feat(tool): add browser automation via Chrome DevTools Protocol (CDP)

[Yourdaylight]

Summary

Implement a BrowserTool that provides browser automation capabilities through direct CDP (Chrome DevTools Protocol) WebSocket connection. This addresses Issue #293 (Browser Automation) from the project roadmap.

Key design choices:

• Go-native CDP client using gorilla/websocket (already in go.mod — zero new dependencies)
• Optional via //go:build cdp — default builds have zero browser code; go build -tags cdp enables full support
• Borrowed [N]-indexed DOM state from opencli for LLM-friendly structured output at zero vision token cost
• 13 stealth anti-detection patches to avoid website bot detection

Features

Action	Description
navigate	Open URL, wait for load
state	Extract [N]-indexed interactive DOM elements (core action)
click [N]	Click element by index
type [N] "text"	Type into element
fill [N] "text"	Clear + type into element
select [N] "option"	Select dropdown option
screenshot	Capture PNG, deliver via MediaStore to user
get_text [N]	Extract element text/value
scroll up/down	Scroll page
keys <key>	Keyboard input (Enter, Tab, etc.)
evaluate <js>	Run JavaScript (opt-in via config)
close	Close browser session

Security

• SSRF protection via net.ParseIP — blocks private/loopback/link-local/metadata IPs
• JS evaluate disabled by default (allow_evaluate: false)
• Concurrent-safe lazy CDP connection (sync.Mutex)
• Screenshot temp files cleaned up properly
• Safe JS string embedding via json.Marshal (not fmt.Sprintf %q)

Browsing History

Tracks visited pages and includes compact history summary in state output:

Browsing history (3 pages):
  1. Example Domain — https://example.com/
  2. Sign in to GitHub — https://github.com/login
> 3. Hacker News — https://news.ycombinator.com/

Current page: Hacker News
URL: https://news.ycombinator.com/

Interactive elements (25):
[0] a "Hacker News"
[1] a "new"
...

Files

New (7 files, +2230 lines):

• pkg/tools/browser.go — BrowserTool core (Tool interface, 12 actions)
• pkg/tools/browser_cdp.go — CDP WebSocket client
• pkg/tools/browser_cdp_util.go — Chrome path auto-detection (macOS/Linux/Windows)
• pkg/tools/browser_stealth.go — 13 anti-detection JS patches
• pkg/tools/browser_stub.go — Stub for non-CDP builds
• pkg/tools/browser_test.go — Unit tests (8 tests)
• pkg/tools/browser_integration_test.go — Integration tests (9 tests)

Modified (2 files):

• pkg/config/config.go — BrowserToolConfig struct + IsToolEnabled("browser")
• pkg/agent/instance.go — Browser tool registration

Test plan

• go build (default) compiles without browser code
• go build -tags cdp compiles with full browser support
• go vet passes for both build tag variants
• Unit tests pass (8/8): Chrome detection, URL validation, stealth JS, params
• Integration tests pass (9/9): navigate, state, screenshot, click, type, evaluate, stealth, scroll, SSRF blocking, temp file cleanup
• E2E verified against Chrome 146 headless: example.com, GitHub login page, Hacker News
• GitHub login form correctly detected: username input, password input, submit button
• Stealth: navigator.webdriver === false confirmed
• SSRF: localhost, 127.0.0.1, 10.x, 192.168.x, 172.16.x, [::1], 169.254.169.254 all blocked

Ref: #293

[CLAassistant]

All committers have signed the CLA.

[Copilot]

Pull request overview

Adds an optional (build-tagged) CDP-based browser automation tool to PicoClaw, enabling agents to navigate pages, extract structured DOM state, interact with elements, and capture screenshots, while integrating with existing tool registration and config.

Changes:

• Introduces BrowserTool (CDP build tag) with actions like navigate/state/click/type/screenshot/evaluate plus stealth patches and browsing history.
• Implements a lightweight CDP WebSocket client and Chrome executable discovery utilities.
• Wires the tool into configuration (BrowserToolConfig, IsToolEnabled("browser")) and agent tool registration; adds unit + integration tests.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
pkg/tools/browser.go	Core BrowserTool implementation (actions, SSRF guard, history, screenshot/media integration).
pkg/tools/browser_cdp.go	CDP WebSocket client for sending commands and handling events.
pkg/tools/browser_cdp_util.go	Chrome/Chromium path discovery + launch arg helper.
pkg/tools/browser_stealth.go	Stealth JS patches injected on new documents.
pkg/tools/browser_stub.go	Non-CDP build stub returning “not compiled” errors.
pkg/tools/browser_test.go	Unit tests for URL validation, chrome detection, stealth JS, args helpers.
pkg/tools/browser_integration_test.go	CDP integration tests behind integration tag.
pkg/config/config.go	Adds BrowserToolConfig and enables tools.browser gating via IsToolEnabled.
pkg/agent/instance.go	Registers browser tool when enabled (warns if unavailable).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

screenshot returns ResponseHandled=true and tells the user the screenshot was sent even when mediaStore is nil or when mediaStore.Store fails (in both cases mediaRef stays empty). This makes the tool report success without delivering any media, and the deferred temp-file cleanup also removes the only copy. Consider returning an error when no MediaStore is configured (similar to send_file), or returning an artifact path/ref that can actually be delivered; also treat Store failures as tool errors rather than silent warnings.

[Copilot]

scroll accepts any direction value (and even an empty one) because argument validation currently doesn't enforce the schema enum. For invalid/empty directions the code scrolls down by default but returns a misleading message (e.g. "Scrolled "). Add explicit validation (only "up"/"down") and return an error for anything else.

[Copilot]

Several actions ignore JSON unmarshal failures from CDP Evaluate results (e.g. select ignores both unmarshals). If parsing fails, the code can incorrectly report success with empty fields. Please handle json.Unmarshal errors and surface a tool error when the CDP/JS result isn't in the expected shape.

[Copilot]

get_text ignores errors from both json.Unmarshal calls. If CDP returns a non-string/non-JSON value, this can silently produce an empty resultStr/Text and mislead the agent. Handle unmarshal errors and return an ErrorResult when parsing fails.

[Copilot]

The SSRF check only blocks literal IP hosts and a few hard-coded hostnames; it does not resolve DNS for normal hostnames. An attacker can supply a hostname that resolves to a private/loopback/metadata IP and bypass this check. To make the claimed SSRF protection real, resolve A/AAAA records (and ideally re-check redirects) and block if any resolved IP is private/loopback/link-local/unspecified/metadata.

[Copilot]

Close() iterates pending requests and does a blocking send into each p.ch. If a request already has a response buffered (channel size 1) and Close() races with readLoop, this send can block indefinitely. Use a non-blocking send (select { case ch<-...: default: }), close the channel, or store cancellation state in the pending struct to avoid deadlock during shutdown.

[Copilot]

removeHandler's identity check is brittle: &handlers[i] == nil is unreachable, and comparing fmt.Sprintf("%p", fn) for func values relies on formatting behavior rather than a stable identifier. If removal fails, handlers will leak and keep firing. Consider changing On to return a handler ID/token (or store uintptr from reflect.ValueOf(fn).Pointer() alongside the handler) and remove by that, or maintain per-event slices of structs {id, fn}.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 12 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

NewBrowserTool's doc comment says it "attempts to connect to the CDP endpoint" and will error if the connection fails, but the implementation only discovers Chrome and defers the CDP connection to connectIfNeeded() on first Execute(). Update the comment (or eagerly connect) so callers have correct expectations about when failures surface.

[Copilot]

scrollIntoView is called with behavior: 'instant', but ScrollBehavior only supports 'auto' and 'smooth'. In Chrome this can throw a TypeError, breaking click/type/fill actions. Use a valid behavior value (e.g. 'auto') or omit the option.

Suggested change

	el.scrollIntoView({block: 'center', behavior: 'instant'});
	el.scrollIntoView({block: 'center', behavior: 'auto'});

[Copilot]

This screenshot path deletes tmpFile after storing it in MediaStore, but MediaStore.Store explicitly does not copy/move the file (it just records a mapping). Removing the file here will make the returned media ref unresolvable/broken later. Keep the file on disk and rely on MediaStore cleanup/release policies instead.

[Copilot]

BrowserTool stores mutable per-session state (history slice, cdp pointer) on the tool instance without synchronizing access. Tool execution can be concurrent, and the codebase explicitly relies on immutable request context to avoid shared mutable state on singleton tools. Add a mutex (or another concurrency-safe state holder) around history updates and close/reset operations (and any other mutable fields).

Suggested change

	cfg config.BrowserToolConfig
	cdp *CDPClient
	cdpMu sync.Mutex // guards lazy cdp connection
	chromePath string
	stealthJS string
	mediaStore media.MediaStore
	history []pageVisit // browsing history, most recent last
	cfg config.BrowserToolConfig
	stateMu sync.Mutex // guards mutable browser session state below, including cdp/history close/reset
	cdp *CDPClient // guarded by stateMu
	history []pageVisit // guarded by stateMu; browsing history, most recent last
	cdpMu sync.Mutex // guards lazy cdp connection orchestration
	chromePath string
	stealthJS string
	mediaStore media.MediaStore

[Copilot]

state() writes data-pcw-idx attributes but never clears previous indices from elements that are no longer considered interactive/visible. A later click/type can still find and act on a stale element by old index, even after telling the user to re-run state. Consider clearing existing [data-pcw-idx] attributes at the start of state(), and/or re-checking visibility in click/type/fill before interacting.

[Copilot]

CDPClient.Send/SendWithTimeout ignores the passed-in context from tool actions; it uses a fixed timer and doesn't set per-call read/write deadlines. As a result, BrowserTool's ctx timeout/cancellation may not be respected while waiting on CDP commands. Consider threading ctx through Send (or adding SendCtx) and using ctx.Deadline/Done to bound both the WebSocket write and the response wait.

[Copilot]

BrowserToolConfig.Timeout is tagged as json/yaml "timeout_seconds" but its env var is PICOCLAW_TOOLS_BROWSER_TIMEOUT. This is inconsistent with other *_TIMEOUT_SECONDS env vars in this config and makes configuration harder to discover. Consider renaming the env tag to PICOCLAW_TOOLS_BROWSER_TIMEOUT_SECONDS (or aligning the field name/tag).

Suggested change

	Timeout int `json:"timeout_seconds" yaml:"timeout_seconds,omitempty" env:"PICOCLAW_TOOLS_BROWSER_TIMEOUT"`
	Timeout int `json:"timeout_seconds" yaml:"timeout_seconds,omitempty" env:"PICOCLAW_TOOLS_BROWSER_TIMEOUT_SECONDS"`

[Copilot]

This integration test asserts result.ForLLM contains "Screenshot captured", but the screenshot implementation returns "Screenshot saved to ..." when no MediaStore is configured (which is the case in setupBrowserTool). This will fail under -tags integration unless a MediaStore is injected or the assertion is updated to match the actual behavior.

[Copilot]

scrollIntoView is called with behavior: 'instant', but ScrollBehavior only supports 'auto' and 'smooth'. This can throw a TypeError and break typing/focus. Use a valid behavior value (e.g. 'auto') or omit the option.

[Copilot]

scrollIntoView is called with behavior: 'instant', but ScrollBehavior only supports 'auto' and 'smooth'. This can throw a TypeError and break fill/clear. Use a valid behavior value (e.g. 'auto') or omit the option.