrowser.cloud/a2a \
+  -H "Authorization: Bearer hb_live_<your-token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "jsonrpc": "2.0",
+    "id": 1,
+    "method": "message/send",
+    "params": {
+      "message": {
+        "role": "user",
+        "metadata": { "profile": "main", "model": "anthropic/claude-sonnet-4-6" },
+        "parts": [{ "kind": "text", "text": "Log into example.com and report the dashboard total" }]
+      }
+    }
+  }'
+# → { "result": {
+#       "id": "t_abc...",
+#       "metadata": { "viewerUrl": "https://humanbrowser.cloud/a/s_xyz?k=...", "cost": {...} }
+#     } }
+
+# 2. Poll task.metadata while running — every 5–10 s.
+#    metadata is enriched per step: step_count, current_url, last_thinking,
+#    last_eval, last_action, cost.
+curl -sS https://agent.humanbrowser.cloud/a2a \
+  -H "Authorization: Bearer hb_live_<your-token>" \
+  -H "Content-Type: application/json" \
+  -d '{"jsonrpc":"2.0","id":2,"method":"tasks/get","params":{"id":"t_abc..."}}'
+
+# 3. When task.state ∈ {completed, failed, canceled} → done.
+#    Final outcome is in task.metadata.outcome:
+#    { success, result, step_count, duration_ms, cost, files }
+#    Full artifact in task.artifacts[0].
+```
 
-await page.goto('https://example.com', { waitUntil: 'domcontentloaded' });
-await humanScroll(page, 'down');
-await humanType(page, 'input[type="email"]', 'user@example.com');
-await humanClick(page, 760, 400);
-await browser.close();
+### Or: webhook callback (no polling)
+
+Pass `callback_url` in `message.metadata` and we POST the final `Task` envelope to that URL when the task hits a terminal state. Signed with `X-HB-Signature: sha256=<HMAC>` when the server is configured with a webhook secret. Retries 3× on 5xx / network errors with 2 / 8 / 30 s backoff.
+
+```json
+{
+  "message": {
+    "role": "user",
+    "metadata": {
+      "profile": "main",
+      "callback_url": "https://your-agent.host/hb-callback"
+    },
+    "parts": [{ "kind": "text", "text": "..." }]
+  }
+}
 ```
 
-> **Trial exhausted?** Get a paid plan at https://humanbrowser.cloud, then set `PROXY_USER` / `PROXY_PASS` in your `.env`.
+### Or: SSE streaming
+
+`method: "message/stream"` returns Server-Sent Events; each step pushes a `status-update` event with the latest `task.metadata`. Use this if your client can hold a long-lived connection.
+
+### Live viewer
+
+Every spawned session ships a `viewerUrl` in `task.metadata`. Open it to:
+- Watch the browser live
+- See the agent timeline (👤 you · 🤖 caller-agent like dzeny · 🧠 hb-agent — color-coded)
+- Inject manual goals into a running session via the input box
+
+### Important: don't fire-and-await
+
+`message/send` resolves only on terminal state, and tasks routinely run 5–30 min. Don't hold an HTTP connection that long — NAT / load-balancer / proxy timeouts will sever it and your client loses context **while our server keeps running and billing**. Use polling or webhooks instead.
 
 ---
 
-## Setup
+## Sensitive data handling
 
-```bash
-npm install playwright
-npx playwright install chromium --with-deps
+Pass logins / passwords / API keys via the A2A `DataPart` with `metadata.sensitive=true` — they're injected as task input and are **stripped from logs, never written to artifacts, never echoed back in streams**.
 
-# Install via skill manager
-clawhub install al1enjesus/human-browser
+```json
+{
+  "message": {
+    "role": "user",
+    "parts": [
+      { "kind": "text", "text": "Log in and download the latest report" },
+      { "kind": "data", "data": { "email": "...", "password": "..." }, "metadata": { "sensitive": true } }
+    ]
+  }
+}
 ```
 
 ---
 
-## Supported Countries
+## Profile persistence + per-token defaults
 
-| Country | Code | Best for |
-|---------|------|----------|
-| 🇷🇴 Romania | `ro` | Polymarket, Instagram, Binance, Cloudflare |
-| 🇺🇸 United States | `us` | Netflix, DoorDash, US Banks, Amazon |
-| 🇬🇧 United Kingdom | `gb` | Polymarket, Binance, BBC iPlayer |
-| 🇩🇪 Germany | `de` | EU services, German e-commerce |
-| 🇳🇱 Netherlands | `nl` | Crypto, Polymarket, Web3 |
-| 🇯🇵 Japan | `jp` | Japanese e-commerce, Line |
-| 🇫🇷 France | `fr` | EU services, luxury brands |
-| 🇨🇦 Canada | `ca` | North American services |
-| 🇸🇬 Singapore | `sg` | APAC/SEA e-commerce |
-| 🇦🇺 Australia | `au` | Oceania content |
+Each session inherits a named **profile** that persists cookies / localStorage / IndexedDB / Service Worker storage between spawns. Pass it in `message.metadata.profile`:
+
+```json
+{ "message": { "metadata": { "profile": "polymarket-main" }, "role": "user", "parts": [...] } }
+```
+
+If you don't pass one, the server uses the token's `default_profile` (configurable per token via admin API) and falls back to `"default"`. Same profile across reconnects → same cookies, same fingerprint, same WebRTC IP. Up to 5 concurrent sessions per token by default.
 
 ---
 
-## Proxy Providers
+## Library mode (advanced — for self-hosting)
 
-### Option 1: Human Browser Managed (recommended)
-Buy directly at **humanbrowser.cloud** — we handle everything, from $13.99/mo.  
-Supports crypto (USDT/ETH/BTC/SOL) and card. AI agents can auto-purchase.
+If you want to skip the cloud entirely and drive your own Chromium with a residential proxy you supply yourself, the `human-browser` npm package exposes `launchHuman()` — a drop-in Playwright launcher with our humanizer helpers, geo-fingerprint plumbing, and built-in 2captcha integration.
 
-### Option 2: Bring Your Own Proxy
+**Note:** the library does NOT include our forked Chromium with C++ stealth patches — that binary is part of the cloud build only. Library mode is patchright-stealth-plus-helpers; expect lower pass-rate on Cloudflare BM / DataDome / Google sign-in / WebRTC-aware bot scoring than the cloud.
 
-Plug any residential proxy into Human Browser via env vars.
-**Recommended providers** (tested and verified):
+```js
+const { launchHuman } = require('human-browser');
 
-| Provider | Quality | Price | Best for |
-|---|---|---|---|
-| **[Decodo](https://decodo.com)** (ex-Smartproxy) | ⭐⭐⭐⭐⭐ | ~$2.5/GB | Cloudflare, DataDome, all-round. No KYC. |
-| **[Bright Data](https://get.brightdata.com/4ihj1kk8jt0v)** | ⭐⭐⭐⭐⭐ | ~$8.4/GB | Enterprise-grade, 72M+ IPs, 195 countries |
-| **[IPRoyal](https://iproyal.com)** | ⭐⭐⭐⭐ | ~$1.75/GB | High volume, budget, ethically sourced |
-| **[NodeMaven](https://nodemaven.com)** | ⭐⭐⭐⭐ | ~$3.5/GB | High success rate, pay-per-GB, no minimums |
-| **[Oxylabs](https://oxylabs.io)** | ⭐⭐⭐⭐⭐ | ~$8/GB | Business-grade, dedicated support |
+// Zero config — auto-fetches trial credentials from humanbrowser.cloud
+const { browser, page, humanType, humanClick, humanScroll, sleep } = await launchHuman();
 
-```env
-PROXY_HOST=your-proxy-host
-PROXY_PORT=22225
-PROXY_USER=your-username
-PROXY_PASS=your-password
+const { page } = await launchHuman({ country: 'us' });      // US residential IP
+const { page } = await launchHuman({ mobile: false });      // Desktop Chrome fingerprint
 ```
 
+```bash
+npm install human-browser playwright
+npx playwright install chromium --with-deps
+```
+
+For proxy-provider env vars (BYO Decodo / IPRoyal / Bright Data / NodeMaven / Oxylabs), see the [proxy setup notes](./references/brightdata-setup.md) and the env section of `scripts/browser-human.js`.
+
 ---
 
-## How it compares
+## Supported countries
 
-| Feature | Regular Playwright | Human Browser |
-|---------|-------------------|---------------|
-| IP type | Data center → blocked | Residential → clean |
-| Bot detection | Fails | Passes all |
-| Mouse movement | Instant teleport | Bezier curves |
-| Typing speed | Instant | 60–220ms/char |
-| Fingerprint | Detectable bot | iPhone 15 Pro |
-| Countries | None | 10+ residential |
-| Cloudflare | Blocked | Bypassed |
-| DataDome | Blocked | Bypassed |
+| Country | Code | Best for |
+|---------|------|----------|
+| 🇷🇴 Romania | `ro` | Polymarket, Instagram, Binance, Cloudflare |
+| 🇺🇸 United States | `us` | Netflix, DoorDash, US banks, Amazon |
+| 🇬🇧 United Kingdom | `gb` | Polymarket, Binance, BBC iPlayer |
+| 🇩🇪 Germany | `de` | EU services, German e-commerce |
+| 🇳🇱 Netherlands | `nl` | Crypto, Polymarket, Web3 |
+| 🇯🇵 Japan | `jp` | Japanese e-commerce, Line |
+| 🇫🇷 France | `fr` | EU services, luxury brands |
+| 🇨🇦 Canada | `ca` | North American services |
+| 🇸🇬 Singapore | `sg` | APAC/SEA e-commerce |
+| 🇦🇺 Australia | `au` | Oceania content |
 
 ---
 
-→ **Product page + pricing:** https://humanbrowser.cloud  
+→ **Buy a plan + pricing:** https://humanbrowser.cloud
 → **Support & questions:** https://t.me/virixlabs
+→ **Full spec for hand-rolled A2A clients:** [SKILL.md](./SKILL.md)

package/SKILL.md

@@ -954,4 +954,50 @@ curl -sX POST https://agent.humanbrowser.cloud/a2a \
 
 For live streaming, swap `message/send` → `message/stream` and read the response as `text/event-stream`. Each frame is a JSON-RPC notification carrying a `Task`, `TaskStatusUpdateEvent` or `TaskArtifactUpdateEvent` — exactly what `runOnCloud()` parses internally.
 
+#### Webhook callback (v77+)
+
+If you'd rather not poll, pass `callback_url` in `message.metadata` and we POST the final task envelope to that URL when the task hits a terminal state:
+
+```bash
+curl -sX POST https://agent.humanbrowser.cloud/a2a \
+  -H "Authorization: Bearer $HUMANBROWSER_API_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "jsonrpc":"2.0","id":1,"method":"message/send",
+    "params":{"message":{
+      "role":"user",
+      "metadata":{"callback_url":"https://your-host/hb-callback"},
+      "parts":[{"kind":"text","text":"..."}]
+    }}
+  }'
+```
+
+The POST carries the full `Task` JSON (status, history, artifacts, metadata) plus `kind: "task.final"` and a `deliveredAt` timestamp. Headers: `Content-Type: application/json`, `X-HB-Task-Id`, `X-HB-Task-State`, and `X-HB-Signature: sha256=<HMAC>` when the server is configured with `A2A_WEBHOOK_SECRET`. Retries 3× on 5xx / network error with 2 / 8 / 30 s backoff. HTTPS only; max URL length 1000 chars.
+
+#### Per-step metadata (v77+)
+
+`task.metadata` is now enriched on every step the agent takes, so polling `tasks/get` gives a rich progress snapshot without parsing `task.history`:
+
+| Field | When updated | Example |
+|---|---|---|
+| `step_count` | each step | `12` |
+| `current_url` | each step | `"https://featured.com/experts/questions"` |
+| `last_thinking` | each step | first ~2 KB of the agent's reasoning |
+| `last_next_goal` | each step | the planner's next-step intent |
+| `last_eval` | each step | the agent's own verdict on the last action |
+| `last_action` | each action | `{ "name": "click", "at": "2026-05-11T..." }` |
+| `cost` | each LLM call | `{ tokens_in, tokens_out, usd, model }` |
+| `outcome` | terminal `done` | `{ success, result, step_count, duration_ms, cost, files }` |
+| `viewerUrl` | initial | `https://humanbrowser.cloud/a/s_xyz?k=...` |
+
+A polling client thus renders a faithful "what's it doing right now" panel:
+
+```
+step 12/50 · https://featured.com/experts/questions
+last action: click on "Page 2"
+last eval: Successfully navigated to page 2 of 7
+cost: $0.58
+viewer: https://humanbrowser.cloud/a/s_xyz?k=...
+```
+
 > **Note on multi-turn**: the A2A spec describes an `input-required` state for tasks that need follow-up input. The current cloud build runs every task to terminal in one shot — multi-turn resumption is reserved in the protocol but not yet wired up server-side. Use `tasks/cancel` and submit a fresh task if you need to redirect.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "human-browser",
-  "version": "4.4.0",
+  "version": "4.5.0",
   "description": "Stealth browser for AI agents. Bypasses Cloudflare, DataDome, PerimeterX. Residential IPs from 10+ countries. iPhone 15 Pro fingerprint. Drop-in Playwright replacement — launchHuman() just works.",
   "keywords": [
     "browser-automation",