feat(browse-gpt): upgrade BrowseGPT to AI SDK 6

[Kylejeong2]

Summary

• Bump ai and @AI-SDK packages; tool inputSchema; convertToModelMessages
• Client: DefaultChatTransport, sendMessage, parts-based message UI

Made with Cursor

[claude]

Claude finished @Kylejeong2's task —— View job

---

Code Review Progress

Reviewing the BrowseGPT AI SDK 6 upgrade changes...

Todo List

• Analyze package.json dependency updates
• Review API route changes (route.ts)
• Examine UI component changes (page.tsx)
• Check TypeScript configuration updates (tsconfig.json)
• Review package-lock.json changes
• Provide comprehensive feedback on code quality, bugs, performance, and security

---

Code Review Feedback

🎉 Positive Changes

• Clean AI SDK 6 migration: Well-executed upgrade with proper use of new APIs
• Improved type safety: Good use of TypeScript types and proper message handling
• Better UI architecture: Parts-based message handling with proper type guards
• Dependency cleanup: Significant reduction in package-lock.json size suggests removed unused dependencies

🐛 Bugs & Issues

Critical Issues

1. API endpoint mismatch (route.ts:49):

   model: openai('gpt-4.1')

   ❌ gpt-4.1 is not a valid OpenAI model. Should be gpt-4o, gpt-4-turbo, or another valid model.

2. Inconsistent error handling (route.ts:75, 131):

   • googleSearch and getPageContent tools have different parameter validation
   • Missing validation for required sessionId parameter before browser connection

Type Safety Issues

3. Loose typing (page.tsx:28-33):

   type ToolPartLoose = {
     type: string;
     state?: string;
     input?: Record<string, unknown>;
     output?: Record<string, unknown>;
   };

   ❌ Using Record<string, unknown> defeats TypeScript's type safety. Consider stricter interfaces.

4. Type assertion without validation (page.tsx:63, 89, 91):

   • Multiple as type assertions without runtime validation could cause runtime errors

⚡ Performance Concerns

5. Heavy computation in render (page.tsx:61-82):

   • Complex data processing in useEffect on every message change
   • Consider memoization with useMemo for expensive computations

6. Missing request deduplication (route.ts:48-171):

   • No mechanism to prevent duplicate identical requests
   • Could lead to unnecessary browser sessions and API calls

🔒 Security Issues

7. XSS vulnerability (page.tsx:182-189):

   <iframe
     src={`${debuggerUrl}&navBar=false`}
     sandbox="allow-same-origin allow-scripts"
     allow="clipboard-read; clipboard-write"
   />

   ⚠️ Insufficient iframe sandboxing with clipboard access. Consider more restrictive sandboxing.

8. Input sanitization (route.ts:84):

   await page.goto(`https://www.google.com/search?q=${encodeURIComponent(query)}`);

   ✅ Good: Uses encodeURIComponent for URL safety

9. Environment variable handling (route.ts:9-10):

   • Uses ! assertion for env vars but no runtime validation
   • Should validate environment variables exist at startup

🧪 Test Coverage Gaps

10. No error boundary testing: Complex tool execution needs comprehensive error handling tests
11. Missing integration tests: Browser automation logic should have integration tests
12. Type guard validation: isToolUIPart function needs unit tests

📝 Code Quality Improvements

13. Magic numbers (route.ts:43, 87, 142):

    • maxDuration = 300, waitForTimeout(500) should be constants
    • Consider moving timeouts to configuration

14. Repeated code patterns (route.ts:102-106, 149-153):

    • Duplicate generateText calls with same model/pattern
    • Extract into shared utility function

15. Incomplete error messages (route.ts:114, 160):

    • Generic error messages don't provide actionable debugging info
    • Should include operation context and suggestions

🔧 Recommended Fixes

High Priority

1. Fix the OpenAI model name in route.ts:49
2. Add proper type interfaces replacing ToolPartLoose
3. Validate required parameters in tool functions
4. Add environment variable validation

Medium Priority

1. Implement request deduplication
2. Add proper error boundaries in React components
3. Extract repeated patterns into utility functions
4. Add comprehensive logging for debugging

Low Priority

1. Add integration tests for browser automation
2. Implement caching for repeated operations
3. Add performance monitoring

📊 Overall Assessment

Code Quality: 7/10 - Good structure with room for improvement
Security: 6/10 - Some concerns with iframe sandboxing and type safety
Performance: 7/10 - Generally efficient with some optimization opportunities
Maintainability: 8/10 - Well-organized with clear separation of concerns

The AI SDK 6 upgrade is well-implemented overall, but several critical issues should be addressed before merging, particularly the invalid model name and type safety concerns.

---