gsd-build · glittercowboy · May 1, 2026 · May 1, 2026 · May 1, 2026 · May 1, 2026
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.26.2
 require (
 	github.com/coder/websocket v1.8.14
 	github.com/creack/pty v1.1.24
-	github.com/gsd-build/protocol-go v0.32.0
+	github.com/gsd-build/protocol-go v0.33.0
 	github.com/spf13/cobra v1.10.2
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 )

diff --git a/go.sum b/go.sum
@@ -3,8 +3,8 @@ github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6p
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
-github.com/gsd-build/protocol-go v0.32.0 h1:4Vk/8GFH8s539xx01EFENO7snhJkndvnp9OxiANoCSI=
-github.com/gsd-build/protocol-go v0.32.0/go.mod h1:vECSwMFp59Ihu5ZH4aLF5fuW9zJ4a3ZXCYngmzfBn8s=
+github.com/gsd-build/protocol-go v0.33.0 h1:/UBKhB5bcW7QVvGNDH0h7KZIaVVqvE9/OtYi0uH4RrI=
+github.com/gsd-build/protocol-go v0.33.0/go.mod h1:vECSwMFp59Ihu5ZH4aLF5fuW9zJ4a3ZXCYngmzfBn8s=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=

diff --git a/internal/browser/manager.go b/internal/browser/manager.go
@@ -187,6 +187,7 @@ func (m *Manager) sendFrame(ctx context.Context, browserID string) {
 		DevicePixelRatio: frame.DevicePixelRatio,
 		CapturedAt:       frame.CapturedAt,
 	})
+	m.sendRefs(ctx, browserID)
 	m.mu.Lock()
 	if current := m.byID[browserID]; current == state && frame.Sequence > current.lastFrameSeq {
 		current.lastFrameSeq = frame.Sequence
@@ -205,6 +206,52 @@ func (m *Manager) sendFrame(ctx context.Context, browserID string) {
 	}
 }
 
+func (m *Manager) sendRefs(ctx context.Context, browserID string) {
+	m.mu.Lock()
+	state, ok := m.byID[browserID]
+	if !ok {
+		m.mu.Unlock()
+		return
+	}
+	req := state.openRequest
+	m.mu.Unlock()
+
+	refsCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+	refs, err := m.service.Refs(refsCtx, browserID)
+	if err != nil {
+		return
+	}
+
+	out := make([]protocol.BrowserRef, 0, len(refs.Refs))
+	for _, ref := range refs.Refs {
+		out = append(out, protocol.BrowserRef{
+			Ref:  ref.Ref,
+			Key:  ref.Key,
+			Role: ref.Role,
+			Name: ref.Name,
+			X:    ref.X,
+			Y:    ref.Y,
+			W:    ref.W,
+			H:    ref.H,
+		})
+	}
+
+	capturedAt := refs.CapturedAt
+	if capturedAt == "" {
+		capturedAt = time.Now().UTC().Format(time.RFC3339Nano)
+	}
+	_ = m.sender.Send(ctx, &protocol.BrowserRefs{
+		Type:       protocol.MsgTypeBrowserRefs,
+		BrowserID:  browserID,
+		SessionID:  req.SessionID,
+		ChannelID:  req.ChannelID,
+		Version:    refs.Version,
+		Refs:       out,
+		CapturedAt: capturedAt,
+	})
+}
+
 func (m *Manager) GrantForTask(taskID string) (Grant, bool) {
 	if taskID == "" {
 		return Grant{}, false
@@ -430,6 +477,55 @@ func (m *Manager) Tool(ctx context.Context, msg *protocol.BrowserToolCall) error
 		m.mu.Unlock()
 		return fmt.Errorf("browser control belongs to %s", state.owner)
 	}
+	req := state.openRequest
+	risk := classifyBrowserTool(msg.Method, msg.ParamsJSON)
+	if msg.Method == "vault_save" {
+		m.mu.Unlock()
+		if err := m.sender.Send(ctx, &protocol.BrowserToolResult{
+			Type:      protocol.MsgTypeBrowserToolResult,
+			BrowserID: msg.BrowserID,
+			GrantID:   msg.GrantID,
+			TaskID:    msg.TaskID,
+			ToolUseID: msg.ToolUseID,
+			OK:        false,
+			Error:     "agent-initiated vault_save is not allowed",
+		}); err != nil {
+			return fmt.Errorf("send browser vault_save rejection: %w", err)
+		}
+		return fmt.Errorf("agent-initiated vault_save is not allowed")
+	}
+	if browserRiskRequiresApproval(risk) {
+		previousOwner := state.owner
+		previousVersion := state.controlVersion
+		state.owner = OwnerApproval
+		state.controlVersion++
+		nextVersion := state.controlVersion
+		m.mu.Unlock()
+		requestID := fmt.Sprintf("browser_sensitive_%d", time.Now().UnixNano())
+		if err := m.sender.Send(ctx, &protocol.BrowserSensitiveActionRequest{
+			Type:      protocol.MsgTypeBrowserSensitiveActionRequest,
+			BrowserID: msg.BrowserID,
+			RequestID: requestID,
+			SessionID: req.SessionID,
+			ChannelID: req.ChannelID,
+			TaskID:    msg.TaskID,
+			ToolUseID: msg.ToolUseID,
+			Category:  string(risk),
+			Summary:   browserApprovalSummary(msg.Method, risk),
+			ExpiresAt: time.Now().Add(2 * time.Minute).UTC().Format(time.RFC3339Nano),
+		}); err != nil {
+			m.mu.Lock()
+			if current := m.byID[msg.BrowserID]; current == state &&
+				current.owner == OwnerApproval &&
+				current.controlVersion == nextVersion {
+				current.owner = previousOwner
+				current.controlVersion = previousVersion
+			}
+			m.mu.Unlock()
+			return fmt.Errorf("send browser sensitive action request: %w", err)
+		}
+		return fmt.Errorf("browser action requires approval: %s", risk)
+	}
 	m.mu.Unlock()
 	result, err := m.service.Tool(ctx, msg.BrowserID, msg.Method, msg.ParamsJSON)
 	if err != nil {
@@ -446,3 +542,7 @@ func (m *Manager) Tool(ctx context.Context, msg *protocol.BrowserToolCall) error
 		Error:      result.Error,
 	})
 }
+
+func browserApprovalSummary(method string, risk BrowserRisk) string {
+	return fmt.Sprintf("Run browser method %s (%s)", method, risk)
+}