doctor: warn when running browser is snap-confined

[mvanhorn]

Summary

Refs #191.

Linux Ubuntu/Lubuntu users typically have chromium and firefox installed
as snaps. Snap confinement runs the browser in a restricted mount namespace
that blocks binding to CDP port 9222 even with --no-sandbox, so
browser-harness's auto-discovery fails silently or with "Connection
Refused" -- exactly the failure the reporter hit on Lubuntu.

This adds the smallest of the four "Suggestions for Improvement" in
the issue: a [WARN] row in --doctor that surfaces the snap browser path
and points at non-snap install options. Catching it here saves the user the
"why is CDP refusing the connection?" troubleshooting round-trip.

What this is NOT

Per @Alezander9's ask for a structured timeline before broader changes,
this PR deliberately stays narrow:

• Doctor warning only. No changes to _chrome_running, no changes to
  daemon startup, no headless bootstrap mode, no python3-pip doc work.
• No new dependency. Uses the same subprocess.check_output(['ps', '-A', '-o', ...]) pattern _chrome_running already uses.
• Linux-only behavior. Non-Linux platforms short-circuit to None.

Implementation

File	Change
src/browser_harness/admin.py	New _detect_snap_browser() helper (~30 lines). One new [WARN] line in run_doctor.
tests/unit/test_admin.py	8 new tests + 1 patch to the existing run_doctor test.

_detect_snap_browser scans ps -A -o args= on Linux for processes whose
argv[0] starts with /snap/{chromium,firefox,google-chrome}/ and whose
basename matches a Chromium-family browser. Returns the path on hit,
None otherwise. ps failures (binary missing, timeout, OSError) also
return None -- the doctor degrades to the existing checks instead of
failing.

The doctor row is shown only when the function returns a hit:

  [WARN] snap-confined browser detected — /snap/chromium/2876/usr/lib/chromium-browser/chromium: install a non-snap chromium/chrome (e.g. https://www.google.com/chrome/?platform=linux or `apt install chromium-browser` from a non-snap PPA) for reliable CDP attach

Verification

.venv/bin/python -m pytest tests/unit/test_admin.py -v
# 37 passed in 0.07s

.venv/bin/python -m pytest tests/
# 103 passed in 0.39s

8 new tests cover:

• non-Linux short-circuit
• ps failure short-circuit
• no-browser-running skip
• /snap/chromium/... chromium hit
• /snap/firefox/... firefox hit
• non-browser snap ignored (e.g. /snap/code/...)
• non-snap /usr/bin/chromium ignored
• run_doctor emits the warning when a snap browser is detected
• run_doctor skips the row when no snap browser is detected

Notes

• I picked _detect_snap_browser (returns the path) instead of a bool so
  the warning message can include the actual snap path -- helpful for the
  "is this still my snap or a stale process?" debugging step.
• The other three "Suggestions for Improvement" in Setup challenges: Snap confinement and environment-specific blockers #191 (headless
  bootstrap mode, python3-pip docs, portable-binary discovery in
  _chrome_running) feel like they want a separate maintainer scope per
  the structured-timeline ask in the thread. Happy to take any of them
  in follow-up PRs once direction is clearer.
• The new helper is private (underscore prefix) so it doesn't add a
  public API commitment.

---

Summary by cubic

Warns Linux users when a running browser is snap‑confined in --doctor, to explain CDP attach failures on port 9222 and suggest non‑snap installs. Addresses #191 by showing the snap path and clear next steps.

• New Features
  • Added _detect_snap_browser() that scans ps -A -o args= for /snap/{chromium,firefox,google-chrome}/ and returns the path on hit.
  • --doctor now prints [WARN] snap-confined browser detected — <path> with guidance to install a non-snap Chrome/Chromium for reliable CDP.
  • Linux-only with graceful fallback on ps errors; no new dependencies. Tests cover detection and doctor output.

^{Written for commit 91cbb95. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 2 files