Drive-by: browser/server.py was never linted (pre-commit ruff is scoped to
backend/), so #909 left an unused noqa + a 101-char line. Cleaned up while
editing this file for the proxy fix.
Prod smoke: tradein-browser fetched avito but got the ~400KB soft-block stub
(preloadedState present but priceDetailed=0, firewall=0) — because camoufox ran
with NO proxy (datacenter IP). Root cause: server.py read SCRAPER_PROXY_URL, but
the proxy in backend/.env.runtime is named AVITO_PROXY_URL (mobileproxy, #623) —
the same var curl_cffi-avito uses. So the var was empty in the browser container.
Fix: read AVITO_PROXY_URL first, SCRAPER_PROXY_URL as a generic fallback. One-line
env-name swap; the value is the working mobileproxy egress already on the host.
After deploy, re-run tradein-mvp/scripts/browser-smoke.sh — expect real data
(priceDetailed>0, ~1.4MB, firewall 0). IP rotation (AVITO_PROXY_ROTATE_URL) stays
backend-side and keeps working (same proxy endpoint, changing egress IP).
Refs #905, #883, #623
Reusable smoke test for the camoufox HTTP service. Run from the deploy host:
docker exec -i tradein-backend sh < tradein-mvp/scripts/browser-smoke.sh
Reports health, byte count, preloadedState presence, firewall-block detection
+ first 200 bytes of the response. Avoids long one-line curl commands that get
mangled on terminal paste.
Refs #905, #883
The playwright WS-server path (camoufox.server.launch_server) is incompatible
with playwright >=1.45: camoufox 0.4.11's launchServer.js requires
playwright/driver/package/lib/browserServerImpl.js, which no longer exists in
any playwright 1.45-1.60 → tradein-browser crash-looped with MODULE_NOT_FOUND
('Server process terminated unexpectedly'). Verified by running the built image.
Pivot (no playwright protocol between containers):
- browser/server.py: aiohttp service holding a local AsyncCamoufox (headless,
os/locale/geoip/humanize, proxy from SCRAPER_PROXY_URL). POST /fetch {url} →
new_page/goto/content/close → {html}; GET /health. Page-recycle every N +
crash-recovery (relaunch + 1 retry), serialized via asyncio.Lock.
- browser/Dockerfile: +aiohttp (camoufox fetch-as-root/#908 block untouched).
- backend BrowserFetcher: playwright.connect → httpx POST to the browser service
(one retry on transport/HTTP error). All playwright imports dropped.
- config: browser_ws_endpoint → browser_http_endpoint (http://tradein-browser:3000).
Verified by a REAL local image build + run: image builds, container stays Up
(Restarts=0, no crash-loop), GET /health=200, POST /fetch launches camoufox and
drives Firefox (only NS_ERROR_UNKNOWN_HOST = no DNS egress in the local build env,
proving the full HTTP→camoufox→Firefox chain; real fetch validates on prod with
network+proxy). 7 unit tests + ruff clean.
Dormant: scraper_fetch_mode stays curl_cffi. Refs #905, #883, #884
CI build-browser (and the deploy) went red on #907's browser image:
PermissionError: [Errno 13] Permission denied:
'/usr/local/lib/python3.12/site-packages/camoufox/GeoLite2-City.mmdb'
camoufox fetch with geoip=True downloads TWO things: the Firefox build (→
$HOME/.cache, correctly routed to /home/app via ENV HOME, the #899 fix) AND the
GeoLite2 mmdb, which it writes INTO the camoufox package dir in site-packages.
Since the browser image pip-installs camoufox as root, that dir is root-owned, so
running fetch as the app user can't write the mmdb → build fails.
Fix: run fetch as root (writes both the mmdb and — via ENV HOME — Firefox into
/home/app/.cache), then chown the Firefox cache to app. The mmdb stays root-owned
in site-packages but world-readable, which is all the runtime app user needs.
Verified by a real local image build (camoufox fetch now completes, image exports).
The deploy was gated off by the failed build-browser job (not partially applied),
so prod was never broken.
Refs #905, #883, #899
The new browser service references ghcr.io/lekss361/gendesign-tradein-browser;
without a build job the deploy's compose-up would fail pulling a missing image.
Adds build-browser job (mirrors build-backend, context ./tradein-mvp/browser),
a browser path-filter (tradein-mvp/browser/**), IMAGE_BROWSER env, and wires
build-browser into deploy needs + the no-failure gate.
Refs #905
Per user decision: reviewer = Opus (merge-authority needs strong reasoning on verdict);
остальные loop-роли остаются Sonnet. Реверсит только model-часть aa3d012 (reviewer→sonnet).
- start-bot.ps1: $model = reviewer? opus : sonnet + --model $model
- auto-code-reviewer.md: frontmatter model: opus + doc reviewer на Opus
Prod deploy 2026-05-31 13:50 failed on 095: 'cannot drop column sale_type_text
of table listings because view v_data_quality depends on it'. The view (recreated
in 094) has a CTE 'SELECT * FROM listings' which records a column-level dependency
on EVERY listings column incl sale_type_text — so the bare DROP COLUMN aborts the
whole migration (exit 1), blocking 095/096/097 from applying.
Fix: DROP VIEW v_data_quality -> DROP COLUMN sale_type_text -> recreate the view
with the identical 094 DDL (sale_type_text was never an output column, only pulled
in implicitly via SELECT *; after the drop, * no longer includes it). Verified
v_data_quality is the only object doing SELECT * FROM listings — listings_search_mv
and v_price_divergence reference explicit columns, so no other dependency blocks.
095 never applied on prod (transaction rolled back atomically, not in
_schema_migrations) → next deploy re-runs the corrected file. Editing the merged
migration in place is the correct recovery (a new 098 would not help: the runner
hits 095 first and keeps failing).
Refs #731
Build-verify on the deploy host (2026-05-31) showed the camoufox Firefox build
landed in /root/.cache/camoufox (RUN python -m camoufox fetch ran as root), but
the runtime app user (uid 1000) resolves the cache to /home/app/.cache/camoufox
→ 'browser not found' the moment scraper_fetch_mode flips to browser.
Fix: run the fetch AFTER USER app + set explicit ENV HOME=/home/app (Docker does
not auto-set HOME from USER, and camoufox/platformdirs keys the cache off $HOME).
Now build-time fetch and runtime both use /home/app/.cache/camoufox.
Verified: A) 'camoufox path' as app = /home/app/.cache/camoufox; B) that dir was
empty pre-fix while /root/.cache was root-only (Permission denied to app).
Dormant change — scraper_fetch_mode default stays curl_cffi (no runtime behavior
change), unblocks Phase 1 (#883).
Refs #884, #883
p3 naming-consistency (cadastral cols 0% filled). Migration 094_cadastral_unify.sql
(idempotent DO-block IF EXISTS): drop+recreate listings_search_mv (MV) +
v_data_quality (view), RENAME deals/house_metadata kadastr_num->cadastral_number,
DROP listings.kadastr_num + listings_kadastr_idx. Code SQL-string renames in
search_query/estimator/base (Lot dataclass field NOT renamed). 240 tests pass.
WARN: destructive DDL auto-applies to prod on deploy -> MERGE-GATE post-demo.
Reviewer: verify recreated MV/view DDL vs LIVE pg_get_viewdef before apply
(reconstructed from migration history 050/046, not live capture).
Refs #732
CLIENT-VISIBLE pricing (killer-factor, demo 2026-06-01). The same-building
anchor replaced headline median/range/confidence with an over-confident
premium on as few as 2 same-building asking comps. Human-chosen (Anton)
3-part safe-guard, all implemented:
1. min_comps 2 -> 4: anchor fires only with >=4 same-building comps.
2. confidence cap: at <5 anchor comps, confidence cannot be 'high' -> medium.
3. MAD-clip: drop price_per_m2 outliers among anchor comps before aggregation
(k=estimate_sb_mad_k=3.5); if <min_comps survive, anchor does NOT fire
(fallback to radius-median). Guards against price typos inflating anchor.
Anchor still REPLACES the headline (uplift-no-replace variant NOT chosen).
quarter-index/radius-tier/asking-sold untouched. 8 new unit tests; 61 anchor
tests pass, ruff clean.
MERGE-GATE (client-visible, like #764/#858): do NOT merge without a green
backtest #763 (held-out MAPE <= 18.7% + canonical A/B Малышева 125 /
Заводская 44а). Backtest needs live DB — pre-merge human/qa step.
Refs #755, #694