feat: agent file transfers

[andyMrtnzP]

Summary by CodeRabbit

Release Notes

• New Features
  • Added token-gated HTTP upload and single-use download endpoints with automatic download tracking and cleanup via handles.
  • Introduced a new file-transfers skill for detecting and guiding file upload/download workflows in agent runs.
• Bug Fixes
  • Updated the 1.6.2 “Latest”/“Bug Fixes” changelog organization while preserving the existing Docker-related fix entry.
• Documentation
  • Refreshed README tool listings and added a dedicated file upload/download guide.
• Tests
  • Added and updated test coverage for download storage, HTTP auth resolution, and agent file-transfer behavior.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f4e769e7-7d77-4feb-8528-4e264ec39a0b

📥 Commits

Reviewing files that changed from the base of the PR and between c87d5bc and 3fed48d.

📒 Files selected for processing (4)

• src/skills/file-transfers.md
• src/tools/agent.ts
• src/tools/schemas.ts
• test/tools/agent.spec.ts

✅ Files skipped from review due to trivial changes (1)

• src/skills/file-transfers.md

🚧 Files skipped from review as they are similar to previous changes (3)

• src/tools/schemas.ts
• test/tools/agent.spec.ts
• src/tools/agent.ts

---

Walkthrough

The PR replaces the standalone browserless_download MCP tool with integrated file transfer capabilities in browserless_agent. It adds a persistent download store module, a token-gated HTTP auth resolver, POST /upload and GET /download/:id HTTP routes, new uploadFile/getDownloads agent command schemas, upload normalization and download formatting logic, a new file-transfers skill with detection triggers and system prompt guidance, and removes the deprecated download tool and its types.

Changes

File Transfer Feature

Layer / File(s)	Summary
Download store and HTTP auth infrastructure src/lib/download-store.ts, src/lib/http-auth.ts, test/lib/download-store.spec.ts, test/lib/http-auth.spec.ts	Introduces the download-store module with StoredDownload interface, browserless-download:// URI scheme, 15-minute TTL, and storeDownload/getDownload/consumeDownload/clearSession helpers. Adds http-auth module with resolveBrowserlessAuth resolving Bearer/API-key/JWT tokens. Both modules are covered by new test suites.
Token-gated upload and download HTTP routes src/resources/upload-route.ts, src/resources/download-route.ts	Adds registerUploadRoute (POST /upload: auth, multipart parse, size enforcement via FILE_TRANSFER_MAX_BYTES, storeDownload, JSON handle response) and registerDownloadRoute (GET /download/:id: auth, single-use consumeDownload, file streaming with Content-Type/Content-Disposition, best-effort disk deletion).
Agent command schemas and file transfer normalization src/tools/schemas.ts, src/tools/agent.ts, test/tools/agent.spec.ts	Adds Zod schemas for uploadFile and getDownloads commands registered in AgentCommandSchema. Introduces normalizeUploadCommand (converts handle/path to base64, enforces size limits) and formatDownloads (returns transport-specific MCP Content[] with curl or path instructions). Updates browserless_agent description with fileTransferModeNote and adds auto-drain of Chrome-captured downloads after each batch.
file-transfers skill: detection, prompt, and docs src/skills/index.ts, src/skills/system-prompt.ts, src/skills/file-transfers.md, test/skills/skills.spec.ts	Adds file-transfers to SKILL_SPECS triggered by file input in snapshot or uploadFile/getDownloads method names. Extends the system prompt with file-transfer rules and fileTransferModeNote helper. Adds the skill to SKILL_TOOL_DESCRIPTION and introduces the complete file-transfers.md guide.
Server wiring, tool removal, and type cleanup src/index.ts, src/@types/types.d.ts, test/tools/annotations.spec.ts	Refactors hybridAuthenticate to use resolveBrowserlessAuth, registers HTTP routes on httpStream startup, calls clearSession on disconnect, removes registerDownloadTool. Deletes src/tools/download.ts and drops DownloadParams/DownloadParamsSchema types; adds 'file-transfers' to SkillId.
README and CHANGELOG README.md, CHANGELOG.md	Removes browserless_download from the Tools table, adds/expands entries for browserless_map, browserless_crawl, browserless_performance, and browserless_agent. Populates CHANGELOG 1.6.2 "Latest" with file transfer feature bullets.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant MCPServer as MCP Server (index.ts)
  participant UploadRoute as POST /upload
  participant BrowserlessAgent as browserless_agent
  participant BrowserlessAPI
  participant DownloadRoute as GET /download/:id
  participant DownloadStore as download-store

  rect rgba(100, 149, 237, 0.5)
    note over Client,DownloadStore: File Upload Flow
    Client->>UploadRoute: POST /upload (multipart file + token)
    UploadRoute->>UploadRoute: resolveBrowserlessAuth → 401 if invalid
    UploadRoute->>DownloadStore: storeDownload(filename, mimeType, bytes)
    DownloadStore-->>UploadRoute: StoredDownload {id, path}
    UploadRoute-->>Client: {ok, handle:"browserless-download://id", filename, size}
  end

  rect rgba(144, 238, 144, 0.5)
    note over Client,DownloadStore: Agent Upload + Auto-Download Flow
    Client->>BrowserlessAgent: uploadFile [{handle:"browserless-download://id"}]
    BrowserlessAgent->>DownloadStore: getDownload(handle) → base64 content
    BrowserlessAgent->>BrowserlessAPI: uploadFile with base64 content
    BrowserlessAPI-->>BrowserlessAgent: result
    BrowserlessAgent->>BrowserlessAPI: getDownloads (auto-drain)
    BrowserlessAPI-->>BrowserlessAgent: DownloadEntry[]
    BrowserlessAgent->>DownloadStore: storeDownload (persist captured bytes)
    BrowserlessAgent-->>Client: Content[] with curl/path instructions
  end

  rect rgba(255, 165, 0, 0.5)
    note over Client,DownloadStore: Single-use File Download Flow
    Client->>DownloadRoute: GET /download/:id + token
    DownloadRoute->>DownloadStore: consumeDownload(id) → single-use record
    DownloadRoute->>DownloadRoute: readFile(record.path)
    DownloadRoute-->>Client: file bytes (Content-Type, Content-Disposition)
    DownloadRoute->>DownloadStore: rm(record.path)
  end

  MCPServer->>DownloadStore: clearSession(sessionId) on disconnect

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐇 A bunny hops through files with glee,
No more lone download tool to see!
Uploads staged with handles bright,
Downloads served in single-byte might,
The agent now transfers with flair —
Base64? Only when nothing's there!
🌟 File transfers done right, I declare!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is empty and does not follow the required template structure, missing all critical sections including Summary, Related issues, Changes, Test plan, and Checklist.	Add a comprehensive description following the template, including a summary of changes, related issues, test plan results, and checklist confirmation items.
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: agent file transfers' clearly and concisely describes the main feature addition in the changeset, which implements file upload/download capabilities for the agent tool.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/agent-file-transfers

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

README.md (1)

34-34: ⚡ Quick win

Verify the browserless_agent file-transfer description is complete.

Line 34 now claims that browserless_agent handles "file upload/download (captured downloads auto-surface as handles; bytes never enter context)." This aligns with the changelog's intent, but ensure that the README's brevity does not omit important caveats:

• The stdio vs. httpStream transport distinction mentioned in the changelog (file saved locally in stdio, HTTP endpoints for httpStream) is not reflected here.
• The "auto-surface" behavior and its mechanics (e.g., when downloads appear, what metadata is included) should be explained or linked to the file-transfers skill documentation if users need to understand it.

Consider whether a brief note or link to the file-transfers skill section would improve clarity for users unfamiliar with the feature.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` at line 34, The browserless_agent description on line 34 of
README.md is incomplete regarding file transfer functionality. Expand the file
upload/download description to clarify the distinction between stdio and
httpStream transports and their different behaviors (file saved locally in stdio
versus HTTP endpoints for httpStream). Additionally, explain the "auto-surface"
behavior mechanics including when downloads appear and what metadata is
included. Consider adding a brief reference or link to the file-transfers skill
documentation to guide users who need detailed understanding of this feature.

src/resources/download-route.ts (1)

56-59: 💤 Low value

Consider RFC 5987 encoding for non-ASCII filenames.

The current sanitization only strips double quotes, which handles the immediate injection risk. However, filenames with non-ASCII characters or semicolons may display incorrectly in some browsers. Consider using the filename*= parameter with UTF-8 encoding for broader compatibility.

♻️ Optional: Improved Content-Disposition header

+    const safeFilename = record.filename.replace(/["\\]/g, '');
+    const encodedFilename = encodeURIComponent(record.filename);
     c.header(
       'Content-Disposition',
-      `attachment; filename="${record.filename.replace(/"/g, '')}"`,
+      `attachment; filename="${safeFilename}"; filename*=UTF-8''${encodedFilename}`,
     );

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/resources/download-route.ts` around lines 56 - 59, The
Content-Disposition header in the download-route.ts file currently only strips
double quotes from the filename, which doesn't properly handle non-ASCII
characters or special characters like semicolons that may cause display issues
in some browsers. Update the header construction to use RFC 5987 encoding by
adding a filename* parameter with UTF-8 encoding alongside the standard filename
parameter. This involves encoding the filename using appropriate character
encoding and using the filename*= format as specified in RFC 5987 for better
cross-browser compatibility.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/skills/file-transfers.md`:
- Line 81: The inline code span `< ` in the selector description line contains
invalid internal spacing that violates markdownlint rule MD038. Remove the space
inside the code span or reword the sentence to eliminate the space-padded inline
code. Instead of using backticks around `< `, restructure the text to describe
the deep selector syntax without spaces inside the code formatting, such as
using a different phrasing that avoids the problematic spacing pattern entirely.

In `@src/tools/agent.ts`:
- Around line 177-183: The code at line 177 interpolates the resolved `token`
value directly into the `tokenQ` variable, which then gets included in the error
message text. This can leak the actual Browserless API key to the user or model
output. Instead of interpolating the actual token value with `?token=${token ??
'<YOUR_BROWSERLESS_TOKEN>'}`, use only the placeholder
`?token=<YOUR_BROWSERLESS_TOKEN>` unconditionally so the real token is never
embedded in the error message. Alternatively, refactor the curl example to use
an Authorization header approach with Bearer token instead of query parameters,
which avoids the token in the URL entirely.

In `@src/tools/schemas.ts`:
- Around line 466-507: The file source validation in the z.object() schema for
the files array item currently allows zero or multiple sources to pass
validation, deferring failures to runtime. Add a schema-level constraint using
.refine() or .superRefine() to the z.object() that validates exactly one of the
three fields (content, handle, or path) is provided. The constraint should count
the number of defined fields among these three and ensure exactly one is
present, throwing a validation error with a clear message if zero or multiple
are provided.

---

Nitpick comments:
In `@README.md`:
- Line 34: The browserless_agent description on line 34 of README.md is
incomplete regarding file transfer functionality. Expand the file
upload/download description to clarify the distinction between stdio and
httpStream transports and their different behaviors (file saved locally in stdio
versus HTTP endpoints for httpStream). Additionally, explain the "auto-surface"
behavior mechanics including when downloads appear and what metadata is
included. Consider adding a brief reference or link to the file-transfers skill
documentation to guide users who need detailed understanding of this feature.

In `@src/resources/download-route.ts`:
- Around line 56-59: The Content-Disposition header in the download-route.ts
file currently only strips double quotes from the filename, which doesn't
properly handle non-ASCII characters or special characters like semicolons that
may cause display issues in some browsers. Update the header construction to use
RFC 5987 encoding by adding a filename* parameter with UTF-8 encoding alongside
the standard filename parameter. This involves encoding the filename using
appropriate character encoding and using the filename*= format as specified in
RFC 5987 for better cross-browser compatibility.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2a5a2e64-ae83-4868-9c73-553a04dc1d67

📥 Commits

Reviewing files that changed from the base of the PR and between a928e2d and d062a03.

📒 Files selected for processing (20)

• CHANGELOG.md
• README.md
• src/@types/types.d.ts
• src/index.ts
• src/lib/download-store.ts
• src/lib/http-auth.ts
• src/resources/download-route.ts
• src/resources/upload-route.ts
• src/skills/file-transfers.md
• src/skills/index.ts
• src/skills/system-prompt.ts
• src/tools/agent.ts
• src/tools/download.ts
• src/tools/schemas.ts
• test/lib/download-store.spec.ts
• test/lib/http-auth.spec.ts
• test/skills/skills.spec.ts
• test/tools/agent.spec.ts
• test/tools/annotations.spec.ts
• test/tools/download.spec.ts

💤 Files with no reviewable changes (3)

• test/tools/download.spec.ts
• src/tools/download.ts
• test/tools/annotations.spec.ts