pi-agent-browser-native 0.2.48 → 0.2.49

package/dist/extensions/agent-browser/lib/playbook.js

@@ -0,0 +1,121 @@
+import { LAUNCH_SCOPED_FLAG_LABEL } from "./launch-scoped-flags.js";
+/**
+ * Purpose: Provide the canonical agent_browser operating playbook shared by runtime prompt metadata and generated documentation fragments.
+ * Responsibilities: Define stable guidance bullets, native tool-call examples, and wrapper-behavior notes without importing runtime/browser process code.
+ * Scope: Agent-facing documentation and prompt-guidance text only; command execution and wrapper state behavior live in runtime modules.
+ * Usage: Imported by the extension entrypoint for promptGuidelines and by the documentation drift-check script for generated Markdown blocks.
+ * Invariants/Assumptions: The native pi tool receives args after the agent-browser binary, stdin is only for batch/eval --stdin/auth save --password-stdin, and wrapper behavior documented here must match implemented behavior.
+ */
+export const PROJECT_RULE_PROMPT = "Project rule: when browser automation is needed, prefer the native `agent_browser` tool. Do not run direct `agent-browser` bash commands unless the user explicitly asks for a bash-oriented workflow or browser-integration debugging.";
+export const TOOL_PROMPT_GUIDELINES_PREFIX = [
+    "Use agent_browser whenever the task requires a real browser or live web content.",
+];
+export function buildInstalledDocsGuideline(paths) {
+    return `For deeper agent_browser guidance without bloating context, read installed package docs on demand: ${paths.readmePath} for setup/external dependencies, ${paths.commandReferencePath} for command workflows, and ${paths.toolContractPath} for result/details contracts. Do not load the full command reference unless needed; prefer targeted sections.`;
+}
+export const QUICK_START_GUIDELINES = [
+    `Quick start mental model: use exactly one of args (exact agent-browser CLI args after the binary), semanticAction (a thin shorthand compiled to find argv for locator actions, direct selector/ref click/check/fill, or select argv for native dropdowns), job (a constrained short-workflow schema compiled to batch --bail by default; set failFast:false only when later diagnostics should continue after a failed step), qa (a lightweight fail-fast QA preset built on batch --bail with bounded visible expected-text checks, including qa.attached for current sessions), electron (desktop Electron list/launch/status/cleanup/probe), or the experimental sourceLookup / networkSourceLookup helpers (candidates only; each compiled to batch); stdin is only for batch, eval --stdin, auth save --password-stdin, and wrapper-generated batch stdin from job, qa, sourceLookup, or networkSourceLookup, and is rejected with electron; sessionMode=fresh switches the extension-managed pi-scoped session to a fresh upstream launch when you need new launch-scoped flags (${LAUNCH_SCOPED_FLAG_LABEL}) to apply. Use outputPath for durable eval/get/snapshot captures. Do not pass --json in args; the wrapper injects it.`,
+    "There is no first-class reusable named browser recipe runtime above top-level job, the qa preset, and raw batch stdin; keep recurring flows in documentation examples or those inputs (closed RQ-0068; see docs/ARCHITECTURE.md#no-reusable-recipe-layer-yet).",
+    "Common first calls (first-call recipe): { args: [\"open\", \"<url>\"] } → { args: [\"snapshot\", \"-i\"] } → { args: [\"click\", \"@eN\"] } or { args: [\"fill\", \"@eN\", \"<text>\"] } using @refs and visible labels from that snapshot, then { args: [\"snapshot\", \"-i\"] } after navigation or DOM changes. On https://example.com/ the main link label is Learn more (use exact snapshot text, not guessed link copy).",
+    "Locator-first clicks/fills and native select changes without hand-building argv: { semanticAction: { action: \"click\", locator: \"text\", value: \"Close\" } }, { semanticAction: { action: \"fill\", locator: \"label\", value: \"Email\", text: \"user@example.com\" } }, direct current targets such as { semanticAction: { action: \"fill\", selector: \"@e1\", text: \"prompt\" } }, or { semanticAction: { action: \"select\", selector: \"#flavor\", value: \"chocolate\" } }; add semanticAction.session when targeting a named upstream browser session; details.compiledSemanticAction shows the semantic target, while details.effectiveArgs may show a resolved current @ref for active-session role/name click/check/fill actions to avoid hidden duplicate matches; semanticAction does not expose uncheck while upstream find ... uncheck is not runtime-supported, so use raw uncheck with a stable selector or current ref; selector-not-found failures may append bounded click try-*-candidate next actions or, for fill misses with current editable refs, details.richInputRecovery with focus/click actions that do not copy fill text; stale-ref failures can return retry-semantic-action-after-stale-ref for compiled find actions when retry safety is provable.",
+    `Common advanced calls: { args: ["batch"], stdin: "[[\"open\",\"https://example.com\"],[\"snapshot\",\"-i\"]]" }, { job: { steps: [{ action: "open", url: "https://example.com" }, { action: "assertText", text: "Example Domain" }, { action: "screenshot", path: ".dogfood/example.png" }] } }, { qa: { url: "https://example.com", expectedText: "Example Domain", screenshotPath: ".dogfood/qa-example.png" } } (example.com smoke only; elsewhere match exact visible text from snapshot -i), { electron: { action: "list", query: "code" } }, { electron: { action: "launch", appName: "Visual Studio Code", handoff: "snapshot" } }, { electron: { action: "probe" } }, { qa: { attached: true, expectedText: "Explorer" } }, { args: ["eval", "--stdin"], stdin: "document.title", outputPath: "logs/page-title.json" }, { args: ["auth", "save", "name", "--password-stdin"], stdin: "<password from user-approved secret source>" }, { args: ["--profile", "Default", "open", "https://example.com/account"], sessionMode: "fresh" }, and { args: ["open", "--enable", "react-devtools", "https://example.com"], sessionMode: "fresh" }. For app pages with a native dropdown, job steps can include { action: "select", selector: "#flavor", value: "chocolate" } before the dependent assertion; for locator-friendly pages, job click/fill steps can use semantic locator fields such as { action: "fill", locator: "role", role: "searchbox", name: "Search", text: "agent browser" }; for human-paced input, job type steps can use { action: "type", selector: "#prompt", text: "hello", delayMs: 20, press: "Enter" }; delayed typing is capped at 200 characters per step, and generated per-character rows are compacted in visible batch prose while full rows remain in details.batchSteps.`,
+    "Constrained job navigation is explicit only: click (and select/submit flows that may navigate) does not prove the next page loaded; add assertUrl and/or assertText after navigation-prone steps before screenshot or later interactions. Keep jobs short around navigation, click, and rerender boundaries on dynamic React/product apps; avoid a whole checkout in one job. If a long job times out and details.timeoutPartialProgress shows a mutating incomplete step, inspect current page state and continue with a shorter job or single action instead of blindly retrying the mutating step. Example: { job: { steps: [{ action: \"open\", url: \"https://shop.example/checkout\" }, { action: \"fill\", selector: \"#email\", text: \"user@example.com\" }, { action: \"click\", selector: \"#continue\" }, { action: \"assertUrl\", url: \"**/shipping\" }, { action: \"assertText\", text: \"Shipping address\" }, { action: \"screenshot\", path: \".dogfood/shipping.png\" }] } }. Top-level click may add navigationSummary hints, but job never auto-inserts post-click asserts.",
+    "High-value command reference: click <selector> --new-tab opens link-like targets in a new tab; select <selector> <value...> changes native dropdown values; scroll <dir> [px] --selector <sel>, wrapper-handled scroll <selector> <dir> [px|percent] targets nested scrollers, and wrapper-handled scroll to end/top targets document scrolling; download <selector> <path> saves a file triggered by a click; get title/url/text/html/value/attr/count reads page state; screenshot [selector] [path] captures a page or element image; pdf <path> saves a PDF; tab list and tab <tab-id-or-label> inspect or recover the active tab; react tree/inspect/renders/suspense introspect React after --enable react-devtools; vitals [url] measures Core Web Vitals; pushstate <url> performs SPA navigation; tap <selector> and swipe <direction> [distance] support iOS/provider touch flows.",
+    "For artifact-producing commands, read the visible artifact block and details.artifactVerification before using files: check requested path, absolute path, existence, size bytes, artifact kind, optional mediaType, status, optional limitation, and verified/missing/pending/unverified counts. details.artifacts contains per-file metadata; record start rows are pending/openRecording until record stop writes the target. The wrapper creates parent directories for direct artifact paths and can save simple loopback HTTP(S) anchor downloads directly to the requested path before upstream download fallback. Browser close does not delete explicit saved files; if close reports details.artifactCleanup, use host file tools to remove paths listed in explicitArtifactPaths (when non-empty) after inspection. If close fails with details.promptGuard.reason=requested-artifacts-missing-before-close, save the exact required artifact path before closing. For annotated screenshots inside batch, put --annotate in top-level args (for example { args: [\"--annotate\", \"batch\"], stdin: \"[[\\\"screenshot\\\",\\\"/tmp/page.png\\\"]]\" }) rather than inside the screenshot step; if annotation labels crowd a dense page, use a scoped or non-annotated screenshot plus snapshot refs instead.",
+    "When details.nextActions is present, prefer those exact native agent_browser follow-up payloads over prose guidance; they may include args, stdin, sessionMode, networkSourceLookup, safety notes, or artifactPath for saved files.",
+];
+export const WEB_SEARCH_PROMPT_GUIDELINE = "Use agent_browser_web_search for quick live search/URL discovery; it chooses Exa or Brave, preferring Exa unless configured otherwise. Use agent_browser for interaction/DOM/screenshots/auth. Do not run parallel searches: one good query, inspect results, then one follow-up max; on HTTP 429 stop and report provider limits.";
+export const SHARED_BROWSER_PLAYBOOK_GUIDELINES = [
+    "Standard workflow: open the page, snapshot -i, interact using current @refs from that snapshot, and re-snapshot after navigation, scrolling, rerendering, or other major DOM changes because refs are page-scoped; the wrapper fails mutation-prone stale/recycled refs before upstream can silently target a different current-page element. On dense pages, use wrapper-side snapshot -i --search <text> or snapshot -i --filter role=<role> to render matching refs while preserving the full ref map in details.refSnapshot, add snapshot --viewport when scroll position or above/below-fold context matters, and add snapshot --diff when a quick before/after ref-map delta would prevent reading a full spill file.",
+    "For ordinary forms from one snapshot, batch multiple fill @refs before the submit/click step to avoid serial tool calls; if a fill may autosubmit, navigate, or rerender later fields, split the flow and refresh refs first.",
+    "Snapshot choice: prefer snapshot -i for routine clicks/fills (interactive @refs, main-content-first). Use snapshot --compact when you need a denser same-page tree without full spill; use full snapshot (no -i) only when you need the complete accessibility tree. Re-snapshot after navigation or major DOM changes. When snapshot -i compacts because the tree is oversized, scan visible output for Omitted high-value controls and optional details.data.highValueControlRefIds before opening the spill file: those list bounded searchboxes, textboxes, comboboxes, buttons, tabs, checkboxes, radios, options, and menuitems that did not fit the key/other ref previews.",
+    "When a visible text or accessible-name target should survive ref churn, prefer find locators such as role, text, label, placeholder, alt, title, or testid with the intended action instead of guessing a CSS selector.",
+    "For desktop or host-controlled rich inputs, if semanticAction fill misses, refresh refs and prefer a current editable @ref from details.richInputRecovery or the latest snapshot; focus or click that ref, then use keyboard inserttext or keyboard type with the intended text. Do not auto-submit with Enter or a submit button unless the user flow explicitly calls for it.",
+    "Do not assume Playwright selector dialects such as text=Close or button:has-text('Close') are supported wrapper syntax unless current upstream agent-browser behavior has been verified.",
+    "For authenticated or user-specific content explicitly requested by the user, such as feeds, inboxes, account pages, or private dashboards, use a real profile only when the user/config asks for it or profiles have been inspected; do not assume --profile Default exists on every machine. Do not use a real profile for public pages just because they are dashboards. Treat visible page content from real profiles as model-visible transcript data; use --auto-connect only if profile-based reuse is unavailable or the task is specifically about attaching to a running debug-enabled browser. If profile/user-data-dir resolution fails, stop retrying opens, run profiles and/or doctor through agent_browser, then report what the user needs to configure.",
+    "Do not invent fixed explicit session names for routine tasks. Use the implicit session unless you truly need multiple isolated browser sessions in the same conversation.",
+    `When using launch-scoped flags (${LAUNCH_SCOPED_FLAG_LABEL}), put them on the first command for that session. If you intentionally use an explicit --session, keep using that same explicit session for follow-ups.`,
+    `If you already used the implicit session and now need launch-scoped flags (${LAUNCH_SCOPED_FLAG_LABEL}), retry with top-level sessionMode set to fresh or pass an explicit --session for the new launch; never pass --session-mode inside args. After a successful unnamed fresh launch, later auto calls follow that new session.`,
+    "For React introspection, launch the page with --enable react-devtools before first navigation, then use react tree, react inspect <fiberId>, sourceLookup candidates for local UI source hints, react renders start/stop, or react suspense; sourceLookup is experimental and reports confidence/evidence instead of guaranteed DOM-to-file mappings. For failed fetches and APIs, networkSourceLookup (experimental) correlates failed network requests with initiator metadata and bounded workspace URL literals—candidates only, not definitive blame. Use vitals [url] for Core Web Vitals and hydration timing, and pushstate <url> for client-side SPA navigation.",
+    "For first-navigation setup, use open without a URL plus network route --resource-type <csv>, cookies set --curl <file>, or --init-script/--enable before navigate/opening the target page.",
+    "For stateful browser context work, prefer purpose-specific page actions before dumping browser data: use auth save --password-stdin with the tool stdin field for credentials, auth list/show/delete/remove for local auth-profile maintenance, auth login when you need the browser to fill a saved profile, state save/load for portable test state, state list/show/rename/clear/clear -a/clean for saved-state lifecycle cleanup, cookies get/set/clear and storage local|session only when the task needs those values, and expect cookie/storage/auth/state summaries to redact credential-like fields while allowing benign primitive storage values when useful for local QA.",
+    "For batch chains that touch cookies, storage, auth, or other secret-bearing commands, use details.batchSteps for per-step artifacts, categories, spill paths, and full structured errors; top-level details.data on batch is only a compact redacted step matrix (success, argv-redacted command, redacted result or scrubbed error text) built from the same presentation rules as standalone calls.",
+    "For non-core families, pass current upstream commands through the native tool directly: network route/requests/har (including request filters like --type/--method/--status), diff snapshot/screenshot/url with scoped/baseline options, trace/profiler/record, console/errors/highlight/inspect/clipboard, stream enable/disable/status, dashboard start/stop, device list for iOS simulator inventory, and chat. For compact network requests output, prefer details.nextActions for request detail, route-mock diagnostics, actionable failed-request networkSourceLookup, filtering, clearing the aggregate buffer before repro, or HAR capture follow-ups instead of guessing request-id syntax. Artifact-producing commands report details.artifacts and verification state; long-running starts such as stream, dashboard, trace/profiler, and record should be paired with the matching stop/disable command when the task is done; stream enable already-enabled outcomes are treated as idempotent success with status/disable follow-ups.",
+    "For Electron desktop apps, prefer top-level electron for wrapper-owned discovery, isolated launch, status, compact probe, and cleanup: list first, treat likely-sensitive annotations as hints rather than enforcement, launch with the default snapshot handoff unless handoff: \"tabs\" is the safer diagnostic starting point, use electron.probe or snapshot -i/qa.attached for current-session state, and always cleanup the returned launchId when done. electron.launch uses an isolated temporary profile; it does not reuse the app's normal signed-in profile or attach to an already-running authenticated app. For signed-in local app state, host-launch the normal app with --remote-debugging-port when appropriate, then use raw args connect <port|url>; after connect, inspect tab list, select the stable tab id such as tab t2, then run a condition wait or snapshot -i before using refs. close commands (`close`, `quit`, or `exit`) only close the browser/CDP session; leave manually launched app shutdown, profile cleanup, and explicit artifacts to the host owner.",
+    "For provider or specialized app workflows, load version-matched upstream guidance with skills get agentcore|electron|slack|dogfood|vercel-sandbox through the native tool; add --full when you need references/templates, and use skills get --all only for broad skill audits. Provider launches such as -p ios, --provider browserbase/kernel/browseruse/browserless/agentcore, and iOS --device are upstream-owned setup paths; use sessionMode fresh when switching providers and expect external credentials or local Appium/Xcode setup to be required.",
+    "For dialogs and frames, use dialog status/accept/dismiss and frame <selector|main> through native args; dialog commands and eval snippets that look like alert/confirm/prompt/dialog triggers are shorter-bounded than normal browser calls, and timed-out dialog-like interactions may add inspect-dialog-after-timeout, dismiss-dialog-after-timeout, or recover-fresh-session-after-dialog-timeout nextActions. When --confirm-actions produces a pending confirmation, use details.nextActions or exact confirm <id> / deny <id> calls instead of inventing ids.",
+    "If a session lands on the wrong page or tab, an interaction changes origin unexpectedly, or an open call returns blocked, blank, or otherwise unexpected results, use tab list / tab <tab-id-or-label> / snapshot -i to recover state before retrying different URLs or fallback strategies. For headed demos, put --headed on the first launch with sessionMode=fresh and verify with screenshot/tab/get-url evidence because tool success cannot prove the OS window is visible to the user. For desktop readiness, prefer real conditions first: wait --text, wait --url, wait --fn, wait --load <state>, wait --download, or qa.attached; for disappearance checks in agent-browser 0.27.2, use wait --fn predicates instead of stale upstream-help examples like wait <selector> --state hidden. Use electron.probe/status for wrapper-owned launch health or target mismatch. Fixed waits are a last resort: use explicit --timeout or top-level timeoutMs for legitimately slow waits, and treat a successful payload like \"waited\":\"timeout\" as elapsed time only—verify completion with an observed condition, fresh snapshot, or screenshot.",
+    "For feed, timeline, or inbox reading tasks, focus on the main timeline/list region and read the first item there rather than unrelated composer or sidebar content.",
+    "For read-only browsing tasks, prefer extracting the answer from the current snapshot, structured ref labels, or eval --stdin on the current page before navigating away. Only click into media viewers, detail routes, or new pages when the current view does not contain the needed information.",
+    "For downloads, prefer download <selector> <path> when an element click should save a file; simple loopback anchor downloads are saved to the requested path when the wrapper can resolve an HTTP(S) href. Do not rely on click alone when you need the downloaded file on disk.",
+    "On dashboards with nested scroll containers, verify scroll with a screenshot or fresh snapshot -i; if the viewport did not move, details.data.scrolled may be false/noMovement true and you should prefer scrollintoview <@ref> or target the actual scrollable region with scroll <selector> <dir> [px|percent]. For native selects, use select <selector> <value...> (or semanticAction/job select) instead of clicking option refs; for custom comboboxes, a click/semanticAction may only focus the field, so re-snapshot and fall back to type, press Enter/arrow keys, or visible option refs.",
+    "When using eval --stdin, scope checks and actions to the target element or route whenever possible instead of relying on broad page-wide text heuristics.",
+    "When using eval --stdin for extraction, pass the JavaScript through the native tool stdin field, not as an extra args token after --stdin, and return the value you want instead of relying on console.log as the primary result channel. Prefer plain expressions like ({ title: document.title }) or explicitly invoked functions like (() => ({ title: document.title }))(); use outputPath when the eval/get/snapshot data should be saved as a durable local file. If a function-shaped snippet returns {}, details.evalStdinHint may warn that the function was serialized instead of called. On file:// pages, when upstream JSON returns result: null for non-trivial stdin, details.evalResultWarning may append Eval result warning without failing the tool—treat that as inconclusive DOM verification. If get text on a CSS selector surfaces details.selectorTextVisibility or selectorTextVisibilityAll, prefer a visible @ref, a more specific selector, or the inspect-visible-text-candidates nextAction over hidden tab content.",
+    "When details.pageChangeSummary is present, use changeType and summary as a compact signal for navigation, DOM mutation, confirmations, or artifacts; when nextActionIds is set, match those ids to entries in details.nextActions (or per-step nextActions inside batch) for concrete follow-up payloads instead of inferring from prose alone. If details.clickDispatch reports a click-dispatch miss, refresh/inspect/retry the real click first; for static local fixtures only, an explicit eval --stdin programmatic .click() can exercise app handlers, but treat it as an untrusted scripted workaround and never use it to bypass stop-before-submit/order/purchase boundaries. If a no-navigation click surfaces details.overlayBlockers, inspect the fresh snapshot evidence before using a close/dismiss candidate nextAction; ordinary page chrome without dialog/alertdialog evidence should not trigger this diagnostic.",
+    "When commands save or spill files (screenshots, downloads, PDFs, traces, recordings, HAR, large snapshot spills), use the user's exact requested paths when given and treat paths as provisional until details.artifactVerification shows every row verified: branch on missingCount, pendingCount, unverifiedCount, per-entry state, and optional limitation before downstream file use or PASS/FAIL reporting.",
+    "For evidence-only screenshots, QA captures, or other audit artifacts, save to an explicit path and branch on details.artifactVerification plus details.artifacts before reporting PASS/FAIL; do not require vision review of inline image attachments unless the user asked for visual inspection.",
+    "Respect explicit user stop boundaries yourself: if the user says to stop before order/post/purchase/submit, do not click that final action. The wrapper does not infer broad business intent from prompt text; details.promptGuard is reserved for concrete artifact-before-close checks.",
+    "Successful record stop needs ffmpeg on PATH; the wrapper may warn after record start when ffmpeg is missing.",
+    "Do not call --help or other exploratory inspection commands unless the user explicitly asks for them or debugging the browser integration is necessary.",
+];
+export const TOOL_PROMPT_GUIDELINES_SUFFIX = [
+    "Prefer agent_browser over bash for opening sites, docs, clicking, filling, screenshots, eval, and batch workflows.",
+    "Do not fall back to osascript, AppleScript, or generic browser-driving bash commands when agent_browser can do the job.",
+    "Pass exact agent-browser CLI arguments in agent_browser args when you are not using semanticAction, job, or qa, excluding the binary name and --json (agent_browser injects --json automatically).",
+    "Use agent_browser stdin only for eval --stdin, batch, auth save --password-stdin, or wrapper-generated job/qa batches instead of shell heredocs or password args; other command/stdin combinations are rejected before launch.",
+    `Let the agent_browser extension-managed session handle the common path unless you explicitly need a fresh launch for launch-scoped flags (${LAUNCH_SCOPED_FLAG_LABEL}).`,
+    "Use agent_browser sessionMode=fresh when switching from an existing implicit session to a new profile/browser executable/debug/init-script/provider launch without inventing a fixed explicit session name; later auto calls will follow that new session.",
+];
+export const INSPECTION_TOOL_CALL_EXAMPLES = [
+    '{ "args": ["--help"] }',
+    '{ "args": ["--version"] }',
+];
+export const WRAPPER_TAB_RECOVERY_BEHAVIOR = [
+    "After launch-scoped open/goto/navigate calls that can restore existing tabs (for example --profile, --session-name, or --state), agent_browser best-effort re-selects the tab whose URL matches the returned page when restored tabs steal focus during launch.",
+    "After the wrapper observes tab-drift risk for a session (for example profile restore correction, overlapping stale opens, or resumed session state), later active-tab commands best-effort pin that tab inside the same upstream invocation. Routine same-session commands are not preflighted with tab list just because a target tab is known.",
+    "For sessions with observed tab-drift risk, after a successful command on a known target tab, agent_browser also best-effort restores that intended tab if a restored/background tab steals focus after the command completes. Routine same-session commands skip this post-command tab-list probe.",
+    "If a known session target unexpectedly reports about:blank, agent_browser best-effort re-selects the prior intended target when it still exists; if recovery fails, it records the observed about:blank target and reports exact recovery guidance instead of treating the prior page as active.",
+];
+export function buildSharedBrowserPlaybookGuidelines(options) {
+    return [
+        SHARED_BROWSER_PLAYBOOK_GUIDELINES[0],
+        ...(options.includeWebSearch ? [WEB_SEARCH_PROMPT_GUIDELINE] : []),
+        ...SHARED_BROWSER_PLAYBOOK_GUIDELINES.slice(1),
+    ];
+}
+/** Tier A: always-on tool promptGuidelines (keep small; Tier B lives in SHARED_BROWSER_PLAYBOOK_GUIDELINES and docs). */
+export const RUNTIME_PROMPT_GUIDELINES = [
+    "Use agent_browser with exactly one input mode: args, semanticAction, job, qa, sourceLookup/networkSourceLookup, or electron. stdin only for batch/eval/auth or wrapper batch; electron rejects stdin. Do not pass --json in args; agent_browser injects it.",
+    "For agent_browser, the common flow is open, snapshot -i, use current @refs or semanticAction, then re-snapshot after navigation/scroll/rerender/DOM change. Batch same-snapshot forms unless they may submit/navigate/rerender. Keep job flows short around navigation/click/rerender boundaries on dynamic apps. Respect explicit stop boundaries: stop before order/post/purchase/submit.",
+    "Use agent_browser top-level sessionMode=fresh for launch-scoped flags; never put --session-mode in args. For signed-in/account-specific content, use requested/configured profiles, never assume --profile Default; on profile failures, run profiles/doctor and tell the user what to configure. Use --executable-path for configured Chromium. Profile content is model-visible.",
+    "For agent_browser artifacts, save the exact user path and verify details.artifactVerification/details.artifacts before claiming success. If close is blocked by details.promptGuard, save the required artifact first. record stop needs ffmpeg; close does not delete saved files; waited:timeout is not proof.",
+    "When agent_browser details.nextActions is present, prefer exact payloads over prose/guessed selectors. For dense snapshots, check Omitted high-value controls/details.data.highValueControlRefIds. For dashboards, verify scroll with screenshot/snapshot; if nothing moved, target the real scroll region.",
+    "For agent_browser extraction, prefer get title/url/text/html/value/attr/count or eval --stdin with plain expression, not console.log. Batch three or more known refs/selectors (e.g. [[\"get\",\"text\",\"@e1\"],[\"get\",\"text\",\"@e2\"]]); selector visibility warnings → visible @refs/nextActions.",
+];
+export function buildBrowserExecutablePathGuideline(executablePath) {
+    if (!executablePath)
+        return undefined;
+    return `agent_browser config sets browser.executablePath to ${JSON.stringify(executablePath)}; for fresh browser launches that should use that Chromium-compatible executable, add --executable-path ${JSON.stringify(executablePath)} with sessionMode:fresh. The upstream profiles command still lists Chrome profiles only; for non-Chrome Chromium login state, ask the user for an explicit profile/user-data directory path or inspect local setup with profiles/doctor before recommending a profile value.`;
+}
+export function buildBrowserDefaultProfileGuideline(profile) {
+    if (!profile || profile.policy === "explicit-only")
+        return undefined;
+    if (profile.policy === "always") {
+        return `agent_browser config sets browser.defaultProfile.name to ${JSON.stringify(profile.name)} with policy always; use --profile ${JSON.stringify(profile.name)} with sessionMode:fresh when a fresh browser launch should use the configured profile, and treat profile content as model-visible user data.`;
+    }
+    return `agent_browser config sets browser.defaultProfile.name to ${JSON.stringify(profile.name)}; for signed-in/account-specific browser tasks, start with --profile ${JSON.stringify(profile.name)} plus sessionMode:fresh unless the user asks for a different profile.`;
+}
+export function buildToolPromptGuidelines(options) {
+    const browserDefaultProfileGuideline = buildBrowserDefaultProfileGuideline(options.browserDefaultProfile);
+    const browserExecutablePathGuideline = buildBrowserExecutablePathGuideline(options.browserExecutablePath);
+    return [
+        ...TOOL_PROMPT_GUIDELINES_PREFIX,
+        ...(options.docs ? [buildInstalledDocsGuideline(options.docs)] : []),
+        ...RUNTIME_PROMPT_GUIDELINES,
+        ...(browserExecutablePathGuideline ? [browserExecutablePathGuideline] : []),
+        ...(browserDefaultProfileGuideline ? [browserDefaultProfileGuideline] : []),
+        ...(options.includeWebSearch ? [WEB_SEARCH_PROMPT_GUIDELINE] : []),
+        TOOL_PROMPT_GUIDELINES_SUFFIX[0],
+        TOOL_PROMPT_GUIDELINES_SUFFIX[1],
+    ];
+}

package/dist/extensions/agent-browser/lib/process.js

@@ -0,0 +1,448 @@
+/**
+ * Purpose: Execute the upstream agent-browser binary for the pi-agent-browser extension.
+ * Responsibilities: Spawn the agent-browser subprocess, forward a curated environment surface, stream optional stdin, bound in-memory output buffering, spill oversized stdout safely to a private temp file under a disk budget, and honor abort signals.
+ * Scope: Process execution only; argument planning, output formatting, and pi tool registration live elsewhere.
+ * Usage: Called by the extension tool after argument validation and session planning are complete.
+ * Invariants/Assumptions: The binary name is always `agent-browser`; Windows routes through PowerShell to invoke npm launchers with escaped argv; callers handle semantic success/error interpretation.
+ */
+import { spawn } from "node:child_process";
+import { chmod, mkdir } from "node:fs/promises";
+import { env as processEnv, platform as processPlatform } from "node:process";
+import { GLOBAL_BOOLEAN_FLAGS_WITH_OPTIONAL_VALUES, GLOBAL_VALUE_FLAGS, getFlagName } from "./argv-grammar.js";
+import { openSecureTempFile, writeSecureTempChunk } from "./temp.js";
+const MAX_BUFFERED_STDOUT_BYTES = 512 * 1_024;
+const MAX_BUFFERED_STDERR_CHARS = 32_000;
+const MAX_BUFFERED_STDOUT_TAIL_CHARS = 32_000;
+const PROCESS_STDOUT_SPILL_FILE_PREFIX = "process-stdout";
+const AGENT_BROWSER_SOCKET_DIR_ENV = "AGENT_BROWSER_SOCKET_DIR";
+const AGENT_BROWSER_DEFAULT_TIMEOUT_ENV = "AGENT_BROWSER_DEFAULT_TIMEOUT";
+const PI_AGENT_BROWSER_PROCESS_TIMEOUT_ENV = "PI_AGENT_BROWSER_PROCESS_TIMEOUT_MS";
+const DEFAULT_AGENT_BROWSER_SOCKET_DIR_PREFIX = "/tmp/piab";
+export const SAFE_AGENT_BROWSER_OPERATION_TIMEOUT_MS = 25_000;
+const DEFAULT_AGENT_BROWSER_PROCESS_TIMEOUT_MS = 35_000;
+/** Grace period after `exit` before resolving when `close` is delayed by inherited stdio handles. */
+const EXIT_STDIO_GRACE_MS = 100;
+const httpProxyEnvName = "http_proxy";
+const httpsProxyEnvName = "https_proxy";
+const allProxyEnvName = "all_proxy";
+const noProxyEnvName = "no_proxy";
+const INHERITED_ENV_NAMES = new Set([
+    "ALL_PROXY",
+    "APPDATA",
+    "CI",
+    "COLORTERM",
+    "COMSPEC",
+    "DBUS_SESSION_BUS_ADDRESS",
+    "DISPLAY",
+    "FORCE_COLOR",
+    "HOME",
+    "HOMEDRIVE",
+    "HOMEPATH",
+    "HTTPS_PROXY",
+    "HTTP_PROXY",
+    "LANG",
+    "LC_ALL",
+    "LC_CTYPE",
+    "LOCALAPPDATA",
+    "LOGNAME",
+    "NO_COLOR",
+    "NO_PROXY",
+    "NODE_EXTRA_CA_CERTS",
+    "NODE_TLS_REJECT_UNAUTHORIZED",
+    "OS",
+    "PATH",
+    "PATHEXT",
+    "PWD",
+    "SHELL",
+    "SSL_CERT_DIR",
+    "SSL_CERT_FILE",
+    "SYSTEMROOT",
+    "TEMP",
+    "TERM",
+    "TMP",
+    "TMPDIR",
+    "TZ",
+    "USER",
+    "USERNAME",
+    "USERPROFILE",
+    "WAYLAND_DISPLAY",
+    "XAUTHORITY",
+    "AWS_ACCESS_KEY_ID",
+    "AWS_SECRET_ACCESS_KEY",
+    "AWS_SESSION_TOKEN",
+    "AWS_PROFILE",
+    "AWS_REGION",
+    "AWS_DEFAULT_REGION",
+    httpProxyEnvName,
+    httpsProxyEnvName,
+    allProxyEnvName,
+    noProxyEnvName,
+]);
+const INHERITED_ENV_PREFIXES = [
+    "AGENT_BROWSER_",
+    "AGENTCORE_",
+    "AI_GATEWAY_",
+    "BROWSERBASE_",
+    "BROWSERLESS_",
+    "BROWSER_USE_",
+    "KERNEL_",
+    "XDG_",
+];
+function appendTail(text, addition, maxChars) {
+    const combined = text + addition;
+    return combined.length <= maxChars ? combined : combined.slice(combined.length - maxChars);
+}
+function quoteWindowsPowerShellArg(value) {
+    return `'${value.replace(/'/g, "''")}'`;
+}
+const WINDOWS_LEADING_GLOBAL_VALUE_FLAGS = new Set(GLOBAL_VALUE_FLAGS);
+/** Exported for unit tests that lock Windows launcher argv ordering. */
+export function reorderWindowsLeadingGlobalArgs(args) {
+    const leadingGlobals = [];
+    let index = 0;
+    while (index < args.length && args[index]?.startsWith("-")) {
+        const token = args[index];
+        const flagName = getFlagName(token);
+        leadingGlobals.push(token);
+        index += 1;
+        if (WINDOWS_LEADING_GLOBAL_VALUE_FLAGS.has(flagName) && !token.includes("=") && index < args.length) {
+            leadingGlobals.push(args[index]);
+            index += 1;
+            continue;
+        }
+        if (GLOBAL_BOOLEAN_FLAGS_WITH_OPTIONAL_VALUES.has(flagName) && ["true", "false"].includes(args[index] ?? "")) {
+            leadingGlobals.push(args[index]);
+            index += 1;
+        }
+    }
+    if (leadingGlobals.length === 0 || index >= args.length)
+        return args;
+    return [args[index], ...leadingGlobals, ...args.slice(index + 1)];
+}
+function buildAgentBrowserSpawnCommand(args) {
+    if (processPlatform !== "win32") {
+        return { command: "agent-browser", args };
+    }
+    const commandLine = ["&", "agent-browser", ...reorderWindowsLeadingGlobalArgs(args).map(quoteWindowsPowerShellArg)].join(" ");
+    return { command: "powershell.exe", args: ["-NoLogo", "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", commandLine] };
+}
+function terminateSpawnedChild(child, signal) {
+    if (processPlatform === "win32" && child.pid) {
+        const killer = spawn("taskkill.exe", ["/PID", String(child.pid), "/T", "/F"], { stdio: "ignore" });
+        killer.on("error", () => undefined);
+        killer.unref();
+    }
+    child.kill(signal);
+}
+/** Exported for unit tests that lock subprocess exit-code precedence. */
+export function resolveSpawnedChildExitCode(input) {
+    // Precedence: observed `close` code when present, then wrapper timeout (124), then
+    // post-`exit` fallback when inherited stdio delays `close`, then spawn failure (127).
+    if (input.closeCode !== null && input.closeCode !== undefined) {
+        return input.closeCode;
+    }
+    if (input.timedOut) {
+        return 124;
+    }
+    if (input.useExitFallback && input.exitCode !== null && input.exitCode !== undefined) {
+        return input.exitCode;
+    }
+    return input.spawnError ? 127 : 0;
+}
+function watchSpawnedChildCompletion(child, options) {
+    let exited = false;
+    let exitCode = null;
+    let postExitTimer;
+    // `completed` suppresses duplicate exit/close callbacks; `settled` in `finish` guards async spill cleanup.
+    let completed = false;
+    const complete = (closeCode) => {
+        if (completed)
+            return;
+        completed = true;
+        if (postExitTimer) {
+            clearTimeout(postExitTimer);
+            postExitTimer = undefined;
+        }
+        const context = options.getContext();
+        options.onComplete(resolveSpawnedChildExitCode({
+            closeCode,
+            exitCode,
+            useExitFallback: exited,
+            timedOut: context.timedOut,
+            spawnError: context.spawnError,
+        }));
+    };
+    child.once("exit", (code) => {
+        exited = true;
+        exitCode = code;
+        postExitTimer = setTimeout(() => {
+            destroySpawnedChildStreams(child);
+            complete(undefined);
+        }, options.graceMs);
+        postExitTimer.unref?.();
+    });
+    child.once("close", (code) => {
+        complete(code);
+    });
+    return {
+        clear: () => {
+            if (postExitTimer) {
+                clearTimeout(postExitTimer);
+                postExitTimer = undefined;
+            }
+        },
+    };
+}
+function destroySpawnedChildStreams(child) {
+    child.stdin?.destroy();
+    child.stdout?.destroy();
+    child.stderr?.destroy();
+}
+function parsePositiveIntegerEnv(value) {
+    if (value === undefined || !/^\d+$/.test(value.trim())) {
+        return undefined;
+    }
+    const parsed = Number(value.trim());
+    return Number.isSafeInteger(parsed) && parsed > 0 ? parsed : undefined;
+}
+function clampUpstreamDefaultTimeout(childEnv) {
+    const requestedTimeout = parsePositiveIntegerEnv(childEnv[AGENT_BROWSER_DEFAULT_TIMEOUT_ENV]);
+    if (requestedTimeout === undefined || requestedTimeout > SAFE_AGENT_BROWSER_OPERATION_TIMEOUT_MS) {
+        childEnv[AGENT_BROWSER_DEFAULT_TIMEOUT_ENV] = String(SAFE_AGENT_BROWSER_OPERATION_TIMEOUT_MS);
+    }
+}
+export function getAgentBrowserProcessTimeoutMs(env = processEnv) {
+    return parsePositiveIntegerEnv(env[PI_AGENT_BROWSER_PROCESS_TIMEOUT_ENV]) ?? DEFAULT_AGENT_BROWSER_PROCESS_TIMEOUT_MS;
+}
+export function getAgentBrowserSocketDir(platform = processPlatform, uid = typeof process.getuid === "function" ? process.getuid() : undefined) {
+    if (platform === "win32") {
+        return undefined;
+    }
+    return `${DEFAULT_AGENT_BROWSER_SOCKET_DIR_PREFIX}${typeof uid === "number" ? `-${uid}` : ""}`;
+}
+async function ensureAgentBrowserSocketDir(socketDir) {
+    try {
+        await mkdir(socketDir, { recursive: true, mode: 0o700 });
+        await chmod(socketDir, 0o700).catch(() => undefined);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function getChildEnvName(name) {
+    if (processPlatform === "win32") {
+        const upperName = name.toUpperCase();
+        if (INHERITED_ENV_NAMES.has(upperName))
+            return upperName;
+        return INHERITED_ENV_PREFIXES.some((prefix) => upperName.startsWith(prefix)) ? upperName : undefined;
+    }
+    if (INHERITED_ENV_NAMES.has(name) || INHERITED_ENV_PREFIXES.some((prefix) => name.startsWith(prefix))) {
+        return name;
+    }
+    return undefined;
+}
+export function buildAgentBrowserProcessEnv(baseEnv = processEnv, overrides = undefined) {
+    const childEnv = {};
+    for (const [name, value] of Object.entries(baseEnv)) {
+        const childName = getChildEnvName(name);
+        if (value !== undefined && childName) {
+            childEnv[childName] = value;
+        }
+    }
+    if (!overrides) {
+        clampUpstreamDefaultTimeout(childEnv);
+        return childEnv;
+    }
+    for (const [name, value] of Object.entries(overrides)) {
+        const childName = getChildEnvName(name) ?? name;
+        if (value === undefined) {
+            delete childEnv[childName];
+        }
+        else {
+            childEnv[childName] = value;
+        }
+    }
+    clampUpstreamDefaultTimeout(childEnv);
+    return childEnv;
+}
+export async function runAgentBrowserProcess(options) {
+    const { args, cwd, env, signal, stdin } = options;
+    const timeoutMs = options.timeoutMs ?? getAgentBrowserProcessTimeoutMs();
+    const explicitSocketDir = env?.[AGENT_BROWSER_SOCKET_DIR_ENV];
+    let effectiveEnv = explicitSocketDir === undefined ? { ...env, [AGENT_BROWSER_SOCKET_DIR_ENV]: undefined } : env;
+    const requestedSocketDir = explicitSocketDir ?? getAgentBrowserSocketDir();
+    if (requestedSocketDir && (await ensureAgentBrowserSocketDir(requestedSocketDir))) {
+        effectiveEnv = { ...env, [AGENT_BROWSER_SOCKET_DIR_ENV]: requestedSocketDir };
+    }
+    return await new Promise((resolve) => {
+        let aborted = false;
+        let settled = false;
+        let spawnError;
+        let stderr = "";
+        let stdoutBuffers = [];
+        let stdoutBufferedBytes = 0;
+        let stdoutTail = "";
+        let stdoutSpillHandle;
+        let stdoutSpillPath;
+        let pendingStdoutWrite = Promise.resolve();
+        let stdoutSpillError;
+        let killTimer;
+        let timeoutTimer;
+        let abortListener;
+        let timedOut = false;
+        let completionWatcher;
+        const queueStdoutChunk = (buffer) => {
+            stdoutTail = appendTail(stdoutTail, buffer.toString("utf8"), MAX_BUFFERED_STDOUT_TAIL_CHARS);
+            if (stdoutSpillError)
+                return;
+            if (!stdoutSpillPath && stdoutBufferedBytes + buffer.length <= MAX_BUFFERED_STDOUT_BYTES) {
+                stdoutBuffers.push(buffer);
+                stdoutBufferedBytes += buffer.length;
+                return;
+            }
+            pendingStdoutWrite = pendingStdoutWrite
+                .then(async () => {
+                if (stdoutSpillError)
+                    return;
+                if (!stdoutSpillHandle || !stdoutSpillPath) {
+                    const tempFile = await openSecureTempFile(PROCESS_STDOUT_SPILL_FILE_PREFIX, ".json");
+                    stdoutSpillHandle = tempFile.fileHandle;
+                    stdoutSpillPath = tempFile.path;
+                    if (stdoutBuffers.length > 0) {
+                        await writeSecureTempChunk({
+                            content: Buffer.concat(stdoutBuffers),
+                            fileHandle: stdoutSpillHandle,
+                            path: stdoutSpillPath,
+                        });
+                        stdoutBuffers = [];
+                        stdoutBufferedBytes = 0;
+                    }
+                }
+                await writeSecureTempChunk({ content: buffer, fileHandle: stdoutSpillHandle, path: stdoutSpillPath });
+            })
+                .catch((error) => {
+                stdoutSpillError = error instanceof Error ? error : new Error(String(error));
+            });
+        };
+        const removeAbortListener = () => {
+            if (!signal || !abortListener)
+                return;
+            signal.removeEventListener("abort", abortListener);
+            abortListener = undefined;
+        };
+        const finish = (exitCode) => {
+            if (settled)
+                return;
+            settled = true;
+            void pendingStdoutWrite.finally(async () => {
+                removeAbortListener();
+                if (killTimer) {
+                    clearTimeout(killTimer);
+                }
+                if (timeoutTimer) {
+                    clearTimeout(timeoutTimer);
+                }
+                completionWatcher?.clear();
+                if (stdoutSpillHandle) {
+                    await stdoutSpillHandle.close().catch(() => undefined);
+                }
+                if (!spawnError && stdoutSpillError) {
+                    spawnError = stdoutSpillError;
+                }
+                // Idempotent teardown: streams may already be destroyed by the post-`exit` fallback.
+                destroySpawnedChildStreams(child);
+                resolve({
+                    aborted,
+                    exitCode,
+                    spawnError,
+                    stderr,
+                    stdout: stdoutSpillPath ? stdoutTail : Buffer.concat(stdoutBuffers).toString("utf8"),
+                    stdoutSpillPath,
+                    timedOut,
+                    timeoutMs: timedOut ? timeoutMs : undefined,
+                });
+            });
+        };
+        const spawnCommand = buildAgentBrowserSpawnCommand(args);
+        const child = spawn(spawnCommand.command, spawnCommand.args, {
+            cwd,
+            env: buildAgentBrowserProcessEnv(processEnv, effectiveEnv),
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+        const terminateChild = (reason) => {
+            if (settled)
+                return;
+            if (reason === "abort") {
+                aborted = true;
+            }
+            else {
+                timedOut = true;
+            }
+            terminateSpawnedChild(child, "SIGTERM");
+            killTimer = setTimeout(() => {
+                terminateSpawnedChild(child, "SIGKILL");
+            }, 2_000);
+        };
+        const recordStdinError = (error) => {
+            const stdinError = error instanceof Error ? error : new Error(String(error));
+            const errorCode = stdinError.code;
+            if (errorCode === "EPIPE" || errorCode === "EOF" || errorCode === "ERR_STREAM_DESTROYED") {
+                return;
+            }
+            if (!spawnError) {
+                spawnError = stdinError;
+            }
+        };
+        const writeChildStdin = () => {
+            if (aborted || signal?.aborted) {
+                child.stdin.destroy();
+                return;
+            }
+            try {
+                if (stdin) {
+                    child.stdin.write(stdin);
+                }
+                child.stdin.end();
+            }
+            catch (error) {
+                recordStdinError(error);
+                child.stdin.destroy();
+            }
+        };
+        child.stdin.on("error", recordStdinError);
+        child.once("error", (error) => {
+            spawnError = error instanceof Error ? error : new Error(String(error));
+            finish(resolveSpawnedChildExitCode({
+                useExitFallback: false,
+                timedOut,
+                spawnError,
+            }));
+        });
+        completionWatcher = watchSpawnedChildCompletion(child, {
+            graceMs: EXIT_STDIO_GRACE_MS,
+            onComplete: finish,
+            getContext: () => ({ timedOut, spawnError }),
+        });
+        child.stdout.on("data", (chunk) => {
+            queueStdoutChunk(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr = appendTail(stderr, chunk.toString(), MAX_BUFFERED_STDERR_CHARS);
+        });
+        if (timeoutMs > 0) {
+            timeoutTimer = setTimeout(() => terminateChild("timeout"), timeoutMs);
+            timeoutTimer.unref?.();
+        }
+        if (signal) {
+            if (signal.aborted) {
+                terminateChild("abort");
+            }
+            else {
+                abortListener = () => terminateChild("abort");
+                signal.addEventListener("abort", abortListener, { once: true });
+            }
+        }
+        writeChildStdin();
+    });
+}