fix(mcp): guard shared playwright browser

Author: skulidropek

packages/app/src/docker-git/cli/usage.ts

@@ -94,6 +94,8 @@ Container runtime env (set via .orch/env/project.env):
   DOCKER_GIT_ZSH_AUTOSUGGEST_STYLE=...  zsh-autosuggestions highlight style (default: fg=8,italic)
   DOCKER_GIT_ZSH_AUTOSUGGEST_STRATEGY=...  Suggestion sources (default: history completion)
   MCP_PLAYWRIGHT_ISOLATED=1|0           Isolated browser contexts (recommended for many Codex; default: 1)
+  MCP_PLAYWRIGHT_CDP_GUARD=1|0          Guard CDP so MCP cannot close/crash shared Chromium (default: 1)
+  MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE=1|0  Block destructive Browser.close/crash CDP methods (default: 1)
   MCP_PLAYWRIGHT_CDP_ENDPOINT=http://...  Override CDP endpoint (default: http://dg-<repo>-browser:9223)
   MCP_PLAYWRIGHT_RETRY_ATTEMPTS=<n>     Retry attempts for browser sidecar startup wait (default: 10)
   MCP_PLAYWRIGHT_RETRY_DELAY=<seconds>  Delay between retry attempts (default: 2)

packages/app/src/lib/core/templates-entrypoint/base.ts

@@ -30,6 +30,8 @@ AGENT_AUTO="\${AGENT_AUTO:-}"
 MCP_PLAYWRIGHT_ENABLE="\${MCP_PLAYWRIGHT_ENABLE:-${config.enableMcpPlaywright ? "1" : "0"}}"
 MCP_PLAYWRIGHT_CDP_ENDPOINT="\${MCP_PLAYWRIGHT_CDP_ENDPOINT:-}"
 MCP_PLAYWRIGHT_ISOLATED="\${MCP_PLAYWRIGHT_ISOLATED:-1}"
+MCP_PLAYWRIGHT_CDP_GUARD="\${MCP_PLAYWRIGHT_CDP_GUARD:-1}"
+MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE="\${MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE:-1}"
 
 SSH_ENV_PATH="/home/${config.sshUser}/.ssh/environment"
 

packages/app/src/lib/core/templates/docker-compose.ts

@@ -102,6 +102,8 @@ const buildPlaywrightFragments = (
     maybeBrowserService:
       `\n  ${browserServiceName}:\n    build:\n      context: .\n      dockerfile: ${browserDockerfile}\n    container_name: ${browserContainerName}\n    restart: unless-stopped\n${
         renderResourceLimits(resourceLimits)
+      }${
+        renderEnvFiles(config)
       }    environment:\n      VNC_NOPW: "1"\n    shm_size: "2gb"\n    expose:\n      - "9223"\n    dns:\n      - 8.8.8.8\n      - 8.8.4.4\n      - 1.1.1.1\n    volumes:\n      - ${browserVolumeName}:/data\n    networks:\n      - ${networkName}\n`,
     maybeBrowserVolume: `  ${browserVolumeName}:`
   }

packages/app/src/lib/core/templates/dockerfile.ts

@@ -119,8 +119,7 @@ RUN ARCH="$(uname -m)" \
 
 const dockerfilePlaywrightMcpBlock = String.raw`RUN npm install -g @playwright/mcp@latest
 
-# docker-git: wrapper that converts a CDP HTTP endpoint into a usable WS endpoint
-# Some Chromium images return webSocketDebuggerUrl pointing at 127.0.0.1 (container-local).
+# docker-git: wrapper that waits for the guarded CDP endpoint before launching Playwright MCP.
 RUN cat <<'EOF' > /usr/local/bin/docker-git-playwright-mcp
 #!/usr/bin/env bash
 set -euo pipefail
@@ -150,6 +149,7 @@ fi
 # COMPLEXITY: O(max_attempts * timeout_per_attempt)
 MCP_PLAYWRIGHT_RETRY_ATTEMPTS="\${MCP_PLAYWRIGHT_RETRY_ATTEMPTS:-10}"
 MCP_PLAYWRIGHT_RETRY_DELAY="\${MCP_PLAYWRIGHT_RETRY_DELAY:-2}"
+MCP_PLAYWRIGHT_CDP_GUARD="\${MCP_PLAYWRIGHT_CDP_GUARD:-1}"
 
 fetch_cdp_version() {
   curl -sSf --connect-timeout 3 --max-time 10 -H 'Host: 127.0.0.1:9222' "\${CDP_ENDPOINT%/}/json/version" 2>/dev/null
@@ -171,7 +171,19 @@ if [[ -z "$JSON" ]]; then
   exit 1
 fi
 
+EXTRA_ARGS=()
+if [[ "\${MCP_PLAYWRIGHT_ISOLATED:-1}" == "1" ]]; then
+  EXTRA_ARGS+=(--isolated)
+fi
+
+# Guarded endpoints are stable HTTP CDP endpoints. Passing the HTTP URL lets Playwright MCP
+# re-resolve /json/version instead of pinning itself to one stale /devtools/browser/<id>.
+if [[ "$MCP_PLAYWRIGHT_CDP_GUARD" == "1" ]]; then
+  exec playwright-mcp --cdp-endpoint "$CDP_ENDPOINT" "\${EXTRA_ARGS[@]}" "$@"
+fi
+
 # kechangdev/browser-vnc binds Chromium CDP on 127.0.0.1:9222; it also host-checks HTTP requests.
+# When the guard is disabled, preserve the old behavior by converting the HTTP endpoint to WS.
 WS_URL="$(printf "%s" "$JSON" | node -e 'const fs=require("fs"); const j=JSON.parse(fs.readFileSync(0,"utf8")); process.stdout.write(j.webSocketDebuggerUrl || "")')"
 if [[ -z "$WS_URL" ]]; then
   echo "docker-git-playwright-mcp: webSocketDebuggerUrl missing" >&2
@@ -182,11 +194,6 @@ fi
 BASE_WS="$(CDP_ENDPOINT="$CDP_ENDPOINT" node -e 'const { URL } = require("url"); const u=new URL(process.env.CDP_ENDPOINT); const proto=u.protocol==="https:"?"wss:":"ws:"; process.stdout.write(proto + "//" + u.host)')"
 WS_REWRITTEN="$(BASE_WS="$BASE_WS" WS_URL="$WS_URL" node -e 'const { URL } = require("url"); const base=new URL(process.env.BASE_WS); const ws=new URL(process.env.WS_URL); ws.protocol=base.protocol; ws.host=base.host; process.stdout.write(ws.toString())')"
 
-EXTRA_ARGS=()
-if [[ "\${MCP_PLAYWRIGHT_ISOLATED:-1}" == "1" ]]; then
-  EXTRA_ARGS+=(--isolated)
-fi
-
 exec playwright-mcp --cdp-endpoint "$WS_REWRITTEN" "\${EXTRA_ARGS[@]}" "$@"
 EOF
 RUN chmod +x /usr/local/bin/docker-git-playwright-mcp`

packages/app/src/lib/core/templates/playwright.ts

@@ -2,9 +2,15 @@
 export const renderPlaywrightBrowserDockerfile = (): string =>
   `FROM kechangdev/browser-vnc:latest
 
-# bash for noVNC startup, procps for ps -p used by novnc_proxy, socat for CDP proxy
-# python3/net-tools for diagnostics
-RUN apk add --no-cache bash procps socat python3 net-tools
+# bash for noVNC startup, procps for ps -p used by novnc_proxy, socat for CDP fallback
+# nodejs/npm/ws for the CDP guard, python3/net-tools for diagnostics
+RUN apk add --no-cache bash procps socat nodejs npm python3 net-tools
+RUN npm install --omit=dev --prefix /opt/docker-git-cdp-guard ws@8.18.3
+
+RUN cat <<'EOF' > /usr/local/bin/docker-git-cdp-guard
+${cdpGuardScript}
+EOF
+RUN chmod +x /usr/local/bin/docker-git-cdp-guard
 
 COPY mcp-playwright-start-extra.sh /usr/local/bin/mcp-playwright-start-extra.sh
 RUN chmod +x /usr/local/bin/mcp-playwright-start-extra.sh
@@ -13,6 +19,231 @@ RUN chmod +x /usr/local/bin/mcp-playwright-start-extra.sh
 # Clear stale Chromium profile locks before boot
 ENTRYPOINT ["/bin/sh", "-lc", "rm -f /data/SingletonLock /data/SingletonCookie /data/SingletonSocket || true; /usr/local/bin/mcp-playwright-start-extra.sh & exec /start.sh"]`
 
+const cdpGuardScript = String.raw`#!/usr/bin/env node
+"use strict";
+
+const http = require("node:http");
+const { URL } = require("node:url");
+const { WebSocket, WebSocketServer } = require("/opt/docker-git-cdp-guard/node_modules/ws");
+
+const upstreamHost = process.env.MCP_PLAYWRIGHT_UPSTREAM_CDP_HOST || "127.0.0.1";
+const upstreamPort = Number.parseInt(process.env.MCP_PLAYWRIGHT_UPSTREAM_CDP_PORT || "9222", 10);
+const listenHost = process.env.MCP_PLAYWRIGHT_CDP_GUARD_HOST || "0.0.0.0";
+const listenPort = Number.parseInt(process.env.MCP_PLAYWRIGHT_CDP_GUARD_PORT || "9223", 10);
+const blockedMethods = new Set(["Browser.close", "Browser.crash", "Browser.crashGpuProcess"]);
+
+const log = (message) => process.stderr.write("[docker-git-cdp-guard] " + message + "\n");
+
+const shouldBlockBrowserClose = () => process.env.MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE !== "0";
+
+const requestHost = (request) => {
+  const host = request.headers.host;
+  return typeof host === "string" && host.length > 0 ? host : "127.0.0.1:" + listenPort;
+};
+
+const rewriteWebSocketUrl = (value, host) => {
+  try {
+    const url = new URL(value);
+    url.protocol = "ws:";
+    url.host = host;
+    return url.toString();
+  } catch {
+    return value;
+  }
+};
+
+const rewriteDebuggerUrls = (value, host) => {
+  if (Array.isArray(value)) {
+    return value.map((item) => rewriteDebuggerUrls(item, host));
+  }
+  if (value === null || typeof value !== "object") {
+    return value;
+  }
+  return Object.fromEntries(
+    Object.entries(value).map(([key, child]) => [
+      key,
+      key === "webSocketDebuggerUrl" && typeof child === "string"
+        ? rewriteWebSocketUrl(child, host)
+        : rewriteDebuggerUrls(child, host)
+    ])
+  );
+};
+
+const rewriteJsonBody = (body, host) => {
+  try {
+    return Buffer.from(JSON.stringify(rewriteDebuggerUrls(JSON.parse(body.toString("utf8")), host)));
+  } catch {
+    return body;
+  }
+};
+
+const proxyHttp = (request, response) => {
+  const chunks = [];
+  request.on("data", (chunk) => chunks.push(chunk));
+  request.on("end", () => {
+    const headers = { ...request.headers, host: upstreamHost + ":" + upstreamPort };
+    delete headers.connection;
+    delete headers["content-length"];
+    const upstream = http.request(
+      {
+        hostname: upstreamHost,
+        port: upstreamPort,
+        method: request.method,
+        path: request.url || "/",
+        headers
+      },
+      (upstreamResponse) => {
+        const upstreamChunks = [];
+        upstreamResponse.on("data", (chunk) => upstreamChunks.push(chunk));
+        upstreamResponse.on("end", () => {
+          const rawBody = Buffer.concat(upstreamChunks);
+          const body = (request.url || "/").startsWith("/json")
+            ? rewriteJsonBody(rawBody, requestHost(request))
+            : rawBody;
+          const responseHeaders = { ...upstreamResponse.headers };
+          delete responseHeaders["content-length"];
+          delete responseHeaders["content-encoding"];
+          response.writeHead(upstreamResponse.statusCode || 502, responseHeaders);
+          response.end(body);
+        });
+      }
+    );
+    upstream.on("error", (error) => {
+      response.writeHead(502, { "content-type": "text/plain; charset=utf-8" });
+      response.end("CDP upstream unavailable: " + error.message + "\n");
+    });
+    upstream.end(Buffer.concat(chunks));
+  });
+};
+
+const fetchCurrentBrowserPath = () =>
+  new Promise((resolve, reject) => {
+    const request = http.get(
+      {
+        hostname: upstreamHost,
+        port: upstreamPort,
+        path: "/json/version",
+        headers: { host: upstreamHost + ":" + upstreamPort }
+      },
+      (response) => {
+        const chunks = [];
+        response.on("data", (chunk) => chunks.push(chunk));
+        response.on("end", () => {
+          try {
+            const parsed = JSON.parse(Buffer.concat(chunks).toString("utf8"));
+            const raw = typeof parsed.webSocketDebuggerUrl === "string" ? parsed.webSocketDebuggerUrl : "";
+            const path = raw.length > 0 ? new URL(raw).pathname : "";
+            path.length > 0 ? resolve(path) : reject(new Error("webSocketDebuggerUrl missing"));
+          } catch (error) {
+            reject(error);
+          }
+        });
+      }
+    );
+    request.on("error", reject);
+  });
+
+const upstreamPathFor = async (rawPath) => {
+  const path = rawPath || "/";
+  return path.startsWith("/devtools/browser/") ? await fetchCurrentBrowserPath() : path;
+};
+
+const parseMessage = (data) => JSON.parse(Buffer.isBuffer(data) ? data.toString("utf8") : String(data));
+
+const isBlockedCdpMessage = (data) => {
+  if (!shouldBlockBrowserClose()) {
+    return false;
+  }
+  try {
+    const message = parseMessage(data);
+    return message !== null && typeof message === "object" && blockedMethods.has(message.method);
+  } catch {
+    return false;
+  }
+};
+
+const blockedCdpResponse = (data) => {
+  try {
+    const message = parseMessage(data);
+    return Object.prototype.hasOwnProperty.call(message, "id")
+      ? JSON.stringify({ id: message.id, result: {} })
+      : "";
+  } catch {
+    return "";
+  }
+};
+
+const handleWebSocket = async (client, request) => {
+  const pending = [];
+  let upstream = null;
+  const forwardToUpstream = (data, isBinary) => {
+    if (!upstream || upstream.readyState !== WebSocket.OPEN) {
+      pending.push([data, isBinary]);
+      return;
+    }
+    if (!isBinary && isBlockedCdpMessage(data)) {
+      const response = blockedCdpResponse(data);
+      if (response.length > 0 && client.readyState === WebSocket.OPEN) {
+        client.send(response);
+      }
+      return;
+    }
+    upstream.send(data, { binary: isBinary });
+  };
+
+  client.on("message", forwardToUpstream);
+
+  try {
+    const upstreamPath = await upstreamPathFor(request.url || "/");
+    upstream = new WebSocket("ws://" + upstreamHost + ":" + upstreamPort + upstreamPath, {
+      headers: { host: upstreamHost + ":" + upstreamPort }
+    });
+    upstream.on("open", () => {
+      for (const [data, isBinary] of pending.splice(0)) {
+        forwardToUpstream(data, isBinary);
+      }
+    });
+    upstream.on("message", (data, isBinary) => {
+      if (client.readyState === WebSocket.OPEN) {
+        client.send(data, { binary: isBinary });
+      }
+    });
+    upstream.on("close", (code, reason) => {
+      if (client.readyState === WebSocket.OPEN) {
+        client.close(code, reason);
+      }
+    });
+    upstream.on("error", (error) => {
+      log("upstream websocket error: " + error.message);
+      if (client.readyState === WebSocket.OPEN) {
+        client.close(1011, "CDP upstream websocket error");
+      }
+    });
+    client.on("close", () => {
+      if (upstream && upstream.readyState === WebSocket.OPEN) {
+        upstream.close();
+      }
+    });
+  } catch (error) {
+    log("websocket setup failed: " + error.message);
+    client.close(1011, "CDP upstream unavailable");
+  }
+};
+
+const server = http.createServer(proxyHttp);
+const wss = new WebSocketServer({ noServer: true });
+
+server.on("upgrade", (request, socket, head) => {
+  wss.handleUpgrade(request, socket, head, (client) => {
+    handleWebSocket(client, request);
+  });
+});
+
+server.listen(listenPort, listenHost, () => {
+  log("listening on " + listenHost + ":" + listenPort + " -> " + upstreamHost + ":" + upstreamPort);
+});
+`
+
 export const renderPlaywrightStartExtra = (): string =>
   `#!/bin/sh
 set -eu
@@ -23,8 +254,12 @@ rm -f /data/SingletonLock /data/SingletonCookie /data/SingletonSocket || true
 # Wait for chromium/x11vnc/noVNC to come up
 sleep 2
 
-# CDP proxy: expose 9223 on the docker network, forward to 127.0.0.1:9222 inside the browser container
-socat TCP-LISTEN:9223,fork,reuseaddr TCP:127.0.0.1:9222 >/var/log/socat-9223.log 2>&1 &
+# CDP guard: expose 9223 on the docker network and block browser-level destructive CDP methods
+if [ "\${MCP_PLAYWRIGHT_CDP_GUARD:-1}" = "1" ]; then
+  docker-git-cdp-guard >/var/log/docker-git-cdp-guard.log 2>&1 &
+else
+  socat TCP-LISTEN:9223,fork,reuseaddr TCP:127.0.0.1:9222 >/var/log/socat-9223.log 2>&1 &
+fi
 
 # Optional VNC password disabling (useful if you publish VNC/noVNC ports)
 if [ "\${VNC_NOPW:-1}" = "1" ]; then

packages/app/src/lib/usecases/actions/prepare-files.ts

@@ -231,6 +231,8 @@ const defaultProjectEnvContents = [
   "DOCKER_GIT_ZSH_AUTOSUGGEST_STYLE=fg=8,italic",
   "DOCKER_GIT_ZSH_AUTOSUGGEST_STRATEGY=history completion",
   "MCP_PLAYWRIGHT_ISOLATED=1",
+  "MCP_PLAYWRIGHT_CDP_GUARD=1",
+  "MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE=1",
   ""
 ].join("\n")
 

packages/lib/src/core/templates-entrypoint/base.ts

@@ -29,6 +29,8 @@ AGENT_AUTO="\${AGENT_AUTO:-}"
 MCP_PLAYWRIGHT_ENABLE="\${MCP_PLAYWRIGHT_ENABLE:-${config.enableMcpPlaywright ? "1" : "0"}}"
 MCP_PLAYWRIGHT_CDP_ENDPOINT="\${MCP_PLAYWRIGHT_CDP_ENDPOINT:-}"
 MCP_PLAYWRIGHT_ISOLATED="\${MCP_PLAYWRIGHT_ISOLATED:-1}"
+MCP_PLAYWRIGHT_CDP_GUARD="\${MCP_PLAYWRIGHT_CDP_GUARD:-1}"
+MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE="\${MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE:-1}"
 
 SSH_ENV_PATH="/home/${config.sshUser}/.ssh/environment"
 

packages/lib/src/core/templates/docker-compose.ts

@@ -101,6 +101,8 @@ const buildPlaywrightFragments = (
     maybeBrowserService:
       `\n  ${browserServiceName}:\n    build:\n      context: .\n      dockerfile: ${browserDockerfile}\n    container_name: ${browserContainerName}\n    restart: unless-stopped\n${
         renderResourceLimits(resourceLimits)
+      }${
+        renderEnvFiles(config)
       }    environment:\n      VNC_NOPW: "1"\n    shm_size: "2gb"\n    expose:\n      - "9223"\n    dns:\n      - 8.8.8.8\n      - 8.8.4.4\n      - 1.1.1.1\n    volumes:\n      - ${browserVolumeName}:/data\n    networks:\n      - ${networkName}\n`,
     maybeBrowserVolume: `  ${browserVolumeName}:`
   }