feat: token-auth removal, security hardening, Stripe-style compat layer (v0.9.2)

- Remove token auth entirely; only Ed25519 public-key auth or --no-auth remain
- Add 32 MB message-size cap in serve and client (DoS protection)
- Set Unix socket to 0o600 after bind in native_host (multi-user hardening)
- Enforce browser-cli/VERSION user-agent on all TCP connections
- Add PROTOCOL_MIN_CLIENT check (>= 0.9.0) server- and client-side
- Include server_version + min_client_version in challenge frame
- Add browser_cli/version_manager.py: parse_version, get_installed_version
- Add browser_cli/compat.py: Stripe-style versioning layer with adapt_request
  / adapt_response hooks; baseline 0.9.2, no shims needed yet
- Fix BrowserCLI key handling: no Path() wrap for agent specs
- Fix _multi_browser_targets() to forward key to remote_browser_targets()

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-02 21:59:46 +02:00
parent b98c4ae116
commit c1a5ef9dd7
17 changed files with 267 additions and 237 deletions
+10 -24
@@ -168,19 +168,16 @@ def test_clients_reads_registry_with_trailing_garbage(tmp_path):
assert "0.8.2" in result.output
def test_clients_remote_uses_remote_endpoint_without_local_registry():
def fake_send_command(command, args=None, profile=None, remote=None, token=None, key=None):
def fake_send_command(command, args=None, profile=None, remote=None, key=None):
assert command == "clients.list"
assert profile is None
assert remote == "127.0.0.1:8765"
assert token == "test"
return [{"name": "Chrome", "version": "1", "extensionVersion": "2.3.4"}]
with patch.dict(os.environ, {}, clear=True), patch(
"browser_cli.cli.REGISTRY_PATH", Path("/nonexistent/browser-cli-registry.json")
), patch("browser_cli.cli.send_command", side_effect=fake_send_command) as send_command, patch(
"browser_cli.cli.save_remote_token"
):
result = CliRunner().invoke(main, ["--remote", "127.0.0.1:8765", "--token", "test", "clients"])
), patch("browser_cli.cli.send_command", side_effect=fake_send_command) as send_command:
result = CliRunner().invoke(main, ["--remote", "127.0.0.1:8765", "clients"])
assert result.exit_code == 0
send_command.assert_called_once()
@@ -194,7 +191,7 @@ def test_clients_remote_respects_global_browser_route():
result = CliRunner().invoke(main, ["--remote", "127.0.0.1:8765", "--browser", "work", "clients"])
assert result.exit_code == 1
send_command.assert_called_once_with("clients.list", profile="work", remote="127.0.0.1:8765", token=None, key=None)
send_command.assert_called_once_with("clients.list", profile="work", remote="127.0.0.1:8765", key=None)
def test_clients_browser_alias_resolves_to_remote():
@@ -207,15 +204,13 @@ def test_clients_browser_alias_resolves_to_remote():
display_name="192.168.188.104:automatisation",
socket_path="",
remote="192.168.188.104:8765",
token="tok",
)
all_remote_targets = [resolved_target]
def fake_send_command(command, args=None, profile=None, remote=None, token=None, key=None):
def fake_send_command(command, args=None, profile=None, remote=None, key=None):
assert command == "clients.list"
assert profile == "automatisation"
assert remote == "192.168.188.104:8765"
assert token == "tok"
return [{"name": "Chrome", "version": "147.0.0.0", "extensionVersion": "0.8.5"}]
with patch.dict(os.environ, {}, clear=True), patch(
@@ -287,17 +282,17 @@ def test_tabs_list_with_remote_uses_only_remote_targets():
side_effect=AssertionError("local targets should not be used for explicit remote"),
), patch(
"browser_cli.commands.tabs.remote_browser_targets",
return_value=[BrowserTarget("work", "remote-host:work", "", remote="remote-host:8765", token="secret")],
return_value=[BrowserTarget("work", "remote-host:work", "", remote="remote-host:8765")],
), patch(
"browser_cli.commands.tabs.send_command",
return_value=[{"id": 1, "windowId": 1, "active": True, "title": "Remote", "url": "https://example.com"}],
) as send_command, patch("browser_cli.cli.save_remote_token"):
result = CliRunner().invoke(main, ["--remote", "remote-host:8765", "--token", "secret", "tabs", "list"])
) as send_command:
result = CliRunner().invoke(main, ["--remote", "remote-host:8765", "tabs", "list"])
assert result.exit_code == 0
assert "remote-host:work" in result.output
assert "Remote" in result.output
send_command.assert_called_once_with("tabs.list", {}, profile="work", remote="remote-host:8765", token="secret")
send_command.assert_called_once_with("tabs.list", {}, profile="work", remote="remote-host:8765")
def test_tabs_list_with_explicit_browser_does_not_show_browser_column():
@@ -634,14 +629,6 @@ def test_convert_html_to_markdown_indents_multiline_list_items():
" Local LLMs / API Modelle / Spezialmodelle"
) in markdown
def test_remote_token_is_saved_when_passed_on_cli():
endpoint = "browser-host.example:8765"
with patch("browser_cli.cli.save_remote_token") as save_remote_token:
result = CliRunner().invoke(main, ["--remote", endpoint, "--token", "secret", "completion", "bash", "--script"])
assert result.exit_code == 0
save_remote_token.assert_called_once_with(endpoint, "secret")
def test_tabs_list_multi_browser_queries_remote_target():
endpoint = "browser-host.example:8765"
@@ -650,7 +637,6 @@ def test_tabs_list_multi_browser_queries_remote_target():
"browser-host.example:work",
"",
remote=endpoint,
token="secret",
)
with patch("browser_cli.commands.tabs.active_browser_targets", return_value=[remote_target, BrowserTarget("local", "local", "/tmp/local.sock")]), patch(
@@ -660,5 +646,5 @@ def test_tabs_list_multi_browser_queries_remote_target():
result = CliRunner().invoke(main, ["tabs", "list"])
assert result.exit_code == 0
send_command.assert_any_call("tabs.list", {}, profile="work", remote=endpoint, token="secret")
send_command.assert_any_call("tabs.list", {}, profile="work", remote=endpoint)
assert "browser-host.example:work" in result.output
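Review bot: The deleted `test_remote_token_is_saved_when_passed_on_cli` (hunk `@@ -634,14 +629,6 @@`) has no successor that proves the removed `--token` option is now rejected, so a leftover option that is still parsed but silently ignored would pass this suite while letting an operator believe the remote connection is authenticated. The updated fakes at `def fake_send_command(command, args=None, profile=None, remote=None, key=None)` also never assert on `key`, so the key-forwarding fix named in the description (`_multi_browser_targets()` to `remote_browser_targets()`) is not covered in this file; it may be tested elsewhere, which I cannot see from here. I would add a negative test in place of the deleted one and have at least the alias fake assert `key == <expected>` alongside its `remote` check. The enclosing function of the last hunk, `test_tabs_list_multi_browser_queries_remote_target`, starts outside the hunk.
```python
def test_token_option_is_rejected_after_token_auth_removal():
    result = CliRunner().invoke(main, ["--remote", "127.0.0.1:8765", "--token", "secret", "clients"])
    assert result.exit_code != 0
    assert "no such option" in result.output.lower()
```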