# cultguard-chrome continuation plan

## Goal

Resume Chromium work from `cultguard-chrome` instead of from the dotfiles repo, while preserving the currently verified live behavior and avoiding another round of guessing from a dirty tree.

## Verified live baseline

These facts were verified directly from the running desktop and the live Nix store on 2026-03-28.

- Desktop 0 is currently running:
  - `Chrome/143.0.7499.169`
  - CDP endpoint: `http://127.0.0.1:9222/json/version`
- The live fingerprint-guard extension is still the older store build:
  - path: `/nix/store/lglzpdn5mj45ibbj1vnsjmmi8m2p9mzw-chromium-fingerprint-guard`
  - manifest version: `1.3.0`
- The live Chromium derivation is:
  - output: `/nix/store/jr0yxr7lnmgv88g8r9459c1sg8bsgz3a-chromium-unwrapped-143.0.7499.169`
  - deriver: `/nix/store/5vq5qbr69mn09kspabm02s7r5p8gq2xc-chromium-unwrapped-143.0.7499.169.drv`
- The live 143 build includes:
  - `chrome-branding.patch`
  - `cdp-stealth.patch`
- The live 143 build does **not** include:
  - `gpu-profile.patch`
- The live 143 build still injects ambient GN compiler-wrapper wiring rather
  than the later pinned repo-managed shared-cache wrapper approach.
- The deployed `cdp-stealth.patch` store file matches the dotfiles copy byte-for-byte:
  - `/nix/store/ak1426qdvmx0wr60x58a7xk7gqvc3vz6-cdp-stealth.patch`
- The deployed VNC launcher includes the newer readiness logic:
  - `xdpyinfo` readiness loop
  - `Xvfb ... -ac`
  - store path: `/nix/store/my2ha3pk41r275pr5zhazcjynypahlf7-vnc-display/bin/vnc-display`
- The deployed Openbox/privacy launchers do **not** export `BASTION_CHROMIUM_GPU_PROFILE`:
  - desktop 0 launcher: `/nix/store/la26ygk8sz8f72h29wpy8rf6mzqsbh03-openbox-with-chrome/bin/openbox-with-chrome`
  - privacy desktop 1 launcher: `/nix/store/5z5gr9dgaxwryicfxsw431pc1r9vsf2p-privacy-desktop-1-launcher/bin/privacy-desktop-1-launcher`

## Dotfiles cleanup already completed

The dotfiles repo was cleaned up and committed so it only keeps the two changes that were directly verified as deployed:

- dotfiles commit: `eb7b2b8`
- kept:
  - `.config/home-manager/modules/artifacts/chromium-patched/patches/cdp-stealth.patch`
  - `.config/home-manager/modules/artifacts/vnc-display/default.nix`
- reverted from the dirty tree before commit:
  - cultguard-chrome input wiring in dotfiles
  - pinned shared-cache Chromium overlay changes
  - `gpu-profile.patch`
  - fingerprint-guard `1.4.0` edits
  - `BASTION_CHROMIUM_GPU_PROFILE` launcher env changes

## Important mismatch to keep in mind

There is still a live-vs-source mismatch, but it is now more specific:

- the running desktop is on Chromium `143.0.7499.169`
- current committed dotfiles also resolves Chromium `143.0.7499.169`
- however, the GitHub-backed `cultguard-chrome` commit currently pinned in
  dotfiles (`e007347`) does **not** yet match the live browser derivation
  closely enough to avoid a full source rebuild during `home-manager switch`
- the local `cultguard-chrome` commit `ea4d999` *does* match the live browser
  derivation closely enough for a successful override-based switch without
  rebuilding Chromium from source

Do **not** assume version parity alone is enough. For the next cultguard-chrome
phase, treat the verified runtime/store facts above as the source of truth and
promote the live-matching derivation state before relying on plain GitHub-backed
switches.

## What to do next in cultguard-chrome

### Phase 1: match the live baseline first

Before adding new GPU/build-cache/dotfiles wiring again, bring this repo back to the deployed baseline:

1. Keep `patches/chrome-branding.patch`.
2. Keep `patches/cdp-stealth.patch`.
3. Remove or gate `patches/gpu-profile.patch` until it is re-proven.
4. Keep the fingerprint-guard behavior aligned with the live `1.3.0` extension until native GPU work is stable again.
5. Treat the pinned repo-managed cache-wrapper design as a separate improvement to re-validate, because it is not in the live 143 store build.

### Phase 2: prove local parity from this repo

Only after the local cultguard-chrome build matches the intended baseline should dotfiles be rewired to consume this repo again.

### Phase 3: re-enable dotfiles integration carefully

Reintroduce the cultguard-chrome input in dotfiles only on a dedicated branch or temporary override path, then validate with a non-switching build first.

## Local validation checklist

### Repo sanity

Run these from `/home/mnm/cultguard-chrome`:

```bash
nix flake show
nix flake check
nix run .#cultguard-chrome-sccache-infra -- setup-local
nice -n 19 ionice -c3 nix build .#cultguard-chrome \
  --max-jobs 1 \
  --cores 8 \
  -L
```

Niceness tops out at 19, so `-n 19` is the lowest scheduling priority available; larger values are silently clamped. If you intentionally change the shared compiler-cache model, test that separately instead of mixing it into the baseline-parity pass.

### Dotfiles integration smoke test

Do this only after the cultguard-chrome build matches the intended baseline:

```bash
cd /home/mnm/dotfiles
nix eval ./.config/home-manager#homeConfigurations.mnm.activationPackage.drvPath
nix eval ./.config/home-manager#homeConfigurations.mnm.pkgs.chromium.drvPath
home-manager build --flake .config/home-manager#mnm
```

`pkgs.chromium.drvPath` is the wrapper's derivation, so compare the unwrapped Chromium derivation it pulls in against the live deriver listed in the baseline, not the wrapper hash. Before `home-manager build`, `nix build --dry-run` on the `activationPackage` attribute lists what would be built; `chromium-unwrapped` appearing in that list means the pinned cultguard-chrome commit does not match the live deriver, and the build should be aborted rather than allowed to compile Chromium from source. If dotfiles is rewired again to consume the local checkout, prefer a temporary local override first.

## Runtime verification checklist

The authoritative command matrix now also lives in `README.md` under
`## Validation matrix` so it can be wired into repo-local tooling later.

### Browser/runtime smoke

Use the live desktops after deployment:

```bash
curl -s http://127.0.0.1:9222/json/version
cat /nix/store/lglzpdn5mj45ibbj1vnsjmmi8m2p9mzw-chromium-fingerprint-guard/manifest.json
systemctl --user cat bastion-vnc-display.service
systemctl --user cat bastion-openbox.service
systemctl --user cat bastion-privacy-desktop-1.service
```

Expected baseline:

- desktop 0 reports Chrome `143.0.7499.169`
- fingerprint guard is still `1.3.0` until intentionally changed
- VNC launcher includes `xdpyinfo` readiness and `Xvfb -ac`
- desktop launchers do not export `BASTION_CHROMIUM_GPU_PROFILE` unless that change is being reintroduced deliberately

### Raw CDP regression check

Re-run the native CDP probe that motivated `cdp-stealth.patch`:

- attach to `localhost:9222` (and `localhost:9211`) over raw CDP, not through a driver
- hook `Error.prepareStackTrace` in the page, then log a native `Error`
- confirm:
  - the `Error.prepareStackTrace` hook is not hit while the inspector serializes the object
  - `Runtime.consoleAPICalled` still exposes a native `Error` (`subtype: "error"`, `className: "Error"`)
  - no eager `preview` is attached to the logged object
  - the description is the concise `Error: boom`, with no stack appended
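The probe below is an added example, not code from cultguard-chrome or dotfiles. It drives the check above over raw CDP from Node (assumed Node 22 or newer, for the global `fetch` and `WebSocket`): it installs an `Error.prepareStackTrace` hook in the page, logs a native `Error`, reads the hook flag back, and grades the resulting `Runtime.consoleAPICalled` payload against the four conditions. The `__prepareHit` flag, the `CDP_HOST` and `CDP_PROBE_LIVE` variables and the two sample payloads are this example's own; the samples are constructed to show the clean and the stock shape, not captured from a browser.

```javascript
// Added example for the raw CDP regression check; not code from
// cultguard-chrome or dotfiles. Assumes Node >= 22 (global fetch and
// WebSocket) and a browser with DevTools on CDP_HOST (default 127.0.0.1:9222).
"use strict";

const CDP_HOST = process.env.CDP_HOST || "127.0.0.1:9222"; // example's own variable
const EXPECTED_DESCRIPTION = "Error: boom";

// Page-side probe. V8 formats an Error's stack lazily and calls
// Error.prepareStackTrace on first access of `.stack`. If the inspector
// reads `.stack` eagerly while serializing the logged Error for
// Runtime.consoleAPICalled, the hook fires and __prepareHit (this example's
// own flag) flips to true: the "devtools attached" tell the patch suppresses.
const PAGE_PROBE = `(() => {
  globalThis.__prepareHit = false;
  Error.prepareStackTrace = (err) => { globalThis.__prepareHit = true; return String(err); };
  console.log(new Error("boom"));
  return true;
})()`;

// Grade one Runtime.consoleAPICalled payload plus the hook state against
// the four conditions the regression check lists.
function assessProbe(consoleParams, prepareHit) {
  const arg = (consoleParams.args || [])[0] || {};
  return {
    prepareStackTraceNotHit: prepareHit === false,
    nativeError: arg.type === "object" && arg.subtype === "error" && arg.className === "Error",
    previewAbsent: !("preview" in arg),
    conciseDescription: arg.description === EXPECTED_DESCRIPTION,
  };
}

function allClean(verdict) {
  return Object.values(verdict).every(Boolean);
}

// Constructed sample of the clean shape: native Error, no preview, no stack.
const SAMPLE_CLEAN_EVENT = {
  type: "log",
  args: [{ type: "object", subtype: "error", className: "Error",
           description: "Error: boom", objectId: "1.1.1" }],
};

// Constructed sample of the stock shape: stack appended to the description
// and an eager preview attached to the argument.
const SAMPLE_STOCK_EVENT = {
  type: "log",
  args: [{ type: "object", subtype: "error", className: "Error",
           description: "Error: boom\n    at <anonymous>:1:15", objectId: "1.1.2",
           preview: { type: "object", subtype: "error", description: "Error: boom",
                      overflow: false, properties: [] } }],
};

const sleep = (ms) => new Promise((r) => setTimeout(r, ms));

// Live probe: attach to the first page target, run PAGE_PROBE, collect the
// console event it produced, then read the hook flag back.
async function runProbe(host = CDP_HOST) {
  const targets = await (await fetch(`http://${host}/json`)).json();
  const page = targets.find((t) => t.type === "page" && t.webSocketDebuggerUrl);
  if (!page) throw new Error(`no page target on ${host}`);
  const ws = new WebSocket(page.webSocketDebuggerUrl);
  await new Promise((ok, fail) => { ws.onopen = ok; ws.onerror = fail; });
  const pending = new Map();
  const consoleEvents = [];
  let nextId = 1;
  ws.onmessage = (ev) => {
    const msg = JSON.parse(ev.data);
    if (msg.id !== undefined && pending.has(msg.id)) {
      pending.get(msg.id)(msg);
      pending.delete(msg.id);
    } else if (msg.method === "Runtime.consoleAPICalled") {
      consoleEvents.push(msg.params);
    }
  };
  const send = (method, params = {}) => new Promise((resolve) => {
    const id = nextId++;
    pending.set(id, resolve);
    ws.send(JSON.stringify({ id, method, params }));
  });
  await send("Runtime.enable");
  consoleEvents.length = 0; // drop console history replayed by Runtime.enable
  await send("Runtime.evaluate", { expression: PAGE_PROBE, returnByValue: true });
  for (let i = 0; i < 40 && consoleEvents.length === 0; i++) await sleep(50);
  const hit = await send("Runtime.evaluate",
    { expression: "globalThis.__prepareHit", returnByValue: true });
  ws.close();
  const prepareHit = hit.result && hit.result.result ? hit.result.result.value : undefined;
  return assessProbe(consoleEvents[consoleEvents.length - 1] || {}, prepareHit);
}

// CDP_PROBE_LIVE=1 node cdp-probe.js   (CDP_HOST=127.0.0.1:9211 for desktop 1)
if (process.env.CDP_PROBE_LIVE === "1") {
  runProbe().then((verdict) => {
    console.log(JSON.stringify(verdict, null, 2));
    process.exit(allClean(verdict) ? 0 : 1);
  }, (err) => { console.error(err); process.exit(2); });
}
```

Run it once per browser with `CDP_PROBE_LIVE=1` and `CDP_HOST` set to `127.0.0.1:9222` or `127.0.0.1:9211`; exit status 0 means all four conditions held. Note the probe has to send `Runtime.enable` to receive `Runtime.consoleAPICalled` at all, and `Runtime.enable` is itself a separately detectable signal, so a clean verdict here covers only the error-serialization tell that `cdp-stealth.patch` targets.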

### Public stealth pages

Re-run these after any cultguard-chrome deployment:

- `bot.sannysoft.com`
- `arh.antoinevastel.com/bots/areyouheadless`
- Intoli `chrome-headless-test.html`
- `fpscanner.com/demo`
- AmiUnique

For FPScanner, repeat multiple times on both:

- `localhost:9222`
- `localhost:9211`

Record both the top-line verdict and the sub-signals. Previous work showed the top-line verdict can be noisy even when the underlying CDP/canvas/webdriver signals stay stable.

### Latest successful runtime sweep

The most recent validation sweep on 2026-03-28 confirmed:

- `bastion-vnc-display.service`
- `bastion-openbox.service`
- `bastion-privacy-namespaces.service`
- `bastion-privacy-desktop-{1..4}.service`

were all active after restart.

The same sweep also confirmed:

- `9222` and `9211..9214` all reported `Chrome/143.0.7499.169`
- `ns-mullvad-1..4` all returned distinct exit IPs
- raw CDP regression was clean on `9222` and `9211`
- `bot.sannysoft.com`, Antoine Vastel, and Intoli looked clean on both tested
  browsers
- FPScanner returned `Bot detected: false` in that sweep on both tested
  browsers, while keeping the historically more stable sub-signals clean

## References

### Repo/history references

- dotfiles commit with cleaned deployed state:
  - `eb7b2b8`
- cultguard-chrome commits:
  - `e4a1937` scaffold
  - `cc56dcb` docs for remote/local wiring
  - `01971f9` invalid secret-condition fix
  - `e007347` default Cachix cache name `cultguard`

### Session reference

- checkpoint:
  - `/home/mnm/.copilot/session-state/cd6eabe9-b034-4884-940e-7ce6d596bc74/checkpoints/018-splitting-cultguard-chrome.md`

### Live store references

- running Chromium output:
  - `/nix/store/jr0yxr7lnmgv88g8r9459c1sg8bsgz3a-chromium-unwrapped-143.0.7499.169`
- Chromium deriver:
  - `/nix/store/5vq5qbr69mn09kspabm02s7r5p8gq2xc-chromium-unwrapped-143.0.7499.169.drv`
- live `cdp-stealth.patch`:
  - `/nix/store/ak1426qdvmx0wr60x58a7xk7gqvc3vz6-cdp-stealth.patch`
- live fingerprint-guard extension:
  - `/nix/store/lglzpdn5mj45ibbj1vnsjmmi8m2p9mzw-chromium-fingerprint-guard`
- live VNC launcher:
  - `/nix/store/my2ha3pk41r275pr5zhazcjynypahlf7-vnc-display/bin/vnc-display`
- live desktop 0 launcher:
  - `/nix/store/la26ygk8sz8f72h29wpy8rf6mzqsbh03-openbox-with-chrome/bin/openbox-with-chrome`
- live privacy desktop 1 launcher:
  - `/nix/store/5z5gr9dgaxwryicfxsw431pc1r9vsf2p-privacy-desktop-1-launcher/bin/privacy-desktop-1-launcher`
