Check hasActivePlaywrightConnection before closing so repeated or
cold-start stop calls correctly return { stopped: false } instead of
always claiming a session was terminated.
Loopback ws:// profiles are locally-managed and need the normal
launch/attach/probe flow. Only skip throwaway WebSocket probes and
use lazy connection for remote (non-loopback) WebSocket profiles.
- Sign up and dashboard links now point to cloud.browser-use.com
- Added pay-as-you-go pricing bullet with concurrent session info
- Moved auto-create-on-connect note to shared WebSocket endpoints section
- Restructured opening paragraph to fix Mintlify underline rendering
Add Ollama as a auth provider in onboarding with Cloud + Local mode
selection, browser-based sign-in via /api/me, smart model suggestions
per mode, and graceful fallback when the default model is unavailable.
- Extract shared ollama-models.ts
- Auto-pull missing models during onboarding
- Non-interactive mode support for CI/automation
Closes#8239Closes#3494
Co-Authored-By: Jeffrey Morgan <jmorganca@gmail.com>
The nodes tool was missing from OWNER_ONLY_TOOL_NAME_FALLBACKS in
tool-policy.ts. applyOwnerOnlyToolPolicy() correctly removed gateway
and cron for non-owners but kept nodes, which internally issues
privileged gateway calls: node.pair.approve (operator.pairing) and
node.invoke (operator.write).
A non-owner sender could approve pending node pairings and invoke
arbitrary node commands, extending to system.run on paired nodes.
Add nodes to the fallback owner-only set. Non-owners no longer receive
the nodes tool after policy application; owners retain it.
Fixes GHSA-r26r-9hxr-r792
Plugin subagent dispatch used a hardcoded synthetic client carrying
operator.admin, operator.approvals, and operator.pairing for all
runtime.subagent.* calls. Plugin HTTP routes with auth:"plugin" require
no gateway auth by design, so an unauthenticated external request could
drive admin-only gateway methods (sessions.delete, agent.run) through
the subagent runtime.
Propagate the real gateway client into the plugin runtime request scope
when one is available. Plugin HTTP routes now run inside a scoped
runtime client: auth:"plugin" routes receive a non-admin synthetic
operator.write client; gateway-authenticated routes retain admin-capable
scopes. The security boundary is enforced at the HTTP handler level.
Fixes GHSA-xw77-45gv-p728
device.token.rotate accepted attacker-controlled scopes and forwarded
them to rotateDeviceToken without verifying the caller held those
scopes. A pairing-scoped token could rotate up to operator.admin on
any already-paired device whose approvedScopes included admin.
Add a caller-scope subsetting check before rotateDeviceToken: the
requested scopes must be a subset of client.connect.scopes via the
existing roleScopesAllow helper. Reject with missing scope: <scope>
if not.
Also add server.device-token-rotate-authz.test.ts covering both the
priv-esc path and the admin-to-node-invoke chain.
Fixes GHSA-4jpw-hj22-2xmc
Replace dynamic import with static import since pw-session.ts is already
statically imported in this module, eliminating INEFFECTIVE_DYNAMIC_IMPORT
build warnings.
Previously stop was a no-op for remote WebSocket profiles since there is
no local Chrome process to kill. Now it closes the cached Playwright CDP
connection, properly disconnecting from the cloud browser session.
Cloud WebSocket endpoints like Browser Use provision sessions on demand.
Skip the up-front reachability gate so the first tab operation triggers
the Playwright connectOverCDP call instead of erroring with unreachable.
For cloud browser providers like Browser Use and Browserbase, each raw
WebSocket health check provisions a new ephemeral browser session. Check
the cached Playwright connection state instead, which reflects whether
we actually have an active connection without side effects.
