feat(shell): use Rust browser connection module

- Remove TS Playwright browser runtime and vendored Rust duplicate from docker-git
- Install ProverCoderAI/rust-browser-connection as the single noVNC/CDP browser provider
- Preserve invariant: generated Playwright MCP startup calls docker-git-browser-connection start --project <id> exactly once before MCP config

Author: skulidropek

packages/app/src/lib/core/templates-entrypoint.ts

@@ -27,10 +27,9 @@ import { renderEntrypointGitConfig, renderEntrypointGitHooks } from "./templates
 import { renderEntrypointGrokConfig } from "./templates-entrypoint/grok.js"
 import { renderEntrypointDockerGitBootstrap } from "./templates-entrypoint/nested-docker-git.js"
 import { renderEntrypointOpenCodeConfig } from "./templates-entrypoint/opencode.js"
-import { renderEntrypointPlaywrightBrowserRuntime } from "./templates-entrypoint/playwright-browser.js"
 import { renderEntrypointProjectAgentRules } from "./templates-entrypoint/project-rules.js"
 import { renderEntrypointRtkConfig } from "./templates-entrypoint/rtk.js"
-import { renderEntrypointBackgroundTasks } from "./templates-entrypoint/tasks.js"
+import { renderEntrypointBackgroundTasks, renderEntrypointRustBrowserConnection } from "./templates-entrypoint/tasks.js"
 import {
   renderEntrypointBashCompletion,
   renderEntrypointBashHistory,
@@ -60,7 +59,7 @@ export const renderEntrypoint = (config: TemplateConfig): string =>
     renderEntrypointProjectAgentRules(),
     renderEntrypointAgentsNotice(config),
     renderEntrypointDockerSocket(config),
-    renderEntrypointPlaywrightBrowserRuntime(config),
+    renderEntrypointRustBrowserConnection(),
     renderEntrypointMcpPlaywright(config),
     renderEntrypointGitConfig(config),
     renderEntrypointClaudeConfig(config),

packages/app/src/lib/core/templates-entrypoint/playwright-browser.ts

@@ -268,3 +268,51 @@ fi
 
 ${renderAgentLaunch(config)}
 ) &`
+// CHANGE: start the external Rust browser module from the project entrypoint.
+// WHY: issue #347 moves browser ownership to ProverCoderAI/rust-browser-connection while keeping docker-git as caller.
+// QUOTE(ТЗ): "Вынести noVNC + MCP Playright в единый модуль."
+// REF: issue-347
+// SOURCE: n/a
+// FORMAT THEOREM: MCP_PLAYWRIGHT_ENABLE=1 -> eventually running(DOCKER_GIT_BROWSER_CONTAINER_NAME)
+// PURITY: SHELL
+// EFFECT: generated bash calls docker-git-browser-connection, which calls Docker.
+// INVARIANT: browser shares the project container network namespace, so CDP is http://127.0.0.1:9223 from agents.
+// COMPLEXITY: O(1) entrypoint orchestration; Docker build/run is delegated to Rust.
+export const renderEntrypointRustBrowserConnection = (): string => [
+  '# Unified Rust browser connection (noVNC + CDP) for MCP Playwright + Hermes — per #347.',
+  '# Defaults are safe no-ops unless MCP Playwright is enabled.',
+  'docker_git_start_rust_browser_connection() {',
+  '  if [[ "${MCP_PLAYWRIGHT_ENABLE:-0}" != "1" ]]; then',
+  '    return 0',
+  '  fi',
+  '',
+  '  local browser_bin=""',
+  '  local candidate',
+  '  for candidate in /root/.cargo/bin/docker-git-browser-connection /usr/local/cargo/bin/docker-git-browser-connection $(command -v docker-git-browser-connection 2>/dev/null || true); do',
+  '    if [[ -x "$candidate" ]]; then',
+  '      browser_bin="$candidate"',
+  '      break',
+  '    fi',
+  '  done',
+  '',
+  '  if [[ -z "$browser_bin" ]]; then',
+  '    echo "[browser] WARNING: docker-git-browser-connection not found; Playwright MCP browser is unavailable" >&2',
+  '    MCP_PLAYWRIGHT_ENABLE=0',
+  '    export MCP_PLAYWRIGHT_ENABLE',
+  '    return 0',
+  '  fi',
+  '',
+  '  local project_container="${DOCKER_GIT_PROJECT_CONTAINER_NAME:-$(hostname)}"',
+  '  local network_mode="container:${project_container}"',
+  '  mkdir -p /var/log',
+  '  "$browser_bin" start --project "$project_container" --network "$network_mode" >> /var/log/docker-git-browser.log 2>&1 || {',
+  '    echo "[browser] WARNING: Rust browser connection failed; see /var/log/docker-git-browser.log" >&2',
+  '    MCP_PLAYWRIGHT_ENABLE=0',
+  '    export MCP_PLAYWRIGHT_ENABLE',
+  '    return 0',
+  '  }',
+  '  echo "[browser] Rust browser connection is ready via $browser_bin on $network_mode"',
+  '}',
+  '',
+  'docker_git_start_rust_browser_connection',
+].join("\n")

packages/app/src/lib/core/templates-entrypoint/tasks.ts

@@ -2,19 +2,34 @@
 import type { TemplateConfig } from "./domain.js"
 import type { ResolvedComposeResourceLimits } from "./resource-limits.js"
 import { renderEntrypoint } from "./templates-entrypoint.js"
-import { type ComposeResourceLimits, renderDockerCompose } from "./templates/docker-compose.js"
-import { renderDockerfile } from "./templates/dockerfile.js"
-import { renderPlaywrightBrowserRuntime } from "./templates/playwright-browser-runtime.js"
 import {
-  renderPlaywrightBrowserDockerfile,
-  renderPlaywrightCdpGuard,
-  renderPlaywrightStartExtra
-} from "./templates/playwright.js"
+  type ComposeResourceLimits,
+  type DockerComposeRenderOptions,
+  renderDockerCompose
+} from "./templates/docker-compose.js"
+import { renderDockerfile } from "./templates/dockerfile.js"
+
+// NOTE (Rust migration #347):
+// The unified single-browser (noVNC + CDP) is now managed by the Rust binary
+// `docker-git-browser-connection` (separate repo ProverCoderAI/rust-browser-connection).
+// It guarantees exactly one `dg-{project}-browser` container per project.
+// Old separate Dockerfile.browser / docker-git-browser-runtime.sh / cdp-guard
+// have been replaced to avoid duplication with TS code.
+// The Rust CLI is started in background from entrypoint (see renderEntrypointRustBrowserConnection).
+// MCP Playwright connects to the CDP exposed by the shared browser container.
 
 export type FileSpec =
   | { readonly _tag: "File"; readonly relativePath: string; readonly contents: string; readonly mode?: number }
   | { readonly _tag: "Dir"; readonly relativePath: string }
 
+export type TemplateRenderOptions = {
+  readonly compose: DockerComposeRenderOptions
+}
+
+const defaultTemplateRenderOptions: TemplateRenderOptions = {
+  compose: { enableLocalDockerSocket: false }
+}
+
 const renderGitignore = (): string =>
   `# docker-git project files
 # NOTE: bootstrap secrets stay local-only and should not be committed.
@@ -51,39 +66,21 @@ const renderConfigJson = (config: TemplateConfig): string =>
 
 export const planFiles = (
   config: TemplateConfig,
-  composeResourceLimits?: ResolvedComposeResourceLimits | ComposeResourceLimits
+  composeResourceLimits?: ResolvedComposeResourceLimits | ComposeResourceLimits,
+  options: TemplateRenderOptions = defaultTemplateRenderOptions
 ): ReadonlyArray<FileSpec> => {
-  const maybePlaywrightFiles = config.enableMcpPlaywright
-    ? ([
-      { _tag: "File", relativePath: "Dockerfile.browser", contents: renderPlaywrightBrowserDockerfile() },
-      {
-        _tag: "File",
-        relativePath: "docker-git-cdp-guard",
-        contents: renderPlaywrightCdpGuard(),
-        mode: 0o755
-      },
-      {
-        _tag: "File",
-        relativePath: "mcp-playwright-start-extra.sh",
-        contents: renderPlaywrightStartExtra(),
-        mode: 0o755
-      },
-      {
-        _tag: "File",
-        relativePath: "docker-git-browser-runtime.sh",
-        contents: renderPlaywrightBrowserRuntime(),
-        mode: 0o755
-      }
-    ] satisfies ReadonlyArray<FileSpec>)
-    : ([] satisfies ReadonlyArray<FileSpec>)
+  // Old separate browser files removed — unified browser is provided by Rust module
+  // (started via background task in entrypoint.sh).
+  // No more duplication with packages/browser-connection or playwright-browser TS.
+  const maybePlaywrightFiles: ReadonlyArray<FileSpec> = []
 
   return [
     { _tag: "File", relativePath: "Dockerfile", contents: renderDockerfile(config) },
     { _tag: "File", relativePath: "entrypoint.sh", contents: renderEntrypoint(config), mode: 0o755 },
     {
       _tag: "File",
       relativePath: "docker-compose.yml",
-      contents: renderDockerCompose(config, composeResourceLimits)
+      contents: renderDockerCompose(config, composeResourceLimits, options.compose)
     },
     { _tag: "File", relativePath: ".dockerignore", contents: renderDockerignore() },
     { _tag: "File", relativePath: "docker-git.json", contents: renderConfigJson(config) },

packages/app/src/lib/core/templates.ts

@@ -68,7 +68,32 @@ RUN set -eu; \
     openssh-server git gh ca-certificates curl unzip bsdutils sudo tmux \
     make docker.io docker-compose-v2 bash-completion zsh zsh-autosuggestions xauth \
     ncurses-term jq \
- && rm -rf /var/lib/apt/lists/*
+    rustc cargo \
+  && rm -rf /var/lib/apt/lists/*
+
+ENV PATH="/root/.cargo/bin:/usr/local/cargo/bin:\${PATH}"
+
+# CHANGE: install the unified Rust browser connection with a current Rust toolchain.
+# WHY: rust-browser-connection uses a Cargo.lock format newer than Ubuntu apt cargo; silently ignoring install failures leaves MCP Playwright without the noVNC/CDP browser module.
+# QUOTE(ТЗ): "добиться что бы всё работало и этому были доказательства"
+# REF: issue-347
+# SOURCE: n/a
+# FORMAT THEOREM: image_build_success -> executable(docker-git-browser-connection) on PATH
+# PURITY: SHELL
+# EFFECT: Docker build downloads rustup and installs the GitHub Rust crate.
+# INVARIANT: generated project images fail fast instead of booting with MCP_PLAYWRIGHT_ENABLE=1 and no browser binary.
+# COMPLEXITY: O(network + cargo_build)
+RUN set -eu; \
+  curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs -o /tmp/rustup-init.sh; \
+  sh /tmp/rustup-init.sh -y --profile minimal --default-toolchain stable; \
+  rm -f /tmp/rustup-init.sh; \
+  rustc --version; \
+  cargo --version
+
+# Install unified Rust browser connection (noVNC + CDP + single dg-*-browser guarantee)
+# Replaces all previous TS/MCP browser-connection duplication (per issue #347)
+RUN cargo install --git https://github.com/ProverCoderAI/rust-browser-connection --branch main docker-git-browser-connection --locked \
+  && docker-git-browser-connection --version
 
 # Passwordless sudo for all users (container is disposable)
 RUN printf "%s\\n" "ALL ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/zz-all \
@@ -198,8 +223,9 @@ if [[ "$MCP_PLAYWRIGHT_CDP_GUARD" == "1" ]]; then
   exec playwright-mcp --cdp-endpoint "$CDP_ENDPOINT" --cdp-timeout "$MCP_PLAYWRIGHT_CDP_TIMEOUT" "\${EXTRA_ARGS[@]}" "$@"
 fi
 
-# kechangdev/browser-vnc binds Chromium CDP on 127.0.0.1:9222; it also host-checks HTTP requests.
-# When the guard is disabled, preserve the old behavior by converting the HTTP endpoint to WS.
+# Unified Rust browser (docker-git-browser-connection) now provides the single
+# dg-$PROJECT-browser container with CDP on :9223 (reachable by name when --network is passed).
+# MCP Playwright connects directly to ws://dg-...-browser:9223 — no more separate browser-vnc or cdp-guard duplication (per #347).
 fetch_cdp_version() {
   curl -sSf --connect-timeout 3 --max-time 10 -H 'Host: 127.0.0.1:9222' "\${CDP_ENDPOINT%/}/json/version" 2>/dev/null
 }
@@ -236,9 +262,9 @@ RUN chmod +x /usr/local/bin/docker-git-playwright-mcp`
 
 const renderDockerfilePlaywrightRuntime = (config: TemplateConfig): string =>
   config.enableMcpPlaywright
-    ? `# docker-git nested Playwright browser runtime context
-COPY Dockerfile.browser docker-git-cdp-guard mcp-playwright-start-extra.sh docker-git-browser-runtime.sh /opt/docker-git/browser/
-RUN chmod +x /opt/docker-git/browser/docker-git-cdp-guard /opt/docker-git/browser/mcp-playwright-start-extra.sh /opt/docker-git/browser/docker-git-browser-runtime.sh`
+    ? `# Unified Rust browser (dg-*-browser) is started by docker-git-browser-connection binary
+# No more COPY of separate browser files — single session guaranteed by Rust module (see entrypoint and rust-browser-connection repo)
+# Old browser-vnc + cdp-guard duplication removed per #347`
     : ""
 
 /**