fix: don't misroute telemetry/events to the browser VM

The direct-to-VM routing allowlist matched on the subresource SEGMENT
("telemetry"), so the new historical GET /browsers/{id}/telemetry/events
endpoint (served by the control plane from S2) was routed to the session VM —
which only serves the live telemetry/stream SSE — once a session was route-cached,
yielding failures / wrong data.

Fix the granularity:
- Allowlist entries are now full path-prefixes ("curl", "telemetry/stream").
- Matching is segment-boundary aware: "telemetry/stream" matches
  "telemetry/stream[/...]" but NOT "telemetry/events" or "telemetry/streamfoo".
- Safe by default: any path not in the allowlist (including future browser
  sub-endpoints) goes to the control plane — slower, never misrouted.

All in src/kernel/lib/ (Stainless-preserved), so durable across regens. Adds a
regression vector and updates the default-config assertion.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: IlyaasK

src/kernel/lib/browser_routing/routing.py

@@ -41,7 +41,10 @@ class BrowserRoutingConfig:
 def browser_routing_config_from_env() -> BrowserRoutingConfig:
     raw = os.environ.get("KERNEL_BROWSER_ROUTING_SUBRESOURCES")
     if raw is None:
-        return BrowserRoutingConfig(subresources=("curl", "telemetry"))
+        # Path prefixes eligible for direct-to-VM routing. "telemetry/stream" is
+        # the live SSE endpoint (VM); "telemetry/events" is a historical read
+        # served by the control plane (S2) and must NOT be here.
+        return BrowserRoutingConfig(subresources=("curl", "telemetry/stream"))
     if raw.strip() == "":
         return BrowserRoutingConfig()
 
@@ -188,6 +191,21 @@ def _session_id_from_browser_pool_release_request(request: httpx.Request, path:
     return normalized or None
 
 
+def _matches_direct_vm_prefix(tail: str, prefixes: tuple[str, ...]) -> bool:
+    """Whether tail (the path after browsers/{id}/) is covered by an allow prefix,
+    matching on segment boundaries: "telemetry/stream" matches "telemetry/stream"
+    and "telemetry/stream/...", but not "telemetry/events" or "telemetry/streamfoo".
+    Keeps historical control-plane reads (e.g. telemetry/events, served from S2)
+    off the VM.
+    """
+    tail = tail.strip("/")
+    for prefix in prefixes:
+        prefix = prefix.strip("/")
+        if prefix and (tail == prefix or tail.startswith(prefix + "/")):
+            return True
+    return False
+
+
 def rewrite_direct_vm_options(
     options: FinalRequestOptions,
     *,
@@ -199,7 +217,7 @@ def rewrite_direct_vm_options(
         return options
 
     session_id, subresource, suffix = match
-    if subresource not in set(config.subresources):
+    if not _matches_direct_vm_prefix(f"{subresource}{suffix}", config.subresources):
         return options
 
     route = cache.get(session_id)

tests/test_browser_routing.py

@@ -337,7 +337,23 @@ def test_browser_route_from_browser_requires_base_url_and_jwt() -> None:
 
 def test_browser_routing_config_from_env_defaults_to_curl(monkeypatch: pytest.MonkeyPatch) -> None:
     monkeypatch.delenv("KERNEL_BROWSER_ROUTING_SUBRESOURCES", raising=False)
-    assert browser_routing_config_from_env().subresources == ("curl", "telemetry")
+    assert browser_routing_config_from_env().subresources == ("curl", "telemetry/stream")
+
+
+def test_direct_vm_routing_allowlist_segment_boundary() -> None:
+    # Pins the fix: telemetry/stream (live SSE) routes to the VM; telemetry/events
+    # (historical, served by the control plane from S2) does NOT; and a
+    # stream-prefixed-but-different path is not matched.
+    from kernel.lib.browser_routing.routing import _matches_direct_vm_prefix
+
+    prefixes = ("curl", "telemetry/stream")
+    assert _matches_direct_vm_prefix("telemetry/stream", prefixes) is True
+    assert _matches_direct_vm_prefix("telemetry/stream/x", prefixes) is True
+    assert _matches_direct_vm_prefix("telemetry/events", prefixes) is False
+    assert _matches_direct_vm_prefix("telemetry/streaming-config", prefixes) is False
+    assert _matches_direct_vm_prefix("telemetry", prefixes) is False
+    assert _matches_direct_vm_prefix("curl/raw", prefixes) is True
+    assert _matches_direct_vm_prefix("fs/read", prefixes) is False
 
 
 def test_browser_routing_config_from_env_empty_string_disables_routing(monkeypatch: pytest.MonkeyPatch) -> None: