…ies and fix delimiter in CategoryFor
… and category validation
…alloc in filewriter, fix session doc
This binary is tracked on main and was incidentally deleted earlier on this branch. Restoring it keeps the 13.4MB binary out of this PR's diff. Removing the tracked binary from main should be done in a separate PR.
092a265 to 7550bc1
…116/cdp-foundation
| _ = m.injectScript(ctx, p.SessionID) | ||
| } | ||
| }) | ||
| } |
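Review bot: The `_ =` in front of `m.injectScript(ctx, p.SessionID)` discards the returned error, so a failed injection leaves that session without interaction tracking and nothing records why. Log the error together with the session ID, or return it, instead of assigning it to `_`.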
Injected script never runs on already-loaded pages
Medium Severity
handleAttachedToTarget calls injectScript, which only uses Page.addScriptToEvaluateOnNewDocument. This registers interaction.js for future navigations but never evaluates it on the current document. Pages already loaded when the monitor attaches (via attachExistingTargets or after reconnect) won't have click, keydown, or scroll-settled tracking until their next navigation. A Runtime.evaluate call with the same script source is needed alongside the addScriptToEvaluateOnNewDocument registration to cover the current page.
Reviewed by Cursor Bugbot for commit bf4b04c.
| _, err := m.send(ctx, "Page.addScriptToEvaluateOnNewDocument", map[string]any{ | ||
| "source": injectedJS, | ||
| }, sessionID) | ||
| return err |
Interaction script not injected into current document
Medium Severity
injectScript only calls Page.addScriptToEvaluateOnNewDocument, which registers the interaction-tracking JS for future navigations. The already-loaded document in an attached target never receives the script. When the monitor attaches to existing pages (via attachExistingTargets at startup or after reconnect), clicks, keydowns, and scroll events on those pages won't be captured until the user navigates away. A companion Runtime.evaluate call is needed to inject into the current document.
Reviewed by Cursor Bugbot for commit 8e94162.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 6 total unresolved issues (including 5 from previous reviews).
Reviewed by Cursor Bugbot for commit 5465e59.
| key: e.key, | ||
| selector: sel(t), tag: t.tagName || '' | ||
| })); | ||
| }, true); |
Sensitive input detection bypassed by shadow DOM retargeting
Medium Severity
The keydown handler uses e.target to check isSensitiveInput, but e.target is retargeted across shadow DOM boundaries. When a <input type="password"> lives inside a web component's shadow DOM (common with Material UI, Lit, Shoelace, etc.), e.target at the document level resolves to the shadow host custom element — not the inner password input. Since the shadow host typically isn't an INPUT/TEXTAREA, isEditable returns false and isSensitiveInput returns false, allowing the actual e.key character to be captured. Using e.composedPath()[0] instead of e.target would resolve this, as it returns the real originating element even across shadow boundaries.
Reviewed by Cursor Bugbot for commit 5465e59.
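The retargeting problem described in the comment above, as an added example that is not code from the PR or its interaction.js. The function names, the `MY-LOGIN` element and the event objects are constructed for illustration, and the sensitivity rule is narrowed to `type=password`; the example also goes one step past the comment by handling closed shadow roots, where `composedPath()` still starts at the host.

```javascript
// Added example, not the PR's interaction.js. Function names are hypothetical,
// and the "sensitive" rule is narrowed to type=password for illustration.
const REDACTED = '[redacted]';

function isPasswordInput(el) {
  return !!el && (el.tagName || '').toUpperCase() === 'INPUT' &&
    (el.type || '').toLowerCase() === 'password';
}

// Behaviour described in the review comment: decide from e.target only.
// At a document-level listener e.target is the shadow host, so the check misses.
function keyFromTarget(e) {
  return isPasswordInput(e.target) ? REDACTED : e.key;
}

// Decide from the real origin. composedPath()[0] is the inner element for
// open shadow roots; for closed roots the path still starts at the host, so
// custom elements (tag name contains '-') are treated as opaque and redacted.
function keyFromComposedPath(e) {
  const path = typeof e.composedPath === 'function' ? e.composedPath() : [];
  const origin = path.length > 0 ? path[0] : e.target;
  const tag = (origin && origin.tagName) || '';
  if (isPasswordInput(origin) || tag.includes('-')) return REDACTED;
  return e.key;
}

// Constructed event objects mimicking what a capture listener on `document`
// receives; MY-LOGIN is a made-up custom element hosting a password field.
const inner = { tagName: 'INPUT', type: 'password' };
const host = { tagName: 'MY-LOGIN' };
const doc = { tagName: undefined };
const SAMPLES = {
  lightDom: { key: 'a', target: inner, composedPath: () => [inner, doc] },
  openShadow: { key: 'b', target: host, composedPath: () => [inner, host, doc] },
  closedShadow: { key: 'c', target: host, composedPath: () => [host, doc] },
  textField: { key: 'd', target: { tagName: 'INPUT', type: 'text' },
               composedPath: function () { return [this.target, doc]; } },
};

for (const [name, e] of Object.entries(SAMPLES)) {
  console.log(name, 'target-only:', keyFromTarget(e), '| composedPath:', keyFromComposedPath(e));
}
```

The hyphen check only covers custom elements; a closed shadow root attached to a plain host such as a `div` remains indistinguishable from the outside.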
| // | ||
| // Lock ordering (outer → inner): | ||
| // | ||
| // restartMu → lifeMu → pendReqMu → computed.mu → pendMu → sessionsMu | ||
| // | ||
| // Never acquire a lock that appears later in this order while holding an | ||
| // earlier one, to prevent deadlock. |
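Review bot: The closing sentence of the lock-ordering comment states the rule backwards. With the order written outer → inner, taking a later lock while holding an earlier one is the permitted direction; the deadlock risk is acquiring an earlier (outer) lock while holding a later (inner) one. Suggested wording: "Never acquire a lock that appears earlier in this order while holding a later one, to prevent deadlock."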
this is missing a lot of introductory context about what these locks control / what the Monitor struct is responsible for. This file is the entrypoint to the package and reading this I am very lost
maybe a lib/cdpmonitor/README.md would be helpful
lmk if this is clear enough, or if there are other details that would be worth adding! fd4d4d3


Introduces the foundational layer of the CDP monitor as a standalone reviewable chunk. No Monitor struct wiring, just the primitives that everything else builds on.
types.go: CDP wire format (cdpMessage), all event type constants, internal state structs (networkReqState, targetInfo, CDP param shapes).
util.go: Console arg extraction, MIME allow-list (isCapturedMIME), resource type filter (isTextualResource), per-MIME body size caps (bodyCapFor), UTF-8-safe body truncation (truncateBody).
computed.go: State machine for the three derived events: network_idle (500ms debounce after all requests finish), layout_settled (1s after page_load with no layout shifts), navigation_settled (fires once all three flags converge). Timer invalidation via navSeq prevents stale AfterFunc callbacks from publishing for a previous navigation.
domains.go: isPageLikeTarget predicate (pages and iframes get Page.* / PerformanceTimeline.*; workers don't), bindingName constant, interaction.js embed.
interaction.js: Injected script tracking clicks, keydowns, and scroll-settled events via the __kernelEvent CDP binding.
Note
High Risk
High risk because it introduces a new CDP WebSocket ingestion pipeline with complex concurrency/reconnect logic and begins capturing potentially sensitive browser data (network headers/bodies and interaction events). Failures could impact stability (goroutine/connection lifecycles) and data correctness in the event stream.
Overview
Adds a new cdpmonitor package that connects to Chrome DevTools over WebSocket, auto-attaches to targets, translates CDP notifications into structured events.Events (console, network, page lifecycle, layout shifts), and emits computed meta-events (network_idle, layout_settled, navigation_settled).
The monitor now includes reconnection on upstream DevTools URL changes with backoff, bounded cleanup of in-flight requests/commands, optional screenshot capture via ffmpeg (rate-limited + downscaling), and injected interaction.js for click/key/scroll events with basic suppression heuristics for sensitive inputs. API wiring is updated to pass a logger into cdpmonitor.New and to depend on a cdpMonitorController interface with test stubs; extensive new tests/fixtures validate protocol round-tripping and lifecycle behaviors.
Reviewed by Cursor Bugbot for commit fd4d4d3.