Add ADE browser CLI proof flow

[arul28]

Summary

• Adds ADE built-in browser CLI control, session targeting, and proof registration flows.
• Wires desktop browser IPC/preload/shared types with project-scoped browser profiles and WebAuthn/session handling.
• Updates Work/chat prompt clipboard behavior, browser panel state, ADE browser skills/help, and proof docs.

Validation

• npm --prefix apps/ade-cli run test
• npm --prefix apps/ade-cli run typecheck
• npm --prefix apps/ade-cli run build
• npm --prefix apps/desktop run typecheck
• npm --prefix apps/desktop run lint (passes with existing warnings)
• npm --prefix apps/desktop run build
• npx vitest run src/main/services/builtInBrowser/builtInBrowserService.test.ts src/main/services/builtInBrowser/builtInBrowserWebAuthn.test.ts src/main/services/computerUse/computerUseArtifactBrokerService.test.ts
• npx vitest run src/renderer/components/chat/AgentChatComposer.test.tsx src/renderer/components/chat/AgentChatPane.test.tsx src/renderer/components/terminals/WorkSidebar.test.tsx src/renderer/components/terminals/WorkViewArea.test.tsx
• post-rebase: npm --prefix apps/ade-cli run typecheck, npm --prefix apps/desktop run typecheck, and targeted desktop browser/chat tests

Risks

• Browser attach/profile isolation is intentionally strict; attached webviews must match the current project browser profile partition.
• Existing desktop lint warnings remain outside this lane scope.

  Open in ADE  ·  ade/ade-browser-1d208e91 branch  ·  PR #512

Greptile Summary

This PR introduces the ADE Browser — a project-scoped built-in browser with full agent automation capabilities, replacing the previous global single-partition model with per-project Electron sessions and per-tab ownership/leasing.

• Project-scoped browser profiles: Tabs, cookies, and storage are now isolated by project root (SHA256-keyed Electron partition). builtInBrowserService manages multiple window×profile service instances and routes API calls by project root or source window.
• Agent action API: New observe, click, fill, typeText, dispatchKey, scroll, clear, and wait methods write screenshots and DOM snapshots to disk (.ade/cache/browser-observations/), capture per-tab network/console diagnostics, and record action traces. Corresponding CLI subcommands (browser session, browser observe, browser click, etc.) are added with rich flag support.
• Storage key migration in AgentChatPane: Draft kind keys chat and cli are unified under work-start, with a multi-key read that picks the most recently updated entry for backward compatibility.

Confidence Score: 3/5

The core browser automation machinery is well-structured, but there is a path traversal in the element-handle file lookup that must be fixed before this ships to agents.

The new readObservationElementHandle function builds a file path from a user-supplied element handle whose observation ID is validated by a regex that permits / characters, allowing path.join normalization to read files outside the intended per-tab cache directory. Legitimate observation IDs never contain slashes, so a one-line sanitizePathSegment call on parsed.observationId would close the issue. The rest of the change — project-scoped partitions, per-tab leasing, action tracing, observation pruning — is carefully implemented with appropriate bounds on all user-controlled numeric inputs.

builtInBrowserService.ts around readObservationElementHandle and the parseElementHandle regex; main.ts for the window-activation side effect in getWindowForProjectRoot.

Security Review

• CWE-22 Path Traversal — readObservationElementHandle in builtInBrowserService.ts uses the observationId from a user-supplied element handle directly in path.join without sanitization. The parsing regex (obs-[^:]+) permits / in the observation ID, allowing a crafted handle like obs-x/../../etc/secret:e:1 to traverse outside the intended per-tab cache directory and read arbitrary .json files from the host filesystem. Impact in this desktop context is limited by the tabId field check, but the unauthorized file read and potential in-memory load of large files are present vulnerabilities.

Important Files Changed

Filename	Overview
apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts	Massive expansion adding agent-oriented browser automation: sessions, observations (screenshots + DOM snapshots saved to disk), per-tab ownership/leasing, network/console diagnostics, click/fill/scroll/wait/typeText/dispatchKey actions, action traces, and element-map overlays. Contains a path traversal vulnerability in readObservationElementHandle where unsanitized user-supplied observationId can escape the expected cache directory via path.join. Also has inconsistent deletedCount units in the cleanup result.
apps/desktop/src/shared/types/builtInBrowser.ts	Adds ~200 lines of new type definitions for sessions, observations, diagnostics, action traces, element targets, and agent action args. Types are well-structured with clear optional/nullable distinctions and backward-compatible design for the fill value vs. element-target text field.
apps/ade-cli/src/cli.ts	Adds 800+ lines of new browser subcommands (session lifecycle, observe, click, fill, clear, key, scroll, wait, trace, proof). Arg-parsing helpers follow the established mutation-based pattern. The autoNewOwnedTab heuristic that opens a fresh tab for agent callers without an explicit tab target is a good safety guard.
apps/desktop/src/main/main.ts	Wires up project-root-to-window resolution callbacks and normalizes webview partitions against the new per-project profile prefix. The getWindowForProjectRoot callback may activate (foreground) windows as a side effect of passive API routing calls, which could disrupt user focus unexpectedly.
apps/desktop/src/main/services/ipc/registerIpc.ts	Extends IPC handlers for reload/goBack/goForward/stop/captureScreenshot to accept optional tab-target args, and adds a parseBuiltInBrowserTabTargetArgs helper. Changes look correct and consistent with the new per-tab targeting model.
apps/desktop/src/renderer/components/chat/AgentChatPane.tsx	Migrates launch-config and composer-draft storage keys to a unified work-start kind (shared between chat and cli), reads across multiple legacy keys by picking the most-recently-updated entry, and adds a guard that rejects cursor model configs for incompatible draft kinds. Migration logic is careful and uses Sets to deduplicate keys.
apps/desktop/src/main/services/builtInBrowser/builtInBrowserWebAuthn.ts	Extracts per-session WebAuthn configuration into configureBuiltInBrowserSessionWebAuthn guarded by a module-level WeakSet, enabling each new browser profile partition to get its own WebAuthn handler. The shouldConfigureTouchIdWebAuthn default now enables Touch ID for packaged builds without an explicit env var.
apps/desktop/src/main/services/builtInBrowser/builtInBrowserConstants.ts	Adds BUILT_IN_BROWSER_PROFILE_PREFIX for project-scoped partition names. Simple and correct.

Sequence Diagram

sequenceDiagram
    participant Agent as Agent CLI
    participant Bridge as Desktop Bridge
    participant Service as BuiltInBrowserService
    participant WinService as WindowBrowserService
    participant FS as File System (project/.ade/cache)
    participant WC as WebContents (CDP)

    Agent->>Bridge: browser open url --lane id
    Bridge->>Service: navigate(input, sourceWindow)
    Service->>WinService: navigate(input)
    WinService->>WC: loadURL(url)
    WinService-->>Agent: BuiltInBrowserStatus

    Agent->>Bridge: browser session start --tab id
    Bridge->>Service: startSession(input)
    Service->>WinService: startSession(input)
    WinService-->>Agent: session + status

    Agent->>Bridge: browser observe --browser-session sid --map
    Bridge->>Service: observe(input)
    Service->>WinService: observe(input)
    WinService->>WC: capturePage CDP
    WC-->>WinService: screenshot PNG
    WinService->>WC: Runtime.evaluate BROWSER_DOM_FUNCTION
    WC-->>WinService: DOM snapshot + elements
    WinService->>WC: Runtime.evaluate ELEMENT_MAP_OVERLAY
    WC-->>WinService: element map screenshot
    WinService->>FS: write obs-id.png obs-id.map.png obs-id.json
    WinService->>FS: pruneObservationDirectory keepCount
    WinService-->>Agent: BuiltInBrowserObservation filePath dom elementMap

    Agent->>Bridge: browser click --handle obs-id:e:3
    Bridge->>Service: click(input)
    Service->>WinService: click(input)
    WinService->>FS: readFile obs-id.json element handle lookup
    FS-->>WinService: element snapshot selector center
    WinService->>WC: Input.dispatchMouseEvent CDP
    WinService->>WinService: observe post-action screenshot
    WinService-->>Agent: BuiltInBrowserAgentActionResult ok observation trace

Loading

Prompt To Fix All With AI

Fix the following 3 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 3
apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts:2397-2410
**Path traversal via unsanitized element handle observation ID**

The `parsed.observationId` value comes directly from a user-supplied element handle string and is placed into `path.join` without any sanitization. The `parseElementHandle` regex uses `[^:]` which permits `/` characters, so a crafted handle like `obs-x/../../../../home/user/.secrets:e:1` causes Node's `path.join` to normalize the `..` segments and escape the intended `tabId`-scoped directory. The resulting `fs.readFile` call reads an arbitrary `.json` file from the filesystem. The `tabId` check provides some protection against direct data extraction, but any large or controlled JSON file can still be read into memory (OOM risk) or matched if the tabId is predictable.

The fix is to pass `parsed.observationId` through `sanitizePathSegment` before embedding it in the path — the function already replaces `/`, `\`, and other separators, and legitimate observation IDs (format `obs-<timestamp>-<uuid>`) are not altered by it.

### Issue 2 of 3
apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts:2337-2358
**`deletedCount` counts files, not observations**

`deletedCount` accumulates one per deleted file (`.json` + `.png` + `.map.png` = up to 3 per stale observation), while `keptCount` counts observation records. Callers reading `BuiltInBrowserObservationCleanup` will see `deletedCount` values 3× larger than the number of observations actually pruned, which is misleading when agents or users inspect the cleanup field. Consider either counting observations consistently or renaming the field to `deletedFileCount`.

### Issue 3 of 3
apps/desktop/src/main/main.ts:1110-1139
**`getWindowForProjectRoot` activates windows as a side effect of API routing**

The callback calls `bindWindowToProject` with `foreground: true` whenever `selection.activateProjectRoot` is true. `liveWindowForProjectRoot` (and therefore this callback) is invoked for every browser service call that includes a `projectRoot` field — including passive reads like `browser status` or `observe`. This means a read-only call from an agent can unexpectedly bring a desktop window to the foreground, interrupting the user. Consider separating the "find the right window" logic from "activate it": the activation could happen only for write/navigation operations, or when explicitly requested.

_{Reviews (1): Last reviewed commit: "Add ADE browser CLI proof flow" | Re-trigger Greptile}

Greptile also left 3 inline comments on this PR.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
ade	Ignored	Preview	Jun 2, 2026 7:35am

[coderabbitai]

Warning

Review limit reached

@arul28, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 10 minutes and 48 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 935a3ec0-8ad0-4250-ac1c-b19940bdb51b

📥 Commits

Reviewing files that changed from the base of the PR and between d394fcb and 5647e78.

⛔ Files ignored due to path filters (5)

• docs/ARCHITECTURE.md is excluded by !docs/**
• docs/PRD.md is excluded by !docs/**
• docs/features/agents/README.md is excluded by !docs/**
• docs/features/chat/README.md is excluded by !docs/**
• docs/features/proof.md is excluded by !docs/**

📒 Files selected for processing (35)

• apps/ade-cli/src/bootstrap.ts
• apps/ade-cli/src/cli.test.ts
• apps/ade-cli/src/cli.ts
• apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.test.ts
• apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.ts
• apps/ade-cli/src/services/builtInBrowser/desktopBridgeMethods.ts
• apps/desktop/build/entitlements.mac.inherit.plist
• apps/desktop/build/entitlements.mac.plist
• apps/desktop/resources/ade-cli-help.txt
• apps/desktop/resources/agent-skills/ade-browser/SKILL.md
• apps/desktop/resources/agent-skills/ade-proof-artifacts/SKILL.md
• apps/desktop/src/main/main.ts
• apps/desktop/src/main/services/adeActions/registry.test.ts
• apps/desktop/src/main/services/builtInBrowser/builtInBrowserConstants.ts
• apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.test.ts
• apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts
• apps/desktop/src/main/services/builtInBrowser/builtInBrowserWebAuthn.test.ts
• apps/desktop/src/main/services/builtInBrowser/builtInBrowserWebAuthn.ts
• apps/desktop/src/main/services/computerUse/computerUseArtifactBrokerService.test.ts
• apps/desktop/src/main/services/computerUse/computerUseArtifactBrokerService.ts
• apps/desktop/src/main/services/ipc/registerIpc.ts
• apps/desktop/src/preload/global.d.ts
• apps/desktop/src/preload/preload.ts
• apps/desktop/src/renderer/browserMock.ts
• apps/desktop/src/renderer/components/chat/AgentChatComposer.test.tsx
• apps/desktop/src/renderer/components/chat/AgentChatComposer.tsx
• apps/desktop/src/renderer/components/chat/AgentChatPane.test.tsx
• apps/desktop/src/renderer/components/chat/AgentChatPane.tsx
• apps/desktop/src/renderer/components/chat/ChatBuiltInBrowserPanel.tsx
• apps/desktop/src/renderer/components/terminals/WorkSidebar.test.tsx
• apps/desktop/src/renderer/components/terminals/WorkSidebar.tsx
• apps/desktop/src/renderer/components/terminals/WorkViewArea.test.tsx
• apps/desktop/src/renderer/components/terminals/WorkViewArea.tsx
• apps/desktop/src/shared/adeCliGuidance.ts
• apps/desktop/src/shared/types/builtInBrowser.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ade/ade-browser-1d208e91

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[arul28]

@copilot review but do not make fixes

[arul28]

@copilot review but do not make fixes

[arul28]

@copilot review but do not make fixes