storage bypass + update deployment (#18)

* dunno if we're going to do this

* better deployment

Author: ak--47

.gcloudignore

@@ -14,6 +14,7 @@ scripts
 .claude
 .prettierrc
 service-account.json
+gcp-service-account-key.json
 
 # Ignore node_modules (generated during npm install)
 node_modules

.github/workflows/deploy.yml

@@ -0,0 +1,112 @@
+name: Deploy to GCP
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+  REGION: us-central1
+  UI_SERVICE_NAME: npc-mixpanel
+  API_SERVICE_NAME: npc-mixpanel-api
+
+jobs:
+  deploy:
+    name: Build and Deploy
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          project_id: ${{ secrets.GCP_PROJECT_ID }}
+
+      - name: Configure Docker for GCR
+        run: gcloud auth configure-docker
+
+      # Build container image once
+      - name: Build and push container image
+        run: |
+          echo "Building container image..."
+          docker build -t gcr.io/${{ env.PROJECT_ID }}/npc-mixpanel:${{ github.sha }} .
+          docker push gcr.io/${{ env.PROJECT_ID }}/npc-mixpanel:${{ github.sha }}
+          echo "Container image pushed successfully"
+
+      # Deploy UI service (private, behind IAP)
+      - name: Deploy UI to Cloud Run
+        run: |
+          echo "Deploying UI service to Cloud Run..."
+          gcloud run deploy ${{ env.UI_SERVICE_NAME }} \
+            --image gcr.io/${{ env.PROJECT_ID }}/npc-mixpanel:${{ github.sha }} \
+            --region ${{ env.REGION }} \
+            --platform managed \
+            --no-allow-unauthenticated \
+            --memory 8Gi \
+            --cpu 4 \
+            --timeout 3600 \
+            --max-instances 10 \
+            --min-instances 0 \
+            --concurrency 10 \
+            --session-affinity \
+            --port 8080 \
+            --set-env-vars "NODE_ENV=production,RUNTIME_CONTEXT=npc-ui"
+
+      # Deploy API service (public, allow-unauthenticated)
+      - name: Deploy API to Cloud Run
+        run: |
+          echo "Deploying API service to Cloud Run..."
+          gcloud run deploy ${{ env.API_SERVICE_NAME }} \
+            --image gcr.io/${{ env.PROJECT_ID }}/npc-mixpanel:${{ github.sha }} \
+            --region ${{ env.REGION }} \
+            --platform managed \
+            --allow-unauthenticated \
+            --memory 8Gi \
+            --cpu 4 \
+            --timeout 3600 \
+            --max-instances 10 \
+            --min-instances 0 \
+            --concurrency 1 \
+            --port 8080 \
+            --set-env-vars "NODE_ENV=production,RUNTIME_CONTEXT=npc-api"
+
+      # Deployment summary
+      - name: Deployment Summary
+        run: |
+          UI_URL=$(gcloud run services describe ${{ env.UI_SERVICE_NAME }} \
+            --region ${{ env.REGION }} \
+            --format='value(status.url)' 2>/dev/null || echo "")
+
+          API_URL=$(gcloud run services describe ${{ env.API_SERVICE_NAME }} \
+            --region ${{ env.REGION }} \
+            --format='value(status.url)' 2>/dev/null || echo "")
+
+          echo "## Deployment Complete!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### UI Service (Cloud Run - Private)" >> $GITHUB_STEP_SUMMARY
+          if [ -n "$UI_URL" ]; then
+            echo "**URL:** $UI_URL" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "**Service:** ${{ env.UI_SERVICE_NAME }}" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "_Protected by IAP - only authorized users can access_" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### API Service (Cloud Run - Public)" >> $GITHUB_STEP_SUMMARY
+          if [ -n "$API_URL" ]; then
+            echo "**URL:** $API_URL" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "**Service:** ${{ env.API_SERVICE_NAME }}" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "_Public endpoint - authenticated via user_id + safe_word_" >> $GITHUB_STEP_SUMMARY

.gitignore

@@ -15,4 +15,5 @@ env.yaml
 CLAUDE.md
 vscode-profile-*
 spec-*.jsonc
-service-account.json
+service-account.json
+gcp-service-account-key.json

cloudbuild-api.yaml

@@ -7,7 +7,7 @@ steps:
   - name: 'gcr.io/cloud-builders/docker'
     args: ['push', 'gcr.io/$PROJECT_ID/${_SERVICE_NAME}:latest']
 
-  # Deploy to Cloud Run
+  # Deploy to Cloud Run (API service - public, allow-unauthenticated)
   - name: 'gcr.io/cloud-builders/gcloud'
     args:
       - 'run'
@@ -16,15 +16,15 @@ steps:
       - '--image=gcr.io/$PROJECT_ID/${_SERVICE_NAME}:latest'
       - '--region=${_REGION}'
       - '--platform=managed'
-      - '--no-allow-unauthenticated'
+      - '--allow-unauthenticated'
       - '--memory=8Gi'
       - '--cpu=4'
       - '--timeout=3600'
       - '--max-instances=10'
       - '--min-instances=0'
       - '--concurrency=1'
       - '--port=8080'
-      - '--env-vars-file=.env.yaml'
+      - '--set-env-vars=NODE_ENV=production,RUNTIME_CONTEXT=npc-api'
 
 # Substitution variables
 substitutions:

cloudbuild.yaml

@@ -7,7 +7,7 @@ steps:
   - name: 'gcr.io/cloud-builders/docker'
     args: ['push', 'gcr.io/$PROJECT_ID/${_SERVICE_NAME}:latest']
 
-  # Deploy to Cloud Run
+  # Deploy to Cloud Run (UI service - private, behind IAP)
   - name: 'gcr.io/cloud-builders/gcloud'
     args:
       - 'run'
@@ -25,7 +25,7 @@ steps:
       - '--concurrency=10'
       - '--session-affinity'
       - '--port=8080'
-      - '--env-vars-file=.env.yaml'
+      - '--set-env-vars=NODE_ENV=production,RUNTIME_CONTEXT=npc-ui'
 
 # Substitution variables
 substitutions:

meeple/browser.js

@@ -46,16 +46,32 @@ export async function setUserAgent(page, userAgent, additionalHeaders = {}, log
 
 /**
  * Launch a new browser instance with proper configuration
+ *
+ * DevTools Debugging:
+ * - Set NODE_ENV=dev and headless=false to auto-open DevTools
+ * - Use 'debugger' statements in injected code to pause execution
+ * - Example: NODE_ENV=dev npm run local (with headless: false in config)
+ *
  * @param {boolean} headless - Whether to run in headless mode
  * @param {Function} log - Logging function
  * @returns {Promise<Browser>} - Browser instance
  */
 export async function launchBrowser(headless = true, log = console.log) {
 	try {
+		// Auto-open DevTools in development mode when not headless
+		const isDev = process.env.NODE_ENV === 'dev' || process.env.NODE_ENV === 'development';
+		const shouldOpenDevTools = isDev && !headless;
+
+		if (shouldOpenDevTools) {
+			log('🔧 Opening DevTools automatically (NODE_ENV=dev, headless=false)');
+		}
+
 		const browser = await puppeteer.launch({
 			// @ts-ignore
 			headless: headless ? 'new' : false,
 			args: puppeteerArgs,
+			// Auto-open DevTools for debugging
+			devtools: shouldOpenDevTools,
 			// No userDataDir - don't persist data for cloud functions
 			defaultViewport: {
 				width: 1366 + Math.floor(Math.random() * 200),
@@ -73,6 +89,19 @@ export async function launchBrowser(headless = true, log = console.log) {
 
 		// Browser-level security setup (URL-specific permissions will be set per page)
 
+		// Close the initial blank page that Puppeteer creates automatically
+		// This prevents the "multiple about:blank pages" issue in headful mode
+		try {
+			const pages = await browser.pages();
+			if (pages.length > 0 && pages[0].url() === 'about:blank') {
+				await pages[0].close();
+				log('🧹 Closed initial blank page');
+			}
+		} catch (err) {
+			// Non-critical error, just log and continue
+			log(`⚠️ Could not close initial blank page: ${err.message}`);
+		}
+
 		log(`🚀 Browser launched (headless: ${headless})`);
 		return browser;
 	} catch (error) {
@@ -91,9 +120,21 @@ export async function createPage(browser, log = console.log) {
 	try {
 		const page = await browser.newPage();
 
-		// CRITICAL: Enable CSP bypass at page level immediately
+		// CRITICAL: Enable ALL security bypasses at page level immediately
 		await page.setBypassCSP(true);
 
+		// Disable JavaScript domain security
+		await page.evaluateOnNewDocument(() => {
+			// Override document.domain to allow cross-origin access
+			try {
+				Object.defineProperty(document, 'domain', {
+					get() { return window.location.hostname; },
+					set(val) { return val; },
+					configurable: true
+				});
+			} catch (e) {}
+		});
+
 		// Set random realistic user agent
 		const randomAgent = agents[Math.floor(Math.random() * agents.length)];
 		const { userAgent, ...headers } = randomAgent;

meeple/entities.js

@@ -480,6 +480,44 @@ export const puppeteerArgs = [
 	'--ignore-certificate-errors-spki-list',
 	'--ignore-urlfetcher-cert-requests',
 
+	// Aggressive cross-origin and script loading bypasses
+	'--disable-web-security',
+	'--disable-features=CrossOriginOpenerPolicy',
+	'--disable-features=CrossOriginEmbedderPolicy',
+	'--disable-features=StrictOriginIsolation',
+	'--disable-features=OriginIsolation',
+	'--disable-site-isolation-trials',
+	'--disable-features=SameSiteByDefaultCookies',
+	'--disable-features=CookiesWithoutSameSiteMustBeSecure',
+	'--disable-features=ScriptStreamingOnPreload',
+	'--disable-features=PerformanceObserver',
+	'--disable-features=PermissionsPolicy',
+	'--disable-features=DocumentPolicy',
+	'--disable-features=FeaturePolicy',
+	'--disable-features=FeaturePolicyForPermissions',
+	'--disable-features=InterestCohort',
+	'--disable-features=ConversionMeasurement',
+	'--disable-features=AttributionReporting',
+	'--disable-features=Fledge',
+	'--disable-features=Topics',
+	'--disable-features=BrowsingTopics',
+	'--disable-features=PrivacySandboxAdsAPIs',
+	'--disable-features=TrustTokens',
+	'--disable-features=ReduceUserAgent',
+	'--disable-features=UserAgentClientHint',
+	'--disable-features=WebBundles',
+	'--disable-features=SubresourceWebBundles',
+	'--unsafely-treat-insecure-origin-as-secure=*',
+
+	// Storage access bypasses - critical for localStorage/sessionStorage
+	'--disable-features=BlockInsecurePrivateNetworkRequests',
+	'--allow-file-access-from-files',
+	'--allow-file-access',
+	'--disable-storage-key-api',
+	'--unlimited-storage',
+	'--disable-features=StorageAccessAPI',
+	'--disable-features=StoragePartitioning',
+
 	// Enhanced stealth - disable automation detection
 	'--exclude-switches=enable-automation',
 	'--disable-automation',