refactor: Implement multi-tenant browser session isolation (#41)

Refactors browser session management to provide complete multi-tenant
isolation, resolving security risks from shared browser sessions.

## Changes

- **Security Fix**: Each task now gets isolated browser session instead
of shared default
- **Session Management**: Added automatic expiration (10min) and cleanup
(2min intervals)
- **Skills Updated**: All 7 skills now use `GetOrCreateTaskSession()`
for isolation
- **Testing**: Added comprehensive multi-tenant isolation tests
- **Documentation**: Complete security and performance impact
documentation

## Security Benefits

- ✅ Complete tenant isolation (cookies, auth, storage, cache)
- ✅ Prevents session hijacking across tenant boundaries
- ✅ GDPR compliant for multi-tenant deployments
- ✅ Automatic cleanup prevents resource leaks

## Performance Impact

- ~1-2s overhead per task for session creation
- Trade-off: Security vs speed (appropriate for multi-tenant safety)

Fixes #40

Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Eden Reich <edenreich@users.noreply.github.com>

---------

Signed-off-by: Eden Reich <eden.reich@gmail.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Eden Reich <edenreich@users.noreply.github.com>

Author: edenreich

.adl-ignore

@@ -20,6 +20,7 @@ skills/wait_for_condition.go
 skills/write_to_csv.go
 internal/playwright/playwright.go
 
+go.mod
 .gitattributes
 
 # Add your own files to ignore here:

README.md

@@ -15,18 +15,12 @@ A production-ready [Agent-to-Agent (A2A)](https://github.com/inference-gateway/a
 ## Quick Start
 
 ```bash
-# Run the agent locally
+# Run the agent
 go run .
 
-# Or with Docker (Chromium only - smallest image)
+# Or with Docker
 docker build -t browser-agent .
 docker run -p 8080:8080 browser-agent
-
-# Build with specific browser engine
-docker build --build-arg BROWSER_ENGINE=firefox -t browser-agent:firefox .
-
-# Run with Xvfb enabled (for extensions or specific rendering features)
-docker run -p 8080:8080 -e BROWSER_XVFB_ENABLED=true browser-agent
 ```
 
 ## Features
@@ -76,6 +70,7 @@ The following custom configuration variables are available:
 | **Browser** | `BROWSER_HEADER_DNT` | Header_dnt configuration | `1` |
 | **Browser** | `BROWSER_HEADER_UPGRADE_INSECURE_REQUESTS` | Header_upgrade_insecure_requests configuration | `1` |
 | **Browser** | `BROWSER_HEADLESS` | Headless configuration | `true` |
+| **Browser** | `BROWSER_SESSION_TIMEOUT` | Session_timeout configuration | `2m` |
 | **Browser** | `BROWSER_STEALTH_MODE` | Stealth_mode configuration | `false` |
 | **Browser** | `BROWSER_USER_AGENT` | User_agent configuration | `Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36` |
 | **Browser** | `BROWSER_VIEWPORT_HEIGHT` | Viewport_height configuration | `1080` |
@@ -169,10 +164,10 @@ docker run --rm -it --network host ghcr.io/inference-gateway/a2a-debugger:latest
 
 ### Docker
 
-The Docker image can be built with custom version information and browser selection using build arguments:
+The Docker image can be built with custom version information using build arguments:
 
 ```bash
-# Build with default values from ADL (Chromium only)
+# Build with default values from ADL
 docker build -t browser-agent .
 
 # Build with custom version information
@@ -181,42 +176,15 @@ docker build \
   --build-arg AGENT_NAME="My Custom Agent" \
   --build-arg AGENT_DESCRIPTION="Custom agent description" \
   -t browser-agent:1.2.3 .
-
-# Build with specific browser engine
-docker build --build-arg BROWSER_ENGINE=firefox -t browser-agent:firefox .
-
-# Build with all browsers (larger image)
-docker build --build-arg BROWSER_ENGINE=all -t browser-agent:all .
 ```
 
 **Available Build Arguments:**
 - `VERSION` - Agent version (default: `0.4.1`)
 - `AGENT_NAME` - Agent name (default: `browser-agent`)
 - `AGENT_DESCRIPTION` - Agent description (default: `AI agent for browser automation and web testing using Playwright`)
-- `BROWSER_ENGINE` - Browser to install (`chromium`, `firefox`, `webkit`, or `all`) (default: `chromium`)
 
 These values are embedded into the binary at build time using linker flags, making them accessible at runtime without requiring environment variables.
 
-#### Xvfb Configuration
-
-By default, the browser runs in native headless mode. For cases requiring a virtual display (e.g., extensions, specific rendering features), you can enable Xvfb:
-
-```bash
-# Run with Xvfb enabled
-docker run -p 8080:8080 \
-  -e BROWSER_XVFB_ENABLED=true \
-  browser-agent
-
-# Customize Xvfb display settings
-docker run -p 8080:8080 \
-  -e BROWSER_XVFB_ENABLED=true \
-  -e BROWSER_XVFB_DISPLAY=:99 \
-  -e BROWSER_XVFB_SCREEN_RESOLUTION=1920x1080x24 \
-  browser-agent
-```
-
-**Security Note:** Xvfb is configured without the `-ac` flag (access control disabled) for security. The X server uses `-nolisten tcp` to prevent network access.
-
 ## License
 
 MIT License - see LICENSE file for details

agent.yaml

@@ -14,6 +14,7 @@ spec:
       headless: true
       engine: "chromium"
       stealth_mode: false
+      session_timeout: "2m"
       user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
       viewport_width: 1920
       viewport_height: 1080

config/config.go

@@ -1,4 +1,5 @@
 # Inference Gateway
+ENVIRONMENT=development
 DEEPSEEK_API_KEY=
 GOOGLE_API_KEY=
 

example/.env.example

@@ -88,7 +88,7 @@ services:
     environment:
       DEEPSEEK_API_KEY: ${DEEPSEEK_API_KEY}
       GOOGLE_API_KEY: ${GOOGLE_API_KEY}
-      ENVIRONMENT: development
+      ENVIRONMENT: ${ENVIRONMENT:-production}
       SERVER_READ_TIMEOUT: 530s
       SERVER_WRITE_TIMEOUT: 530s
       CLIENT_TIMEOUT: 530s

example/docker-compose.yaml

@@ -11,6 +11,7 @@ All tests use mocks for fast execution (~0.18s). No browser downloads required.
 go test -v ./internal/playwright
 
 # Generate mocks (after interface changes)
+# Note: counterfeiter is declared as a tool in go.mod
 go run github.com/maxbrunsfeld/counterfeiter/v6 -o internal/playwright/mocks/browser_automation.go internal/playwright BrowserAutomation
 ```