Conversation
|
Firetiger deploy monitoring skipped This PR didn't match the auto-monitor filter configured on your GitHub connection:
Reason: PR adds browser-scoped session client functionality but does not appear to modify API endpoints (packages/api/cmd/api/) or Temporal workflows (packages/api/lib/temporal) as specified in the filter. To monitor this PR anyway, reply with |
Bind browser subresource calls to a browser session's base_url and expose raw HTTP through request and stream helpers so metro-routed access feels like normal httpx usage. Made-with: Cursor
Prevent browser-scoped raw HTTP helpers from letting user params override internal routing query keys, and clean up wording around browser session base_url routing. Made-with: Cursor
Keep the browser-scoped request helpers aligned with repo linting and reserve internal raw-request query keys without exposing implementation details. Made-with: Cursor
Keep the browser-scoped test file aligned with the repo lint configuration so the follow-up typing fixes pass CI. Made-with: Cursor
Tighten browser-scoped helper typing and test casts so the Python SDK passes the repository's lint and pyright checks cleanly. Made-with: Cursor
Replace the handwritten Python browser-scoped façade with deterministic generated bindings from the browser resource graph, and enforce regeneration during lint. Made-with: Cursor
Keep the browser-scoped Python generator compatible with the repo lint pipeline by suppressing strict pyright diagnostics that are not meaningful for the AST-walking build script. Made-with: Cursor
Keep the Python generator and generated browser-scoped façade aligned with pyright and mypy so the deterministic regeneration path passes the repo lint pipeline. Made-with: Cursor
Sort the generator script imports and keep the deterministic browser-scoped generation path aligned with the repo lint pipeline. Made-with: Cursor
8f1d506 to
a80716b
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issue. You can view the agent here.
Reviewed by Cursor Bugbot for commit a80716b. Configure here.
| headers=_normalize_headers(headers), | ||
| content=_normalize_binary_content(content), | ||
| json_data=json, | ||
| timeout=_normalize_timeout(timeout), |
There was a problem hiding this comment.
Timeout normalization loses default timeout fallback
Medium Severity
_normalize_timeout converts NotGiven to None before passing to FinalRequestOptions.construct(timeout=...). The kernel's _build_request falls back to self.timeout only when isinstance(options.timeout, NotGiven) — but since None is not NotGiven, the fallback is bypassed. This means calls to b.request(...) without an explicit timeout get timeout=None (no timeout / wait forever) instead of using the kernel's configured default. The stream method handles this correctly by resolving NotGiven against self._http.timeout before normalizing.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit a80716b. Configure here.
Summary
kernel.for_browser(...)andasync_kernel.for_browser(...)to create browser-scoped clients from browser session responsesbase_urlso callers stop repeating the browser idbrowser.request(...)andbrowser.stream(...)while keeping the internal/curl/rawtransport path hiddenTest plan
uv run python -m pytest tests/test_browser_scoped.py -o addopts= -qMade with Cursor
Note
Medium Risk
Introduces a new client path that rewrites request URLs and injects JWT/session IDs for browser-session HTTP, so mistakes could misroute requests or leak/override auth/query parameters. Most changes are additive but touch request construction and transport reuse for both sync and async clients.
Overview
Adds
Kernel.for_browser(...)/AsyncKernel.for_browser(...)to create a browser-session-scoped client that automatically injects the session id into browser subresource calls and routes those calls via the session’sbase_url.The new
BrowserScopedClient/AsyncBrowserScopedClientalso exposesrequest()andstream()helpers that proxy arbitrary HTTP through the session’s internal/curl/rawendpoint, while preventing caller-supplied query params from overriding reservedurl/jwtvalues.Includes an AST-based generator (
scripts/generate_browser_scoped.py) that produces committedgenerated_bindings.pywrappers overresources.browsers.*, updatesscripts/lintto regenerate/verify the file, tweaksbase_urlfield docs in browser response types, and adds focused tests covering routing, JWT extraction, and param sanitization.Reviewed by Cursor Bugbot for commit a80716b. Bugbot is set up for automated code reviews on this repo. Configure here.