Add batched POST /chromium/configure

[hiroTamada]

Summary

• Adds POST /chromium/configure: one multipart request to batch display sizing, Chrome policies, Chromium flags, profile archive, extensions, and optional start_url navigation after a single Chromium restart.
• Introduces cdpclient.NavigateFirstPage for post-ready Page.navigate (flattened CDP session, waits for load / domcontentloaded). Fixes concurrent WebSocket reads that caused flaky navigate failures.
• Refactors extension upload logic into shared applyExtensionZipItems used by configure and existing upload-and-restart.
• E2e: 31-way powerset over optional configure parts plus bare/JSON start_url tests; local runner script and DETACHED=1 headless run-docker.sh for manual API use.
• make test: e2e package timeout raised to 120m (full suite exceeds default 10m).

Test plan

• go vet ./... and unit tests (go test excluding /e2e)
• ./scripts/run-local-chromium-configure-powerset.sh (31 permutations + start_url variants) against locally built headless image
• Full go test -race -timeout 120m ./e2e/ with E2E_CHROMIUM_HEADLESS_IMAGE / E2E_CHROMIUM_HEADFUL_IMAGE pointing at images built from this branch

Made with Cursor

---

Note

Medium Risk
Moderate risk: introduces a new multipart configure endpoint that performs filesystem/policy/flag/profile mutations and changes the Chromium restart/DevTools-readiness flow, which could affect instance startup stability and extension handling.

Overview
Adds a new multipart POST /configure endpoint to apply batched Chromium/session changes (policies, flags, extensions, profile archive, and display sizing) with a single stop/start cycle, plus optional best-effort start_url navigation via CDP.

Refactors extension installation into shared applyExtensionZipItems (with partial-install cleanup) and reworks Chromium restart logic to explicitly stop then start via supervisorctl, waiting for DevTools readiness by actively dialing the upstream.

Extends cdpclient with DispatchStartURL, updates generated OpenAPI client/server types (including structured ChromiumConfigureError), adds unit + e2e coverage for multipart combinations, and increases e2e test timeout to 120m.

^{Reviewed by Cursor Bugbot for commit 0f63e8a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Monitoring Plan: POST /chromium/configure

This PR introduces a new batched multipart endpoint (POST /chromium/configure) that consolidates display resizing, Chromium flag merging, enterprise policy application, extension installation, user-data profile loading, and optional CDP navigation into a single API call. It also refactors UploadExtensionsAndRestart to share logic with the new endpoint via applyExtensionZipItems(), and adds new stopChromium()/startChromiumAndWait() helpers backed by supervisorctl with 2-minute timeouts and a 15-second DevTools readiness wait.

Key risks to watch post-deploy: (1) the new endpoint is not yet exercised in production so a spike in 400/500 responses would indicate client or validation issues; (2) the refactored stop/start cycle now shares code paths with existing extension uploads — any regression in the supervisorctl integration would surface as stop chromium failed or CDP ready wait failed errors, which today run at ~1–14/hr per signal; (3) startChromiumAndWait() now uses a 15-second readiness timeout (previously indefinite via subscription) which could produce devtools not ready in time errors if Chromium is slow to start under load. Status updates will be posted automatically on this PR as monitoring progresses.

View agent

[rgarcia]

reviewed — implementation shape looks good overall. a few API/schema things worth tightening before this lands:

• server/openapi.yaml:1173 — nit: consider /configure instead of /chromium/configure; display config is not Chromium-specific, and this endpoint may grow to cover more non-Chromium session configuration over time.
• server/openapi.yaml:1182 — the “control-plane sync path” wording feels too inside-baseball for public API docs. maybe reword this to just describe the execution order directly.
• server/openapi.yaml:1214 — strip_components feels like archive layout mechanics leaking into a high-level profile/configure API. even though this exists on the generic zstd upload endpoint, for profile archives it may be better to require/document one expected archive structure instead.
• server/openapi.yaml:2586 — ChromiumConfigureError does not define step, but the handler returns it and generated oapi.go currently includes it. since this schema has additionalProperties: false, the source schema and generated code should be reconciled so clients/validators agree on the 500 response shape.

[cursor]

No scheme validation allows file:// and javascript: navigation

Medium Severity

normalizeStartURL only adds https:// for bare hosts. URLs with explicit schemes like file:///etc/passwd or javascript:... pass through unvalidated and are dispatched via CDP Page.navigate. The test at line 69 confirms file:///etc/passwd is accepted. While Chrome may block some schemes, file:// URIs are navigable in Chromium when launched without --disable-file-url-scheme, potentially exposing local filesystem contents through the browser.

 

^{Reviewed by Cursor Bugbot for commit 182f0a8. Configure here.}

[cursor]

Endpoint path /configure doesn't name the Chromium subsystem

Low Severity

The new endpoint is registered at /configure, but all existing related endpoints live under /chromium/* (/chromium/policies, /chromium/flags, /chromium/upload-extensions-and-restart). The generic /configure path doesn't identify the subsystem being configured. The PR title itself references POST /chromium/configure, and the OpenAPI description even says "Prefer this over separate /chromium/* and /display calls," confirming this is Chromium-scoped. The path violates the rule requiring paths to name the specific subsystem.

Additional Locations (1)

• server/lib/oapi/oapi.go#L13136-L13138

 

^{Triggered by learned rule: OpenAPI descriptions must be caller-focused; paths must name the specific subsystem}

^{Reviewed by Cursor Bugbot for commit 569d99f. Configure here.}

[cursor]

Display-only configure path skips display when needsStop true

Medium Severity

chromiumNeedsStopCycle does not consider displayJSON as a stop-cycle trigger, but within the needsStop=true branch, the display section is guarded by st.displayJSON != nil && strings.TrimSpace(*st.displayJSON) != "". If a user sends only display with a RestartChromium: true field alongside, say, flags that trigger the stop cycle, the stopped-path display logic runs. However, in the stopped path, chromiumDisplayApplyWhileStopped ignores the RestartChromium field from the display body entirely. This is inconsistent with the standalone PatchDisplay behavior where RestartChromium controls whether Chromium is restarted for the resize. The batched handler always restarts regardless because the stop cycle forces it.

Additional Locations (1)

• server/cmd/api/api/chromium_configure.go#L123-L143

 

^{Reviewed by Cursor Bugbot for commit 569d99f. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

There are 5 total unresolved issues (including 3 from previous reviews).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 0f63e8a. Configure here.}

[cursor]

Duplicate extension names across pairs silently overwrite each other

Medium Severity

The new chromiumCfgParseMultipart validates duplicate extensions.name within a single pair but not across pairs. Two pairs with the same name (e.g. both named "foo") pass the parser and reach applyExtensionZipItems, where the batch stat-check loop passes for both (neither exists on disk yet), then the second pair's zip silently overwrites the first's extracted files. This is inconsistent with the per-pair duplicate rejection the PR explicitly added.

Additional Locations (1)

• server/cmd/api/api/chromium.go#L175-L184

 

^{Reviewed by Cursor Bugbot for commit 0f63e8a. Configure here.}

[cursor]

Start error may be missed due to select race

Low Severity

In startChromiumAndWait, when the start goroutine fails it sends on errCh then closes doneCh (via defer). Both channels become ready nearly simultaneously. If select picks doneCh first and tryReady happens to succeed (e.g. DevTools is reachable from a stale upstream with allowCurrent=true), the function returns nil (success) despite the supervisorctl start command having failed. The error on errCh is never consumed.

 

^{Reviewed by Cursor Bugbot for commit 0f63e8a. Configure here.}