feat(browser): add sensitive action controls and read-only noise reduction (#22867)

Author: cynthialong0-0

docs/cli/settings.md

@@ -101,6 +101,13 @@ they appear in the UI.
 | Disable Loop Detection        | `model.disableLoopDetection` | Disable automatic detection and prevention of infinite loops.                          | `false`     |
 | Skip Next Speaker Check       | `model.skipNextSpeakerCheck` | Skip the next speaker check.                                                           | `true`      |
 
+### Agents
+
+| UI Label                  | Setting                                  | Description                                                                                   | Default |
+| ------------------------- | ---------------------------------------- | --------------------------------------------------------------------------------------------- | ------- |
+| Confirm Sensitive Actions | `agents.browser.confirmSensitiveActions` | Require manual confirmation for sensitive browser actions (e.g., fill_form, evaluate_script). | `false` |
+| Block File Uploads        | `agents.browser.blockFileUploads`        | Hard-block file upload requests from the browser agent.                                       | `false` |
+
 ### Context
 
 | UI Label                             | Setting                                           | Description                                                                                                                                                                                                                                 | Default |

docs/reference/configuration.md

@@ -1210,6 +1210,17 @@ their corresponding top-level category object in your `settings.json` file.
   - **Description:** Disable user input on browser window during automation.
   - **Default:** `true`
 
+- **`agents.browser.confirmSensitiveActions`** (boolean):
+  - **Description:** Require manual confirmation for sensitive browser actions
+    (e.g., fill_form, evaluate_script).
+  - **Default:** `false`
+  - **Requires restart:** Yes
+
+- **`agents.browser.blockFileUploads`** (boolean):
+  - **Description:** Hard-block file upload requests from the browser agent.
+  - **Default:** `false`
+  - **Requires restart:** Yes
+
 #### `context`
 
 - **`context.fileName`** (string | string[]):

packages/cli/src/config/settingsSchema.ts

@@ -1198,6 +1198,26 @@ const SETTINGS_SCHEMA = {
               'Disable user input on browser window during automation.',
             showInDialog: false,
           },
+          confirmSensitiveActions: {
+            type: 'boolean',
+            label: 'Confirm Sensitive Actions',
+            category: 'Advanced',
+            requiresRestart: true,
+            default: false,
+            description:
+              'Require manual confirmation for sensitive browser actions (e.g., fill_form, evaluate_script).',
+            showInDialog: true,
+          },
+          blockFileUploads: {
+            type: 'boolean',
+            label: 'Block File Uploads',
+            category: 'Advanced',
+            requiresRestart: true,
+            default: false,
+            description:
+              'Hard-block file upload requests from the browser agent.',
+            showInDialog: true,
+          },
         },
       },
     },

packages/core/src/agents/browser/browserAgentFactory.test.ts

@@ -11,8 +11,10 @@ import {
 } from './browserAgentFactory.js';
 import { injectAutomationOverlay } from './automationOverlay.js';
 import { makeFakeConfig } from '../../test-utils/config.js';
+import { PolicyDecision, PRIORITY_SUBAGENT_TOOL } from '../../policy/types.js';
 import type { Config } from '../../config/config.js';
 import type { MessageBus } from '../../confirmation-bus/message-bus.js';
+import type { PolicyEngine } from '../../policy/policy-engine.js';
 import type { BrowserManager } from './browserManager.js';
 
 // Create mock browser manager
@@ -300,6 +302,116 @@ describe('browserAgentFactory', () => {
     });
   });
 
+  describe('Policy Registration', () => {
+    let mockPolicyEngine: {
+      addRule: ReturnType<typeof vi.fn>;
+      hasRuleForTool: ReturnType<typeof vi.fn>;
+      removeRulesForTool: ReturnType<typeof vi.fn>;
+      getRules: ReturnType<typeof vi.fn>;
+    };
+
+    beforeEach(() => {
+      mockPolicyEngine = {
+        addRule: vi.fn(),
+        hasRuleForTool: vi.fn().mockReturnValue(false),
+        removeRulesForTool: vi.fn(),
+        getRules: vi.fn().mockReturnValue([]),
+      };
+      vi.spyOn(mockConfig, 'getPolicyEngine').mockReturnValue(
+        mockPolicyEngine as unknown as PolicyEngine,
+      );
+    });
+
+    it('should register sensitive action rules', async () => {
+      mockConfig = makeFakeConfig({
+        agents: {
+          browser: {
+            confirmSensitiveActions: true,
+          },
+        },
+      });
+      vi.spyOn(mockConfig, 'getPolicyEngine').mockReturnValue(
+        mockPolicyEngine as unknown as PolicyEngine,
+      );
+
+      await createBrowserAgentDefinition(mockConfig, mockMessageBus);
+
+      expect(mockPolicyEngine.addRule).toHaveBeenCalledWith(
+        expect.objectContaining({
+          toolName: 'mcp_browser_agent_fill',
+          decision: PolicyDecision.ASK_USER,
+          priority: 999,
+        }),
+      );
+
+      expect(mockPolicyEngine.addRule).toHaveBeenCalledWith(
+        expect.objectContaining({
+          toolName: 'mcp_browser_agent_upload_file',
+          decision: PolicyDecision.ASK_USER,
+          priority: 999,
+        }),
+      );
+
+      expect(mockPolicyEngine.addRule).toHaveBeenCalledWith(
+        expect.objectContaining({
+          toolName: 'mcp_browser_agent_evaluate_script',
+          decision: PolicyDecision.ASK_USER,
+          priority: 999,
+        }),
+      );
+    });
+
+    it('should register fill rule even when confirmSensitiveActions is disabled', async () => {
+      await createBrowserAgentDefinition(mockConfig, mockMessageBus);
+
+      expect(mockPolicyEngine.addRule).toHaveBeenCalledWith(
+        expect.objectContaining({
+          toolName: 'mcp_browser_agent_fill',
+        }),
+      );
+
+      expect(mockPolicyEngine.addRule).not.toHaveBeenCalledWith(
+        expect.objectContaining({
+          toolName: 'mcp_browser_agent_upload_file',
+        }),
+      );
+    });
+
+    it('should register ALLOW rules for read-only tools', async () => {
+      mockBrowserManager.getDiscoveredTools.mockResolvedValue([
+        { name: 'take_snapshot', description: 'Take snapshot' },
+        { name: 'take_screenshot', description: 'Take screenshot' },
+        { name: 'list_pages', description: 'list all pages' },
+      ]);
+
+      await createBrowserAgentDefinition(mockConfig, mockMessageBus);
+
+      expect(mockPolicyEngine.addRule).toHaveBeenCalledWith(
+        expect.objectContaining({
+          toolName: 'mcp_browser_agent_take_snapshot',
+          decision: PolicyDecision.ALLOW,
+          priority: PRIORITY_SUBAGENT_TOOL,
+        }),
+      );
+
+      expect(mockPolicyEngine.addRule).toHaveBeenCalledWith(
+        expect.objectContaining({
+          toolName: 'mcp_browser_agent_take_screenshot',
+          decision: PolicyDecision.ALLOW,
+          priority: PRIORITY_SUBAGENT_TOOL,
+        }),
+      );
+
+      expect(mockPolicyEngine.addRule).toHaveBeenCalledWith(
+        expect.objectContaining({
+          toolName: 'mcp_browser_agent_list_pages',
+          decision: PolicyDecision.ALLOW,
+          priority: PRIORITY_SUBAGENT_TOOL,
+        }),
+      );
+    });
+  });
+
   describe('cleanupBrowserAgent', () => {
     it('should call close on browser manager', async () => {
       await cleanupBrowserAgent(

packages/core/src/agents/browser/browserAgentFactory.ts

@@ -21,6 +21,8 @@ import type { LocalAgentDefinition } from '../types.js';
 import type { MessageBus } from '../../confirmation-bus/message-bus.js';
 import type { AnyDeclarativeTool } from '../../tools/tools.js';
 import { BrowserManager } from './browserManager.js';
+import { BROWSER_AGENT_NAME } from './browserAgentDefinition.js';
+import { MCP_TOOL_PREFIX } from '../../tools/mcp-tool.js';
 import {
   BrowserAgentDefinition,
   type BrowserTaskResultSchema,
@@ -30,6 +32,11 @@ import { createAnalyzeScreenshotTool } from './analyzeScreenshot.js';
 import { injectAutomationOverlay } from './automationOverlay.js';
 import { injectInputBlocker } from './inputBlocker.js';
 import { debugLogger } from '../../utils/debugLogger.js';
+import {
+  PolicyDecision,
+  PRIORITY_SUBAGENT_TOOL,
+  type PolicyRule,
+} from '../../policy/types.js';
 
 /**
  * Creates a browser agent definition with MCP tools configured.
@@ -86,9 +93,79 @@ export async function createBrowserAgentDefinition(
     browserManager,
     messageBus,
     shouldDisableInput,
+    browserConfig.customConfig.blockFileUploads,
   );
   const availableToolNames = mcpTools.map((t) => t.name);
 
+  // Register high-priority policy rules for sensitive actions which is not
+  // able to be overwrite by YOLO mode.
+  const policyEngine = config.getPolicyEngine();
+
+  if (policyEngine) {
+    const existingRules = policyEngine.getRules();
+
+    const restrictedTools = ['fill', 'fill_form'];
+
+    // ASK_USER for upload_file and evaluate_script when sensitive action
+    // need confirmation.
+    if (browserConfig.customConfig.confirmSensitiveActions) {
+      restrictedTools.push('upload_file', 'evaluate_script');
+    }
+
+    for (const toolName of restrictedTools) {
+      const rule = generateAskUserRules(toolName);
+      if (!existingRules.some((r) => isRuleEqual(r, rule))) {
+        policyEngine.addRule(rule);
+      }
+    }
+
+    // Reduce noise for read-only tools in default mode
+    const readOnlyTools = [
+      'take_snapshot',
+      'take_screenshot',
+      'list_pages',
+      'list_network_requests',
+    ];
+    for (const toolName of readOnlyTools) {
+      if (availableToolNames.includes(toolName)) {
+        const rule = generateAllowRules(toolName);
+        if (!existingRules.some((r) => isRuleEqual(r, rule))) {
+          policyEngine.addRule(rule);
+        }
+      }
+    }
+  }
+
+  function generateAskUserRules(toolName: string): PolicyRule {
+    return {
+      toolName: `${MCP_TOOL_PREFIX}${BROWSER_AGENT_NAME}_${toolName}`,
+      decision: PolicyDecision.ASK_USER,
+      priority: 999,
+      source: 'BrowserAgent (Sensitive Actions)',
+      mcpName: BROWSER_AGENT_NAME,
+    };
+  }
+
+  function generateAllowRules(toolName: string): PolicyRule {
+    return {
+      toolName: `${MCP_TOOL_PREFIX}${BROWSER_AGENT_NAME}_${toolName}`,
+      decision: PolicyDecision.ALLOW,
+      priority: PRIORITY_SUBAGENT_TOOL,
+      source: 'BrowserAgent (Read-Only)',
+      mcpName: BROWSER_AGENT_NAME,
+    };
+  }
+
+  // Check if policy rule the same in all the attributes that we care about
+  function isRuleEqual(rule1: PolicyRule, rule2: PolicyRule) {
+    return (
+      rule1.toolName === rule2.toolName &&
+      rule1.decision === rule2.decision &&
+      rule1.priority === rule2.priority &&
+      rule1.mcpName === rule2.mcpName
+    );
+  }
+
   // Validate required semantic tools are available
   const requiredSemanticTools = [
     'click',

packages/core/src/agents/browser/mcpToolWrapper.test.ts

@@ -301,4 +301,55 @@ describe('mcpToolWrapper', () => {
       expect(mockBrowserManager.callTool).toHaveBeenCalledTimes(3);
     });
   });
+
+  describe('Hard Block: upload_file', () => {
+    beforeEach(() => {
+      mockMcpTools.push({
+        name: 'upload_file',
+        description: 'Upload a file',
+        inputSchema: {
+          type: 'object',
+          properties: { path: { type: 'string' } },
+        },
+      });
+    });
+
+    it('should block upload_file when blockFileUploads is true', async () => {
+      const tools = await createMcpDeclarativeTools(
+        mockBrowserManager,
+        mockMessageBus,
+        false,
+        true, // blockFileUploads
+      );
+
+      const uploadTool = tools.find((t) => t.name === 'upload_file')!;
+      const invocation = uploadTool.build({ path: 'test.txt' });
+      const result = await invocation.execute(new AbortController().signal);
+
+      expect(result.error).toBeDefined();
+      expect(result.llmContent).toContain('File uploads are blocked');
+      expect(mockBrowserManager.callTool).not.toHaveBeenCalled();
+    });
+
+    it('should NOT block upload_file when blockFileUploads is false', async () => {
+      const tools = await createMcpDeclarativeTools(
+        mockBrowserManager,
+        mockMessageBus,
+        false,
+        false, // blockFileUploads
+      );
+
+      const uploadTool = tools.find((t) => t.name === 'upload_file')!;
+      const invocation = uploadTool.build({ path: 'test.txt' });
+      const result = await invocation.execute(new AbortController().signal);
+
+      expect(result.error).toBeUndefined();
+      expect(result.llmContent).toBe('Tool result');
+      expect(mockBrowserManager.callTool).toHaveBeenCalledWith(
+        'upload_file',
+        expect.anything(),
+        expect.anything(),
+      );
+    });
+  });
 });