feat(deploy): add Agent Browser verification command

[Abdulmuiz44]

Summary

Implements codra deploy verify <url> on top of the Agent Browser integration template merged in #34.

Command

codra deploy verify <url> [--screenshot-out <path>] [--vision] [--json] [--allow-warnings] [--agent-browser-bin <path>]

Behavior

• Validates public http/https URLs (blocks localhost/private networks by default)
• Shells out to agent-browser --json check with optional screenshot/vision flags
• Parses Agent Browser JSON and prints a Codra-friendly human or --json summary
• Exits non-zero on fail, and on warn unless --allow-warnings
• Prints install guidance when agent-browser is missing

Testing

• cargo test -p codra-deploy -p codra-cli
• Unit tests mock Agent Browser output (no real browser in CI)

Docs

• Updated docs/codra-deploy/README.md and docs/codra-deploy/agent-browser.md

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 364053c7e0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Reject URLs with userinfo before safety checks

When the deploy verifier is used on untrusted or pasted URLs, this parser keeps the entire authority before the port as the host, so https://example.com@127.0.0.1/ passes assert_safe_url because example.com@127.0.0.1 is not recognized as a private IPv4 address. Browsers and HTTP clients interpret the part after @ as the actual host, so this bypasses the new localhost/private-network block and lets agent-browser navigate to loopback/internal services despite the documented safety default.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Invoke a URL navigation flow instead of checkbox check

For normal Agent Browser installs, this command does not run a smoke check against the URL: the current Agent Browser command reference documents agent-browser check <sel> as the checkbox action, with URL navigation handled by open <url> (see https://agent-browser.dev/commands). In that environment codra deploy verify https://example.com tries to check a checkbox matching the URL selector rather than opening the deployed page, so the new verifier either fails immediately or reports on the wrong browser state instead of validating the deployment.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Point missing-binary guidance at the published package

When agent-browser is missing, the only recovery command printed here sends users to @talocode/agent-browser, but the Agent Browser installation docs list the global package as agent-browser (npm install -g agent-browser, followed by agent-browser install; see https://agent-browser.dev/installation). In the missing-binary path this leaves users with install guidance that does not install the documented CLI binary, so they cannot recover from the error by following Codra's message.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Block IPv4-mapped IPv6 loopback literals

When the target is written as an IPv4-mapped IPv6 literal such as http://[::ffff:127.0.0.1]/ or http://[::ffff:192.168.1.10]/, parse_host hands this function ::ffff:..., but these checks only catch ::1, ULA, and fe8-feb prefixes. Those literals route to loopback/private IPv4 addresses in browsers, so they bypass the new private-network block even though the verifier is supposed to reject localhost/internal targets by default.

Useful? React with 👍 / 👎.