Production-polish: failure-boundary hardening, API hygiene, CDP-filter CI, docs#10
Merged
Conversation
…rol security doc - processGone now fails pending eval/cookie futures before notifying the consumer (a host crash is the likeliest failure; in-flight round-trips otherwise hang forever). - dispose() is idempotent (a second call returns early) — an externally-owned controller disposed twice no longer throws via the ValueNotifier asserts. - enableAgentControl tolerates a partial native reply (returns null, not a TypeError); its dartdoc now states the token is REQUIRED (matches CdpRelay's 401 gate), replacing the stale "token is not the gate" claim. - _handleJsDialog reports a throwing app handler via FlutterError.reportError (still fails closed) instead of swallowing it. - Document external-controller ownership on CefWebView.controller (you dispose what you pass — the single most likely resource leak). Adds tests for processGone-fails-pending, dispose-twice, and the nullable reply. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ter suite in CI The CDP per-tile isolation filter suite had a stale assertion: it expected a browser-level Target.setAutoAttach(flatten) to be FORWARDED, but the relay correctly INTERCEPTS it (self-attaches + synthesizes attachedToTarget, H2) to prevent cross-tile control leak. The failure went unnoticed because CI never ran the suite. Fix the assertion to match the (correct) interception behavior, and wire run_filter_tests.sh into CI so the security keystone is gated on every PR; also analyze the sub-packages. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…e the example test - macos podspec 0.1.3 -> 0.2.0 to match its pubspec, with a 0.2.0 CHANGELOG entry (profiles, multi-view shared host, agent-control CDP relay, reliability). - Trim the root + platform-interface pubspec descriptions under pub.dev's 180-char limit. - Replace the example RunnerTests stub (it tested a non-existent verb and force-cast the result, crashing if ever run) with a real unknown-verb dispatch test. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… CdpRelay EINTR - Add removeJavaScriptChannel (stops delivery; the process-global page-side shim is intentionally left intact since tearing it down would also remove it from sibling views on a shared profile). - Mark sendPointer/sendKey @internal — they are raw wire encodings driven by CefWebView, not supported public API (adds the `meta` dep). - CdpRelay.writeAll now retries on EINTR — the last pipe writer still treating a signal as a dead socket (matches CefProfileHost + the C++ host side). Tests: removeJavaScriptChannel stops delivery; processGone reason default/passthrough; paintStalled callback. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- CONTRIBUTING.md: federated layout, building cef_host (cmake+ninja), and the exact local check sequence CI runs (analyze x4, flutter test, the CDP-filter security suite, the real-host integration probes). - README: a symptom-keyed Troubleshooting section (blank texture, hardware-access SIGABRT, ephemeral-profile downgrade, 'locked', paint-stall, CDP 401) and the cmake+ninja build prerequisite. - README API tour: document the previously-untoured public members — removeJavaScriptChannel, onProcessGone, onPaintStalled, setVisible, enableCdp/cdpPort (with the agent-control contrast). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Production-grade polish for
flutter_cefas a standalone (git-consumed) package, driven by an 8-dimension readiness audit. Verdict: well-engineered; the gap was failure-boundary hardening + enforcement + publishability polish — addressed here. (Publishing to pub.dev is deliberately out of scope per the maintainer; the package stays git-consumed, so the path-dep model is unchanged.)Correctness / failure boundary
processGonenow fails pending eval/cookie futures (was: hang forever on a host crash — the likeliest failure).dispose()is idempotent (no throw on double-dispose).enableAgentControltolerates a partial native reply (null, not aTypeError).CdpRelay.writeAllretries onEINTR(the last pipe writer still treating a signal as a dead socket).FlutterError.reportErrorinstead of swallowed.Security
enableAgentControldartdoc — the token is required (matches the 401 gate), not optional.setAutoAttachassertion that was failing — but CI never ran the suite. Fixed the assertion (the relay correctly intercepts a browser-levelsetAutoAttachto prevent cross-tile control leak) and wiredrun_filter_tests.shinto CI.API hygiene
removeJavaScriptChannel(Dart-only: stops delivery; the page-side shim is process-global on a shared profile, so tearing it down would hit siblings).sendPointer/sendKey@internal(raw wire encodings driven byCefWebView).CefWebView.controller.Packaging / CI
0.1.3→0.2.0+ a0.2.0CHANGELOG entry.RunnerTestsstub with a real dispatch test.Tests
New:
processGone-fails-pending, dispose-twice,enableAgentControl-nullable,removeJavaScriptChannel,processGone-reason,paintStalled— 58 controller tests total.Docs
cmake+ninjabuild prerequisite, and the previously-untoured public API (removeJavaScriptChannel,onProcessGone,onPaintStalled,setVisible,enableCdp/cdpPort).cef_host, and the exact local check sequence CI runs.Verification
flutter analyzeclean (package + sub-packages + example); 58 Dart tests pass; CDP filter suite ALL PASS; the shared-host channel integration probe passes against a realcef_host.Deferred to a follow-up PR — deeper consolidation
A coherent refactor wave best reviewed on its own: a shared Swift
CefWirecodec +CefOpenum, named wire constants incef_input, aCefMethods/CefEventssource of truth, and nativemain.mmtidy-ups. These touch the IPC opcode space across the Swift + native layers and want a build-verified pass. Tracked from the audit backlog.🤖 Generated with Claude Code