feat: ship remote login token service

[Priveetee]

Summary

• add the TypeType-Token side of the YouTube remote browser login flow
• expose only the internal HTTP/WebSocket API consumed by TypeType-Server
• run the interactive Google/YouTube login browser headed under Xvfb
• capture YouTube session credentials and the session poToken, then call back to Server
• switch the capture probe to YouTube Music because it emits the expected pot query
• keep public BotGuard PO token minting on the existing /potoken flow

Production behavior

• TypeType-Token remains internal only; the frontend never contacts it directly.
• Every remote-login call requires X-Internal-Token.
• Each remote login uses a disposable Playwright browser context.
• Context cleanup runs on success, timeout, cancel, WebSocket disconnect, and internal error.
• Cookies, poToken, internal token, frame payloads, keyboard input, and sensitive URLs are not logged.
• Remote login runs headed by default because Google Sign-In blocks the headless Playwright profile.
• Frame streaming is bounded by TTL, max sessions, FPS, frame byte limit, and backpressure.

Deployment requirements

• deploy the production image built from this merge, not the older ghcr.io/priveetee/typetype-token:latest digest
• configure Token:
  • YOUTUBE_REMOTE_LOGIN_ENABLED=true
  • YOUTUBE_REMOTE_LOGIN_INTERNAL_TOKEN=<shared secret>
  • YOUTUBE_REMOTE_LOGIN_CALLBACK_ORIGIN=http://typetype-server:8080
  • YOUTUBE_REMOTE_LOGIN_MAX_SESSIONS=2
  • YOUTUBE_REMOTE_LOGIN_FRAME_FPS=10
  • YOUTUBE_REMOTE_LOGIN_MAX_FRAME_BYTES=524288
• keep the Docker defaults:
  • YOUTUBE_REMOTE_LOGIN_HEADLESS=false
  • YOUTUBE_REMOTE_LOGIN_DISABLE_AUTOMATION_CONTROLLED=true
  • YOUTUBE_REMOTE_LOGIN_PROBE_URL=https://music.youtube.com/watch?v=09839DpTctU
• configure Server with the same internal token and callback base URL
• ensure the TypeType nginx /api/ proxy forwards WebSocket upgrades

Runtime verification

• beta Token image validated: ghcr.io/priveetee/typetype-token-beta@sha256:0a78b0fdf70c594a8271a2d5ed68e96872a9065d7ab8579a4fc91871c574e999
• beta Token container runs through xvfb-run with headed Chromium
• beta /health returns 200
• direct Token start/cancel smoke returns 201 then 204
• Google Sign-In passes in the beta remote browser
• YouTube Music probe emits googlevideo.com/videoplayback?...pot=...
• Server callback completes the session after capture

Tests

• bun run lint
• bun test
• bun run build
• dev branch checks are green:
  • CI
  • Coverage
  • Docker

Rollback

• disable youtubeRemoteLoginEnabled in Server admin settings to hide the feature immediately
• rollback Token to the previous production digest if remote login smoke fails
• public /potoken, /subtitles, and /health remain separate from the remote-login setting