Maximize what the real detectors exercise on CI:
- BotD: assert the aggregate detect().bot==false AND every individual detector
via getDetections() (webDriver/userAgent/appVersion/plugins/process/...). This
restores the per-detector granularity of the deleted hand-rolled test_botd_*,
but from the real library, with diagnostics on which detector flagged.
- FpJS: visitorId present + stable across two launches, AND a rich component
surface (>=15 signals — a suppressed/thin surface is itself a tell). We don't
hard-assert zero errored components (some are legitimately unsupported per
browser); visitorId stability is the authoritative aggregate check.
All 3 green locally against firefox-9.
Instead of only our hand-rolled signal checks, load the actual MIT detection
libraries against the patched binary and assert it isn't flagged:
- BotD (the client-side bot detector FingerprintJS Pro itself uses): detect()
must return bot=false (no automation/headless tell).
- FingerprintJS OSS: visitorId present and stable across two fresh launches
with the same seed (drift = per-session entropy = a bot tell).
Hermetic: the libs are vendored (tests/vendor/, pinned, MIT) and served from a
localhost server — no external CDN (Firefox tracking-protection blocks it
anyway), no IP/network dependency, runs identically on a dev box and the GitHub
runner. Both green locally against firefox-9.
feder-cr