fix(browser): honor profile attachOnly for loopback CDP

[vincentkoc]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: attachOnly was only read from top-level browser.attachOnly; profile-level browser.profiles.<name>.attachOnly was ignored.
• Why it matters: loopback proxy CDP profiles (for example localhost + reverse proxy/tunnel) could still trigger local launch/port checks and fail with Port <n> is already in use.
• What changed: added attachOnly to profile schema/types, resolved per-profile attach-only with fallback to global, and switched browser availability checks/status output to use profile-level resolved value.
• What did NOT change (scope boundary): no change to remote CDP behavior or launch logic when profile/global attachOnly are both false.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: attachOnly + localhost CDP fails when port is in use by proxy #20595
• Related fix(browser): skip port check when attachOnly is enabled #20611

User-visible / Behavior Changes

• browser.profiles.<name>.attachOnly is now supported and takes precedence over top-level browser.attachOnly for that profile.
• Browser status endpoint now reports attach-only based on the selected profile's resolved setting.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node 22 + pnpm
• Model/provider: N/A
• Integration/channel (if any): Browser CDP
• Relevant config (redacted): browser profile with loopback cdpUrl and attachOnly: true

Steps

1. Configure browser.attachOnly=false and browser.profiles.remote.attachOnly=true with loopback cdpUrl.
2. Request browser availability/start for that profile when CDP endpoint is not reachable.
3. Confirm attach-only error path is used and no local launch is attempted.

Expected

• Profile is treated as attach-only without requiring global attachOnly.

Actual

• Verified via tests; profile-level attach-only is honored and launch path is skipped.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: profile-level attachOnly fallback/override in config resolution and runtime ensure path.
• Edge cases checked: global attachOnly fallback still applies when profile override is absent.
• What you did not verify: full Nginx + Cloudflare tunnel live environment.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: remove profile-level attachOnly and use top-level browser.attachOnly only.
• Files/config to restore: browser config profile entries.
• Known bad symptoms reviewers should watch for: profile unexpectedly launching locally despite attachOnly: true.

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: Existing configs that used unsupported browser.profiles.<name>.attachOnly silently may change behavior now.
  • Mitigation: behavior change is intentional and scoped to explicit profile opt-in; tests cover override/fallback resolution.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2fddb4e5bc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[greptile-apps]

Greptile Summary

This PR adds profile-level attachOnly configuration support, allowing individual browser profiles to override the global browser.attachOnly setting. The implementation follows a clean fallback pattern where profile-specific settings take precedence over global settings.

Key changes:

• Added attachOnly?: boolean to BrowserProfileConfig type and schema
• Profile resolution uses profile.attachOnly ?? resolved.attachOnly for proper fallback
• Updated runtime checks to use resolved profile-level value instead of global setting
• Added comprehensive test coverage for both fallback and override scenarios

Implementation quality:

• Type-safe with proper optional-to-required resolution pattern
• Backwards compatible (optional field with sensible defaults)
• Clean separation between config (optional) and resolved (required) types
• Well-tested with clear test cases covering the core scenarios

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The change is well-contained, backwards compatible, and follows existing patterns in the codebase. The resolution logic using nullish coalescing (??) correctly handles the fallback from profile to global config. Test coverage validates both the override and fallback paths, and the change only affects the browser launch decision logic which is already well-tested.
• No files require special attention

_{Last reviewed commit: 2fddb4e}

[vincentkoc]

Addressed this review point in latest commits:

• Moved attach-only/remote websocket-failure handling ahead of the loopback ownership error path in ensureBrowserAvailable.
• Added regression coverage for the exact HTTP reachable + WS handshake fails + attachOnly=true + loopback scenario, asserting we surface the attach-only websocket error (not Port ... is in use).

Validation run:

• pnpm vitest run src/browser/server-context.remote-tab-ops.test.ts