Browser Runtime Authority

TIN-1131 owns the browser-runtime contract for web RBE proofs.

The machine-checkable contract is docs/contracts/browser-runtime-authority.json. Validate it with:

just browser-runtime-authority-contract-check

The current authority is worker-image Chromium, not npm lifecycle downloads:

  • browser: Chromium
  • source: pkgs.chromium from the locked nixpkgs flake input
  • nixpkgs revision: 9b008d60392981ad674e04016d25619281550a9d
  • Chromium version: 138.0.7204.49
  • proved worker image digest: sha256:a567696e341f6eb0589ece9efd6014a2133a4f10831bdad31e8dd84055eff8a0
  • runtime path in the REAPI worker: /bin/chromium
  • canonical environment: GF_RBE_CHROMIUM_EXECUTABLE=/bin/chromium

A second proved runtime is carried in the worker image:

  • browser: WebKit (proved for one consumer static-smoke target class — the Jesssullivan/darkmap.phasi.space //:playwright_webkit_shell_smoke and //:playwright_webkit_mobile_hud_smoke targets, cell proof run 27330688866 on 2026-06-11)
  • source: playwright-driver.browsers (WebKit only) from the nixpkgs-opentofu flake input
  • nixpkgs revision: 68a8af93ff4297686cb68880845e61e5e2e41d92 (nixpkgs-unstable)
  • playwright-driver version: 1.59.1
  • runtime: webkit-2272 (WebKit ~26.x)
  • proved worker image digest: sha256:9db80cc90cb6736430cdbfcf0a0773fd89073d897ec084b9b141ded1d58661af (the first image published from main with the gf-webkit-launcher shim)
  • runtime path in the REAPI worker: the absolute Nix store path of the gf-webkit-launcher shim. The shim unsets the image-global LD_LIBRARY_PATH (the nixos-24.11 glibc poisons the unstable-glibc webkit closure with a GLIBC_PRIVATE symbol mismatch, proved by darkmap run 27329374675), exports the WebKit-scoped FONTCONFIG_FILE (nixpkgs’ fontconfig_file override only wraps chromium/firefox and is a silent no-op for webkit), then execs <gfWebkitBrowsers>/webkit-2272/pw_run.sh. The path is deliberately not a /bin symlink, because pw_run.sh resolves its sibling browser tree via dirname $0, which breaks through symlinks.
  • canonical environment: GF_RBE_WEBKIT_EXECUTABLE=<gf-webkit-launcher store path> (shim → webkit-2272/pw_run.sh)
  • consumer alignment: consumers must pin @playwright/test exactly to the worker playwright-driver version (1.59.1) because WebKit revisions are playwright-version-locked, unlike the CDP-stable worker Chromium lane
  • the same writable HOME/XDG_CONFIG_HOME/XDG_CACHE_HOME scratch-space and no-download consumption contract as the Chromium authority applies

This is deliberately target-class scoped. It is enough for:

  • the proved //docs-site:playwright_chromium_smoke Playwright class
  • the proved tinyland-inc/omux.xoxd.ai //:playwright_chromium_smoke and Jesssullivan/jesssullivan.github.io //:playwright_chromium_smoke Playwright smoke classes
  • the proved tinyland-inc/omux.xoxd.ai //:playwright_local_route_smoke public local-server Playwright route-smoke class
  • the proved tinyland-inc/omux.xoxd.ai //:puppeteer_local_route_smoke public local-server Puppeteer route-smoke class
  • the proved tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke private local-server Puppeteer route-smoke class
  • the proved Jesssullivan/MassageIthaca //:playwright_tmd_smoke Playwright TMD smoke class
  • the proved tinyland-inc/tinyland.dev //:playwright_local_route_smoke local-server Playwright route-smoke class
  • the proved tinyland-inc/omux.xoxd.ai //:puppeteer_chromium_smoke Puppeteer class
  • the proved Jesssullivan/jesssullivan.github.io //:puppeteer_chromium_smoke Puppeteer class
  • the proved Jesssullivan/darkmap.phasi.space //:playwright_webkit_shell_smoke and //:playwright_webkit_mobile_hud_smoke WebKit static-smoke class
  • future browser target classes that explicitly consume the same pinned worker runtimes

It does not prove broad Playwright, broad Puppeteer, Firefox, deployed-environment E2E, or browser-download-at-action-time tests. The WebKit runtime authority is proved for one darkmap static-smoke target class only, and every new WebKit target class still requires its own forced proof.

Allowed Shape

Browser-backed REAPI proof targets must launch an already-provisioned browser from a declared runtime authority.

For the current worker-image authority:

  • Playwright targets use playwright-core.
  • The test harness passes executablePath from GF_RBE_CHROMIUM_EXECUTABLE, PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH, or CHROME_BIN.
  • Puppeteer targets set PUPPETEER_SKIP_DOWNLOAD=true and PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true during npm lifecycle execution, then launch Chromium by explicit executablePath.
  • Targets that depend on the full playwright package set PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 and still use the pinned worker Chromium unless a separate browser toolchain target class is proved.
  • The test creates writable HOME, XDG_CONFIG_HOME, and XDG_CACHE_HOME directories under remote worker scratch space before launching Chromium.
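
An added example (not the project's own harness) of the launch shape in the list above: it resolves executablePath from the three variables in order, fails closed when the pinned path is missing, and creates the writable HOME/XDG directories before launch. The helper names and the use of Bazel's TEST_TMPDIR as the worker scratch root are assumptions.

```javascript
'use strict';
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Precedence follows the order in the list above; the first non-empty variable wins.
const CHROMIUM_ENV_CHAIN = [
  'GF_RBE_CHROMIUM_EXECUTABLE',
  'PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH',
  'CHROME_BIN',
];

// Hypothetical helper: select the already-provisioned browser or fail closed.
function resolveChromiumExecutable(env) {
  for (const name of CHROMIUM_ENV_CHAIN) {
    const value = env[name];
    if (!value) continue;
    if (!path.isAbsolute(value)) {
      throw new Error(`${name} must be an absolute path, got "${value}"`);
    }
    // Throws if the file is missing or not executable, so a bad pin is an
    // error here instead of a silent fallback to a later variable or a download.
    fs.accessSync(value, fs.constants.X_OK);
    return { source: name, executablePath: value };
  }
  throw new Error(`no browser authority set; expected one of ${CHROMIUM_ENV_CHAIN.join(', ')}`);
}

// Hypothetical helper: create writable HOME/XDG directories under scratch space.
// Assumption: Bazel's TEST_TMPDIR is the remote worker scratch directory.
function prepareScratchEnv(env) {
  const scratch = env.TEST_TMPDIR || os.tmpdir();
  const home = fs.mkdtempSync(path.join(scratch, 'browser-home-'));
  const dirs = {
    HOME: home,
    XDG_CONFIG_HOME: path.join(home, '.config'),
    XDG_CACHE_HOME: path.join(home, '.cache'),
  };
  for (const dir of Object.values(dirs)) fs.mkdirSync(dir, { recursive: true });
  return { ...env, ...dirs };
}

// Builds the options to hand to playwright-core's chromium.launch() or
// puppeteer-core's launch(); both accept executablePath and env.
function buildLaunchOptions(env = process.env) {
  const { source, executablePath } = resolveChromiumExecutable(env);
  const options = { executablePath, headless: true, env: prepareScratchEnv(env) };
  return { source, options };
}
```

In a test, `buildLaunchOptions().options` is passed straight to the launch call; `source` is only for logging which variable supplied the runtime path.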

For rules_js / npm_translate_lock, skip browser downloads at lifecycle time in the Bazel module or extension call:

npm.npm_translate_lock(
    # ...
    lifecycle_hooks_envs = {
        "puppeteer": {
            "PUPPETEER_SKIP_DOWNLOAD": "true",
            "PUPPETEER_SKIP_CHROMIUM_DOWNLOAD": "true",
        },
        "playwright": {
            "PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD": "1",
        },
    },
)

Forbidden Shape

The following do not count as browser RBE proof and should fail review:

  • playwright install during a remote action
  • Puppeteer postinstall downloading Chrome or chrome-headless-shell
  • npm or pnpm lifecycle hooks fetching browser binaries during REAPI actions
  • ad hoc curl, wget, npx, or package-manager browser installation in a Bazel test
  • reusing RustFS as browser artifact, CAS, action-cache, or publication authority

The failed public consumer run 25747017023 is the evidence for this rule: puppeteer@23.11.1 attempted to fetch Chrome from googlechromelabs.github.io inside the remote proof path. The corrected proof run 25747764617 passed only after browser downloads were disabled in the consumer Bazel npm lifecycle environment.

The later omux proof run 25826953857 is the positive Puppeteer evidence for the same policy. It tested tinyland-inc/omux.xoxd.ai //:puppeteer_chromium_smoke with puppeteer-core@24.43.1, GF_RBE_CHROMIUM_EXECUTABLE=/bin/chromium, forced execution, 137 remote processes, remote sveltekit_sync, remote vite_build, remote test-setup.sh, and no browser download inside the REAPI action.

The public omux Playwright proof run 25897326537 extends that same static output browser-smoke policy to Playwright. It tested tinyland-inc/omux.xoxd.ai //:playwright_chromium_smoke from public main commit d3608a5a6325adee0a5e625cf7ad76b470e7b83f with PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1, forced execution, proof nonce 20260515T024138Z-25897326537-1, 6 remote processes, remote @tailwindcss/oxide and esbuild lifecycle hooks, remote sveltekit_sync, remote vite_build, remote test-setup.sh, remote generate-xml.sh, and a passing Playwright Chromium static-output smoke using /bin/chromium. This is one public omux Playwright target class; it does not prove broad Playwright, Vitest browser mode, hosted E2E, or Firefox; WebKit is proved separately for one consumer static-smoke target class (run 27330688866).

The public omux local-server Playwright proof run 26005817853 extends that same browser runtime authority to one route-smoke target that serves declared adapter-static output inside the Bazel test action. It tested tinyland-inc/omux.xoxd.ai //:playwright_local_route_smoke from public main commit cd730bdc432b6eb2af4cac7032c040e4ab734da7 with GitHub App checkout, PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1, forced execution, proof nonce 20260517T232840Z-26005817853-1, 13 remote processes, remote @tailwindcss/oxide and esbuild lifecycle hooks, remote sveltekit_sync, remote vite_build, remote test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke, remote generate-xml.sh, and a passing Playwright local route smoke using /bin/chromium. The target verifies /agent-snippet from declared adapter-static output; it does not prove all omux routes, hosted E2E, or broad Playwright.

The public omux local-server Puppeteer proof run 26037732121 extends that same browser runtime authority to Puppeteer over a local route smoke. It tested tinyland-inc/omux.xoxd.ai //:puppeteer_local_route_smoke from public main commit 50e0b796cbc44bc82de67891b1999e7e48cff473 with GitHub App checkout, PUPPETEER_SKIP_DOWNLOAD=true, PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true, forced execution, proof nonce 20260518T135044Z-26037732121-1, 10 remote processes, remote @tailwindcss/oxide and esbuild lifecycle hooks, remote sveltekit_sync, remote vite_build, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, remote generate-xml.sh, and a passing Puppeteer local route smoke using /bin/chromium. The target verifies /agent-snippet from declared adapter-static output; it does not prove all omux routes, hosted E2E, or broad Puppeteer.

The public jesssullivan.github.io Puppeteer proof run 25777472760 repeats that policy against a second consumer. It tested Jesssullivan/jesssullivan.github.io //:puppeteer_chromium_smoke with GF_RBE_CHROMIUM_EXECUTABLE=/bin/chromium, forced execution, 855 remote processes, remote Puppeteer lifecycle-hook execution for puppeteer@23.11.1, remote test-setup.sh, and no browser download inside the REAPI action.

The public jesssullivan.github.io Playwright proof run 25894297074 extends that policy to a second Playwright target class. It tested Jesssullivan/jesssullivan.github.io //:playwright_chromium_smoke with PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1, forced execution, proof nonce 20260515T005745Z-25894297074-1, 855 remote processes, remote lifecycle-hook execution without browser download, remote test-setup.sh, and a passing Playwright Chromium runtime smoke using /bin/chromium. This is a runtime smoke over the public consumer workspace; it does not prove built app output, hosted E2E, or broad Playwright.

The private MassageIthaca Playwright proof run 25953478878 extends that policy to one private TMD browser-smoke target class. It tested Jesssullivan/MassageIthaca //:playwright_tmd_smoke from consumer commit 08555e16b9ee0504b1b23e6373b5b6bbfb799f5f with repo-scoped deploy-key checkout, PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1, forced execution, proof nonce 20260516T050753Z-25953478878-1, 3318 remote processes, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, remote test-setup.sh, remote generate-xml.sh, and a passing Playwright TMD smoke using /bin/chromium. This is one private browser target class; it does not prove all MassageIthaca tests, hosted E2E, or broad Playwright.

The private tinyland.dev local-server Playwright proof run 25989829826 extends the policy from static output to one local route smoke. It tested tinyland-inc/tinyland.dev //:playwright_local_route_smoke from consumer main commit efa977e701c449dce84065e138f3c8a303ce8334 with GitHub App checkout, verified private tummycrypt_tinyland_schemas:0.2.4 distdir staging, PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1, forced execution, proof nonce 20260517T114200Z-25989829826-1, 53 remote processes, remote TypeScript tsc, remote Vite build-tool execution, remote test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke, remote generate-xml.sh, and a passing Playwright route smoke using /bin/chromium. The target starts a loopback SvelteKit Node server inside the Bazel test action, fetches /legal/privacy, renders the returned HTML through page.setContent with JavaScript disabled, and asserts DOM textContent. This is one private local-server route-smoke class; it does not prove all Playwright, all tinyland.dev routes, deployed E2E, or broad web RBE.

The private tinyland.dev local-server Puppeteer proof run 26051698671 extends the same route-smoke policy to Puppeteer. It tested tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke from consumer main commit dcb859f658092dc2a6c0f33223cb9ec9a4055c18 with GitHub App checkout, verified private tummycrypt_tinyland_schemas:0.2.4 distdir staging, PUPPETEER_SKIP_DOWNLOAD=true, PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true, forced execution, proof nonce 20260518T181314Z-26051698671-1, 132 remote processes, remote @tailwindcss/oxide, sharp, and esbuild lifecycle hooks, remote TypeScript tsc, remote Svelte and Vite build-tool execution, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, remote generate-xml.sh, and a passing Puppeteer route smoke using /bin/chromium. The target starts a loopback SvelteKit Node server inside the Bazel test action, fetches /legal/privacy, renders the returned HTML through page.setContent with JavaScript disabled, and asserts DOM textContent. This is one private local-server route-smoke class; it does not prove all Puppeteer, all tinyland.dev routes, deployed E2E, or broad web RBE.

The consumer WebKit proof run 27330688866 promotes the worker WebKit lane from candidate to proved for one static-smoke target class. The consumer dispatch was Jesssullivan/darkmap.phasi.space browser-rbe-proof run 27330681726 (workflow_dispatch, target //:webkit_smoke_suite, force_execution=true) on 2026-06-11, against worker image digest sha256:9db80cc90cb6736430cdbfcf0a0773fd89073d897ec084b9b141ded1d58661af (the first image published from main with the gf-webkit-launcher shim), with the consumer GF_REAPI_CELL_IMAGE_DIGEST variable already flipped to it. The consumer pins @playwright/test exactly to 1.59.1, matching webkit-2272. The cell proof reported "1703 processes: 985 internal, 718 remote", //:playwright_webkit_shell_smoke passed in 4.5s, //:playwright_webkit_mobile_hud_smoke passed in 14.1s, and "Executed 2 out of 2 tests: 2 tests pass.", with no action-time browser download. The negative control is the first dispatch (darkmap run 27329374675, cell run 27329382732): both targets failed in 1.1s on the image-global LD_LIBRARY_PATH glibc poisoning before the PR #885 shim landed; the proof lane demonstrably fails closed on WebKit launch failures. This proves one consumer WebKit static-smoke class; it does not prove all WebKit targets, broad Playwright, Firefox, or deployed E2E.

Proof Contract

A browser-backed target class is promoted only when the proof artifact records:

  • bazel_command=test
  • --remote_executor and --remote_accept_cached=false
  • nonzero remote processes
  • remote test-setup.sh evidence for the browser test target
  • worker image digest and platform identity
  • the browser runtime path used by the test
  • no action-time browser installation
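
An added example (not the project's own contract checker) that evaluates a proof artifact against the seven items above and returns the ones it fails to record. The artifact field names other than bazel_command, the log line layout, and the download heuristics are assumptions; the sample artifact is constructed.

```javascript
'use strict';

// Heuristic download indicators drawn from the Forbidden Shape list and failed run 25747017023.
const DOWNLOAD_PATTERNS = [
  /\bplaywright install\b/,
  /googlechromelabs\.github\.io/,
  /\b(?:curl|wget)\b[^\n]*\b(?:chrome|chromium|webkit)\b/i,
];

// Parse a Bazel summary such as "INFO: 1703 processes: 985 internal, 718 remote."
// Only a bare "N remote" entry counts; "N remote cache hit" is not remote execution.
function remoteProcessCount(log) {
  const summary = /\d+ process(?:es)?: ([^\n]*)/.exec(log);
  if (!summary) return 0;
  for (const part of summary[1].split(',')) {
    const hit = /^\s*(\d+) remote\.?\s*$/.exec(part);
    if (hit) return Number(hit[1]);
  }
  return 0;
}

// Returns the contract items the artifact fails to record; empty means promotable.
function checkProofArtifact(a) {
  const args = a.bazel_args || [];
  const log = a.log || '';
  const name = (a.target || '').split(':').pop();
  const setupSeen = log.split('\n').some(
    (line) => name !== '' && line.includes('test-setup.sh') && line.includes(name));
  const checks = [
    ['bazel_command=test', a.bazel_command === 'test'],
    ['--remote_executor', args.some((x) => /^--remote_executor=.+/.test(x))],
    ['--remote_accept_cached=false', args.includes('--remote_accept_cached=false')],
    ['nonzero remote processes', remoteProcessCount(log) > 0],
    ['remote test-setup.sh evidence', setupSeen],
    ['worker image digest', /^sha256:[0-9a-f]{64}$/.test(a.worker_image_digest || '')],
    ['platform identity', Boolean(a.platform)],
    ['browser runtime path', String(a.browser_runtime_path || '').startsWith('/')],
    ['no action-time browser installation', !DOWNLOAD_PATTERNS.some((re) => re.test(log))],
  ];
  return checks.filter(([, ok]) => !ok).map(([item]) => item);
}

// Constructed sample artifact; every value below is illustrative, not from a real run.
const SAMPLE_ARTIFACT = {
  bazel_command: 'test',
  target: '//:playwright_local_route_smoke',
  bazel_args: ['--remote_executor=grpcs://reapi.example.invalid', '--remote_accept_cached=false'],
  worker_image_digest: 'sha256:' + '0'.repeat(64),
  platform: 'linux/amd64 (constructed)',
  browser_runtime_path: '/bin/chromium',
  log: [
    'remote test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke',
    'INFO: 20 processes: 7 internal, 13 remote.',
  ].join('\n'),
};
```

A run served entirely from the remote cache reports only "remote cache hit" entries and is rejected under "nonzero remote processes", which is the case --remote_accept_cached=false exists to prevent.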

The current proved browser targets are:

  • //docs-site:playwright_chromium_smoke, from run 25712694947, with 1060 remote processes and a passing playwright-core smoke using /bin/chromium.
  • tinyland-inc/omux.xoxd.ai //:puppeteer_chromium_smoke, from run 25826953857, with 137 remote processes, remote sveltekit_sync, remote vite_build, and a passing puppeteer-core smoke using /bin/chromium.
  • tinyland-inc/omux.xoxd.ai //:playwright_chromium_smoke, from run 25897326537, with proof nonce 20260515T024138Z-25897326537-1, 6 remote processes, remote lifecycle-hook execution, remote sveltekit_sync, remote vite_build, remote test-setup, remote generate-xml, and a passing Playwright Chromium static-output smoke using /bin/chromium.
  • tinyland-inc/omux.xoxd.ai //:playwright_local_route_smoke, from run 26005817853, with 13 remote processes, proof nonce 20260517T232840Z-26005817853-1, GitHub App checkout, remote @tailwindcss/oxide and esbuild lifecycle-hook execution, remote sveltekit_sync, remote vite_build, remote test-setup, remote generate-xml, and a passing local-server Playwright route smoke using /bin/chromium.
  • tinyland-inc/omux.xoxd.ai //:puppeteer_local_route_smoke, from run 26037732121, with 10 remote processes, proof nonce 20260518T135044Z-26037732121-1, GitHub App checkout, remote @tailwindcss/oxide and esbuild lifecycle-hook execution, remote sveltekit_sync, remote vite_build, remote test-setup, remote generate-xml, and a passing local-server Puppeteer route smoke using /bin/chromium.
  • Jesssullivan/jesssullivan.github.io //:puppeteer_chromium_smoke, from run 25777472760, with 855 remote processes, remote Puppeteer lifecycle-hook execution, remote test-setup, and a passing Chromium smoke using /bin/chromium.
  • Jesssullivan/jesssullivan.github.io //:playwright_chromium_smoke, from run 25894297074, with 855 remote processes, proof nonce 20260515T005745Z-25894297074-1, remote lifecycle-hook execution without browser download, remote test-setup, and a passing Playwright Chromium runtime smoke using /bin/chromium.
  • Jesssullivan/MassageIthaca //:playwright_tmd_smoke, from run 25953478878, with 3318 remote processes, proof nonce 20260516T050753Z-25953478878-1, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, remote test-setup, remote generate-xml, and a passing Playwright TMD smoke using /bin/chromium.
  • tinyland-inc/tinyland.dev //:playwright_local_route_smoke, from run 25989829826, with 53 remote processes, proof nonce 20260517T114200Z-25989829826-1, GitHub App checkout, verified tummycrypt_tinyland_schemas:0.2.4 private distdir staging, remote TypeScript tsc, remote Vite build tool execution, remote test-setup, remote generate-xml, and a passing local-server Playwright route smoke using /bin/chromium.
  • tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke, from run 26051698671, with 132 remote processes, proof nonce 20260518T181314Z-26051698671-1, GitHub App checkout, verified tummycrypt_tinyland_schemas:0.2.4 private distdir staging, remote TypeScript tsc, remote Svelte and Vite build-tool execution, remote test-setup, remote generate-xml, and a passing local-server Puppeteer route smoke using /bin/chromium.
  • Jesssullivan/darkmap.phasi.space //:playwright_webkit_shell_smoke and //:playwright_webkit_mobile_hud_smoke, from run 27330688866 (consumer dispatch 27330681726 for //:webkit_smoke_suite with force_execution=true), with 718 remote processes, worker image digest sha256:9db80cc90cb6736430cdbfcf0a0773fd89073d897ec084b9b141ded1d58661af, @playwright/test pinned exactly to 1.59.1, and passing WebKit smokes in 4.5s and 14.1s through the gf-webkit-launcher shim resolved from GF_RBE_WEBKIT_EXECUTABLE.

GloriousFlywheel