Browser agents should know where they are allowed to go and when they need host confirmation.
Domain policy from the CLI
web agent \
--url https://www.sec.gov/edgar/search/ \
--allow-domain sec.gov \
"Find Apple's latest 10-Q filings and return filing metadata."
--allow-domain sec.gov constrains the browser run to the allowed domain. The CLI agent command exposes domain allow-listing only; use the SDK when you need the full policy object.
Domain policy in the SDK
const agent = web.agent({
model,
browser: {
policy: { allowedDomains: ["sec.gov"] },
},
});
Approval modes
| Mode | Use it when |
|---|
ask | Your app or CLI should ask a human before risky actions. |
delegated | The configured harness can continue within the policy boundary. |
never | The run should fail or stop instead of requesting confirmation. |
web agent \
--approval ask \
--url https://example.com/account \
--allow-domain example.com \
"Open the account page and summarize the billing status. Do not change settings."
const agent = web.agent({
model,
browser: { policy: { allowedDomains: ["example.com"] } },
approval: "ask",
onConfirm: async (request) => {
await notifyReviewer(request.message, request.evidence);
return { approved: false, reason: "Manual review required." };
},
});
High-impact actions
Require clear approval before actions involving:
- Authentication.
- Account creation.
- Sensitive data.
- External submissions.
- Payments or purchases.
- Legal acceptance.
- Destructive changes.
- Permission changes.
- CAPTCHA resolution.
- File uploads.
- Out-of-scope navigation.
Approval policy is not a sandbox for arbitrary JavaScript. It is a browser-agent decision boundary. Use domain policy, server-side authorization, and application checks for defense in depth.
