@hybridaione/hybridclaw 0.1.19 → 0.1.20

package/.env.example

@@ -5,3 +5,10 @@ HYBRIDAI_API_KEY=
 DISCORD_TOKEN=                    # Enable Discord integration when set
 WEB_API_TOKEN=                    # Protect /api/* endpoints (Bearer token)
 GATEWAY_API_TOKEN=                # Client token override (defaults to WEB_API_TOKEN)
+
+# Optional browser settings
+BROWSER_ALLOW_PRIVATE_NETWORK=    # Set true to allow localhost/private network navigation in browser tools
+BROWSER_PERSIST_PROFILE=          # Default true; set false for ephemeral browser profile
+BROWSER_PERSIST_SESSION_STATE=    # Default true; set false to disable auto save/restore state files
+BROWSER_PROFILE_ROOT=             # Optional profile root path (default: /workspace/.hybridclaw-runtime/browser-profiles in container)
+BROWSER_CDP_URL=                  # Optional CDP endpoint (e.g. ws://127.0.0.1:9222/devtools/browser/...)

package/.hybridclaw/container-image-state.json

@@ -1,5 +1,5 @@
 {
   "imageName": "hybridclaw-agent",
-  "fingerprint": "dd50e47197b2010c0b7e61fed0dd603106b5249d99f6a7fe846039932d2d53c6",
-  "recordedAt": "2026-03-02T17:02:41.340Z"
+  "fingerprint": "3d8807c236f660de18d8e98a9539ca1862a2ed522f1a9acf9de862c5d12c4c75",
+  "recordedAt": "2026-03-02T20:30:27.276Z"
 }

package/CHANGELOG.md

@@ -8,6 +8,22 @@
 
 ### Fixed
 
+## [0.1.20](https://github.com/HybridAIOne/hybridclaw/tree/v0.1.20)
+
+### Added
+
+- **Browser auth policy clarification**: Added explicit runtime guidance that user-directed login/auth-flow testing is allowed with browser tools on the requested domain.
+
+### Changed
+
+- **Persistent browser login continuity**: Browser tooling now persists per-session profile/state by default (`AGENT_BROWSER_PROFILE` + `AGENT_BROWSER_SESSION_NAME`) with configurable overrides (`BROWSER_PERSIST_PROFILE`, `BROWSER_PERSIST_SESSION_STATE`, `BROWSER_PROFILE_ROOT`, `BROWSER_CDP_URL`).
+- **Safety prompt alignment**: System safety hook now explicitly rejects fabricated “public-only/unauthenticated browser” limitations and prioritizes real tool/policy outcomes.
+- **Documentation refresh**: Updated README and website docs (`docs/index.html`) with authenticated browser-flow support and browser session persistence behavior.
+
+### Fixed
+
+- **Audit secret leakage risk**: Structured audit tool-call arguments now redact sensitive fields (password/token/secret/etc.), including `browser_type.text`, to avoid credential plaintext in audit trails.
+
 ## [0.1.19](https://github.com/HybridAIOne/hybridclaw/tree/v0.1.19)
 
 ### Added

package/README.md

@@ -246,6 +246,11 @@ Browser tooling notes:
 
 - The shipped container image preinstalls `agent-browser` and Chromium (Playwright).
 - You can override the binary via `AGENT_BROWSER_BIN` if needed.
+- User-directed authenticated browser-flow testing is supported (including filling/submitting login forms on the requested site).
+- Browser auth/session state now persists per HybridClaw session by default via a dedicated profile directory under `/workspace/.hybridclaw-runtime/browser-profiles`.
+- Session cookies/localStorage are also auto-saved/restored via `agent-browser` session-state files.
+- Optional overrides: `BROWSER_PERSIST_PROFILE=false` (disable profile persistence), `BROWSER_PERSIST_SESSION_STATE=false` (disable state file persistence), `BROWSER_PROFILE_ROOT=/path` (custom profile root), `BROWSER_CDP_URL=ws://...` (force CDP attachment to an existing browser).
+- Structured audit logs redact sensitive browser/tool arguments (password/token/secret fields and typed form text).
 - Navigation to private/loopback hosts is blocked by default (set `BROWSER_ALLOW_PRIVATE_NETWORK=true` to override).
 - Screenshot/PDF outputs are constrained to `/workspace/.browser-artifacts`.
 

package/SECURITY.md

@@ -22,6 +22,14 @@ System prompts include safety constraints for every conversation turn:
 
 Implementation: [src/prompt-hooks.ts](./src/prompt-hooks.ts)
 
+### 1.1) Browser Authentication Flows
+
+User-directed browser authentication testing is permitted when the user explicitly asks for it:
+
+- Browser tools may fill credentials and submit login forms for the requested site.
+- Credentials must be used only for the requested auth flow on the intended domain.
+- Credentials must not be echoed in assistant prose, written to workspace files, or sent to unrelated domains.
+
 ### 2) Runtime Tool Blocking
 
 Before tool execution, HybridClaw applies policy hooks that block known dangerous patterns:

package/container/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "hybridclaw-agent",
-  "version": "0.1.19",
+  "version": "0.1.20",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "hybridclaw-agent",
-      "version": "0.1.19",
+      "version": "0.1.20",
       "dependencies": {
         "@mozilla/readability": "^0.6.0",
         "agent-browser": "^0.15.1",

package/container/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hybridclaw-agent",
-  "version": "0.1.19",
+  "version": "0.1.20",
   "type": "module",
   "scripts": {
     "build": "tsc",

package/container/src/browser-tools.ts

@@ -1,4 +1,5 @@
 import { execFile, spawnSync } from 'child_process';
+import { createHash } from 'crypto';
 import { lookup } from 'dns/promises';
 import fs from 'fs';
 import net from 'net';
@@ -19,6 +20,8 @@ const BROWSER_TMP_HOME = path.join(BROWSER_RUNTIME_ROOT, 'home');
 const BROWSER_NPM_CACHE = path.join(BROWSER_RUNTIME_ROOT, 'npm-cache');
 const BROWSER_XDG_CACHE = path.join(BROWSER_RUNTIME_ROOT, 'cache');
 const BROWSER_PLAYWRIGHT_CACHE = path.join(BROWSER_RUNTIME_ROOT, 'ms-playwright');
+const BROWSER_PROFILE_ROOT = path.join(BROWSER_RUNTIME_ROOT, 'browser-profiles');
+const ENV_FALSEY = new Set(['0', 'false', 'no', 'off']);
 
 type BrowserRunner = {
   cmd: string;
@@ -28,6 +31,8 @@ type BrowserRunner = {
 type BrowserSession = {
   sessionKey: string;
   socketDir: string;
+  profileDir?: string;
+  stateName?: string;
   createdAt: number;
   lastUsedAt: number;
 };
@@ -44,6 +49,45 @@ function normalizeSessionKey(sessionId: string): string {
   return normalized || 'default';
 }
 
+function envFlagEnabled(name: string, defaultValue: boolean): boolean {
+  const raw = process.env[name];
+  if (raw == null || raw.trim() === '') return defaultValue;
+  return !ENV_FALSEY.has(raw.trim().toLowerCase());
+}
+
+function deriveStableId(raw: string, maxLength = 40): string {
+  const base =
+    String(raw || 'default')
+      .toLowerCase()
+      .replace(/[^a-z0-9_-]+/g, '_')
+      .replace(/^_+|_+$/g, '') || 'default';
+  const hash = createHash('sha256').update(raw).digest('hex').slice(0, 10);
+  const headLength = Math.max(1, maxLength - hash.length - 1);
+  return `${base.slice(0, headLength)}_${hash}`;
+}
+
+function shouldPersistProfiles(): boolean {
+  return envFlagEnabled('BROWSER_PERSIST_PROFILE', true);
+}
+
+function shouldPersistSessionState(): boolean {
+  return envFlagEnabled('BROWSER_PERSIST_SESSION_STATE', true);
+}
+
+function resolveProfileRoot(): string {
+  const configured = String(process.env.BROWSER_PROFILE_ROOT || '').trim();
+  if (!configured) return ensureWritableDir(BROWSER_PROFILE_ROOT);
+  const resolved = path.isAbsolute(configured) ? configured : path.resolve(WORKSPACE_ROOT, configured);
+  return ensureWritableDir(resolved);
+}
+
+function resolveCdpUrl(explicit?: string): string | undefined {
+  const direct = String(explicit || '').trim();
+  if (direct) return direct;
+  const configured = String(process.env.BROWSER_CDP_URL || '').trim();
+  return configured || undefined;
+}
+
 function resolveRunner(): BrowserRunner | null {
   if (cachedRunner !== undefined) {
     return cachedRunner;
@@ -86,12 +130,27 @@ function getSession(sessionId: string): BrowserSession {
   }
 
   fs.mkdirSync(BROWSER_SOCKET_ROOT, { recursive: true, mode: 0o700 });
-  const socketDir = path.join(BROWSER_SOCKET_ROOT, sessionKey);
+  const runtimeKey = deriveStableId(sessionKey, 32);
+  const socketDir = path.join(BROWSER_SOCKET_ROOT, runtimeKey);
   fs.mkdirSync(socketDir, { recursive: true, mode: 0o700 });
 
+  let profileDir: string | undefined;
+  if (shouldPersistProfiles()) {
+    try {
+      profileDir = ensureWritableDir(path.join(resolveProfileRoot(), runtimeKey));
+    } catch {
+      // Fallback to ephemeral browser context if profile dir cannot be created.
+      profileDir = undefined;
+    }
+  }
+
+  const stateName = shouldPersistSessionState() ? deriveStableId(sessionKey, 48) : undefined;
+
   const session: BrowserSession = {
     sessionKey,
     socketDir,
+    profileDir,
+    stateName,
     createdAt: Date.now(),
     lastUsedAt: Date.now(),
   };
@@ -290,24 +349,34 @@ async function runAgentBrowser(
   const xdgCacheDir = ensureWritableDir(BROWSER_XDG_CACHE);
   const playwrightBrowsersPath = resolvePlaywrightBrowsersPath();
   const args = [...runner.prefixArgs];
-  if (options.cdpUrl && options.cdpUrl.trim()) {
-    args.push('--cdp', options.cdpUrl.trim());
+  const cdpUrl = resolveCdpUrl(options.cdpUrl);
+  if (cdpUrl) {
+    args.push('--cdp', cdpUrl);
   }
   args.push('--json', command, ...commandArgs);
 
+  const browserEnv: NodeJS.ProcessEnv = {
+    ...process.env,
+    AGENT_BROWSER_SOCKET_DIR: session.socketDir,
+    AGENT_BROWSER_SESSION: 'default',
+    HOME: homeDir,
+    XDG_CACHE_HOME: xdgCacheDir,
+    NPM_CONFIG_CACHE: npmCacheDir,
+    npm_config_cache: npmCacheDir,
+    PLAYWRIGHT_BROWSERS_PATH: playwrightBrowsersPath,
+  };
+  if (session.stateName) {
+    browserEnv.AGENT_BROWSER_SESSION_NAME = session.stateName;
+  }
+  if (!cdpUrl && session.profileDir) {
+    browserEnv.AGENT_BROWSER_PROFILE = session.profileDir;
+  }
+
   try {
     const { stdout, stderr } = await execFileAsync(runner.cmd, args, {
       timeout: timeoutMs,
       maxBuffer: 2 * 1024 * 1024,
-      env: {
-        ...process.env,
-        AGENT_BROWSER_SOCKET_DIR: session.socketDir,
-        HOME: homeDir,
-        XDG_CACHE_HOME: xdgCacheDir,
-        NPM_CONFIG_CACHE: npmCacheDir,
-        npm_config_cache: npmCacheDir,
-        PLAYWRIGHT_BROWSERS_PATH: playwrightBrowsersPath,
-      },
+      env: browserEnv,
     });
 
     const output = String(stdout || '').trim();

package/docs/index.html

@@ -1010,7 +1010,7 @@
     </div>
     <div class="feature-card">
       <h3 style="color: var(--accent-1);">Safety Model</h3>
-      <p>Trust-model acceptance is required during onboarding, execution uses runtime guardrails by default, and TUI blocks on unapproved instruction changes.</p>
+      <p>Trust-model acceptance is required during onboarding, execution uses runtime guardrails by default, user-directed browser auth-flow testing is supported, and TUI blocks on unapproved instruction changes.</p>
     </div>
     <div class="feature-card">
       <h3 style="color: var(--accent-1);">Prompt Orchestration</h3>
@@ -1102,7 +1102,7 @@
     <div class="tool-pill">
       <div class="tool-pill-icon">&#x1f5a5;&#xfe0f;</div>
       <div class="tool-pill-name">browser_*</div>
-      <div class="tool-pill-desc">Navigate, snapshot, click, type, screenshot, PDF</div>
+      <div class="tool-pill-desc">Navigate, snapshot, click, type, auth-flow testing, screenshot, PDF</div>
     </div>
     <div class="tool-pill">
       <div class="tool-pill-icon">&#x1f551;</div>
@@ -1201,6 +1201,10 @@
       <div class="faq-q">Is it safe to let the agent run shell commands?</div>
       <div class="faq-a">Yes. All tools execute inside ephemeral Docker containers with read-only filesystems, memory caps, and a deny-list of 28+ dangerous command patterns. The host machine is never exposed.</div>
     </div>
+    <div class="faq-item">
+      <div class="faq-q">Can browser tools test real login flows?</div>
+      <div class="faq-a">Yes, when explicitly requested by the user for the intended site. Runtime guidance allows authenticated browser-flow testing, while sensitive credential values are redacted from structured audit tool-argument logs.</div>
+    </div>
     <div class="faq-item">
       <div class="faq-q">Is the audit trail immutable?</div>
       <div class="faq-a">Audit logs are append-only and hash-chained per session, so modifications are tamper-evident. Use <code>hybridclaw audit verify &lt;sessionId&gt;</code> to validate integrity, and <code>hybridclaw audit approvals --denied</code> to review denied actions.</div>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hybridaione/hybridclaw",
-  "version": "0.1.19",
+  "version": "0.1.20",
   "type": "module",
   "description": "Personal AI assistant bot for Discord, powered by HybridAI",
   "publishConfig": {

package/src/audit-events.ts

@@ -35,6 +35,31 @@ function summarizeToolResult(text: string): string {
   return truncateAuditText(text, 280);
 }
 
+const SENSITIVE_ARG_KEY_RE = /(pass(word)?|secret|token|api[_-]?key|authorization|cookie|credential|session)/i;
+
+function sanitizeAuditArguments(toolName: string, value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map((entry) => sanitizeAuditArguments(toolName, entry));
+  }
+  if (!value || typeof value !== 'object') {
+    return value;
+  }
+
+  const out: Record<string, unknown> = {};
+  for (const [key, raw] of Object.entries(value as Record<string, unknown>)) {
+    if (SENSITIVE_ARG_KEY_RE.test(key)) {
+      out[key] = '[REDACTED]';
+      continue;
+    }
+    if (toolName === 'browser_type' && key === 'text') {
+      out[key] = '[REDACTED]';
+      continue;
+    }
+    out[key] = sanitizeAuditArguments(toolName, raw);
+  }
+  return out;
+}
+
 export function emitToolExecutionAuditEvents(input: {
   sessionId: string;
   runId: string;
@@ -44,6 +69,7 @@ export function emitToolExecutionAuditEvents(input: {
   toolExecutions.forEach((execution, index) => {
     const toolCallId = `${runId}:tool:${index + 1}`;
     const argumentsObject = parseJsonObject(execution.arguments || '{}');
+    const auditArguments = sanitizeAuditArguments(execution.name, argumentsObject);
 
     recordAuditEvent({
       sessionId,
@@ -52,7 +78,7 @@ export function emitToolExecutionAuditEvents(input: {
         type: 'tool.call',
         toolCallId,
         toolName: execution.name,
-        arguments: argumentsObject,
+        arguments: auditArguments,
       },
     });
 

package/src/prompt-hooks.ts

@@ -71,6 +71,12 @@ function buildSafetyHook(context: PromptHookContext): string {
     'Use bash for execution/build/validation tasks, not for file authoring.',
     'After file changes, run commands only when asked; otherwise explicitly offer to run them immediately.',
     'Only skip file creation when the user explicitly asks for snippet-only or explanation-only output.',
+    '',
+    '## Browser Auth Handling',
+    'When the user explicitly asks for login/auth-flow testing, browser tools may be used on the requested site, including filling credentials and submitting forms.',
+    'Do not invent blanket restrictions such as "browser tools are only for public/unauthenticated pages" unless an actual tool/policy error says so.',
+    'If earlier assistant messages claimed stricter login limits, treat those as stale and follow this policy and real tool outcomes.',
+    'Use provided credentials only for the requested auth flow; do not echo them in prose, write them to files, or send them to unrelated domains.',
   ];
 
   if (accepted) {