Secure local co-browsing control plane
Secure co-browsing between AI agents and your local browser.
BETA3 tests the governed operator path: native messaging, MCP, target-tab leases, policy, origin grants, approval-gated navigation, redacted DOM summary, limited experimental low-risk click and safe field fill/type, safe test submit only, Helper Health, diagnostics, panic, and tamper-evident local audit.
What BrowserBridge does
BrowserBridge is a local-first secure browser control plane for AI agents. It connects agent harnesses to a user's real browser through native messaging, paired client identity, exact scopes, approval gates, panic controls, and local audit records.
The beta remains intentionally governed: every live browser action passes through target leases, origin grants, policy, one-time approval, panic checks, and audit.
Why it exists
Work with the user's local browser session instead of forcing workflows into cloud browsers.
Keep connection state, approvals, panic, and recovery visible to the user.
Target MCP-compatible harnesses without stealth, anti-detection, or CAPTCHA bypass behavior.
Current BETA3 capabilities
BrowserBridge now exercises live navigation and redacted page summary through the same controls external testers need to evaluate: explicit target, explicit origin, explicit approval, audit, and panic. Click and fill/type remain limited experimental beta checks; submit is safe-test-only and not general website automation.
Manifest V3 extension-to-companion status, panic, approval transport, and active-tab messages.
Origin-only metadata for the operator-selected target tab. Full URLs, query strings, and fragments are not persisted.
Navigation is limited to validated origins and requires scope, session, tab, panic, audit, and approval checks.
Panic blocks future action paths and is carried over the native messaging channel.
Named paired clients, public-key identity, short-lived sessions, exact scopes, and one-time approvals.
Local redaction-before-write audit events with hash-chain verification and export commands.
Origin-granted DOM summary returns visible interactive element summaries and opaque handles only. No raw DOM, screenshots, cookies, storage, or full URL.
Low-risk element click is a limited beta path. It requires live controls, origin grant, target lease, fresh opaque handle, one-time approval, panic checks, and audit. High-risk, destructive, commerce, security, upload, and submit-like clicks remain gated or blocked.
Safe field handles support limited beta fill/type checks with exact preview and redacted audit. Password, MFA, payment, file, hidden, disabled, token-like, and secret-like inputs are blocked.
Submit remains highly restricted. Safe test submit is available only for controlled validation; login, payment, purchase, delete, publish, send, and security submits are blocked.
Policy modes, per-origin grants, action limits, managed-tab state, workspace visibility, controller/observer roles, and runtime ownership are visible in Control Tower.
Control Tower shows live helper health, first-run status, troubleshooting, queue health, diagnostics export, feedback workflow, panic, audit summaries, and build identity.
External beta tester brief
BETA3 is about installability, trust, recovery, and operator clarity. Use safe HTTP/HTTPS test pages and avoid production accounts, account-security flows, admin consoles, payments, and sensitive data.
Download, verify checksum, install/update, reload the extension, run doctor, start MCP, confirm Helper Health, open a safe tab, and click Set Target Tab.
Validate navigation, DOM summary, limited low-risk click and safe field fill/type checks, safe test submit only, origin grants, action approvals, and panic blocking.
Try stale helper, disconnected helper, stale target lease, queue stalled, MCP unreachable, and extension inactive states. Confirm the UI explains the next safe step.
Tell us where setup stalls, where labels are unclear, whether approvals feel trustworthy, whether diagnostics are useful, and whether recovery steps are actionable.
Build identity, Helper Health state, policy mode, target lease state, queue summary, audit health, whether Set Target Tab was completed, and a redacted diagnostics bundle.
Live capability status
BrowserBridge tools distinguish fresh live metadata from unavailable live state and explicit demo mode. Production harnesses should never receive stale mock-shaped tabs. HARNESS2 adds stress coverage for restarts, reconnects, approval reuse, active-tab expiry, and multi-agent ownership.
Fresh extension metadata exists and returns origin-only tab data.
MCP is reachable, but the extension/native path has no fresh metadata.
Navigation is the broadly supported live action. Limited low-risk click and safe field fill/type checks are experimental, and submit is safe-test-only; every governed action is one-time and approval-bound.
Panic blocks action paths and clears pending approvals fail-closed.
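An added sketch, not BrowserBridge code, of the one-time, approval-bound behaviour and fail-closed panic described above. The ApprovalGate class, its method names, and the 30-second lifetime are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class ApprovalGate:
    """Hypothetical one-time approval store with a fail-closed panic switch."""
    ttl_seconds: float = 30.0          # assumed approval lifetime
    panicked: bool = False
    _pending: dict = field(default_factory=dict)

    def approve(self, client, action, origin, now=None):
        """Operator approves one exact (client, action, origin) request."""
        if self.panicked:
            raise PermissionError("panic active: no new approvals")
        now = time.monotonic() if now is None else now
        token = secrets.token_urlsafe(16)
        self._pending[token] = (client, action, origin, now + self.ttl_seconds)
        return token

    def consume(self, token, client, action, origin, now=None):
        """Return True at most once, only for a matching, unexpired approval."""
        now = time.monotonic() if now is None else now
        # Pop before any check: a mismatched or replayed attempt burns the
        # approval, so it can never be retried against another target.
        entry = self._pending.pop(token, None)
        if self.panicked or entry is None:
            return False
        c, a, o, expires = entry
        return (c, a, o) == (client, action, origin) and now <= expires

    def panic(self):
        """Fail closed: block future actions and drop every pending approval."""
        self.panicked = True
        self._pending.clear()


if __name__ == "__main__":
    gate = ApprovalGate()
    req = ("agent-a", "navigate", "https://example.test")  # constructed values
    t = gate.approve(*req, now=0.0)
    print(gate.consume(t, *req, now=1.0))   # first use succeeds
    print(gate.consume(t, *req, now=2.0))   # reuse is refused
    t = gate.approve(*req, now=3.0)
    gate.panic()
    print(gate.consume(t, *req, now=4.0))   # approval granted before panic is void
```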
Security-first architecture
A successful handshake never grants browser capability. Every live path still depends on paired identity, valid session, exact scope, tab target validation, one-time approval, panic checks, and audit.
Companion and MCP surfaces are loopback-only by default. Trusted tailnet MCP binds require explicit opt-in.
The current beta extension uses only nativeMessaging, activeTab, and origin-scoped scripting, with no host permissions, content scripts, debugger, raw DOM persistence, or screenshots.
Audit records avoid raw tokens, pairing codes, credentials, typed input, full URLs, queries, and fragments.
What it explicitly does not do
These limits are intentional. They keep the alpha focused on a reviewable security model before any broader live control is designed.
Trusted tailnet testing
BrowserBridge MCP HTTP is loopback-only by default. Beta testers can opt in to a non-loopback bind for trusted tailnet lab validation with --allow-remote. Authentication, exact scopes, approvals, panic checks, and audit still apply.
browserbridge-mcp http \
--host 100.66.42.21 \
--port 7332 \
--allow-remote
Never expose BrowserBridge MCP directly to the public internet.
Install path
Start from the latest public R2 artifact. The tester path covers checksum verification, install/update, extension load, native doctor, MCP startup, Helper Health, Set Target Tab, and diagnostics.
Full path: External Beta Onboarding and Operator Install/Update.
External beta install/update
curl -LO https://pub-94e17e3158894cbba8864e5d1eab3045.r2.dev/downloads/latest.tar.gz
curl -LO https://pub-94e17e3158894cbba8864e5d1eab3045.r2.dev/downloads/latest.sha256
shasum -a 256 -c latest.sha256
./scripts/install-or-update.sh update --from-latest
./scripts/install-or-update.sh doctor --from-latest
Then reload the Chrome extension, start MCP, and use Control Tower to set the target tab.
Supported and target integrations
Audit and panic controls
The unified audit bus records companion, MCP, native messaging, approval, transport, and security-failure events through one local ingestion path. Redaction happens before persistence, then records are chained with hashes for tamper-evidence.
Panic is fail-closed: it blocks new action paths and prevents approval reuse from becoming a capability bypass.
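An added sketch, not BrowserBridge code, of the redaction-before-persistence and hash chaining described in this section, including the origin-only handling of URLs. The record layout, the field names in SECRET_KEYS, and the function names are assumptions made for illustration.

```python
import hashlib
import json
from urllib.parse import urlsplit

GENESIS = "0" * 64
# Assumed names of fields that must never reach the log.
SECRET_KEYS = {"token", "pairing_code", "credential", "typed_input"}


def origin_only(url):
    """Keep scheme, host and port; drop userinfo, path, query and fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{host}{port}"


def redact(event):
    """Redact first, so the unredacted event is never hashed or stored."""
    out = {}
    for key, value in event.items():
        if key in SECRET_KEYS:
            out[key] = "[REDACTED]"
        elif key == "url":
            out["origin"] = origin_only(value)
        else:
            out[key] = value
    return out


def _digest(prev, body):
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()


def append(log, event):
    """Append a redacted record whose hash covers the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = redact(event)
    log.append({"prev": prev, "event": body, "hash": _digest(prev, body)})


def verify(log):
    """Return the index of the first broken record, or None if the chain holds."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return None
```

A chain like this shows edits, insertions and deletions only when the latest hash is also compared against a copy kept outside the log, since anyone able to rewrite the whole file can recompute every hash. How BrowserBridge anchors its chain is not stated on this page.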
Release verification
Source repo remains private. Public downloads are hosted via R2, with stable latest links and versioned artifacts for repeatable verification.
Latest download: latest.tar.gz
Verify public latest
curl -LO https://pub-94e17e3158894cbba8864e5d1eab3045.r2.dev/downloads/latest.tar.gz
curl -LO https://pub-94e17e3158894cbba8864e5d1eab3045.r2.dev/downloads/latest.sha256
curl -LO https://pub-94e17e3158894cbba8864e5d1eab3045.r2.dev/downloads/latest.manifest.json
shasum -a 256 -c latest.sha256
Roadmap
Troubleshooting