feat: add Cloudflare Containers as alternative browser provider

[dcartertwo]

Summary

Add Cloudflare Containers as a drop-in alternative to BrowserBase for running headless browser sessions. Selectable via BROWSER_PROVIDER=cloudflare env var.

Why Containers instead of Browser Rendering?

We initially built on Cloudflare Browser Rendering (Durable Object + @cloudflare/playwright), but every request was flagged as a bot because Browser Rendering injects automatic headers (cf-biso-devtools, Signature-agent, etc.) that cannot be removed. Sites with Cloudflare bot protection (Turnstile, managed challenges) blocked us immediately.

Cloudflare Containers runs standard Chromium with standard Playwright inside Docker containers on Cloudflare's edge — no bot-detection headers injected.

Architecture

React (browser) → Next.js API route (/api/chat) → Cloudflare Worker
                                                     ↓
                                                  getContainer(env.LOGIN_SESSIONS, sessionId)
                                                     ↓
                                                  Docker Container (standard-2: 1 vCPU, 6 GiB RAM)
                                                     ├── Node.js HTTP server (port 3000)
                                                     ├── Standard Playwright + system Chromium
                                                     ├── Stealth measures (navigator.webdriver, plugins, UA, etc.)
                                                     └── Same REST endpoints as original design

What's included

Next.js app changes:

• Provider factory pattern (BROWSER_PROVIDER=browserbase|cloudflare)
• Extracted BrowserBase provider to providers/browserbase.ts
• New Cloudflare provider client in providers/cloudflare.ts (retry with backoff, 429 handling, SessionExpiredError)
• BrowserSession abstraction — all browser functions take session instead of page
• Screenshot preview (<img> fallback when no liveViewUrl)
• Session expiry handling in frontend

Worker + Container:

• worker/src/index.ts — Worker using getContainer() for session routing
• worker/src/login-browser-container.ts — Container class (standard-2, 15min sleep)
• worker/container/src/server.ts — Node.js HTTP server with all browser operations
• worker/container/src/stealth.ts — Stealth patches (21/23 bot tests pass)
• worker/Dockerfile — node:22-slim + system chromium (~357MB image)

Stealth results (bot.sannysoft.com)

Test	Result
WebDriver (New)	✅ missing (passed)
WebDriver Advanced	✅ passed
Plugins is of type PluginArray	✅ passed
Chrome object	✅ present (passed)
17 other tests	✅ all passed
WebGL Vendor/Renderer	❌ no webgl context (expected in headless)

Testing performed

• ✅ npm run build — zero errors
• ✅ Worker tsc --noEmit — zero errors
• ✅ wrangler deploy — container deployed successfully
• ✅ Health endpoint responds
• ✅ Session creation + page navigation (example.com)
• ✅ Page context extraction (HTML + screenshot)
• ✅ Bot detection tests (21/23 pass)
• ✅ Full end-to-end via Next.js API (GitHub login page correctly identified as credential_login_form with 2 inputs + submit button)
• ✅ Session close works cleanly
• ✅ BrowserBase path unchanged (backward compatible)

Environment variables

# Choose provider
BROWSER_PROVIDER=cloudflare  # or "browserbase" (default)

# Cloudflare provider
CF_BROWSER_WORKER_URL=https://your-worker.workers.dev
CF_BROWSER_API_KEY=your-secret

# BrowserBase provider (unchanged)
BROWSERBASE_API_KEY=...
BROWSERBASE_PROJECT_ID=...