invisible_playwright/tests/vendor/README.md

# Vendored detection libraries (test-only)

These are upstream, unmodified, MIT-licensed browser-fingerprinting / bot-detection
libraries, vendored so the detector e2e tests run **hermetically and identically**
on a dev box and on a GitHub runner (no external CDN at test time — Firefox
tracking-protection blocks the openfpcdn.io CDN anyway, and we want CI offline).

They are served from a localhost HTTP server and loaded into the patched Firefox;
the tests assert the REAL detectors don't flag the stealth build (BotD: `bot===false`)
and that the fingerprint is stable (FingerprintJS: same `visitorId` across launches).

| File | Package | Version | Source | License |
|---|---|---|---|---|
| `botd-2.0.0.esm.js` | `@fingerprintjs/botd` | 2.0.0 | https://cdn.jsdelivr.net/npm/@fingerprintjs/botd@2.0.0/dist/botd.esm.js | MIT |
| `fingerprintjs-5.2.0.umd.min.js` | `@fingerprintjs/fingerprintjs` | 5.2.0 | https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@5.2.0/dist/fp.umd.min.js | MIT |

Both are MIT (Copyright © FingerprintJS, Inc.). To update: download the pinned
dist from jsdelivr, drop it here, and bump the version in the filename + this table.
test(e2e): run the real detectors (BotD + FingerprintJS OSS) on CI Instead of only our hand-rolled signal checks, load the actual MIT detection libraries against the patched binary and assert it isn't flagged: - BotD (the client-side bot detector FingerprintJS Pro itself uses): detect() must return bot=false (no automation/headless tell). - FingerprintJS OSS: visitorId present and stable across two fresh launches with the same seed (drift = per-session entropy = a bot tell). Hermetic: the libs are vendored (tests/vendor/, pinned, MIT) and served from a localhost server — no external CDN (Firefox tracking-protection blocks it anyway), no IP/network dependency, runs identically on a dev box and the GitHub runner. Both green locally against firefox-9. 2026-06-09 17:53:11 +02:00			`# Vendored detection libraries (test-only)`

			`These are upstream, unmodified, MIT-licensed browser-fingerprinting / bot-detection`
			`libraries, vendored so the detector e2e tests run hermetically and identically`
			`on a dev box and on a GitHub runner (no external CDN at test time — Firefox`
			`tracking-protection blocks the openfpcdn.io CDN anyway, and we want CI offline).`

			`They are served from a localhost HTTP server and loaded into the patched Firefox;`
			the tests assert the REAL detectors don't flag the stealth build (BotD: `bot===false`)
			and that the fingerprint is stable (FingerprintJS: same `visitorId` across launches).

			`\| File \| Package \| Version \| Source \| License \|`
			`\|---\|---\|---\|---\|---\|`
			\| `botd-2.0.0.esm.js` \| `@fingerprintjs/botd` \| 2.0.0 \| https://cdn.jsdelivr.net/npm/@fingerprintjs/botd@2.0.0/dist/botd.esm.js \| MIT \|
			\| `fingerprintjs-5.2.0.umd.min.js` \| `@fingerprintjs/fingerprintjs` \| 5.2.0 \| https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@5.2.0/dist/fp.umd.min.js \| MIT \|

			`Both are MIT (Copyright © FingerprintJS, Inc.). To update: download the pinned`
			`dist from jsdelivr, drop it here, and bump the version in the filename + this table.`