@growthub/cli 0.14.1 → 0.14.3

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/sandboxes/default-local-agent-host.js

@@ -36,27 +36,95 @@ import { registerSandboxAdapter } from "./sandbox-adapter-registry.js";
 const MAX_OUTPUT_BYTES = 1024 * 256;
 const TELEMETRY_MARKER = "GROWTHUB_AGENT_TELEMETRY:";
 
+/**
+ * Browser access — the product's OWN agent browser primitive, surfaced.
+ *
+ * The upstream Paperclip server already gives every agent browser access
+ * through one boolean: the agent config's `chrome` primitive (see
+ * `ui/src/components/agent-config-primitives.tsx` — "Enable Claude's Chrome
+ * integration by passing --chrome") gated by the chrome-lease service in
+ * `server/src/services/chrome-lease.ts` before `adapter.execute()`. The
+ * sandbox row's `browserAccess` is the SAME bit on the governed Data Model
+ * side, so a row stays portable to the upstream adapter registry without
+ * translation — exactly like the host slugs themselves.
+ *
+ * When `browserAccess` is on, each host engages its FIRST-PARTY browser
+ * integration — nothing is invented or injected by this adapter:
+ *
+ *   native-flag   the host CLI has a first-party browser flag and
+ *                 argv(request) appends it (Claude Code `--chrome`,
+ *                 Codex `--enable browser_use --enable in_app_browser`).
+ *   env-signal    the host CLI has no documented one-shot browser flag; it
+ *                 receives GROWTHUB_SANDBOX_BROWSER_ACCESS=1 (mirroring the
+ *                 upstream browser-isolation context) and its own browser
+ *                 integration — whatever the operator has configured in that
+ *                 host — honors the row's setting. We never fabricate a flag
+ *                 or write host config we cannot verify against the upstream
+ *                 tool, the same rule the auth catalog follows for login
+ *                 subcommands.
+ *
+ * In the orchestration graph this is what makes browser access node-level
+ * and host-agnostic: thinAdapter / ai-agent nodes execute through this same
+ * catalog, so every node inherits the row's browser grant regardless of
+ * which host runs it.
+ */
+
 /**
  * Canonical Paperclip host catalog — slugs mirror `AGENT_ADAPTER_TYPES`.
  *
  * Each entry declares the binary the operator must have on PATH and how to
- * invoke it for one-shot prompt execution. `argv` returns the argv array the
- * adapter should pass; `inputMode` chooses whether the user's command is sent
- * via stdin or as a positional argument. `installHint` is surfaced verbatim
- * when the binary is not found, so operators get an actionable error.
+ * invoke it for one-shot prompt execution. `argv(request)` receives the sealed
+ * RunRequest and returns the argv array the adapter should pass — hosts with
+ * native capability flags (network sandbox mode, browser access) derive them
+ * deterministically from the governed row's saved settings. `inputMode`
+ * chooses whether the user's command is sent via stdin or as a positional
+ * argument. `installHint` is surfaced verbatim when the binary is not found,
+ * so operators get an actionable error. `browser` declares how the host's
+ * first-party browser integration is engaged (see above).
  */
 const HOST_CATALOG = {
   claude_local: {
     label: "Claude Code (local)",
     binary: "claude",
-    argv: () => ["-p", "--output-format", "text"],
+    argv: (request = {}) => {
+      const args = ["-p", "--output-format", "text"];
+      if (request.browserAccess) {
+        // Claude Code's first-party Chrome integration — the same flag the
+        // upstream server adapter passes when the agent config's `chrome`
+        // primitive is on.
+        args.push("--chrome");
+      }
+      return args;
+    },
+    browser: { lane: "native-flag", flags: ["--chrome"] },
     inputMode: "stdin",
     installHint: "Install Claude Code: npm i -g @anthropic-ai/claude-code"
   },
   codex_local: {
     label: "Codex CLI (local)",
     binary: "codex",
-    argv: () => ["exec", "--skip-git-repo-check", "--sandbox", "read-only", "-"],
+    argv: (request = {}) => {
+      // INTENTIONAL: networkAllow alone selects `workspace-write`. Codex's
+      // `read-only` sandbox blocks ALL outbound network, so workspace-write is
+      // the least-privileged Codex mode where the row's network grant can take
+      // effect — and writes are confined to the sealed ephemeral workdir the
+      // adapter spawns into (cwd), never the operator's repo. Browser flags
+      // remain gated on browserAccess only; network alone never opens a browser.
+      const netOn = Boolean(request.networkAllow);
+      const browserOn = Boolean(request.browserAccess);
+      const args = [
+        "exec",
+        "--skip-git-repo-check",
+        "--sandbox",
+        netOn ? "workspace-write" : "read-only",
+      ];
+      if (browserOn) {
+        args.push("--enable", "browser_use", "--enable", "in_app_browser");
+      }
+      args.push("-");
+      return args;
+    },
+    browser: { lane: "native-flag", flags: ["--enable", "browser_use", "--enable", "in_app_browser"] },
     inputMode: "stdin",
     installHint: "Install Codex CLI: npm i -g @openai/codex"
   },
@@ -64,6 +132,7 @@ const HOST_CATALOG = {
     label: "Cursor Agent (local)",
     binary: "cursor-agent",
     argv: () => ["--print"],
+    browser: { lane: "env-signal" },
     inputMode: "stdin",
     installHint: "Install Cursor Agent CLI: curl https://cursor.com/install -fsS | bash"
   },
@@ -71,6 +140,7 @@ const HOST_CATALOG = {
     label: "Gemini CLI (local)",
     binary: "gemini",
     argv: () => ["-p", "-"],
+    browser: { lane: "env-signal" },
     inputMode: "stdin",
     installHint: "Install Gemini CLI: npm i -g @google/gemini-cli"
   },
@@ -78,6 +148,7 @@ const HOST_CATALOG = {
     label: "OpenCode (local)",
     binary: "opencode",
     argv: () => ["run", "--quiet"],
+    browser: { lane: "env-signal" },
     inputMode: "stdin",
     installHint: "Install OpenCode: npm i -g opencode-ai"
   },
@@ -85,6 +156,7 @@ const HOST_CATALOG = {
     label: "Pi (local)",
     binary: "pi",
     argv: () => ["run", "--stdin"],
+    browser: { lane: "env-signal" },
     inputMode: "stdin",
     installHint: "Install Pi CLI: refer to your Paperclip Pi distribution"
   },
@@ -92,6 +164,7 @@ const HOST_CATALOG = {
     label: "Qwen Code (local)",
     binary: "qwen",
     argv: () => ["-p"],
+    browser: { lane: "env-signal" },
     inputMode: "stdin",
     installHint: "Install Qwen Code CLI: refer to your Qwen distribution"
   },
@@ -99,6 +172,7 @@ const HOST_CATALOG = {
     label: "Hermes Paperclip (local)",
     binary: "hermes",
     argv: () => ["run", "--stdin"],
+    browser: { lane: "env-signal" },
     inputMode: "stdin",
     installHint: "Install Hermes Paperclip adapter: npm i -g hermes-paperclip-adapter"
   },
@@ -106,6 +180,7 @@ const HOST_CATALOG = {
     label: "OpenClaw Gateway (local)",
     binary: "openclaw",
     argv: () => ["gateway", "exec", "--stdin"],
+    browser: { lane: "env-signal" },
     inputMode: "stdin",
     installHint: "Install OpenClaw Gateway: refer to your Paperclip distribution"
   }
@@ -292,12 +367,13 @@ async function run(request) {
     GROWTHUB_SANDBOX_AGENT_HOST: hostSlug,
     GROWTHUB_SANDBOX_NET_ALLOW: request.networkAllow ? "1" : "0",
     GROWTHUB_SANDBOX_NET_ALLOWLIST: Array.isArray(request.allowList) ? request.allowList.join(",") : "",
+    GROWTHUB_SANDBOX_BROWSER_ACCESS: request.browserAccess ? "1" : "0",
     ...(request.env || {})
   };
 
   const timeoutMs = Number.isFinite(request.timeoutMs) && request.timeoutMs > 0 ? request.timeoutMs : 60000;
   const startedAt = Date.now();
-  const argv = host.argv(command);
+  const argv = host.argv(request);
 
   return await new Promise((resolve) => {
     let stdout = Buffer.alloc(0);
@@ -385,6 +461,8 @@ async function run(request) {
           binary: host.binary,
           argv,
           inputMode: host.inputMode,
+          browserAccess: Boolean(request.browserAccess),
+          browserLane: request.browserAccess ? host.browser.lane : null,
           timedOut,
           signal: signal || null,
           tokens: telemetry.tokens,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/sandboxes/default-local-process.js

@@ -108,6 +108,7 @@ async function run(request) {
     GROWTHUB_SANDBOX_RUN_ID: request.runId || "",
     GROWTHUB_SANDBOX_NET_ALLOW: request.networkAllow ? "1" : "0",
     GROWTHUB_SANDBOX_NET_ALLOWLIST: Array.isArray(request.allowList) ? request.allowList.join(",") : "",
+    GROWTHUB_SANDBOX_BROWSER_ACCESS: request.browserAccess ? "1" : "0",
     ...(request.env || {})
   };
 
@@ -177,7 +178,8 @@ async function run(request) {
           timedOut,
           signal: signal || null,
           networkAllow: Boolean(request.networkAllow),
-          allowList: Array.isArray(request.allowList) ? request.allowList : []
+          allowList: Array.isArray(request.allowList) ? request.allowList : [],
+          browserAccess: Boolean(request.browserAccess)
         }
       });
     });

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/sandboxes/index.js

@@ -10,6 +10,7 @@
 import "./default-local-process.js";
 import "./default-local-agent-host.js";
 import "./default-local-intelligence.js";
+import "./adapters/local-intelligence-browser-access.js";
 import { loadAllSandboxAdapters } from "./adapter-loader.js";
 
 let baseLoaded = true; // default-local-process registered via static import

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/adapters/sandboxes/sandbox-adapter-registry.js

@@ -27,6 +27,9 @@
  *     timeoutMs:       number,            // hard cap, capped at SANDBOX_MAX_TIMEOUT_MS
  *     networkAllow:    boolean,           // allow outbound network from inside the sandbox
  *     allowList:       string[],          // hostnames the user explicitly allowed
+ *     browserAccess:   boolean,           // row-level browser capability (implies networkAllow);
+ *                                         // adapters surface it natively where the target supports
+ *                                         // it and always publish GROWTHUB_SANDBOX_BROWSER_ACCESS
  *     env:             Record<string,string>, // server-resolved env (NEVER sent to browser)
  *     envRefSlugs:     string[],          // ref slugs resolved (kept for record metadata)
  *     envRefsMissing:  string[],          // slugs the server could not resolve (audit-only)
@@ -99,7 +102,8 @@ function describeRegisteredSandboxAdapters() {
           slug,
           label: host?.label || slug,
           binary: host?.binary || null,
-          installHint: host?.installHint || null
+          installHint: host?.installHint || null,
+          browserLane: host?.browser?.lane || "env-signal"
         }))
       : null
   }));

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/data-model/field-contracts.js

@@ -11,6 +11,7 @@ const SANDBOX_ENVIRONMENT_FIELDS = {
     options: ["local", "serverless"]
   },
   networkAllow: { editor: "boolean-toggle" },
+  browserAccess: { editor: "boolean-toggle" },
   lifecycleStatus: {
     editor: "select",
     options: ["draft", "live"]

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/orchestration-agent-swarm.js

@@ -288,6 +288,7 @@ async function runThroughAdapter({
   timeoutMs,
   networkAllow,
   allowList,
+  browserAccess,
   env,
   envRefSlugs,
   envRefsMissing,
@@ -331,6 +332,7 @@ async function runThroughAdapter({
       timeoutMs,
       networkAllow,
       allowList,
+      browserAccess: browserAccess === true,
       env,
       envRefSlugs,
       envRefsMissing,
@@ -400,6 +402,7 @@ async function runOrchestratorPhase({ orchestratorNode, subagents, inputPayload,
     timeoutMs: clampPositiveInt(orchestratorNode?.config?.timeoutMs, DEFAULT_ORCHESTRATOR_TIMEOUT_MS),
     networkAllow: executionContext.networkAllow === true,
     allowList: executionContext.allowList || [],
+    browserAccess: executionContext.browserAccess === true,
     env,
     envRefSlugs: executionContext.envRefSlugs || [],
     envRefsMissing: executionContext.envRefsMissing || [],
@@ -488,6 +491,9 @@ async function dispatchSubagentTask({
     command,
     timeoutMs: clampPositiveInt(subagentConfig.timeoutMs, executionContext.timeoutMs || DEFAULT_SUBAGENT_TIMEOUT_MS),
     networkAllow: subagentConfig.networkAccess === true && executionContext.networkAllow === true,
+    // Browser is a superset of network: a subagent only inherits the row's
+    // browser access through the same node-level network gate.
+    browserAccess: subagentConfig.networkAccess === true && executionContext.browserAccess === true,
     allowList: executionContext.allowList || [],
     env,
     envRefSlugs: executionContext.envRefSlugs || [],
@@ -568,6 +574,7 @@ async function runSynthesisPhase({ synthesisNode, swarmConfig, tasks, inputPaylo
     timeoutMs: clampPositiveInt(cfg.timeoutMs, DEFAULT_SYNTHESIS_TIMEOUT_MS),
     networkAllow: executionContext.networkAllow === true,
     allowList: executionContext.allowList || [],
+    browserAccess: executionContext.browserAccess === true,
     env,
     envRefSlugs: executionContext.envRefSlugs || [],
     envRefsMissing: executionContext.envRefsMissing || [],
@@ -822,6 +829,7 @@ async function runAgentSwarmGraphIfPresent({
     envRefsMissing: executionContext?.envRefsMissing || [],
     networkAllow: executionContext?.networkAllow === true,
     allowList: executionContext?.allowList || [],
+    browserAccess: executionContext?.browserAccess === true,
     timeoutMs: clampPositiveInt(timeoutMs, DEFAULT_SUBAGENT_TIMEOUT_MS),
     sandboxName: executionContext?.sandboxName || row?.Name || "swarm",
     onEvent: executionContext?.onEvent,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/orchestration-graph-runner.js

@@ -281,6 +281,9 @@ async function runOrchestrationGraphIfPresent({ workspaceConfig, row, timeoutMs,
 
   const apiNode = extractApiRegistryCallNode(graph);
   if (!apiNode?.config) {
+    if ((Array.isArray(graph.nodes) ? graph.nodes : []).some((node) => node?.type === "ai-agent")) {
+      return null;
+    }
     return {
       ok: false,
       exitCode: 1,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/orchestration-graph.js

@@ -157,9 +157,10 @@ function validateOrchestrationGraph(graph) {
     } else {
       const hasThinAdapter = graph.nodes.some((n) => n?.type === "thinAdapter");
       const hasApi = graph.nodes.some((n) => n?.type === "api-registry-call");
+      const hasAiAgent = graph.nodes.some((n) => n?.type === "ai-agent");
       const hasResult = graph.nodes.some((n) => n?.type === "tool-result");
-      if (!hasThinAdapter && !hasApi) errors.push("orchestrationGraph requires an api-registry-call node");
-      if (!hasThinAdapter && !hasResult) errors.push("orchestrationGraph requires a tool-result node");
+      if (!hasThinAdapter && !hasApi && !hasAiAgent) errors.push("orchestrationGraph requires an executable node");
+      if (!hasThinAdapter && !hasAiAgent && !hasResult) errors.push("orchestrationGraph requires a tool-result node");
     }
   }
   if (!Array.isArray(graph.edges)) {
@@ -712,6 +713,7 @@ function buildCanonicalNode(nodeId, registryRow = {}, options = {}) {
 function getNextCanonicalNodeId(graph) {
   const parsed = parseOrchestrationGraph(graph) || graph;
   if ((parsed?.nodes || []).some((n) => n?.type === "thinAdapter")) return null;
+  if ((parsed?.nodes || []).some((n) => n?.type === "ai-agent")) return null;
   const ids = new Set((parsed?.nodes || []).map((n) => String(n.id)));
   for (const id of CANONICAL_NODE_ORDER) {
     if (!ids.has(id)) return id;

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/orchestration-publish.js

@@ -0,0 +1,179 @@
+/**
+ * Orchestration publish helpers — shared by the Workflows surface (client)
+ * and POST /api/workspace/workflow/publish (server-authoritative publish).
+ *
+ * These were previously private functions inside app/workflows/WorkflowSurface.jsx.
+ * They are extracted so the *server* owns publish computation (version bump,
+ * delta records, draft → live promotion) and the client only renders state.
+ * Pure functions; the only dependency is the orchestration-graph parser.
+ */
+
+import { parseOrchestrationGraph } from "@/lib/orchestration-graph";
+
+function nodeSandboxRecordRef(objectId, rowName, nodeId) {
+  return {
+    objectId: String(objectId || "").trim(),
+    rowName: String(rowName || "").trim(),
+    nodeId: String(nodeId || "").trim()
+  };
+}
+
+function withGraphSandboxRecordRefs(graph, objectId, rowName) {
+  const parsed = parseOrchestrationGraph(graph) || graph;
+  if (!parsed || typeof parsed !== "object") return parsed;
+  return {
+    ...parsed,
+    nodes: (Array.isArray(parsed.nodes) ? parsed.nodes : []).map((node) => ({
+      ...node,
+      config: {
+        ...(node?.config || {}),
+        sandboxRecordRef: nodeSandboxRecordRef(objectId, rowName, node?.id)
+      }
+    }))
+  };
+}
+
+function patchSandboxRowInConfig(workspaceConfig, objectId, rowIndex, fields) {
+  const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
+  return {
+    ...workspaceConfig,
+    dataModel: {
+      ...workspaceConfig.dataModel,
+      objects: objects.map((object) => {
+        if (object?.id !== objectId) return object;
+        const rows = Array.isArray(object.rows) ? object.rows : [];
+        return {
+          ...object,
+          rows: rows.map((row, index) => (index === rowIndex ? { ...row, ...fields } : row)),
+        };
+      }),
+    },
+  };
+}
+
+function normalizeDeltaTags(tags) {
+  return Array.from(new Set((Array.isArray(tags) ? tags : [])
+    .map((tag) => String(tag || "").trim().toLowerCase())
+    .filter(Boolean)));
+}
+
+function inferDeltaTagsForWorkflowNode(node, config) {
+  const tags = [];
+  const type = String(node?.type || "").trim();
+  const action = String(config?.action || node?.id || "").trim();
+  if (type === "thinAdapter") tags.push("model", "prompt", "routing");
+  if (type === "ai-agent") tags.push("model", "prompt", "output");
+  if (type === "data-action" || type === "data-trigger") tags.push("input", "output");
+  if (type === "flow-control") tags.push("routing");
+  if (type === "core-action") tags.push("runtime");
+  if (type === "human-input") tags.push("input");
+  if (action.includes("search") || action.includes("filter")) tags.push("evaluation", "guardrail");
+  if (action.includes("delete") || config?.confirmationRequired) tags.push("guardrail");
+  if (action.includes("http") || config?.url || config?.method) tags.push("routing", "input", "output");
+  if (action.includes("email")) tags.push("input", "output");
+  if (action.includes("delay") || config?.duration || config?.unit) tags.push("runtime");
+  if (config?.objectId || config?.fieldMap || config?.filters) tags.push("input", "output");
+  if (config?.model || config?.prompt) tags.push("model", "prompt");
+  return normalizeDeltaTags(tags);
+}
+
+function getNodeDeltaRecords(previousGraph, nextGraph) {
+  const previousNodes = new Map(
+    (Array.isArray(previousGraph?.nodes) ? previousGraph.nodes : [])
+      .map((node) => [String(node?.id || ""), node])
+      .filter(([id]) => id)
+  );
+
+  return (Array.isArray(nextGraph?.nodes) ? nextGraph.nodes : [])
+    .map((node) => {
+      const nodeId = String(node?.id || "").trim();
+      if (!nodeId) return null;
+      const previous = previousNodes.get(nodeId);
+      const config = node?.config && typeof node.config === "object" && !Array.isArray(node.config) ? node.config : {};
+      const previousConfig = previous?.config && typeof previous.config === "object" && !Array.isArray(previous.config)
+        ? previous.config
+        : {};
+      const currentComparable = JSON.stringify({
+        type: node?.type || "",
+        sandbox: node?.sandbox || "",
+        label: node?.label || "",
+        subtitle: node?.subtitle || "",
+        config
+      });
+      const previousComparable = JSON.stringify({
+        type: previous?.type || "",
+        sandbox: previous?.sandbox || "",
+        label: previous?.label || "",
+        subtitle: previous?.subtitle || "",
+        config: previousConfig
+      });
+      const explicitTags = normalizeDeltaTags(config.deltaTags);
+      const deltaTags = explicitTags.length > 0 ? explicitTags : inferDeltaTagsForWorkflowNode(node, config);
+      const changeReason = String(config.changeReason || "").trim();
+      const changed = currentComparable !== previousComparable;
+      if (!changed && !changeReason && deltaTags.length === 0) return null;
+      return {
+        nodeId,
+        nodeType: String(node?.type || ""),
+        label: String(node?.label || node?.sandbox || nodeId),
+        sandboxRecordRef: config.sandboxRecordRef || null,
+        changeReason,
+        deltaTags,
+        requiresRetest: config.requiresRetest !== false,
+        previous: previous ? {
+          type: String(previous.type || ""),
+          sandbox: String(previous.sandbox || ""),
+          label: String(previous.label || "")
+        } : null,
+        next: {
+          type: String(node.type || ""),
+          sandbox: String(node.sandbox || ""),
+          label: String(node.label || "")
+        }
+      };
+    })
+    .filter(Boolean);
+}
+
+/**
+ * Resolve which live field this row publishes into and which draft field
+ * feeds it.
+ *
+ * Precedence (matching the Workflows surface):
+ *   1. An explicit `requestedField` ("orchestrationConfig" | "orchestrationGraph")
+ *      — the surface preserves the URL-selected field when no live graph
+ *      exists yet, so the publish request may carry it.
+ *   2. Whichever live field is populated.
+ *   3. Whichever DRAFT field is populated — a row whose only state is
+ *      `orchestrationDraftGraph` publishes into `orchestrationGraph`,
+ *      never silently into `orchestrationConfig`.
+ *   4. Default `orchestrationConfig`.
+ */
+function resolveWorkflowFieldNames(row, requestedField) {
+  const hasGraphValue = (value) => Boolean(String(value ?? "").trim());
+  const draftFor = (live) => (live === "orchestrationConfig" ? "orchestrationDraftConfig" : "orchestrationDraftGraph");
+  if (requestedField === "orchestrationConfig" || requestedField === "orchestrationGraph") {
+    return { liveField: requestedField, draftField: draftFor(requestedField) };
+  }
+  let liveField;
+  if (hasGraphValue(row?.orchestrationConfig)) {
+    liveField = "orchestrationConfig";
+  } else if (hasGraphValue(row?.orchestrationGraph)) {
+    liveField = "orchestrationGraph";
+  } else if (!hasGraphValue(row?.orchestrationDraftConfig) && hasGraphValue(row?.orchestrationDraftGraph)) {
+    liveField = "orchestrationGraph";
+  } else {
+    liveField = "orchestrationConfig";
+  }
+  return { liveField, draftField: draftFor(liveField) };
+}
+
+export {
+  getNodeDeltaRecords,
+  inferDeltaTagsForWorkflowNode,
+  nodeSandboxRecordRef,
+  normalizeDeltaTags,
+  patchSandboxRowInConfig,
+  resolveWorkflowFieldNames,
+  withGraphSandboxRecordRefs
+};

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/orchestration-run-console.js

@@ -685,6 +685,7 @@ function normalizeRunConsoleRecord(record) {
       envRefsMissing: Array.isArray(record.envRefsMissing) ? record.envRefsMissing.slice() : [],
       networkAllow: Boolean(record.networkAllow),
       allowList: Array.isArray(record.allowList) ? record.allowList.slice() : [],
+      browserAccess: Boolean(record.browserAccess),
       adapterMeta,
       templateTrace
     },