v1.0.0 — Mesh Delegation, Dashboard, Workflow Surfaces & Hardening

[1.0.0] — 2026-04-21

Added

• Signed mesh envelopes, peer registry routes, and delegation plumbing for trusted node-to-node work distribution
• Session network inspection, CDP passthrough, workflow routes, social route surface, and the bootstrap-aware /dashboard
• Curator, Veo3/research, and social client packages merged into the controller tree for the 1.0 release line

Fixed

• Mesh recipient validation so signed envelopes cannot be replayed to the wrong node
• False-success delegation responses when tool/workflow/session handlers fail or require approval
• Session network and CDP wiring so session lifecycle hooks register inspectors and passthrough state correctly
• Windows agent-job persistence, audit retention ordering, and tar extraction safety in the host test path
• Legacy /ui/ routing and operator-auth bootstrap handling so secured deployments land on the current dashboard

v0.7.0 — Readiness, Compliance, Memory Profiles & Integrations

What's new

• Deployment readiness advisor via GET /readiness and the browser.readiness_check MCP tool.
• Compliance templates for HIPAA, SOC2, GDPR, and PCI-DSS, with a startup manifest written to /data/compliance-manifest.json.
• Agent memory profiles with save/get/list/delete MCP tools and prompt injection for future sessions.
• GitHub Codespaces support through a devcontainer and Codespaces-specific compose override.
• LangChain / LangGraph / CrewAI integrations under integrations/langchain/ plus example docs.

Hardening and fixes

• Constant-time bearer token comparison for API auth.
• Safer storage access validation and lower-noise default PII matching.
• Vision targeting now defaults to VISION_MODEL=claude-haiku-4-5-20251001 and stays hidden unless ANTHROPIC_API_KEY is configured.
• MCP session persistence now records created_at and evicts the oldest sessions once the store exceeds 500 entries.
• SQLite-backed approval and audit stores now close connections correctly during host-side test runs.

Validation

• ruff check controller/app controller/tests integrations/langchain/auto_browser_langchain scripts/*.py --select E9,F,I
• python -m compileall integrations/langchain/auto_browser_langchain
• python -m pytest controller/tests -q -> 260 passed, 2 skipped, 1 warning, 3 subtests passed

v0.6.0 — Input Validation Hardening & Proxy Persona Integration

What's new

• Strict input validation — All API request models now use extra=forbid with field-level constraints (min/max length, URL scheme validation, coordinate pair checks). Malformed inputs are rejected at the boundary instead of propagating.

• Proxy persona integration — proxy_persona parameter available in session creation, cron jobs, and the MCP tool gateway. Named proxy profiles resolve automatically from the persona store.

• Shared session observer — GET /share/{token} serves a live observer page with auto-refreshing screenshots. Dark theme, responsive layout, 5-second polling.

• Hardened proxy persona store — Normalizes entries on load (strips whitespace, validates server), atomic file writes via tmp+replace, sorted output for stable diffs.

• Hardened session share tokens — Validates scope, TTL, session_id, and expiry type. Rejects malformed payloads instead of silently accepting.

• Typed API endpoints — Cron job creation, proxy persona creation, and webhook triggers now use typed Pydantic models instead of raw dicts.

• MCP resources — resources/list and resources/read support for browser://sessions and per-session console logs.

Test coverage

211 tests passing (up from 165 in v0.5.3). New test files:

• test_input_validation.py — 251 lines covering all model validators
• test_session_share_proxy_store.py — 227 lines covering token lifecycle and persona CRUD

Breaking changes

• Request models now reject unknown fields (extra=forbid). Clients sending unrecognized keys will get 422 errors.
• HoverRequest and ClickRequest now require at least one target (selector, element_id, or coordinates).
• SelectOptionRequest now requires at least one choice (value, label, or index).

---

🤖 Generated with Claude Code

v0.5.3 — Witness receipts and protection profiles

Witness-first governance release for auto-browser.

Highlights

• Added per-session, hash-chained Witness receipts for session lifecycle events, approvals, browser actions, takeovers, and auth-material handling.
• Added two protection modes: normal records serious concerns without adding workflow friction; confidential blocks unsafe high-risk execution when operator identity, isolation, or auth-state posture is too weak.
• Added session-level protection_mode plus the GET /sessions/{id}/witness inspection endpoint.
• Added the documented Witness environment surface: WITNESS_ROOT, WITNESS_ENABLED, and WITNESS_PROTECTION_MODE_DEFAULT.
• Added controller and HTTP coverage for Witness receipts, approval lifecycle recording, and confidential auth-material blocking.

Validation

• make lint
• make test-local
• make test
• Live smoke: /readyz returned ready; confidential auth-profile save returned 403 with the expected detail; normal browser actions recorded Witness receipts.

v0.5.2

Maintenance release with no API changes and backwards-compatible fixes.

Highlights:

• Python 3.10 host compatibility for controller workflows
• make test-local for faster host-side iteration without Docker
• Direct HTTP coverage for /agent/providers and /sessions/{id}/agent/step
• Broader Ruff coverage across controller tests and Python helper scripts
• Cleaner make doctor behavior in restricted shells
• browser-node Xvfb startup cleanup for reliable reruns

Validation:

• make lint
• make test-local
• DOCTOR_BUILD=1 make doctor

v0.5.1 — Code quality hardening & bug fixes

What's fixed

Maintenance release — no API changes, all fixes are backwards compatible. 149 tests pass.

Bug fixes

• Network inspector memory leak — in-flight requests accumulated in _pending indefinitely when a session was detached (tab close, browser crash). detach() now schedules _flush_pending() which drains all pending entries as failed with failure_text = "session detached".
• Silent exception swallowing in approvals — FileApprovalStore._list_sync was swallowing corrupt file errors with bare except Exception: continue. Now logs at DEBUG.
• Non-atomic cron store writes — _save() used write_text() which could produce a corrupt/empty store on crash mid-write. Fixed with tmp-file + rename.

Refactoring

• _WithApproval mixin — approval_id: str | None = None was repeated across 9 social action request models and UploadRequest. Extracted to a shared base class.
• _MarkInterruptedMixin — mark_all_active_interrupted was implemented identically in FileSessionStore and RedisSessionStore. One implementation now.
• utils.utc_now() — _timestamp() was duplicated identically in 5 modules (audit, approvals, agent_jobs, browser_manager, session_tunnel). One shared function now.
• tool_inputs.py — ~280 lines of Pydantic input model definitions extracted from tool_gateway.py. Dispatch logic and schema definitions are separate modules. Re-exports preserve backwards compatibility.
• create_session decomposed — 190-line method split into 4 focused private helpers: _check_session_limit, _prepare_session_dirs, _build_context_kwargs, _cleanup_failed_session.
• agent_jobs.py — deleted dead hasattr(store, 'update_status') guard (always False); merged enqueue_step/enqueue_run into shared _enqueue().
• orchestrator.py — merged 90%-duplicate ProviderAPIError + Exception handlers into one block.
• mcp_transport.py — narrowed except Exception to except ValueError on JSON parse boundary.
• main.py — added @app.exception_handler(KeyError) → 404; removed redundant per-route except KeyError blocks across ~30 route handlers (~120 lines removed).

SQLite hardening (approvals store)

• WAL journal mode (PRAGMA journal_mode=WAL)
• PRAGMA synchronous=NORMAL for concurrent read performance

Full changelog

See CHANGELOG.md for the complete history.

v0.5.0 — CDP Connect, Network Inspector, PII Scrubbing, Crons, Vision Targeting

[0.5.0] — 2026-03-25

Added

CDP Connect Mode

POST /sessions/cdp-attach and browser.cdp_attach MCP tool — attach to an existing Chrome
instance that is already running with --remote-debugging-port. Useful for connecting to a browser
the user already has open, or a browser managed by another process.

Network Inspector

Per-session request/response capture via Playwright's CDP event bridge.

• Captures: method, URL, resource type, status, timing, headers, body (text only, size-limited)
• GET /sessions/{id}/network-log REST endpoint
• browser.get_network_log MCP tool (supports limit, resource_type, url_pattern filters)
• Sensitive headers automatically masked (Authorization, Cookie, Set-Cookie, x-api-key)
• PII scrubbing applied to request/response bodies
• Config: NETWORK_INSPECTOR_ENABLED, NETWORK_INSPECTOR_MAX_ENTRIES, NETWORK_INSPECTOR_CAPTURE_BODIES, NETWORK_INSPECTOR_BODY_MAX_BYTES

PII Scrubbing Layer

Comprehensive multi-layer sensitive data redaction throughout the pipeline.

• 16 pattern classes: AWS access/secret keys, JWT tokens, Bearer tokens, PEM headers, API key URL params, password fields, credit cards (Luhn-validated), SSNs, emails, US/intl phones, GCP service account keys, Azure secrets, generic hex tokens, generic base64 secrets
• Screenshot pixel redaction: Pillow draws black rectangles over OCR bounding boxes where PII was detected
• Console log scrubbing: Applied to all get_console_messages responses
• Network body scrubbing: Applied to captured request/response bodies
• GET /pii-scrubber — live status endpoint (patterns active, enabled flags, scrub stats)
• browser.pii_scrubber_status MCP tool
• Config: PII_SCRUB_ENABLED, PII_SCRUB_SCREENSHOT, PII_SCRUB_NETWORK, PII_SCRUB_CONSOLE, PII_SCRUB_PATTERNS (comma-separated pattern names), PII_SCRUB_REPLACEMENT, PII_SCRUB_AUDIT_REPORT

Proxy Partitioning

Named proxy personas for per-agent static IP assignment — prevents shared network footprints.

• browser.list_proxy_personas, browser.create_proxy_persona, browser.delete_proxy_persona MCP tools
• REST: GET /proxy-personas, POST /proxy-personas, DELETE /proxy-personas/{name}
• Proxy config stored in JSON file (PROXY_PERSONA_FILE); passwords never returned in list/summary calls
• Session creation accepts proxy_persona param to route through a named proxy

Shadow Browsing

Flip a running headless session to a headed (visible) browser for live debugging.

• POST /sessions/{id}/shadow-browse — migrates cookies/storage to a new local-headed Playwright instance
• browser.enable_shadow_browse MCP tool
• Original session continues running; headed session is a fork with the same auth state
• Config: SHADOW_BROWSE_ENABLED

Session Forking

Branch a session's current state (cookies + local/session storage) into a new independent session.

• POST /sessions/{id}/fork — returns new session ID with full auth state cloned
• browser.fork_session MCP tool — optional name for the fork

Playwright Script Export

Export any session's recorded actions as a runnable Python Playwright script.

• GET /sessions/{id}/export-script — downloads .py file
• browser.export_script MCP tool
• Sensitive typed text replaced with <REDACTED> placeholders
• Supports: navigate, click, hover, type, press, scroll, wait, reload, go_back/forward, select_option, open_tab

Shared Session Links

HMAC-signed, TTL-enforced observer tokens for team handoffs.

• POST /sessions/{id}/share — creates a time-limited share token
• GET /share/{token}/observe — read-only session view (screenshot + metadata)
• browser.share_session MCP tool
• Config: SHARE_TOKEN_SECRET, SHARE_TOKEN_TTL_MINUTES (default: 60)

Vision-Grounded Targeting

Use Claude Vision to locate elements by natural language description instead of CSS selectors.

• browser.find_by_vision MCP tool — description + optional screenshot_path
• Returns pixel coordinates {x, y}, confidence, and selector_hint
• Falls back gracefully when ANTHROPIC_API_KEY is not set
• Config: ANTHROPIC_API_KEY, VISION_MODEL (default: claude-opus-4-5)

Cron / Webhook Triggers

Autonomous scheduled and webhook-triggered browser automation jobs.

• Full CRUD: GET/POST /crons, GET/DELETE /crons/{id}, POST /crons/{id}/trigger
• browser.list_cron_jobs, browser.create_cron_job, browser.delete_cron_job, browser.trigger_cron_job MCP tools
• APScheduler for cron expressions (optional install: pip install apscheduler)
• Webhook trigger with HMAC key (webhook_key) — compare via hmac.compare_digest
• Config: CRON_STORE_PATH, CRON_MAX_JOBS

MCP Resources Protocol

Live browser state exposed as MCP subscribable resources.

• Capabilities advertisement: {"resources": {"subscribe": false}}
• resources/list — enumerates all active sessions and their sub-resources
• resources/read — fetches live content:
  • browser://sessions → JSON list of all sessions
  • browser://{id}/screenshot → PNG as base64 blob
  • browser://{id}/dom → page HTML as text
  • browser://{id}/console → recent console messages as JSON
  • browser://{id}/network → recent network log as JSON

Expanded Tool Surface (30+ new MCP tools)

New tools beyond the existing core:
browser.get_network_log, browser.fork_session, browser.eval_js, browser.wait_for_selector,
browser.get_html, browser.find_elements, browser.drag_drop, browser.set_viewport,
browser.get_cookies, browser.set_cookies, browser.get_local_storage, browser.set_local_storage,
browser.export_script, browser.cdp_attach, browser.find_by_vision, browser.share_session,
browser.enable_shadow_browse, browser.list_proxy_personas, browser.create_proxy_persona,
browser.delete_proxy_persona, browser.list_cron_jobs, browser.create_cron_job,
browser.delete_cron_job, browser.trigger_cron_job, browser.pii_scrubber_status

Changed

• McpHttpTransport now accepts manager param for Resources protocol live data
• MCP server version bumped to 0.5.0

---

v0.2.0 — REST API surface completion + CI hardening

What's new

6 new REST action endpoints

All of these existed in the browser engine but had no REST surface — now they do:

Endpoint	Description
POST /sessions/{id}/actions/hover	Hover over element or coordinates
POST /sessions/{id}/actions/select-option	Select a `` option by value, label, or index
POST /sessions/{id}/actions/wait	Pause for N milliseconds (max 30s)
POST /sessions/{id}/actions/reload	Reload the current page
POST /sessions/{id}/actions/go-back	Browser history back
POST /sessions/{id}/actions/go-forward	Browser history forward

CI improvements

• Added ruff lint job (E9+F rules — syntax errors + unused imports)
• Fixed doctor.sh set -euo pipefail trap failing when no containers exist

Bug fixes

• Retry rate-limited host bridge requests
• Constrain auth bootstrap to writable CLI_HOME
• WaitRequest.wait_ms explicit default=0 for pydantic compatibility

Docs

• README: curl examples for all 6 new endpoints
• .env.example: 8 previously undocumented config vars documented
• 9 new unit tests for HoverRequest, WaitRequest, SelectOptionRequest

v0.1.1 — Launch polish

auto-browser v0.1.1

Patch release with final launch-readiness polish.

What changed

• add CODE_OF_CONDUCT.md
• add deployment failure-mode and troubleshooting notes
• add a copy-paste auth-profile walkthrough (examples/login-and-save-profile.md)
• tighten README launch guidance and contributor-facing links
• keep the launch audit green on the current VPS setup

Validation

• make release-audit passed
• 101 controller tests passed
• compose config validation passed
• secret-shaped token scan passed
• README demo GIF verified rendering on GitHub

Notes

This release does not change the core controller/browser behavior.
It is a launch-polish patch release on top of v0.1.0.

v0.1.0 — Initial public release

auto-browser v0.1.0

First public release.

What it is

An open-source MCP-native browser agent. Give your AI agent a real browser — with a human in the loop.

Works with Claude Desktop, Cursor, and any MCP client that speaks JSON-RPC tools.

What's included

• Playwright-powered browser with screenshots and structured element observations
• Human takeover via noVNC when flows get brittle
• Reusable named auth profiles — log in once, reuse across sessions
• Approval gates for write actions (post, upload, account changes)
• Audit trail and operator identity headers
• Stdio MCP bridge for Claude Desktop, Cursor, and other stdio-first clients
• HTTP MCP transport at /mcp
• REST API with curl-ready examples
• Docker Compose stack — zero config to start locally

Quickstart

```bash
git clone https://github.com/LvcidPsyche/auto-browser.git
cd auto-browser
docker compose up --build
```

Then point Claude Desktop at the stdio bridge — see examples/claude_desktop_config.json.

Not included

This is not a stealth or anti-bot system. It is for authorized browser workflows on sites and accounts you control.

---

If this is useful, a ⭐ helps others find it.