Skip to content

feat(browser): use one global human-authenticated profile#810

Merged
arul28 merged 12 commits into
mainfrom
ade/global-human-auth-browser-2683f0cc
Jul 14, 2026
Merged

feat(browser): use one global human-authenticated profile#810
arul28 merged 12 commits into
mainfrom
ade/global-human-auth-browser-2683f0cc

Conversation

@arul28

@arul28 arul28 commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Summary

  • use one durable Electron browser partition per ADE installation while keeping visible tab collections independent per project, window, and personal scope
  • persist and flush browser state, restore tabs, migrate legacy cookies, and add profile diagnostics without logging credential values
  • add browser-grade permission, HTTP authentication, client certificate, download, OAuth popup, and WebAuthn handling with explicit platform limitations
  • enforce opaque agent capabilities, leases, origin approvals, scoped status visibility, and authenticated runtime-to-Electron browser requests
  • keep IPC, preload, shared types, renderer, CLI, docs, and the ade-browser skill aligned

Verification

  • /quality: correctness/security and maintainability tracks passed with no Blocker or High findings
  • /test: consolidated browser contract suites; all eight affected desktop shards passed
  • full desktop suite: all eight shards passed
  • desktop typecheck, build, and lint passed
  • ADE CLI typecheck, 1,735 tests, and build passed
  • real Electron smoke verified persistent cookies, local storage, IndexedDB, cache, service workers, independent tab collections, and restart restoration

Platform limitation

Electron Touch ID WebAuthn credentials are device-bound and session-partition-bound. ADE does not claim Apple Passwords or iCloud-synced passkey support.

Summary by CodeRabbit

  • New Features
    • Added browser origin-access authorization with lease-based control.
    • Added a “Profile” panel for global browser diagnostics and permission management (view, list, and clear remembered decisions).
    • Implemented tab-collection persistence and restoration, including personal vs project-scoped collections.
    • Added authenticated desktop-bridge and enhanced browser auth support (HTTP, client certificates, and Touch ID passkeys).
  • Security
    • Tightened built-in browser action scoping/ownership and enforced approval for sensitive navigation, redirects, and popups.
    • Authenticated desktop-bridge requests and blocked unauthorized browser actions.
  • Documentation
    • Updated browser CLI help and command examples for new origin-access and authorization flows.

Greptile Summary

This PR moves ADE browser automation onto one durable browser profile while tightening actor-scoped access. The main changes are:

  • One global persistent browser storage partition per ADE installation.
  • Separate visible tab collections for project windows and personal chats.
  • Runtime-to-desktop browser bridge authentication.
  • Opaque browser actor capabilities restored inside Electron.
  • Origin approval, permission management, profile diagnostics, and browser state persistence.

Confidence Score: 5/5

This looks safe to merge.

No blocking issues found in the changed code.

T-Rex T-Rex Logs

What T-Rex did

  • I ran the built-browser launch sequence to exercise the code-execution path and validate the dev app in this environment.
  • During the Electron launch, the process failed due to a missing libgtk-3.so.0 library (exit code 127), as shown in the Electron launch log.
  • I ran the renderer fallback tests for the browser panel and verified all 25 tests passed.
  • I ran the persistence fallback tests and confirmed all three target tests passed, including a global persistent profile with independent tab collections and restored project tab URLs and active tab.

View all artifacts

T-Rex Ran code and verified through T-Rex

Important Files Changed

Filename Overview
apps/desktop/src/main/services/builtInBrowser/desktopBridgeServer.ts Validates bridge credentials and restores browser actor scope before dispatching automation calls.
apps/desktop/src/main/services/builtInBrowser/builtInBrowserActorCapabilities.ts Adds in-memory browser actor capability issuance, lookup, reuse, and revocation.
apps/ade-cli/src/adeRpcServer.ts Scopes built-in browser ADE actions to initialized chat identity and forwarded actor capability.
apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.ts Adds authenticated desktop bridge calls and verification for the browser bridge credential.

Reviews (5): Last reviewed commit: "fix(browser): validate actor grants in E..." | Re-trigger Greptile

@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
ade Ignored Ignored Preview Jul 14, 2026 5:40am

@arul28 arul28 changed the title global-human-auth-browser -> Primary feat(browser): use one global human-authenticated profile Jul 14, 2026
@arul28

arul28 commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

@copilot review but do not make fixes

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Changes

The built-in browser now uses a global persistent profile with independent tab collections, actor-scoped leases, authenticated desktop bridge calls, persistent permissions and tab state, origin-access authorization, and profile diagnostics across CLI, IPC, preload, and renderer surfaces.

Built-in browser platform

Layer / File(s) Summary
Collections, persistence, and security
apps/desktop/src/main/services/builtInBrowser/*, apps/desktop/src/main/main.ts
Browser routing uses a global partition and independent collections, with persisted tabs, migrated cookies, permissions, authentication prompts, navigation guards, and scoped agent actions.
CLI, runtime, and bridge authorization
apps/ade-cli/src/..., apps/desktop/src/main/services/localRuntime/..., apps/desktop/src/main/services/remoteRuntime/...
Lease-aware browser commands, actor tokens, runtime initialization, origin authorization, and authenticated bridge requests are wired through CLI and runtime layers.
IPC, preload, and renderer controls
apps/desktop/src/shared/..., apps/desktop/src/preload/..., apps/desktop/src/renderer/...
Collection fields, diagnostics, permission APIs, origin-access requests, and the browser Profile panel are added across application boundaries.
Validation and documentation
apps/ade-cli/src/**/*.test.ts, apps/desktop/src/main/services/builtInBrowser/*.test.ts, apps/desktop/resources/agent-skills/ade-browser/SKILL.md
Tests and browser skill documentation cover authorization, persistence, bridge authentication, collection routing, leases, and profile behavior.

Estimated code review effort: 5 (Critical) | ~120 minutes

Possibly related PRs

  • arul28/ADE#243: Extends the built-in browser CLI, IPC, service, and authorization pipeline.

Suggested labels: desktop, docs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.68% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly captures the main change: introducing one global browser profile tied to human authentication.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ade/global-human-auth-browser-2683f0cc

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Comment thread apps/desktop/src/main/services/builtInBrowser/desktopBridgeServer.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (3)
apps/desktop/src/main/services/pty/ptyService.ts (1)

2613-2615: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicate revoke guard across three teardown paths.

The same if (!chatSessionId && isTrackedCliToolType(...)) revokeBuiltInBrowserActorCapability(sessionId) guard is repeated verbatim in closeEntry, the orphaned-dispose branch, and the main dispose branch. Extracting a small helper (e.g. revokeBrowserActorCapabilityIfStandalone(sessionId, chatSessionId, toolType)) would keep this security-relevant check consistent if the condition ever needs to change.

♻️ Suggested helper
+function revokeBrowserActorCapabilityIfStandalone(
+  sessionId: string,
+  chatSessionId: string | null | undefined,
+  toolType: TerminalToolType | null,
+): void {
+  if (!chatSessionId && isTrackedCliToolType(toolType)) {
+    revokeBuiltInBrowserActorCapability(sessionId);
+  }
+}

Then replace each of the three inline checks with a call to this helper.

Also applies to: 4961-4963, 4996-4998

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/desktop/src/main/services/pty/ptyService.ts` around lines 2613 - 2615,
Extract the repeated standalone tracked-CLI capability check into a helper such
as revokeBrowserActorCapabilityIfStandalone, accepting sessionId, chatSessionId,
and toolType. Replace the inline guards in closeEntry and both orphaned-dispose
and main dispose branches with calls to this helper, preserving the existing
revoke behavior.
apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts (1)

2128-2221: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider re-validating tab liveness after the human-approval await in navigate/createTab.

Both functions await args.agentAccessController.requireUrlAccess(...) (which can pause for an async human-approval prompt) before mutating existingTab/claiming ownership and calling wc.loadURL(). A concurrent closeTab/window-close during that pause could leave tab.webContents destroyed by the time loadURL is called, surfacing a raw Electron "Object has been destroyed" error instead of a clear domain error. claimTabOwnerFromInput already guards on isDestroyed(), but the final wc.loadURL(targetUrl) call does not.

♻️ Proposed guard
     reclaimTabForHumanNavigation(tab, input);
     claimTabOwnerFromInput(tab, input);
     armAgentNavigationGuard(tab, input);
     const wc = tab.webContents;
+    if (wc.isDestroyed()) throw new Error("Browser tab was closed while waiting for access approval.");
     attachViewsToCurrentWindow();
     await wc.loadURL(targetUrl);
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts`
around lines 2128 - 2221, Revalidate the target tab after the await on
requireUrlAccess in both navigate and createTab, before claiming ownership,
mutating tab state, or calling loadURL. Check that the tab and its webContents
still exist and are not destroyed; if they are unavailable, throw a clear
domain-level error rather than invoking Electron on a destroyed object.
apps/desktop/src/main/services/builtInBrowser/builtInBrowserProfileMigration.ts (1)

29-103: 🚀 Performance & Scalability | 🔵 Trivial

Legacy partition sessions stay resident for the app's lifetime.

args.getSession(persist:${partitionName}) opens a full Electron Session for each of up to MAX_LEGACY_PARTITIONS (64) legacy partitions during migration. Electron caches sessions by partition string with no unload API, so these stay memory-resident for the process's life even though they're only needed for this one-time cookie scan.

This is a one-time startup cost bounded by 64 partitions, so likely acceptable in practice — flagging for awareness rather than as a blocking issue.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@apps/desktop/src/main/services/builtInBrowser/builtInBrowserProfileMigration.ts`
around lines 29 - 103, Review the legacy partition migration in
migrateLegacyBuiltInBrowserProfiles and avoid opening persistent Electron
sessions for every legacy partition when the API provides a temporary or
otherwise non-resident cookie-store access path. Preserve the existing cookie
filtering, migration, retry, and completion behavior while ensuring one-time
scans do not retain up to MAX_LEGACY_PARTITIONS sessions for the process
lifetime.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.ts`:
- Line 6: Update callBridge so authenticatedParams(params) validates the bridge
auth token before ensureClient() opens or reuses a connection and before
entering the connection-error handling path. Missing-token failures must return
without invoking drop(error) or emitting connection_dropped, while genuine
connection failures retain the existing cleanup behavior.

In `@apps/desktop/src/main/services/builtInBrowser/builtInBrowserAgentAccess.ts`:
- Around line 73-99: The origin authorization flow incorrectly short-circuits
before high-risk-host and authenticated-cookie checks can run. Update
authorizeUrl and isKnownSensitiveUrlSync so inspectOrigin reaches
isHighRiskHost, cookieDomainsContainHost, and the session-cookie scan for
origins where those checks are intended to affect authorization; otherwise
remove the unreachable branches, while preserving permission and
authenticated-origin handling.

In `@apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts`:
- Around line 3324-3345: Update setBounds() to await tabRestorationPromise
before invoking ensureActiveTab() or otherwise manipulating tab bounds, matching
the existing gating used by navigate() and createTab(). Preserve the current
bounds behavior after restoration completes and prevent any tab creation during
restorePersistedTabs().

---

Nitpick comments:
In
`@apps/desktop/src/main/services/builtInBrowser/builtInBrowserProfileMigration.ts`:
- Around line 29-103: Review the legacy partition migration in
migrateLegacyBuiltInBrowserProfiles and avoid opening persistent Electron
sessions for every legacy partition when the API provides a temporary or
otherwise non-resident cookie-store access path. Preserve the existing cookie
filtering, migration, retry, and completion behavior while ensuring one-time
scans do not retain up to MAX_LEGACY_PARTITIONS sessions for the process
lifetime.

In `@apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts`:
- Around line 2128-2221: Revalidate the target tab after the await on
requireUrlAccess in both navigate and createTab, before claiming ownership,
mutating tab state, or calling loadURL. Check that the tab and its webContents
still exist and are not destroyed; if they are unavailable, throw a clear
domain-level error rather than invoking Electron on a destroyed object.

In `@apps/desktop/src/main/services/pty/ptyService.ts`:
- Around line 2613-2615: Extract the repeated standalone tracked-CLI capability
check into a helper such as revokeBrowserActorCapabilityIfStandalone, accepting
sessionId, chatSessionId, and toolType. Replace the inline guards in closeEntry
and both orphaned-dispose and main dispose branches with calls to this helper,
preserving the existing revoke behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f766bde9-5900-4154-826b-fdadac66819b

📥 Commits

Reviewing files that changed from the base of the PR and between 075a82c and 1f90002.

⛔ Files ignored due to path filters (7)
  • docs/ARCHITECTURE.md is excluded by !docs/**
  • docs/PRD.md is excluded by !docs/**
  • docs/features/agents/README.md is excluded by !docs/**
  • docs/features/chat/README.md is excluded by !docs/**
  • docs/features/personal-chats/README.md is excluded by !docs/**
  • docs/features/terminals-and-sessions/README.md is excluded by !docs/**
  • docs/features/terminals-and-sessions/pty-and-processes.md is excluded by !docs/**
📒 Files selected for processing (51)
  • apps/ade-cli/README.md
  • apps/ade-cli/src/adeRpcServer.test.ts
  • apps/ade-cli/src/adeRpcServer.ts
  • apps/ade-cli/src/bootstrap.ts
  • apps/ade-cli/src/cli.test.ts
  • apps/ade-cli/src/cli.ts
  • apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.test.ts
  • apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.ts
  • apps/ade-cli/src/services/builtInBrowser/desktopBridgeMethods.ts
  • apps/desktop/build/entitlements.mac.plist
  • apps/desktop/resources/agent-skills/ade-browser/SKILL.md
  • apps/desktop/src/main/main.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserActorCapabilities.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserAgentAccess.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserAuthentication.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserConstants.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserNavigation.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserPermissions.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserPermissions.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserPersistence.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserProfileMigration.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserSecurity.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserStateStore.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserWebAuthn.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserWebAuthn.ts
  • apps/desktop/src/main/services/builtInBrowser/desktopBridgeServer.test.ts
  • apps/desktop/src/main/services/builtInBrowser/desktopBridgeServer.ts
  • apps/desktop/src/main/services/chat/agentChatService.test.ts
  • apps/desktop/src/main/services/chat/agentChatService.ts
  • apps/desktop/src/main/services/ipc/registerIpc.ts
  • apps/desktop/src/main/services/ipc/runtimeBridge.test.ts
  • apps/desktop/src/main/services/localRuntime/localRuntimeConnectionPool.ts
  • apps/desktop/src/main/services/pty/ptyService.test.ts
  • apps/desktop/src/main/services/pty/ptyService.ts
  • apps/desktop/src/main/services/remoteRuntime/runtimeRpcClient.test.ts
  • apps/desktop/src/main/services/remoteRuntime/runtimeRpcClient.ts
  • apps/desktop/src/main/services/sync/syncHostService.test.ts
  • apps/desktop/src/preload/global.d.ts
  • apps/desktop/src/preload/preload.ts
  • apps/desktop/src/renderer/browserMock.ts
  • apps/desktop/src/renderer/components/app/App.tsx
  • apps/desktop/src/renderer/components/chat/ChatBuiltInBrowserPanel.test.tsx
  • apps/desktop/src/renderer/components/chat/ChatBuiltInBrowserPanel.tsx
  • apps/desktop/src/renderer/components/terminals/TerminalsPage.test.tsx
  • apps/desktop/src/renderer/components/terminals/TerminalsPage.tsx
  • apps/desktop/src/renderer/components/terminals/WorkSidebar.test.tsx
  • apps/desktop/src/renderer/components/terminals/WorkSidebar.tsx
  • apps/desktop/src/shared/ipc.ts
  • apps/desktop/src/shared/types/builtInBrowser.ts
💤 Files with no reviewable changes (5)
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserConstants.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserPermissions.test.ts
  • apps/desktop/src/main/services/builtInBrowser/desktopBridgeServer.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserNavigation.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserWebAuthn.test.ts

Comment thread apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.ts
Comment thread apps/desktop/src/main/services/builtInBrowser/builtInBrowserAgentAccess.ts Outdated
@arul28

arul28 commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 28d7bd7edb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/desktop/src/main/services/builtInBrowser/desktopBridgeServer.ts Outdated
Comment thread apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts Outdated
@arul28

arul28 commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

@codex review

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts (2)

2626-2644: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Authorize against the tab that owns the selection

selectCurrent() and clearSelection() validate the active tab, but lastSelectedItem may have been created by selectPoint() for a different, non-active tab. An agent owning the active tab can therefore read or clear another agent’s selected artifact. Track the selection’s owning tab and authorize against that tab before returning or clearing it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts`
around lines 2626 - 2644, Track the tab identity associated with
lastSelectedItem when selectPoint() creates the selection, and update
selectCurrent() and clearSelection() to authorize through that owning tab rather
than only activeTab(). Return or clear the selection only after the owning-tab
authorization succeeds, while preserving the existing selection and status
emissions.

462-463: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Cancel deferred tab restoration when disposing the service

A fallback or window service can be disposed while tabRestorationPromise is awaiting profile migration. Once migration completes, restorePersistedTabs() still creates new WebContentsView instances, resurrecting the disposed service and leaking browser resources. Add a disposed guard around restoration.

Proposed fix
   let restoringTabs = false;
+  let disposed = false;

   function dispose(): void {
+    disposed = true;
     inspecting = false;
     // ...
   }

   const restorePersistedTabs = async (): Promise<void> => {
+    if (disposed) return;
     const restored = args.restoredState;
     if (!restored?.tabs.length) return;
     restoringTabs = true;
     // ...
     const results = await Promise.allSettled(/* ... */);
     restoringTabs = false;
+    if (disposed) return;
     // log and emit status
   };

Also applies to: 2647-2685, 3334-3365

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts`
around lines 462 - 463, Guard deferred tab restoration with the service’s
disposed state: update restorePersistedTabs() and its tabRestorationPromise
continuation so they exit without creating WebContentsView instances after
disposal. Ensure dispose() marks the service disposed before clearing fallback
services, and apply the same guard to the related restoration paths.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts`:
- Around line 2626-2644: Track the tab identity associated with lastSelectedItem
when selectPoint() creates the selection, and update selectCurrent() and
clearSelection() to authorize through that owning tab rather than only
activeTab(). Return or clear the selection only after the owning-tab
authorization succeeds, while preserving the existing selection and status
emissions.
- Around line 462-463: Guard deferred tab restoration with the service’s
disposed state: update restorePersistedTabs() and its tabRestorationPromise
continuation so they exit without creating WebContentsView instances after
disposal. Ensure dispose() marks the service disposed before clearing fallback
services, and apply the same guard to the related restoration paths.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 386d8640-3d9d-4b38-9cf4-ba0d422c4ef5

📥 Commits

Reviewing files that changed from the base of the PR and between 1f90002 and 991ec5f.

⛔ Files ignored due to path filters (3)
  • docs/ARCHITECTURE.md is excluded by !docs/**
  • docs/features/chat/README.md is excluded by !docs/**
  • docs/features/proof.md is excluded by !docs/**
📒 Files selected for processing (13)
  • apps/ade-cli/src/adeRpcServer.test.ts
  • apps/ade-cli/src/adeRpcServer.ts
  • apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.test.ts
  • apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.ts
  • apps/ade-cli/src/services/builtInBrowser/desktopBridgeMethods.ts
  • apps/desktop/resources/agent-skills/ade-browser/SKILL.md
  • apps/desktop/src/main/main.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserAgentAccess.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserSecurity.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.test.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.ts
  • apps/desktop/src/main/services/computerUse/computerUseArtifactBrokerService.test.ts
  • apps/desktop/src/main/services/computerUse/computerUseArtifactBrokerService.ts
🚧 Files skipped from review as they are similar to previous changes (7)
  • apps/desktop/resources/agent-skills/ade-browser/SKILL.md
  • apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.ts
  • apps/desktop/src/main/main.ts
  • apps/ade-cli/src/adeRpcServer.test.ts
  • apps/ade-cli/src/services/builtInBrowser/desktopBridgeClient.test.ts
  • apps/ade-cli/src/adeRpcServer.ts
  • apps/desktop/src/main/services/builtInBrowser/builtInBrowserService.test.ts

@arul28

arul28 commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

Addressed the two CodeRabbit outside-diff findings in f51e6e0:

  • Browser selections now retain their originating tab id. selectCurrent and clearSelection authorize against that tab lease, stale selections clear when the owner tab closes/disappears, and a named cross-agent regression proves another active-tab owner cannot read or clear the selection.
  • Browser window services now mark themselves disposed before teardown. Deferred restoration exits before creating views after disposal, suppresses post-disposal completion/error work, and setBounds cannot recreate a view after its wait resumes. A deferred-migration regression proves zero resurrected views.

Focused result: 82 browser-service tests passed, desktop typecheck passed, and focused lint/diff checks are clean.

@arul28

arul28 commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f51e6e09cb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/desktop/src/main/services/chat/agentChatService.ts
@arul28

arul28 commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

@codex review

1 similar comment
@arul28

arul28 commented Jul 14, 2026

Copy link
Copy Markdown
Owner Author

@codex review

@arul28
arul28 merged commit c14af93 into main Jul 14, 2026
33 checks passed
@arul28
arul28 deleted the ade/global-human-auth-browser-2683f0cc branch July 14, 2026 06:03

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0a27caeb1e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

profile,
collection,
restoredState: stateStore?.restore(collection.key) ?? null,
onStateChange: (state) => stateStore?.record(collection.key, state),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Persist tab collections with a window-scoped key

When the same project is open in more than one ADE window, each window gets a separate in-memory service, but persisted state is restored and recorded under only collection.key (the project hash). That makes both windows write to the same state-store entry, so whichever window emits status last overwrites the other window's tab list; after restart the supposedly independent per-window tab collections restore the last writer's tabs. Include a window-specific component in the persisted key for project/window collections.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant