auto-browser

Name: auto-browser
Author: LvcidPsyche

by LvcidPsyche

Verified

Give your AI agent a real browser — with a human in the loop. Open-source MCP-native browser agent.

543stars

86forks

Python

Added 4/26/2026

View on GitHub Download ZIP Scan for vulnerabilities

AI Agentsai-agentai-agentsbrowser-automationclaudedocker

Installation

# Add to your Claude Code skills
git clone https://github.com/LvcidPsyche/auto-browser

Getting Started

Guides for using ai agents skills like auto-browser.

Caveman: Cut Claude Token Use by 65%
How agent-side prompt compression works, when to use it, and when not to.
What is an AI Skills Marketplace?
Definitions, how marketplaces work, and how to choose between them in 2026.
Getting Started with AI Skills

Security ReportVerified

Last scanned: 5/17/2026

{
  "issues": [],
  "status": "PASSED",
  "scannedAt": "2026-05-17T06:45:55.041Z",
  "semgrepRan": false,
  "npmAuditRan": true,
  "pipAuditRan": true
}

README.md

Agentic AI for Beginners

Build your first AI agent from scratch - tool use, ReAct pattern, memory, deployment

41 minBeginner

Comments (0)

to leave a comment.

No comments yet. Be the first to share your thoughts!

Related Skills

ECC

by affaan-m

The agent harness performance optimization system. Skills, instincts, memory, security, and research-first development for Claude Code, Codex, Opencode, Cursor and beyond.

212,121

vestige sandboxd

Auto Browser

Auto Browser demo

Give your AI agent a real browser, with a human in the loop.

Auto Browser is an MCP-native browser control plane for authorized workflows. It gives MCP clients, LLM agents, and operators a shared Playwright browser with human takeover, reusable auth profiles, approvals, audit trails, and local-first deployment.

Works with:

Claude Desktop
Cursor
any MCP client that can talk HTTP or stdio
direct REST callers when you want curl-first control

Why Auto Browser

MCP-native from day one. The browser surface is already packaged as an MCP server instead of bolted on after the fact.
Human takeover when the web gets brittle. noVNC keeps the same live session available when a person needs to step in.
Login once, reuse later. Save named auth profiles and reopen fresh sessions that are already signed in.
Local-first by default. Run the full stack on your own box with Docker Compose, or use Codespaces for a quick hosted demo.
Safety rails built in. Approvals, operator identity, PII scrubbing, Witness receipts, and policy presets are all part of the product surface.
Governed skill induction. Verified browser traces can become staged skill candidates with signed provenance, verifier adapters, and review-only graduation — agents that prove they can repeat themselves correctly, not just act once.

Release Highlights (v1.1.4)

v1.1.4 — documentation patch. Documents the single-writer chain-integrity invariant in the Witness recorder; no functional changes since v1.1.3.

Since v1.1.3

Background-task reliability keeps a strong reference to fire-and-forget work — network capture, the on-detach flush, approval webhooks, and post-session curator review — so it can no longer be garbage-collected mid-flight.
Audit attribution fix stops operator identity from sharing a single mutable default across request contexts.
Leaner controller removes the previously extracted social/Veo3 modules that were already unwired and excluded from the build.
Release gates in CI continue to enforce dependency audits, fixture evals, client tests, Python wheel builds, and the 80% controller coverage gate.

See CHANGELOG.md for the full release history.

Good Fits

internal dashboards and admin tools
operator-assisted QA and browser debugging
login-once, reuse-later account workflows
brittle sites where a human may need to recover the flow
MCP-powered agent workflows that need a real browser, not just HTML fetches

Not the Goal

CAPTCHA solving
unauthorized scraping or account automation
deceptive identity shaping or bypass tooling

What You Get

Browser Control	Operator Safety	Deployment and Integration
Playwright-backed sessions with screenshots, DOM summaries, OCR excerpts, tab controls, downloads, and network inspection	approval gates, operator identity headers, audit events, PII scrubbing, Witness receipts, and protection profiles	MCP over HTTP, bundled stdio bridge, REST API, Docker Compose, Codespaces, auth profiles, and optional per-session isolation

Quickstart

git clone https://github.com/LvcidPsyche/auto-browser.git
cd auto-browser
docker compose up --build

That is enough for local development with the default settings.

Optional:

cp .env.example .env
make doctor

Run make doctor from a normal terminal with local Docker access and permission to open localhost sockets.

Open:

API docs: http://127.0.0.1:8000/docs
Operator dashboard: http://127.0.0.1:8000/dashboard
Visual takeover: http://127.0.0.1:6080/vnc.html?autoconnect=true&resize=scale

All published ports bind to 127.0.0.1 by default.

Try It in Codespaces

Codespaces provisions the stack automatically. The dashboard and noVNC tabs are usually ready in about 90 seconds.

First Useful Demo

The highest-signal flow in this repo is:

create a session
log in manually if the site needs a human
save the session as a named auth profile
open a new session from that auth profile
continue work without reauthing

Start here:

Minimal session creation:

curl -s http://127.0.0.1:8000/sessions \
  -X POST \
  -H 'content-type: application/json' \
  -d '{"name":"demo","start_url":"https://example.com"}' | jq

Minimal observation:

curl -s http://127.0.0.1:8000/sessions/<session-id>/observe | jq

MCP Clients

Auto Browser exposes:

an HTTP MCP endpoint at http://127.0.0.1:8000/mcp
convenience endpoints at http://127.0.0.1:8000/mcp/tools and http://127.0.0.1:8000/mcp/tools/call
a bundled stdio bridge at scripts/mcp_stdio_bridge.py

The default MCP tool profile is curated, which keeps the browser surface compact for better tool selection. If you want the full internal tool surface, set:

MCP_TOOL_PROFILE=full

Raw tool-call example:

curl -s http://127.0.0.1:8000/mcp/tools/call \
  -X POST \
  -H 'content-type: application/json' \
  -d '{
    "name":"browser.create_session",
    "arguments":{
      "name":"demo",
      "start_url":"https://example.com"
    }
  }' | jq

Client setup guides:

Convergence Harness

Auto Browser ships a Stage 0 convergence harness for Agent Skill Induction. It runs a structured task contract, records tamper-checked traces, verifies completion, and writes a staged skill candidate with signed provenance. Generated skills are staged only — promotion stays explicit and reviewed.

Read-only inspection tools (harness.list_runs, harness.get_status, harness.get_trace) are exposed in the default curated MCP tool profile so agents can introspect harness state without elevated access. Convergence runs, drift checks, candidate management, and graduation require MCP_TOOL_PROFILE=full, or can be invoked directly over REST.

Start with docs/convergence-harness.md. A deterministic local smoke is:

python -m controller.harness.run --contract evals/contracts/example_read.json --mock-final-url https://example.com --mock-final-text "Example Domain"

For MCP clients, set MCP_TOOL_PROFILE=full to expose the harness.* tools.

Security and Compliance

For a real private deployment, set at least:

APP_ENV=production
API_BEARER_TOKEN=<strong-random-secret>
REQUIRE_OPERATOR_ID=true
AUTH_STATE_ENCRYPTION_KEY=<44-char-fernet-key>
REQUIRE_AUTH_STATE_ENCRYPTION=true
REQUEST_RATE_LIMIT_ENABLED=true
METRICS_ENABLED=true
STEALTH_ENABLED=false

COMPLIANCE_TEMPLATE can apply a preconfigured posture at startup:

Preset	Auth Encryption	Operator ID	PII Scrub	Isolation	Max Session Age
`strict`	required	required	all layers	`docker_ephemeral`	4h
`balanced`	-	required	network + text	shared	24h

Both presets require upload approvals and enable Witness receipts. Startup writes the applied policy to /data/compliance-manifest.json. The legacy names (HIPAA, SOC2, GDPR, PCI-DSS) still work as deprecated aliases and emit a warning at startup.

Example:

COMPLIANCE_TEMPLATE=strict docker compose up

For deployment details, hosted Witness notes, CLI auth modes, and reverse-SSH guidance, see:

Architecture at a Glance

flowchart LR
    User[Human operator] -->|watch / takeover| noVNC[noVNC]
    LLM[OpenAI / Claude / Gemini] -->|shared tools| Controller[Controller API]
    Controller -->|Playwright protocol| Browser[Browser node]
    noVNC --> Browser
    Browser --> Artifacts[(screenshots / traces / auth state)]
    Controller --> Artifacts
    Controller --> Policy[Allowlist + approval gates]

Core components:

browser-node/ runs Chromium, Xvfb, x11vnc, and noVNC
controller/ exposes the FastAPI controller, MCP transport, policy rails, and orchestration endpoints
data/ holds runtime artifacts, auth state, approvals, audit logs, and optional CLI caches
scripts/ contains local helpers for doctor, smoke tests, bridges, and release checks

Repo Guide

Path	What It Contains
`controller/`	controller API, MCP transport, tests, and packaging
`browser-node/`	browser runtime and Playwright connection layer
`examples/`	copy-paste flows and MCP client setup
`integrations/langchain/`	LangChain, LangGraph, and CrewAI adapters
`docs/`	architecture, deployment, hardening, and launch docs
`scripts/`	doctor,