infra/cli/browser_stealth.js

// Minimal stealth init script for Playwright-driven Chromium.
// Vendored from puppeteer-extra-plugin-stealth/evasions/* (MIT) — covers:
//   webdriver, chrome.runtime, navigator.plugins, navigator.languages,
//   Permissions.query, WebGL getParameter (vendor + renderer spoof).
// Run via context.add_init_script() so it executes before any page script.
(() => {
  // navigator.webdriver — most common detection, removed entirely.
  Object.defineProperty(Navigator.prototype, 'webdriver', { get: () => undefined });

  // window.chrome.runtime — many sites check that real Chrome exposes this.
  if (!window.chrome) window.chrome = {};
  window.chrome.runtime = window.chrome.runtime || {};

  // navigator.plugins — headless reports zero; spoof a plausible PDF viewer.
  Object.defineProperty(navigator, 'plugins', {
    get: () => [{ name: 'Chrome PDF Plugin' }, { name: 'Chrome PDF Viewer' }, { name: 'Native Client' }],
  });

  // navigator.languages — headless returns empty array.
  Object.defineProperty(navigator, 'languages', { get: () => ['en-US', 'en'] });

  // Permissions.query — headless returns 'denied' for notifications instead of 'default'.
  const origQuery = window.navigator.permissions && window.navigator.permissions.query;
  if (origQuery) {
    window.navigator.permissions.query = (parameters) =>
      parameters && parameters.name === 'notifications'
        ? Promise.resolve({ state: Notification.permission })
        : origQuery(parameters);
  }

  // WebGL getParameter — spoof vendor + renderer strings to a real GPU.
  const spoofGl = (proto) => {
    if (!proto) return;
    const orig = proto.getParameter;
    proto.getParameter = function (parameter) {
      if (parameter === 37445) return 'Intel Inc.';                   // UNMASKED_VENDOR_WEBGL
      if (parameter === 37446) return 'Intel Iris OpenGL Engine';     // UNMASKED_RENDERER_WEBGL
      return orig.apply(this, arguments);
    };
  };
  spoofGl(window.WebGLRenderingContext && window.WebGLRenderingContext.prototype);
  spoofGl(window.WebGL2RenderingContext && window.WebGL2RenderingContext.prototype);

  // disable-devtool.js (theajack/disable-devtool) auto-inits via a script
  // tag with `disable-devtool-auto`. Its Performance detector trips under
  // Playwright (CDP adds console.log latency vs console.table) and the
  // redirect URL is hard-coded — for hmembeds that's google.com.
  // Hide the auto-init marker so the library's IIFE exits early.
  const origQS = Document.prototype.querySelector;
  Document.prototype.querySelector = function (sel) {
    if (typeof sel === 'string' && sel.indexOf('disable-devtool-auto') !== -1) return null;
    return origQS.apply(this, arguments);
  };
})();
homelab v0.8.0: browser verbs for headful anti-bot web automation Add `homelab browser run\|open` so agents can drive the cluster's headful Chrome (chrome-service) over CDP from the devvm. The headless playwright/mcp browser can load anti-bot sites and fill their forms, but the gated submit silently fails — e.g. the Stirling Ackroyd Fixflo tenant portal returned net::ERR_FILE_NOT_FOUND on its pre-submit check and hung, creating nothing. Driving the real headful Chrome submits first try. That capability already existed but was undiscoverable, so it cost ~40 min + redundant form re-runs to find; now it is one command, versioned, test-covered, and `browser --help` carries the when-to-use signature + an error-code cheat-sheet so the right tool is reached at the right moment (the failure was judgment, not setup). - port-forward svc/chrome-service:9222 (tunnels API-server->pod, so it bypasses the :9222 NetworkPolicy), assert non-headless via /json/version, connect_over_cdp, inject the same vendored stealth.js the in-cluster callers use; the port-forward is always torn down, on success and on error. - node CDP client pinned to playwright-core@1.48.2 to match the v1.48.0-noble image (Chromium 130); self-provisioned lazily into ~/.cache/homelab, no per-user setup. - default is a fresh incognito context (safe for the shared browser + concurrent callers); --shared-context reuses the warmed persistent profile. - TDD: cmd_browser_test.go covers arg parsing, headless detection, the version pin, the help cheat-sheet, and a stealth.js drift guard. Verified end-to-end against bot.sannysoft.com (real Chrome UA, webdriver hidden, plugins/WebGL spoofed) and `browser open`. - docs: README v0.8 section, ADR-0013, and a chrome-service.md "driving from outside the cluster" section. Closes: code-nepg Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-22 12:22:22 +00:00			`// Minimal stealth init script for Playwright-driven Chromium.`
			`// Vendored from puppeteer-extra-plugin-stealth/evasions/* (MIT) — covers:`
			`// webdriver, chrome.runtime, navigator.plugins, navigator.languages,`
			`// Permissions.query, WebGL getParameter (vendor + renderer spoof).`
			`// Run via context.add_init_script() so it executes before any page script.`
			`(() => {`
			`// navigator.webdriver — most common detection, removed entirely.`
			`Object.defineProperty(Navigator.prototype, 'webdriver', { get: () => undefined });`

			`// window.chrome.runtime — many sites check that real Chrome exposes this.`
			`if (!window.chrome) window.chrome = {};`
			`window.chrome.runtime = window.chrome.runtime \|\| {};`

			`// navigator.plugins — headless reports zero; spoof a plausible PDF viewer.`
			`Object.defineProperty(navigator, 'plugins', {`
			`get: () => [{ name: 'Chrome PDF Plugin' }, { name: 'Chrome PDF Viewer' }, { name: 'Native Client' }],`
			`});`

			`// navigator.languages — headless returns empty array.`
			`Object.defineProperty(navigator, 'languages', { get: () => ['en-US', 'en'] });`

			`// Permissions.query — headless returns 'denied' for notifications instead of 'default'.`
			`const origQuery = window.navigator.permissions && window.navigator.permissions.query;`
			`if (origQuery) {`
			`window.navigator.permissions.query = (parameters) =>`
			`parameters && parameters.name === 'notifications'`
			`? Promise.resolve({ state: Notification.permission })`
			`: origQuery(parameters);`
			`}`

			`// WebGL getParameter — spoof vendor + renderer strings to a real GPU.`
			`const spoofGl = (proto) => {`
			`if (!proto) return;`
			`const orig = proto.getParameter;`
			`proto.getParameter = function (parameter) {`
			`if (parameter === 37445) return 'Intel Inc.'; // UNMASKED_VENDOR_WEBGL`
			`if (parameter === 37446) return 'Intel Iris OpenGL Engine'; // UNMASKED_RENDERER_WEBGL`
			`return orig.apply(this, arguments);`
			`};`
			`};`
			`spoofGl(window.WebGLRenderingContext && window.WebGLRenderingContext.prototype);`
			`spoofGl(window.WebGL2RenderingContext && window.WebGL2RenderingContext.prototype);`

			`// disable-devtool.js (theajack/disable-devtool) auto-inits via a script`
			// tag with `disable-devtool-auto`. Its Performance detector trips under
			`// Playwright (CDP adds console.log latency vs console.table) and the`
			`// redirect URL is hard-coded — for hmembeds that's google.com.`
			`// Hide the auto-init marker so the library's IIFE exits early.`
			`const origQS = Document.prototype.querySelector;`
			`Document.prototype.querySelector = function (sel) {`
			`if (typeof sel === 'string' && sel.indexOf('disable-devtool-auto') !== -1) return null;`
			`return origQS.apply(this, arguments);`
			`};`
			`})();`