Conversation
|
Firetiger deploy monitoring skipped This PR didn't match the auto-monitor filter configured on your GitHub connection:
Reason: PR modifies client library code (browser session client) rather than API endpoints or Temporal workflows in packages/api/ To monitor this PR anyway, reply with |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Bind browser subresource calls to a browser session's base_url and expose raw HTTP through fetch so metro-routed access feels like normal JavaScript networking. Made-with: Cursor
Fail fast when browser-scoped clients do not have a session base_url, route subresource calls through the browser session base directly, and clean up browser-vm wording. Made-with: Cursor
Fail fast when browser-scoped clients are missing a browser session base_url, route subresource calls through the session base consistently, and keep lint output clean. Made-with: Cursor
Replace the handwritten Node browser-scoped façade with deterministic generated bindings from the browser resource graph, and enforce regeneration during lint and build. Made-with: Cursor
rgarcia
force-pushed
the
raf/browser-scoped-client
branch
from
c5731cb to
e730af8
Compare
Sayan-
reviewed
Apr 21, 2026
Route direct-to-VM browser requests through the shared client cache so the SDK no longer needs the generated browser session wrapper layer. Made-with: Cursor
Trim the node browser routing changes down to the cache/interceptor shape from PR #100 and remove the leftover browser-scoped example and priming surface. Made-with: Cursor
rgarcia
changed the title
Shorten the browserRouting allowlist field to subresources so the direct-to-VM configuration reads more cleanly without changing behavior. Made-with: Cursor
Keep the node browser-routing example showing both direct subresource routing and the cache-backed /curl/raw path. Made-with: Cursor
Bring back the cache-backed browser fetch helper so raw HTTP stays on the SDK's language-native surface instead of falling through to manual /curl/raw requests. Made-with: Cursor
Remove the unnecessary generated resource and dependency diffs from the node branch and keep BrowserRouteCache.set() as a direct assignment without trimming user input. Made-with: Cursor
Tighten the browser routing files to the repo's formatter expectations so the node CI lint job passes cleanly again. Made-with: Cursor
Split browser.fetch into its own helper, remove unused browser transport code, and simplify withOptions cache sharing so the routing layer stays easier to reason about. Made-with: Cursor
Remove the public browser routing constructor knobs and read direct-to-VM subresource rollout from KERNEL_BROWSER_ROUTING_SUBRESOURCES instead, defaulting to curl while leaving browser.fetch cache-backed.
Keep the routing wrapper from stripping runtime-specific fetch init options when requests fall through or route directly to the VM, and share the browser fetch helpers so routed methods stay type-safe and covered by regression tests. Made-with: Cursor
Only parse cloned JSON responses for browser metadata endpoints so unrelated API calls don't pay the route cache warm-up cost, and cover the regression with a focused routing fetch test. Made-with: Cursor
Drop cached browser routing entries after successful DELETE /browsers/:id responses so stale base URLs are not reused, and cover both the success and failure paths in the routing tests. Made-with: Cursor
Restore the generated internal types file so browser routing changes stay in custom code only. Move joinURL into lib and keep browser.fetch limited to the SDK's existing HTTPMethod union. Made-with: Cursor
Restore src/internal/types.ts byte-for-byte to the generated base version. This drops the file from the PR so browser routing changes stay out of generated code. Made-with: Cursor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issue. You can view the agent here.
Reviewed by Cursor Bugbot for commit a7ff9bc. Configure here.
Sayan-
approved these changes
Apr 24, 2026
Contributor
Sayan-
left a comment
Sayan-
left a comment
There was a problem hiding this comment.
great stuff - thanks for iterating on the shape!
Warm the browser route cache from browser pool acquire responses and evict released sessions after successful pool releases. Keep this behavior in the routing middleware so generated resource methods stay untouched. Made-with: Cursor
Sayan-
approved these changes
Apr 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
browserRoutingclient constructor config and move rollout control toKERNEL_BROWSER_ROUTING_SUBRESOURCEScurlwhen the env var is unset, and treat an explicit empty string as disabling browser subresource routingBrowserRouteCachepublic for debugging while making the routing fetch wrapper fully internal to the client constructor andwithOptions()browsers.fetch()cache-backed so raw HTTP continues to go directly to the browser VM’s/curl/rawpath with no control-plane fallbackRollout behavior
curlsubresources directly to the browser VM"": disable browser subresource routing entirelybrowsers.fetch()still always goes direct to the browser VM because it resolves through the shared browser route cache and/curl/rawTest plan
./node_modules/.bin/jest tests/lib/browser-routing.test.ts./node_modules/.bin/eslint src/client.ts src/lib/browser-routing.ts src/index.ts tests/lib/browser-routing.test.ts examples/browser-routing.ts./node_modules/.bin/tsc -p tsconfig.json --noEmitKERNEL_API_KEY=... KERNEL_BASE_URL=https://api.onkernel.com ./node_modules/.bin/ts-node examples/browser-routing.tsNote
Medium Risk
Adds a fetch wrapper that transparently rewrites some
/browsers/:id/*API calls to hit per-session VMbase_urlwith JWT injection, which could change request routing/headers in production if misconfigured. Behavior is gated by env var allowlisting and includes cache eviction logic tied to delete/release flows.Overview
Introduces a public
BrowserRouteCacheand an internalcreateRoutingFetchwrapper that sniffs browser (and browser-pool acquire) JSON responses to cache{session_id, base_url, jwt}, then conditionally rewrites allowlisted browser subresource requests to go directly to the browser VM (strippingAuthorizationand addingjwtas a query param).Rollout is controlled via
KERNEL_BROWSER_ROUTING_SUBRESOURCES(defaults to routingcurl; empty string disables routing), and cached routes are evicted after successfulbrowsers.deleteByIDorbrowserPools.release. Addsbrowsers.fetch()implemented via/curl/rawusing the shared cache (no control-plane fallback), exportsBrowserFetchInit/BrowserRouteCachetypes, plus new tests and an example.Reviewed by Cursor Bugbot for commit 81e47ca. Bugbot is set up for automated code reviews on this repo. Configure here.