pi-agent-browser-native 0.2.31 → 0.2.32

package/extensions/agent-browser/lib/results/shared.ts

@@ -25,10 +25,12 @@ export type AgentBrowserSuccessCategory = "artifact-saved" | "artifact-unverifie
 
 export type AgentBrowserFailureCategory =
 	| "aborted"
+	| "cleanup-failed"
 	| "confirmation-required"
 	| "download-not-verified"
 	| "missing-binary"
 	| "parse-failure"
+	| "policy-blocked"
 	| "qa-failure"
 	| "selector-not-found"
 	| "selector-unsupported"
@@ -60,6 +62,12 @@ export interface AgentBrowserNextAction {
 	id: string;
 	params?: {
 		args?: string[];
+		electron?: {
+			action: "cleanup" | "list" | "launch" | "probe" | "status";
+			all?: boolean;
+			handoff?: "connect" | "snapshot" | "tabs";
+			launchId?: string;
+		};
 		networkSourceLookup?: {
 			filter?: string;
 			requestId?: string;
@@ -359,6 +367,8 @@ export function classifyAgentBrowserFailureCategory(options: {
 	if (/ENOENT|not found on PATH|could not find.*agent-browser|agent-browser is required but was not found/i.test(text)) return "missing-binary";
 	if (options.parseError || /invalid JSON|missing boolean success|success field must be boolean|returned no JSON output/i.test(text)) return "parse-failure";
 	if (/aborted/i.test(text)) return "aborted";
+	if (/policy[- ]blocked|blocked by caller policy|caller deny policy|caller allow policy/i.test(text)) return "policy-blocked";
+	if (/cleanup failed|cleanup.*partial|partial cleanup|remaining resources/i.test(text)) return "cleanup-failed";
 	if (options.tabDrift || /could not re-select the intended tab|about:blank|selected tab looks wrong|tab drift|tab.*wrong/i.test(text)) return "tab-drift";
 	if (/\bUnknown ref\b|\bstale ref\b|@ref may be stale|\bref\b.*\b(?:not found|missing|expired)\b/i.test(text)) return "stale-ref";
 	if (usedRef && /could not locate element|element not found|no element/i.test(text)) return "stale-ref";
@@ -424,6 +434,22 @@ function buildArtifactVerificationAction(artifact: FileArtifactMetadata): AgentB
 	};
 }
 
+function buildElectronToolAction(options: {
+	action: "cleanup" | "probe" | "status";
+	id: string;
+	launchId: string;
+	reason: string;
+	safety?: string;
+}): AgentBrowserNextAction {
+	return {
+		id: options.id,
+		params: { electron: { action: options.action, launchId: options.launchId } },
+		reason: options.reason,
+		...(options.safety ? { safety: options.safety } : {}),
+		tool: "agent_browser",
+	};
+}
+
 const MUTATING_COMMANDS = new Set([
 	"back",
 	"check",
@@ -465,12 +491,74 @@ export function buildAgentBrowserNextActions(options: {
 	args?: string[];
 	command?: string;
 	confirmationId?: string;
+	electron?: {
+		launchId?: string;
+		sessionName?: string;
+		status?: "active" | "cleaned" | "dead" | "failed" | "partial" | "succeeded";
+	};
 	failureCategory?: AgentBrowserFailureCategory;
 	resultCategory: AgentBrowserResultCategory;
 	savedFilePath?: string;
 	successCategory?: AgentBrowserSuccessCategory;
 }): AgentBrowserNextAction[] | undefined {
 	const actions: AgentBrowserNextAction[] = [];
+	if (options.electron?.launchId) {
+		const { launchId, sessionName, status } = options.electron;
+		if (options.resultCategory === "success" && status !== "cleaned") {
+			actions.push(
+				buildElectronToolAction({
+					action: "status",
+					id: "status-electron-launch",
+					launchId,
+					reason: "Check the wrapper-tracked Electron launch liveness and current CDP targets without mutating the app.",
+				}),
+				buildElectronToolAction({
+					action: "probe",
+					id: "probe-electron-launch",
+					launchId,
+					reason: "Probe the attached Electron managed session and carry the wrapper launchId for follow-up diagnostics.",
+				}),
+				buildElectronToolAction({
+					action: "cleanup",
+					id: "cleanup-electron-launch",
+					launchId,
+					reason: "Clean the wrapper-owned Electron process and isolated userDataDir when the run is complete.",
+					safety: "Only operates on the launchId created by electron.launch; explicit artifacts and manually launched apps remain host-owned.",
+				}),
+			);
+			if (sessionName) {
+				actions.push(
+					buildNextToolAction({
+						args: ["--session", sessionName, "tab", "list"],
+						id: "list-electron-tabs",
+						reason: "Inspect attached Electron page/webview targets before choosing the active tab.",
+					}),
+					buildNextToolAction({
+						args: ["--session", sessionName, "snapshot", "-i"],
+						id: "snapshot-electron-session",
+						reason: "Refresh interactive refs for the attached Electron session.",
+						safety: "Use current Electron refs only after a fresh snapshot for this session.",
+					}),
+				);
+			}
+		} else if (options.resultCategory === "failure" && options.failureCategory === "cleanup-failed") {
+			actions.push(
+				buildElectronToolAction({
+					action: "status",
+					id: "status-electron-launch",
+					launchId,
+					reason: "Inspect which wrapper-tracked Electron resources remain after partial cleanup.",
+				}),
+				buildElectronToolAction({
+					action: "cleanup",
+					id: "retry-electron-cleanup",
+					launchId,
+					reason: "Retry cleanup for the same wrapper-owned Electron launch after reviewing remaining resources.",
+					safety: "Only retry for the same launchId; do not use cleanup for manually launched Electron apps.",
+				}),
+			);
+		}
+	}
 	if (options.resultCategory === "success") {
 		if (options.command === "open") {
 			actions.push(buildNextToolAction({

package/extensions/agent-browser/lib/temp.ts

@@ -390,6 +390,32 @@ export async function writeSecureTempFile(options: {
 	return path;
 }
 
+export async function createSecureTempDirectory(prefix: string): Promise<string> {
+	const tempRoot = await getSessionTempRoot();
+	await assertSecureTempRootBudget(tempRoot, 0);
+	const directory = await mkdtemp(join(tempRoot, prefix));
+	await chmod(directory, 0o700).catch(() => undefined);
+	await refreshSecureTempRootLease(tempRoot).catch(() => undefined);
+	return directory;
+}
+
+export async function getSecureTempChildDirectoryValidationError(path: string, childPrefix: string): Promise<string | undefined> {
+	const parentDirectory = dirname(path);
+	const childName = path.slice(parentDirectory.length + 1);
+	if (!childName.startsWith(childPrefix)) {
+		return `Refusing to remove ${path}; expected wrapper temp child prefix ${childPrefix}.`;
+	}
+	const ownershipMarker = await readTempRootOwnershipMarker(parentDirectory);
+	if (!ownershipMarker) {
+		return `Refusing to remove ${path}; parent directory is not a pi-agent-browser owned temp root.`;
+	}
+	const currentUid = getCurrentProcessUid();
+	if (currentUid !== undefined && ownershipMarker.ownerUid !== undefined && ownershipMarker.ownerUid !== currentUid) {
+		return `Refusing to remove ${path}; parent temp root is owned by uid ${ownershipMarker.ownerUid}, not current uid ${currentUid}.`;
+	}
+	return undefined;
+}
+
 export async function writePersistentSessionArtifactFile(options: {
 	content: string | Uint8Array;
 	prefix: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-agent-browser-native",
-  "version": "0.2.31",
+  "version": "0.2.32",
   "description": "pi extension that exposes agent-browser as a native tool for browser automation",
   "type": "module",
   "author": "Mitch Fultz (https://github.com/fitchmultz)",
@@ -38,6 +38,7 @@
     "LICENSE",
     "docs/ARCHITECTURE.md",
     "docs/COMMAND_REFERENCE.md",
+    "docs/ELECTRON.md",
     "docs/RELEASE.md",
     "docs/REQUIREMENTS.md",
     "docs/SUPPORT_MATRIX.md",
@@ -55,9 +56,9 @@
     "typebox": "*"
   },
   "devDependencies": {
-    "@earendil-works/pi-ai": "^0.75.3",
-    "@earendil-works/pi-coding-agent": "^0.75.3",
-    "@earendil-works/pi-tui": "^0.75.3",
+    "@earendil-works/pi-ai": "^0.75.4",
+    "@earendil-works/pi-coding-agent": "^0.75.4",
+    "@earendil-works/pi-tui": "^0.75.4",
     "@types/node": "^25.6.1",
     "tsx": "^4.21.0",
     "typebox": "^1.1.38",