LvcidPsyche/auto-browser releases

Auto Browser v1.1.0

This release turns the refactor work into the new stable architecture line.

Highlights

• Modular controller architecture: app factory, focused routers, middleware modules, browser services, action pipeline, and MCP tool packs.
• MCP-native improvements: tool annotations, resource listing/subscriptions, harness candidate tools, per-tool metrics, and response metadata.
• Governed skill induction foundation: contracts, tamper-checked traces, verifier adapters, staged skill candidates, signed provenance, and review-only graduation.
• Skill drift monitoring for re-checking staged candidates and marking degraded skills.
• Release hardening: route failure logging, JSON-safe descriptor cache, deep health packaging fallback, startup fail-closed router registration, safer drift artifact reads, and stable deep-health error responses.

Validation

• Local release audit passed with lint, mock evals, fixture evals, pip-audit, npm audit, wheel builds, coverage gate, compile checks, and tracked-file secret scan.
• Local controller suite: 462 passed, 2 skipped, 150 subtests passed.
• GitHub CI, CodeQL, and Dependency Graph passed on main commit 2c5fa58.
• GitHub code scanning and Dependabot both report 0 open alerts on main.

v1.0.6

Highlights

• Ships the Stage 0 convergence harness for Agent Skill Induction: task contracts, tamper-checked traces, deterministic verification, budgeted iteration, and staged skill induction.
• Adds UV/Stagehand verifier adapter boundaries, ensemble verifier plumbing, benchmark scaffolds, and a deterministic example contract.
• Adds full-profile MCP harness tools for convergence runs and staged candidate review.
• Hardens the controller surface: exact-match dashboard bearer exemptions, governed-only page JavaScript evaluation, webhook SSRF validation, trace redaction, and signed staged skill artifacts.
• Improves operator diagnostics with /version, clearer harness-unavailable errors, and better gateway/cron logging.

Validation

• scripts/release_audit.py --skip-doctor
• PYTHONPATH=client python -m pytest client/tests -q
• git diff --check

v1.0.5

Credibility hardening release for the authorized browser-control surface.

• Removes the social/Veo HTTP, MCP, startup, workflow, and browser-manager surface from the shipped controller package.
• Enforces governed write/action approvals at the tool gateway instead of relying on prompt hints.
• Adds fixture eval coverage for auth profile reuse, popup/download recovery, governed write blocking, approval-required upload, resume-after-failure, and multi-tab recovery.
• Hardens the release audit with pip-audit, npm audit, wheel builds/inspection, compile checks, fixture evals, and an 80% controller coverage gate.
• Bumps controller, client, LangChain integration, browser-node, docs, and UI metadata to 1.0.5.

Validation: PR #26 and main-branch CI passed, including lint, host tests, controller Docker tests, compose smoke, isolated session smoke, CodeQL, and Dependency Graph.

v1.0.4 Credibility Release

This release tightens Auto Browser around the authorized browser-workflow promise.

Highlights

• Governed workflow profile now enforces approval before write-sensitive agent actions.
• Social/Veo3 routes, startup clients, workflow actions, and MCP social tools are gated behind EXPERIMENTAL_SOCIAL and hidden by default.
• STEALTH_ENABLED now defaults to false.
• Agent evals now cover auth reuse, popup/download recovery, upload approval, resume recovery, multi-tab recovery, and fast-vs-governed divergence.
• Release audit now includes mock eval scoring, dependency audits, wheel builds, npm audit, and a controller coverage ratchet.

Validation

• GitHub PR #25 passed lint, host tests, controller Docker tests, compose smoke, and CodeQL.
• Local validation covered ruff, full controller tests, coverage gate, mock eval scoring, pip-audit, npm audit, compose config, Docker smoke, and wheel builds.

v1.0.3 - Agent reliability update

This release focuses on making auto-browser smoother and safer for long-running automated browser work.

Agent workflow reliability

• Added durable cancellation for background agent jobs across queue state, REST, MCP, the full tool gateway, and the operator dashboard.
• Hardened worker shutdown so in-flight jobs are persisted as interrupted and remain resumable instead of racing detached cancellation.
• Kept resumable job semantics visible through dashboard job timelines and MCP capability metadata.

Evaluation and release gates

• Added Markdown reporting for the repeatable agent eval matrix.
• Added CI validation for eval matrix shape so malformed eval cases cannot land unnoticed.
• Added a committed browser-node/package-lock.json so Node audit state is reproducible.

Codebase cleanup

• Extracted download capture from BrowserManager into DownloadCaptureService with focused coverage.
• Refreshed README, ROADMAP, and CHANGELOG for the v1.0.3 release line.

Validation

• PR #24 merged into main.
• Main CI passed at 1b51e7f5b5d62f5d2583d311d068c55995e8057a.
• Main CodeQL passed at 1b51e7f5b5d62f5d2583d311d068c55995e8057a.
• Open CodeQL alerts on main: 0.
• Open Dependabot alerts: 0.
• Local validation before release: ruff, compileall, controller tests (380 passed, 2 skipped, 26 subtests passed), client tests (3 passed), eval report generation, node --check, npm audit --omit=dev, pip-audit -r controller/requirements.txt, and wheel builds for controller, client, and langchain integration.

v1.0.2 - Security hardening update

This release focuses on closing the remaining security alerts before publishing the update.

Security fixes

• Upgraded the controller stack to patched FastAPI and Starlette releases.
• Removed raw exception string exposure from API boundaries, workflow state, CDP/OCR errors, delegation errors, tunnel startup, provider errors, and social cross-posting responses.
• Tightened default host policy so production deployments must configure explicit allowed hosts.
• Bounded and evicted rate-limit buckets to prevent unbounded key growth while hashing principal identifiers.
• Strengthened auth-profile and browser upload path containment to clear the remaining CodeQL path-injection alerts.

Validation

• PR #22 and PR #23 merged into main.
• Main CI passed at e646a48606188f76473703c51fe1be72619776a7.
• Main CodeQL passed at e646a48606188f76473703c51fe1be72619776a7.
• Open CodeQL alerts on main: 0.
• Open Dependabot alerts: 0.
• Local ruff, compile, controller tests, client tests, and package wheel builds completed before release.

[1.0.1] — 2026-04-25

Added

• Added regression coverage for Playwright session export script generation

Fixed

• Reapplied the closed CodeQL hardening fixes to the release line for workflow permissions, path validation, URL allowlist checks, reflected XSS, and stack-trace exposure
• Bound remaining route exceptions to fixed error responses so unexpected manager failures do not expose internals
• Corrected reusable auth profile export/import so archives round-trip through AUTH_ROOT/profiles
• Restored Python client package builds and updated the SDK to the current action and audit REST routes
• Rebuilt the operator dashboard tables with DOM text nodes and validated links instead of interpolating untrusted values into innerHTML
• Fixed the active-session dashboard stat update
• Updated the bundled operator UI version label to v1.0.1
• Redirected legacy /ui/ requests to /dashboard so secured deployments consistently land on the bootstrap-aware operator dashboard

[1.0.0] — 2026-04-21

Added

• Signed mesh envelopes, peer registry routes, and delegation plumbing for trusted node-to-node work distribution
• Session network inspection, CDP passthrough, workflow routes, social route surface, and the bootstrap-aware /dashboard
• Curator, Veo3/research, and social client packages merged into the controller tree for the 1.0 release line

Fixed

• Mesh recipient validation so signed envelopes cannot be replayed to the wrong node
• False-success delegation responses when tool/workflow/session handlers fail or require approval
• Session network and CDP wiring so session lifecycle hooks register inspectors and passthrough state correctly
• Windows agent-job persistence, audit retention ordering, and tar extraction safety in the host test path
• Legacy /ui/ routing and operator-auth bootstrap handling so secured deployments land on the current dashboard

What's new

• Deployment readiness advisor via GET /readiness and the browser.readiness_check MCP tool.
• Compliance templates for HIPAA, SOC2, GDPR, and PCI-DSS, with a startup manifest written to /data/compliance-manifest.json.
• Agent memory profiles with save/get/list/delete MCP tools and prompt injection for future sessions.
• GitHub Codespaces support through a devcontainer and Codespaces-specific compose override.
• LangChain / LangGraph / CrewAI integrations under integrations/langchain/ plus example docs.

Hardening and fixes

• Constant-time bearer token comparison for API auth.
• Safer storage access validation and lower-noise default PII matching.
• Vision targeting now defaults to VISION_MODEL=claude-haiku-4-5-20251001 and stays hidden unless ANTHROPIC_API_KEY is configured.
• MCP session persistence now records created_at and evicts the oldest sessions once the store exceeds 500 entries.
• SQLite-backed approval and audit stores now close connections correctly during host-side test runs.

Validation

• ruff check controller/app controller/tests integrations/langchain/auto_browser_langchain scripts/*.py --select E9,F,I
• python -m compileall integrations/langchain/auto_browser_langchain
• python -m pytest controller/tests -q -> 260 passed, 2 skipped, 1 warning, 3 subtests passed

What's new

• Strict input validation — All API request models now use extra=forbid with field-level constraints (min/max length, URL scheme validation, coordinate pair checks). Malformed inputs are rejected at the boundary instead of propagating.

• Proxy persona integration — proxy_persona parameter available in session creation, cron jobs, and the MCP tool gateway. Named proxy profiles resolve automatically from the persona store.

• Shared session observer — GET /share/{token} serves a live observer page with auto-refreshing screenshots. Dark theme, responsive layout, 5-second polling.

• Hardened proxy persona store — Normalizes entries on load (strips whitespace, validates server), atomic file writes via tmp+replace, sorted output for stable diffs.

• Hardened session share tokens — Validates scope, TTL, session_id, and expiry type. Rejects malformed payloads instead of silently accepting.

• Typed API endpoints — Cron job creation, proxy persona creation, and webhook triggers now use typed Pydantic models instead of raw dicts.

• MCP resources — resources/list and resources/read support for browser://sessions and per-session console logs.

Test coverage

211 tests passing (up from 165 in v0.5.3). New test files:

• test_input_validation.py — 251 lines covering all model validators
• test_session_share_proxy_store.py — 227 lines covering token lifecycle and persona CRUD

Breaking changes

• Request models now reject unknown fields (extra=forbid). Clients sending unrecognized keys will get 422 errors.
• HoverRequest and ClickRequest now require at least one target (selector, element_id, or coordinates).
• SelectOptionRequest now requires at least one choice (value, label, or index).

🤖 Generated with Claude Code

Witness-first governance release for auto-browser.

Highlights

• Added per-session, hash-chained Witness receipts for session lifecycle events, approvals, browser actions, takeovers, and auth-material handling.
• Added two protection modes: normal records serious concerns without adding workflow friction; confidential blocks unsafe high-risk execution when operator identity, isolation, or auth-state posture is too weak.
• Added session-level protection_mode plus the GET /sessions/{id}/witness inspection endpoint.
• Added the documented Witness environment surface: WITNESS_ROOT, WITNESS_ENABLED, and WITNESS_PROTECTION_MODE_DEFAULT.
• Added controller and HTTP coverage for Witness receipts, approval lifecycle recording, and confidential auth-material blocking.

Validation

• make lint
• make test-local
• make test
• Live smoke: /readyz returned ready; confidential auth-profile save returned 403 with the expected detail; normal browser actions recorded Witness receipts.

Maintenance release with no API changes and backwards-compatible fixes.

Highlights:

• Python 3.10 host compatibility for controller workflows
• make test-local for faster host-side iteration without Docker
• Direct HTTP coverage for /agent/providers and /sessions/{id}/agent/step
• Broader Ruff coverage across controller tests and Python helper scripts
• Cleaner make doctor behavior in restricted shells
• browser-node Xvfb startup cleanup for reliable reruns

Validation:

• make lint
• make test-local
• DOCTOR_BUILD=1 make doctor

What's fixed

Maintenance release — no API changes, all fixes are backwards compatible. 149 tests pass.

Bug fixes

• Network inspector memory leak — in-flight requests accumulated in _pending indefinitely when a session was detached (tab close, browser crash). detach() now schedules _flush_pending() which drains all pending entries as failed with failure_text = "session detached".
• Silent exception swallowing in approvals — FileApprovalStore._list_sync was swallowing corrupt file errors with bare except Exception: continue. Now logs at DEBUG.
• Non-atomic cron store writes — _save() used write_text() which could produce a corrupt/empty store on crash mid-write. Fixed with tmp-file + rename.

Refactoring

• _WithApproval mixin — approval_id: str | None = None was repeated across 9 social action request models and UploadRequest. Extracted to a shared base class.
• _MarkInterruptedMixin — mark_all_active_interrupted was implemented identically in FileSessionStore and RedisSessionStore. One implementation now.
• utils.utc_now() — _timestamp() was duplicated identically in 5 modules (audit, approvals, agent_jobs, browser_manager, session_tunnel). One shared function now.
• tool_inputs.py — ~280 lines of Pydantic input model definitions extracted from tool_gateway.py. Dispatch logic and schema definitions are separate modules. Re-exports preserve backwards compatibility.
• create_session decomposed — 190-line method split into 4 focused private helpers: _check_session_limit, _prepare_session_dirs, _build_context_kwargs, _cleanup_failed_session.
• agent_jobs.py — deleted dead hasattr(store, 'update_status') guard (always False); merged enqueue_step/enqueue_run into shared _enqueue().
• orchestrator.py — merged 90%-duplicate ProviderAPIError + Exception handlers into one block.
• mcp_transport.py — narrowed except Exception to except ValueError on JSON parse boundary.
• main.py — added @app.exception_handler(KeyError) → 404; removed redundant per-route except KeyError blocks across ~30 route handlers (~120 lines removed).

SQLite hardening (approvals store)

• WAL journal mode (PRAGMA journal_mode=WAL)
• PRAGMA synchronous=NORMAL for concurrent read performance

Full changelog

See CHANGELOG.md for the complete history.

[0.5.0] — 2026-03-25

Added

CDP Connect Mode

POST /sessions/cdp-attach and browser.cdp_attach MCP tool — attach to an existing Chrome
instance that is already running with --remote-debugging-port. Useful for connecting to a browser
the user already has open, or a browser managed by another process.

Network Inspector

Per-session request/response capture via Playwright's CDP event bridge.

• Captures: method, URL, resource type, status, timing, headers, body (text only, size-limited)
• GET /sessions/{id}/network-log REST endpoint
• browser.get_network_log MCP tool (supports limit, resource_type, url_pattern filters)
• Sensitive headers automatically masked (Authorization, Cookie, Set-Cookie, x-api-key)
• PII scrubbing applied to request/response bodies
• Config: NETWORK_INSPECTOR_ENABLED, NETWORK_INSPECTOR_MAX_ENTRIES, NETWORK_INSPECTOR_CAPTURE_BODIES, NETWORK_INSPECTOR_BODY_MAX_BYTES

PII Scrubbing Layer

Comprehensive multi-layer sensitive data redaction throughout the pipeline.

• 16 pattern classes: AWS access/secret keys, JWT tokens, Bearer tokens, PEM headers, API key URL params, password fields, credit cards (Luhn-validated), SSNs, emails, US/intl phones, GCP service account keys, Azure secrets, generic hex tokens, generic base64 secrets
• Screenshot pixel redaction: Pillow draws black rectangles over OCR bounding boxes where PII was detected
• Console log scrubbing: Applied to all get_console_messages responses
• Network body scrubbing: Applied to captured request/response bodies
• GET /pii-scrubber — live status endpoint (patterns active, enabled flags, scrub stats)
• browser.pii_scrubber_status MCP tool
• Config: PII_SCRUB_ENABLED, PII_SCRUB_SCREENSHOT, PII_SCRUB_NETWORK, PII_SCRUB_CONSOLE, PII_SCRUB_PATTERNS (comma-separated pattern names), PII_SCRUB_REPLACEMENT, PII_SCRUB_AUDIT_REPORT

Proxy Partitioning

Named proxy personas for per-agent static IP assignment — prevents shared network footprints.

• browser.list_proxy_personas, browser.create_proxy_persona, browser.delete_proxy_persona MCP tools
• REST: GET /proxy-personas, POST /proxy-personas, DELETE /proxy-personas/{name}
• Proxy config stored in JSON file (PROXY_PERSONA_FILE); passwords never returned in list/summary calls
• Session creation accepts proxy_persona param to route through a named proxy

Shadow Browsing

Flip a running headless session to a headed (visible) browser for live debugging.

• POST /sessions/{id}/shadow-browse — migrates cookies/storage to a new local-headed Playwright instance
• browser.enable_shadow_browse MCP tool
• Original session continues running; headed session is a fork with the same auth state
• Config: SHADOW_BROWSE_ENABLED

Session Forking

Branch a session's current state (cookies + local/session storage) into a new independent session.

• POST /sessions/{id}/fork — returns new session ID with full auth state cloned
• browser.fork_session MCP tool — optional name for the fork

Playwright Script Export

Export any session's recorded actions as a runnable Python Playwright script.

• GET /sessions/{id}/export-script — downloads .py file
• browser.export_script MCP tool
• Sensitive typed text replaced with <REDACTED> placeholders
• Supports: navigate, click, hover, type, press, scroll, wait, reload, go_back/forward, select_option, open_tab

Shared Session Links

HMAC-signed, TTL-enforced observer tokens for team handoffs.

• POST /sessions/{id}/share — creates a time-limited share token
• GET /share/{token}/observe — read-only session view (screenshot + metadata)
• browser.share_session MCP tool
• Config: SHARE_TOKEN_SECRET, SHARE_TOKEN_TTL_MINUTES (default: 60)

Vision-Grounded Targeting

Use Claude Vision to locate elements by natural language description instead of CSS selectors.

• browser.find_by_vision MCP tool — description + optional screenshot_path
• Returns pixel coordinates {x, y}, confidence, and selector_hint
• Falls back gracefully when ANTHROPIC_API_KEY is not set
• Config: ANTHROPIC_API_KEY, VISION_MODEL (default: claude-opus-4-5)

Cron / Webhook Triggers

Autonomous scheduled and webhook-triggered browser automation jobs.

• Full CRUD: GET/POST /crons, GET/DELETE /crons/{id}, POST /crons/{id}/trigger
• browser.list_cron_jobs, browser.create_cron_job, browser.delete_cron_job, browser.trigger_cron_job MCP tools
• APScheduler for cron expressions (optional install: pip install apscheduler)
• Webhook trigger with HMAC key (webhook_key) — compare via hmac.compare_digest
• Config: CRON_STORE_PATH, CRON_MAX_JOBS

MCP Resources Protocol

Live browser state exposed as MCP subscribable resources.

• Capabilities advertisement: {"resources": {"subscribe": false}}
• resources/list — enumerates all active sessions and their sub-resources
• resources/read — fetches live content:
  • browser://sessions → JSON list of all sessions
  • browser://{id}/screenshot → PNG as base64 blob
  • browser://{id}/dom → page HTML as text
  • browser://{id}/console → recent console messages as JSON
  • browser://{id}/network → recent network log as JSON

Expanded Tool Surface (30+ new MCP tools)

New tools beyond the existing core:
browser.get_network_log, browser.fork_session, browser.eval_js, browser.wait_for_selector,
browser.get_html, browser.find_elements, browser.drag_drop, browser.set_viewport,
browser.get_cookies, browser.set_cookies, browser.get_local_storage, browser.set_local_storage,
browser.export_script, browser.cdp_attach, browser.find_by_vision, browser.share_session,
browser.enable_shadow_browse, browser.list_proxy_personas, browser.create_proxy_persona,
browser.delete_proxy_persona, browser.list_cron_jobs, browser.create_cron_job,
browser.delete_cron_job, browser.trigger_cron_job, browser.pii_scrubber_status

Changed

• McpHttpTransport now accepts manager param for Resources protocol live data
• MCP server version bumped to 0.5.0

What's new

6 new REST action endpoints

All of these existed in the browser engine but had no REST surface — now they do:

| Endpoint | Description |
|---|---|
| POST /sessions/{id}/actions/hover | Hover over element or coordinates |
| POST /sessions/{id}/actions/select-option | Select a `` option by value, label, or index |
| POST /sessions/{id}/actions/wait | Pause for N milliseconds (max 30s) |
| POST /sessions/{id}/actions/reload | Reload the current page |
| POST /sessions/{id}/actions/go-back | Browser history back |
| POST /sessions/{id}/actions/go-forward | Browser history forward |

CI improvements

• Added ruff lint job (E9+F rules — syntax errors + unused imports)
• Fixed doctor.sh set -euo pipefail trap failing when no containers exist

Bug fixes

• Retry rate-limited host bridge requests
• Constrain auth bootstrap to writable CLI_HOME
• WaitRequest.wait_ms explicit default=0 for pydantic compatibility

Docs

• README: curl examples for all 6 new endpoints
• .env.example: 8 previously undocumented config vars documented
• 9 new unit tests for HoverRequest, WaitRequest, SelectOptionRequest

auto-browser v0.1.1

Patch release with final launch-readiness polish.

What changed

• add CODE_OF_CONDUCT.md
• add deployment failure-mode and troubleshooting notes
• add a copy-paste auth-profile walkthrough (examples/login-and-save-profile.md)
• tighten README launch guidance and contributor-facing links
• keep the launch audit green on the current VPS setup

Validation

• make release-audit passed
• 101 controller tests passed
• compose config validation passed
• secret-shaped token scan passed
• README demo GIF verified rendering on GitHub

Notes

This release does not change the core controller/browser behavior.
It is a launch-polish patch release on top of v0.1.0.

auto-browser v0.1.0

First public release.

What it is

An open-source MCP-native browser agent. Give your AI agent a real browser — with a human in the loop.

Works with Claude Desktop, Cursor, and any MCP client that speaks JSON-RPC tools.

What's included

• Playwright-powered browser with screenshots and structured element observations
• Human takeover via noVNC when flows get brittle
• Reusable named auth profiles — log in once, reuse across sessions
• Approval gates for write actions (post, upload, account changes)
• Audit trail and operator identity headers
• Stdio MCP bridge for Claude Desktop, Cursor, and other stdio-first clients
• HTTP MCP transport at /mcp
• REST API with curl-ready examples
• Docker Compose stack — zero config to start locally

Quickstart

```bash
git clone https://github.com/LvcidPsyche/auto-browser.git
cd auto-browser
docker compose up --build
```

Then point Claude Desktop at the stdio bridge — see examples/claude_desktop_config.json.

Not included

This is not a stealth or anti-bot system. It is for authorized browser workflows on sites and accounts you control.

If this is useful, a ⭐ helps others find it.