browser: route existing-session user profile through browser nodes

[mbelinky]

Summary

• Problem: the browser tool hard-blocked profile="user" / existing-session when targeting a browser node, even though the docs describe node-host browser proxy as the default remote-gateway path.
• Why it matters: remote gateways could drive the node-managed openclaw browser, but they could not reach the real signed-in Chrome session on the browser machine.
• What changed: removed the existing-session node hard-block, kept sandbox rejection, preserved explicit target="host" pinning, and added focused regression coverage for omitted target, explicit target="node", and explicit target="host".
• What did NOT change (scope boundary): this does not change sandbox behavior, does not broaden target="host" semantics, and does not touch Chrome MCP session management beyond allowing the browser-tool routing layer to use the existing node proxy path.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: profile="user" / existing-session Chrome MCP is hard-blocked for target="node" despite node-host browser docs #48677
• Related #
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: extensions/browser/src/browser-tool.ts treated Chrome MCP existing-session profiles as host-local only and threw before node routing could run.
• Missing detection / guardrail: there was no browser-tool test covering profile="user" with node routing semantics.
• Contributing context (if known): the docs evolved toward node-host browser proxy as the remote-gateway story, but the tool routing guard still reflected the older local-only assumption.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: extensions/browser/src/browser-tool.test.ts
• Scenario the test should lock in: profile="user" should auto-route through a connected browser node when target is omitted, should work with explicit target="node", and should still stay on host when target="host" is explicit.
• Why this is the smallest reliable guardrail: the bug sits in browser-tool target resolution before any live browser I/O, so the focused tool test covers the decision logic directly without requiring live Chrome.
• Existing test that already covers this (if any): none for the node-routing path.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

• Remote gateways can now use profile="user" through a connected browser node instead of being hard-blocked.
• Explicit target="host" still pins the host and prevents node auto-routing.

Diagram (if applicable)

Before:
remote gateway + browser node + profile="user" -> browser tool hard-block -> failure

After:
remote gateway + browser node + profile="user" -> node proxy routing -> existing-session browser on node

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:
  • N/A

Repro + Verification

Environment

• OS: macOS local dev host for focused tests; bug originally reproduced on a remote gateway + browser-node setup
• Runtime/container: Node.js workspace via pnpm
• Model/provider: N/A
• Integration/channel (if any): browser tool
• Relevant config (redacted): browser-capable node connected; browser.profiles.user.driver = "existing-session"

Steps

1. Connect a browser-capable node.
2. Invoke the browser tool with profile="user" and either no target or target="node".
3. Verify routing uses the node proxy instead of throwing.

Expected

• profile="user" can route through the connected browser node.
• Explicit target="host" still stays on host.

Actual

• Matches expected with the new routing logic and focused tests.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: focused browser-tool test file passes from a clean worktree; omitted target and explicit target="node" both route through the node proxy; explicit target="host" remains host-pinned.
• Edge cases checked: profile="user" still rejects target="sandbox" and still falls back to host when no browser node is available.
• What you did not verify: a fresh live Chrome attach end-to-end from this clean worktree after pushing the branch.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:
  • N/A

Risks and Mitigations

• Risk: remote callers that intentionally depended on the old hard-block could now reach the node path.
  • Mitigation: that path was already documented as the remote-browser architecture, and explicit target="host" pinning still preserves the old host-only intent when needed.
• Risk: future refactors could accidentally re-break the host pinning contract while fixing node routing.
  • Mitigation: the new focused tests lock both behaviors in the same file.

[greptile-apps]

Greptile Summary

This PR fixes a bug where the browser tool unconditionally hard-blocked profile="user" (existing-session) when a browser node was connected, preventing remote gateways from reaching the signed-in Chrome session on the browser node as documented. The fix removes the blanket node guard, retains the sandbox rejection and explicit target="host" pinning, and adds a post-resolution fallback to "host" when no node is available. Three focused regression tests lock in omitted-target auto-routing, explicit target="node", and explicit target="host" pinning.

Confidence Score: 5/5

Safe to merge — the change is narrowly scoped, the fallback-to-host logic is correct, sandbox rejection is preserved, and focused tests cover all three relevant routing branches.

All findings are P2 or lower. The routing logic is correct, the sandbox guard and explicit host-pin are preserved, and the new tests close the coverage gap that originally allowed this bug to exist.

No files require special attention.

_{Reviews (1): Last reviewed commit: "browser: route user profile through brow..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 06b641efb1

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d6ada08a5c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[mbelinky]

Follow-up on the remaining security-bot concern: I do not think it blocks this PR.

This patch is aligning existing-session (profile=\"user\") with the browser-node routing model that the docs already describe for remote gateways; it is not inventing a new node-target concept. The explicit contracts still hold:

• target=\"host\" stays pinned to host
• target=\"node\" / node=<id> remain explicit node routing
• target=\"sandbox\" is still rejected for existing-session
• omitted target still falls back to host when node routing is unavailable

The sandbox-policy point is broader than this PR: today allowHostControl is documented and implemented as a host-target gate, not a generic non-sandbox browser gate, and node browser routing already exists for the managed browser path. If we want a stronger trust model around node browser delegation, that should be handled as a separate policy design change rather than by keeping this existing-session bug in place.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	Automatic routing of existing-session (profile=user) to browser nodes may expose node-local browser data without explicit opt-in

1. 🟠 Automatic routing of existing-session (profile=user) to browser nodes may expose node-local browser data without explicit opt-in

Property	Value
Severity	High
CWE	CWE-862
Location	extensions/browser/src/browser-tool.ts:403-463

Description

The browser tool now allows existing-session profiles (e.g. profile="user") to be routed through a connected browser node proxy when available.

This introduces a security risk in deployments where:

• tool callers are not fully trusted (e.g., untrusted prompts/users can invoke the tool), and
• browser nodes run under real user accounts with existing Chrome/Chromium profiles.

Because existing-session attachment uses Chrome DevTools MCP and may be configured with userDataDir, routing to a node means the tool can attach to and control a node-host browser profile (cookies/logins/history) and potentially select a sensitive local profile directory on that node.

Key issue:

• The tool will attempt resolveBrowserNodeTarget(...) even for existing-session profiles, and when a node is found it will send the request to node.invoke / browser.proxy.
• There is no requirement for an explicit target="node" or explicit node pin (node=<id>) when using profile="user".

Vulnerable behavior (new/changed logic):

nodeTarget = await resolveBrowserNodeTarget({ requestedNode, target, sandboxBridgeUrl });
...
const proxyRequest = nodeTarget ? async (...) => callBrowserProxy({ nodeId: nodeTarget.nodeId, ... }) : null;

This can unexpectedly move an existing-session attachment from the local host to a node, expanding the attack surface to the node's filesystem/profile context.

Recommendation

Require explicit opt-in before routing existing-session profiles to a browser node.

Options:

1. Conservative default: keep existing-session profiles on host unless target="node" or node=<id|name> is explicitly provided.
2. Add a config gate such as gateway.nodes.browser.allowExistingSessionOnNode: true (default false).
3. Enforce node-side allowlisting for sensitive profiles (e.g., profile=user) by default.

Example (option 1):

if (isUserBrowserProfile && !requestedNode && target !== "node") {
  target = "host";
}

This ensures node-hosted existing-session attachments cannot occur implicitly and prevents accidental exposure of node-local browser profiles.

---

Analyzed PR: #68891 at commit 9b50845

_{Last updated on: 2026-04-19T10:20:55Z}