fix(browser): evict stale extension relay targets from cache

[vincentkoc]

Summary

• Problem: extension relay cached targets can remain in /json/list after CDP sessions die, causing stale tab listings and follow-up tab not found failures.
• Why it matters: users see false-positive tab availability and cannot reliably recover from stale relay sessions.
• What changed: relay now evicts stale targets on Target.targetDestroyed/Target.targetCrashed, and also prunes cached targets when forwarded CDP commands fail with missing-target/session errors.
• What did NOT change (scope boundary): no protocol shape changes for relay clients and no changes to non-extension browser profiles.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Browser extension relay returns stale tab cache after CDP connections die #6175
• Related Browser extension relay: CDP session stale after OAuth/SPA redirect chains #16726

User-visible / Behavior Changes

• /json/list no longer keeps stale extension-tab cache entries after target-destroy/crash events.
• After a command fails with target/session-missing errors, stale cached targets are removed instead of lingering.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 22 + pnpm
• Model/provider: n/a
• Integration/channel (if any): Chrome extension relay (profile=chrome)
• Relevant config (redacted): default relay auth + loopback

Steps

1. Attach extension target and verify it appears in /json/list.
2. Send Target.targetDestroyed and verify target is removed.
3. Simulate forwarded command failure with "No target with given id" and verify stale target is removed.

Expected

• Cached tab list tracks live relay sessions and removes stale entries.

Actual

• Verified via new relay regression tests.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: pnpm vitest run src/browser/extension-relay.test.ts
• Edge cases checked: stale eviction on both extension events and command-error path.
• What you did not verify: full end-to-end manual browser extension session on Windows.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: Revert this PR.
• Files/config to restore: src/browser/extension-relay.ts.
• Known bad symptoms reviewers should watch for: over-eager target eviction from /json/list.

Risks and Mitigations

• Risk: Missing-target errors that are transient could remove a target entry too aggressively.
  • Mitigation: eviction is limited to known missing-target/session error classes and target/session IDs tied to the failing command.

[greptile-apps]

Greptile Summary

Prevents stale extension relay targets from persisting in /json/list after CDP sessions terminate. The implementation adds proper cache eviction on target lifecycle events (Target.targetDestroyed, Target.targetCrashed) and removes stale entries when forwarded commands fail with missing-target errors.

Key changes:

• Added helper functions (dropConnectedTargetSession, dropConnectedTargetsByTargetId) to remove targets from cache with proper cleanup
• Enhanced Target.detachedFromTarget event handler to use new helpers and support both sessionId and targetId-based removal
• New event handlers for Target.targetDestroyed and Target.targetCrashed that remove all sessions for affected targets
• Error-based pruning via pruneStaleTargetsFromCommandFailure that detects missing-target/session errors and removes stale cache entries
• Broadcasts Target.detachedFromTarget events to CDP clients when targets are pruned

Test coverage: Two new tests verify target removal on explicit destroy events and error-based pruning scenarios.

The implementation correctly handles edge cases like multiple sessions per target and defensive error matching.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The implementation is well-structured, defensive, and thoroughly tested. Changes follow existing patterns in the codebase, error matching is specific to known missing-target scenarios, and cache eviction properly broadcasts detached events to CDP clients. The changes are backward compatible with no protocol modifications. Tests verify both event-based and error-based cache eviction paths.
• No files require special attention

_{Last reviewed commit: 7cc58a5}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dce97cbf23

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid evicting reused sessions on late command errors

This eviction path assumes cmd.sessionId still identifies the stale target that produced the error, but this relay explicitly supports session ID reuse in Target.attachedToTarget (same session mapped to a new target). If an old in-flight command returns "No target with given id" after that remap, this block drops the current target for that session and broadcasts a synthetic detach, causing /json/list to lose a live tab and forcing unnecessary reattach failures. The prune logic needs to verify the failing command still matches the currently mapped target (for example via targetId correlation) before deleting by sessionId.

Useful? React with 👍 / 👎.