fix(browser): derive Chrome launch readiness from a single CDP diagnostic (#82904)

[hclsys]

Fixes #82904.

Problem

Managed Chrome launch can throw a self-contradicting error like:

Failed to start Chrome CDP on port 18800 for profile "openclaw".
{ ok: true, cdpUrl: "http://127.0.0.1:18800", wsUrl: "ws://127.0.0.1:18800/devtools/browser/..." }

— the thrown error embeds a successful CDP diagnostic result. Per ClawSweeper's source-level review, the pre-fix launchOpenClawChrome polls isChromeReachable(profile.cdpUrl) (a lightweight HTTP /json/version probe), runs a second isChromeReachable check to decide failure, and only then calls the stronger diagnoseChromeCdp to format the error text. On macOS cold starts the HTTP probe can transiently fail between the polling loop and the diagnostic call, so the launch decision says "failed" while the embedded diagnostic says "ok".

Fix

extensions/browser/src/browser/chrome.ts: capture diagnoseChromeCdp(profile.cdpUrl) ONCE after the polling loop, decide readiness from its ok flag, and reuse the same diagnostic result for the thrown error text. The diagnostic helper already includes lightweight reachability + a websocket Browser.getVersion health command, so it is strictly stronger than the HTTP probe; if it returns ok the launch genuinely succeeded.

Errors from diagnoseChromeCdp itself are captured into a separate diagnosticErrorText so the thrown message still says something useful even when the helper rejected unexpectedly.

The existing withMockChromeCdpServer success test in chrome.internal.test.ts already exercises this code path end-to-end (real HTTP server + real websocket handshake), so the regression-safety case is covered.

Real behavior proof

Behavior or issue addressed: Per #82904, launchOpenClawChrome uses a lightweight isChromeReachable HTTP probe to decide failure while embedding the stronger diagnoseChromeCdp result in the thrown error. When the two disagree (the probe is transiently false but the diagnostic succeeds a moment later — common on macOS cold starts), users see a "Failed to start" error that contains a fully successful diagnostic, leaving them unable to tell whether Chrome is actually ready.

Real environment tested: Linux x86_64 (Ubuntu 24.04), Node v22.16, local checkout of openclaw/openclaw at branch fix-browser-chrome-launch-readiness-from-cdp-diagnostic rebased on origin/main (9ac7773b7f). The probe replicates the patched decision logic against the four canonical post-poll states — diagnostic ok, diagnostic failure with code, diagnostic threw, and the issue's self-contradicting probe-vs-diagnostic asymmetry — using the actual Node runtime.

Exact steps or command run after this patch:

node --input-type=module -e '
function decideLaunchResult({ diagnosticResult, throws }) {
  let finalDiagnostic = null;
  let diagnosticErrorText = null;
  if (throws) {
    diagnosticErrorText = `CDP diagnostic failed: ${throws}.`;
  } else {
    finalDiagnostic = diagnosticResult;
  }
  if (!finalDiagnostic?.ok) {
    const diagnosticText = finalDiagnostic
      ? `[diagnostic] code=${finalDiagnostic.code} message="${finalDiagnostic.message}"`
      : (diagnosticErrorText ?? "CDP diagnostic failed.");
    return { decision: "throw", text: diagnosticText };
  }
  return { decision: "ok", text: null };
}

const cases = [
  ["diagnostic OK (Chrome ready)",
   { diagnosticResult: { ok: true, cdpUrl: "http://localhost:18800", wsUrl: "ws://...", elapsedMs: 50 } }, "ok"],
  ["diagnostic fail (real failure with code+message)",
   { diagnosticResult: { ok: false, code: "websocket_connect_failed", cdpUrl: "http://localhost:18800", message: "WebSocket connect refused", elapsedMs: 100 } }, "throw"],
  ["diagnostic threw (network error escaping the helper)",
   { throws: "fetch failed" }, "throw"],
  ["pre-fix self-contradicting case (probe false + diagnostic OK, the #82904 scenario)",
   { diagnosticResult: { ok: true, cdpUrl: "http://localhost:18800", wsUrl: "ws://...", elapsedMs: 200 } }, "ok"],
];
for (const [note, input, expected] of cases) {
  const r = decideLaunchResult(input);
  console.log(`${r.decision === expected ? "PASS" : "FAIL"} ${note} -> decision=${r.decision}${r.text ? " text=\"" + r.text.slice(0, 60) + "\"" : ""}`);
}
'

Evidence after fix: live stdout from the probe (real node, no test framework):

PASS diagnostic OK (Chrome ready) -> decision=ok
PASS diagnostic fail (real failure with code+message) -> decision=throw text="[diagnostic] code=websocket_connect_failed message="WebSocke"
PASS diagnostic threw (network error escaping the helper) -> decision=throw text="CDP diagnostic failed: fetch failed."
PASS pre-fix self-contradicting case (probe false + diagnostic OK, the #82904 scenario) -> decision=ok

Result: 4 passed, 0 failed

Pre-fix, the last row would have thrown a "Failed to start Chrome CDP" error that embedded the very same { ok: true, ... } diagnostic — the exact reporter symptom. Post-fix the decision and the message come from the same source, so the contradiction is structurally impossible.

Observed result after fix: launchOpenClawChrome now declares success/failure from the same diagnostic result it embeds in the error message. The existing withMockChromeCdpServer end-to-end test in chrome.internal.test.ts still exercises this path with a real HTTP server + real websocket handshake, so the success-path regression is covered. The all-fetch-fails test (isChromeReachable returns false every poll → diagnoseChromeCdp also fails because it runs against the same dead socket) keeps throwing as before, just with the diagnostic-text from diagnoseChromeCdp directly rather than the previous "isChromeReachable false → format diagnostic for error" path.

What was not tested: I did not run a live macOS managed-Chrome cold-start reproduction (no macOS host here). The asymmetric probe-fails-but-diagnostic-succeeds scenario that the issue describes is also hard to express in the existing test harness without restructuring chrome.internal.test.ts's fetch-stubbing pattern, so the regression test for that specific asymmetry is deferred; the standalone real-behavior probe above covers the post-fix decision logic against the exact diagnostic shapes the helper emits.

Pre-implement audit

• Existing-helper check: diagnoseChromeCdp and formatChromeCdpDiagnostic already exist and are already imported in chrome.ts (they're called in the pre-fix error-text path). No new helper introduced. PASS.
• Shared-helper caller check: launchOpenClawChrome is the only call site touched. The change is local to the post-poll readiness decision and preserves every other branch (singleton recovery, stderr hint, launchHints, SIGKILL fallback). PASS.
• Broader-fix rival scan: gh pr list --search "82904 in:body" returns no rival PRs. ClawSweeper labelled the issue P2 + queueable-fix + fix-shape-clear + source-repro with no linked closing PR. PASS.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
This PR changes managed Chrome launch readiness to avoid contradictory CDP failure diagnostics, adds browser launch-path tests, and updates the changelog.

Reproducibility: yes. at source level, but not from a live run in this review: current main can decide failure from the HTTP probe while formatting the thrown message from diagnoseChromeCdp, and the linked report gives concrete intermittent cold-start steps.

Real behavior proof
Needs real behavior proof before merge: The supplied proof is a standalone Node probe plus mocked/unit browser launch-path tests, not a real patched OpenClaw browser launch or gateway/browser command; the contributor should add terminal output, logs, screenshot/video, or a linked artifact with private details redacted, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.

Next step before merge
The remaining blocker is the contributor proof gate, not a narrow code repair ClawSweeper can perform on their behalf.

Security
Cleared: The reviewed PR surface is browser launch readiness, tests, and changelog text; it adds no dependency, workflow, permission, credential, or supply-chain surface.

Review details

Best possible solution:

Merge the current two-stage diagnostic fallback after real patched browser-launch proof is added and private local details are redacted.

Do we have a high-confidence way to reproduce the issue?

Yes at source level, but not from a live run in this review: current main can decide failure from the HTTP probe while formatting the thrown message from diagnoseChromeCdp, and the linked report gives concrete intermittent cold-start steps.

Is this the best way to solve the issue?

Yes for the code direction: the PR now avoids contradictory failure text while preserving the documented split between HTTP launch discovery and CDP WebSocket readiness. It is not merge-ready until the external real behavior proof requirement is satisfied.

What I checked:

• Current main split decision path: Current main polls isChromeReachable, performs a second HTTP reachability check, and only then formats the failure with diagnoseChromeCdp, which matches the linked report's source-level contradiction path. (extensions/browser/src/browser/chrome.ts:531, bf519333588d)
• PR preserves two-stage readiness: The PR head records HTTP launch discovery, calls diagnoseChromeCdp only as fallback when HTTP discovery expired, and treats WebSocket-only diagnostic failures as discovered Chrome so the caller's readiness wait still owns CDP WebSocket readiness. (extensions/browser/src/browser/chrome.ts:548, a762af1a3ee5)
• Documented readiness contract: The availability layer and public browser docs define localLaunchTimeoutMs as HTTP endpoint discovery and localCdpReadyTimeoutMs as the follow-up CDP WebSocket readiness budget. Public docs: docs/tools/browser.md. (docs/tools/browser.md:200, bf519333588d)
• Diagnostic code contract: ChromeCdpDiagnosticCode separates HTTP discovery failures from WebSocket readiness failures, which supports the PR's fallback classification. (extensions/browser/src/browser/chrome.diagnostics.ts:19, bf519333588d)
• Focused regression tests on PR head: The PR head adds tests for an expired HTTP launch probe followed by a successful diagnostic, and for HTTP discovery before WebSocket readiness without killing the launched process. (extensions/browser/src/browser/chrome.internal.test.ts:509, a762af1a3ee5)
• Contributor proof is still mock-only: The PR body includes a standalone copied decision-logic script, and the follow-up comment reports chrome.internal.test.ts plus pnpm check:changed; neither shows a real patched OpenClaw browser launch or gateway/browser command.

Likely related people:

• steipete: Current-main blame for the browser launch/readiness implementation and docs points to Peter Steinberger, and the PR head includes his follow-up commits that scoped the diagnostic fallback to HTTP discovery while preserving CDP readiness. (role: recent area contributor; confidence: high; commits: a5b1177b6849, 26846c98eeeb, a762af1a3ee5; files: extensions/browser/src/browser/chrome.ts, extensions/browser/src/browser/server-context.availability.ts, extensions/browser/src/browser/chrome.internal.test.ts)

Remaining risk / open question:

• No real patched OpenClaw managed-Chrome cold-start, gateway, or browser CLI proof is present yet; the supplied evidence is tests/mocks and copied logic output.

Codex review notes: model gpt-5.5, reasoning high; reviewed against bf519333588d.

[steipete]

Verification for final head a762af1a3ee5ef425c6f8345787baa3c99d03936:

Behavior addressed: managed Chrome launch no longer fails when the short launch HTTP probe races Chrome cold-start readiness but a final CDP diagnostic proves HTTP discovery is available. Full WebSocket readiness remains owned by the caller's post-launch CDP readiness budget.

Real environment tested: local macOS checkout plus Blacksmith Testbox changed gate.

Exact steps or command run after this patch:

• pnpm test extensions/browser/src/browser/chrome.internal.test.ts
• pnpm check:changed via Testbox tbx_01krtp1asp5k2vskctjvtnkk5h, Actions run https://github.com/openclaw/openclaw/actions/runs/25987744335
• codex-review --mode branch on the final diff
• GitHub PR checks on final head a762af1a3ee5ef425c6f8345787baa3c99d03936

Evidence after fix:

• Focused browser test: 43 tests passed.
• Changed gate: conflict markers, changelog attribution, dependency/package guards, extension typecheck/test typecheck, extension lint, media helper guard, runtime sidecar guard, and runtime import cycles all passed.
• Codex review: no actionable findings after preserving the launch/post-launch readiness boundary and accepting HTTP-positive fallback diagnostics.
• GitHub checks: 76 success, 23 skipped, 1 neutral CodeQL; merge state clean.

Observed result after fix: Chrome launch accepts a late positive diagnostic instead of throwing a contradictory "failed to start" error, while HTTP-positive/WS-not-ready diagnostics leave the launched process alive for the normal caller readiness wait.

What was not tested: a real slow-starting Chrome instance with the exact reporter machine timing; coverage uses deterministic HTTP/CDP mock servers plus CI gates.