browser: add authenticated loopback bridge for sandbox runtime

- add loopback HTTP bridge with bearer auth for runtime command execution

- route dedicated sandbox provider command execution through bridge

- add bridge auth unit tests and provider/cli test updates

Co-Authored-By: GPT-5 Codex <codex@openai.com>

Author: dcramer

specs/browser.md

@@ -46,6 +46,7 @@ It does not own:
 9. Runtime/doctor guidance MUST NOT document host-runtime bypasses for sandbox provider.
 10. Sandbox browser runtime MUST be dedicated-container only; legacy shared-executor Chromium launch paths are unsupported.
 11. Dedicated browser containers MUST be scope-keyed (effective user scope) so independent scopes do not share a runtime container.
+12. Dedicated runtime command execution MUST traverse an authenticated loopback bridge (bearer token) rather than unauthenticated control surfaces.
 
 ## Integration Contract
 
@@ -109,3 +110,4 @@ Expected failure semantics:
 - [x] Docs match actual runtime behavior and contain no host-bypass guidance.
 - [x] Dedicated browser runtime uses scope-keyed container naming.
 - [x] Legacy shared-executor browser runtime path removed from active behavior.
+- [x] Dedicated runtime command execution uses authenticated loopback bridge.

src/ash/browser/bridge.py

@@ -0,0 +1,241 @@
+"""Authenticated loopback bridge for browser runtime command execution."""
+
+from __future__ import annotations
+
+import json
+import secrets
+import subprocess
+import threading
+from collections.abc import Callable
+from dataclasses import dataclass
+from http import HTTPStatus
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+from urllib.error import HTTPError, URLError
+from urllib.request import Request, urlopen
+
+from ash.sandbox.executor import ExecutionResult
+
+BridgeExecutor = Callable[[str, int, dict[str, str]], ExecutionResult]
+
+
+@dataclass(slots=True)
+class BrowserExecBridge:
+    """Loopback HTTP bridge with bearer-token auth."""
+
+    token: str
+    base_url: str
+    _server: ThreadingHTTPServer
+    _thread: threading.Thread
+
+    @classmethod
+    def start(
+        cls,
+        *,
+        executor: BridgeExecutor,
+        host: str = "127.0.0.1",
+        token: str | None = None,
+    ) -> BrowserExecBridge:
+        if host not in {"127.0.0.1", "localhost"}:
+            raise ValueError(f"bridge_loopback_required:{host}")
+
+        bridge_token = (token or secrets.token_hex(24)).strip()
+        if not bridge_token:
+            raise ValueError("bridge_token_required")
+
+        class _BridgeServer(ThreadingHTTPServer):
+            daemon_threads = True
+            allow_reuse_address = True
+
+            def __init__(self) -> None:
+                super().__init__((host, 0), _BridgeHandler)
+                self.bridge_token = bridge_token
+                self.bridge_executor = executor
+
+        class _BridgeHandler(BaseHTTPRequestHandler):
+            server: _BridgeServer
+
+            def do_POST(self) -> None:  # noqa: N802
+                if self.path != "/exec":
+                    self._write_json(
+                        HTTPStatus.NOT_FOUND, {"error": "bridge_route_not_found"}
+                    )
+                    return
+                expected = f"Bearer {self.server.bridge_token}"
+                if (self.headers.get("Authorization") or "") != expected:
+                    self._write_json(
+                        HTTPStatus.UNAUTHORIZED, {"error": "bridge_unauthorized"}
+                    )
+                    return
+                try:
+                    content_length = int(self.headers.get("Content-Length") or "0")
+                except ValueError:
+                    self._write_json(
+                        HTTPStatus.BAD_REQUEST,
+                        {"error": "bridge_invalid_content_length"},
+                    )
+                    return
+                body = self.rfile.read(max(0, content_length))
+                try:
+                    payload = json.loads(body.decode("utf-8", errors="replace"))
+                except json.JSONDecodeError:
+                    self._write_json(
+                        HTTPStatus.BAD_REQUEST, {"error": "bridge_invalid_json"}
+                    )
+                    return
+                command = payload.get("command")
+                timeout_seconds = payload.get("timeout_seconds")
+                environment = payload.get("environment") or {}
+                if not isinstance(command, str) or not command.strip():
+                    self._write_json(
+                        HTTPStatus.BAD_REQUEST, {"error": "bridge_invalid_command"}
+                    )
+                    return
+                if not isinstance(timeout_seconds, int) or timeout_seconds <= 0:
+                    self._write_json(
+                        HTTPStatus.BAD_REQUEST, {"error": "bridge_invalid_timeout"}
+                    )
+                    return
+                if not isinstance(environment, dict) or not all(
+                    isinstance(k, str) and isinstance(v, str)
+                    for k, v in environment.items()
+                ):
+                    self._write_json(
+                        HTTPStatus.BAD_REQUEST, {"error": "bridge_invalid_environment"}
+                    )
+                    return
+                try:
+                    result = self.server.bridge_executor(
+                        command, timeout_seconds, environment
+                    )
+                except Exception as e:
+                    self._write_json(
+                        HTTPStatus.INTERNAL_SERVER_ERROR,
+                        {"error": f"bridge_executor_failed:{e}"},
+                    )
+                    return
+                self._write_json(
+                    HTTPStatus.OK,
+                    {
+                        "exit_code": result.exit_code,
+                        "stdout": result.stdout,
+                        "stderr": result.stderr,
+                        "timed_out": result.timed_out,
+                    },
+                )
+
+            def _write_json(
+                self, status: HTTPStatus, payload: dict[str, object]
+            ) -> None:
+                body = json.dumps(payload, ensure_ascii=True).encode("utf-8")
+                self.send_response(int(status))
+                self.send_header("Content-Type", "application/json")
+                self.send_header("Content-Length", str(len(body)))
+                self.end_headers()
+                self.wfile.write(body)
+
+            def log_message(self, format: str, *args: object) -> None:
+                _ = (format, args)
+                return
+
+        server = _BridgeServer()
+        thread = threading.Thread(
+            target=server.serve_forever,
+            name="ash-browser-bridge",
+            daemon=True,
+        )
+        thread.start()
+        port = int(server.server_address[1])
+        return cls(
+            token=bridge_token,
+            base_url=f"http://127.0.0.1:{port}",
+            _server=server,
+            _thread=thread,
+        )
+
+    def stop(self) -> None:
+        self._server.shutdown()
+        self._server.server_close()
+        self._thread.join(timeout=2.0)
+
+
+def request_bridge_exec(
+    *,
+    base_url: str,
+    token: str,
+    command: str,
+    timeout_seconds: int,
+    environment: dict[str, str] | None = None,
+) -> ExecutionResult:
+    payload = json.dumps(
+        {
+            "command": command,
+            "timeout_seconds": timeout_seconds,
+            "environment": environment or {},
+        },
+        ensure_ascii=True,
+    ).encode("utf-8")
+    request = Request(  # noqa: S310
+        f"{base_url.rstrip('/')}/exec",
+        method="POST",
+        data=payload,
+        headers={
+            "Content-Type": "application/json",
+            "Authorization": f"Bearer {token}",
+        },
+    )
+    try:
+        with urlopen(request, timeout=max(5, timeout_seconds + 10)) as response:  # noqa: S310
+            body = response.read().decode("utf-8", errors="replace")
+    except HTTPError as e:
+        if e.code == int(HTTPStatus.UNAUTHORIZED):
+            raise ValueError("bridge_unauthorized") from None
+        raise ValueError(f"bridge_http_error:{e.code}") from None
+    except URLError as e:
+        raise ValueError(f"bridge_unreachable:{e}") from e
+    parsed = json.loads(body)
+    return ExecutionResult(
+        exit_code=int(parsed.get("exit_code", 1)),
+        stdout=str(parsed.get("stdout") or ""),
+        stderr=str(parsed.get("stderr") or ""),
+        timed_out=bool(parsed.get("timed_out")),
+    )
+
+
+def make_docker_exec_bridge_executor(*, container_name: str) -> BridgeExecutor:
+    def _execute(
+        command: str, timeout_seconds: int, environment: dict[str, str]
+    ) -> ExecutionResult:
+        env_args: list[str] = []
+        for key, value in environment.items():
+            env_args.extend(["-e", f"{key}={value}"])
+        args = [
+            "docker",
+            "exec",
+            *env_args,
+            container_name,
+            "bash",
+            "-lc",
+            command,
+        ]
+        try:
+            proc = subprocess.run(  # noqa: S603
+                args,
+                capture_output=True,
+                text=True,
+                timeout=max(5, timeout_seconds + 10),
+                check=False,
+            )
+        except subprocess.TimeoutExpired:
+            return ExecutionResult(
+                exit_code=-1,
+                stdout="",
+                stderr="bridge_command_timed_out",
+                timed_out=True,
+            )
+        return ExecutionResult(
+            exit_code=int(proc.returncode),
+            stdout=proc.stdout or "",
+            stderr=proc.stderr or "",
+        )
+
+    return _execute

src/ash/browser/providers/sandbox.py

@@ -17,6 +17,11 @@
 from typing import Any
 from urllib.parse import urlparse
 
+from ash.browser.bridge import (
+    BrowserExecBridge,
+    make_docker_exec_bridge_executor,
+    request_bridge_exec,
+)
 from ash.browser.providers.base import (
     ProviderExtractResult,
     ProviderGotoResult,
@@ -35,6 +40,8 @@ class _RemoteSandboxRuntime:
     base_dir: str
     container_name: str | None = None
     host_port: int | None = None
+    bridge_base_url: str | None = None
+    bridge_token: str | None = None
 
 
 class SandboxBrowserProvider:
@@ -65,6 +72,7 @@ def __init__(
         self._session_targets: dict[str, str] = {}
         self._runtime: _RemoteSandboxRuntime | None = None
         self._active_scope_hash: str | None = None
+        self._bridge: BrowserExecBridge | None = None
         self._runtime_lock = asyncio.Lock()
         self.runs_in_sandbox_executor = True
         self._runtime_restart_attempts = max(0, int(runtime_restart_attempts))
@@ -939,17 +947,29 @@ async def _launch_runtime(self, *, scope_hash: str) -> _RemoteSandboxRuntime:
                 )
                 raise ValueError(f"sandbox_browser_launch_failed: {message}")
 
+        if self._bridge is not None:
+            self._bridge.stop()
+            self._bridge = None
+        bridge = BrowserExecBridge.start(
+            executor=make_docker_exec_bridge_executor(container_name=container_name)
+        )
+        self._bridge = bridge
         host_port = await self._docker_resolve_host_port(container_name, 9222)
         runtime = _RemoteSandboxRuntime(
             port=9222,
             pid=0,
             base_dir="/tmp/ash-browser/runtime",  # noqa: S108 - container-local runtime path
             container_name=container_name,
             host_port=host_port,
+            bridge_base_url=bridge.base_url,
+            bridge_token=bridge.token,
         )
         try:
             await self._wait_for_cdp_ready(runtime=runtime)
         except ValueError as e:
+            bridge.stop()
+            if self._bridge is bridge:
+                self._bridge = None
             await self._kill_runtime(runtime)
             raise e
         logger.info(
@@ -997,6 +1017,9 @@ async def _is_runtime_healthy(self, runtime: _RemoteSandboxRuntime) -> bool:
         return ws_ok
 
     async def _kill_runtime(self, runtime: _RemoteSandboxRuntime) -> None:
+        if self._bridge is not None:
+            self._bridge.stop()
+            self._bridge = None
         if runtime.container_name:
             _ = await self._execute_host_command(
                 ["docker", "rm", "-f", runtime.container_name],
@@ -1153,47 +1176,38 @@ async def _execute_sandbox_command(
             raise ValueError(
                 "sandbox_browser_runtime_unavailable: dedicated_container_missing"
             )
-        env_args: list[str] = []
-        for key, value in (environment or {}).items():
-            env_args.extend(["-e", f"{key}={value}"])
-        result = await self._execute_host_command(
-            [
-                "docker",
-                "exec",
-                *env_args,
-                active_runtime.container_name,
-                "bash",
-                "-lc",
-                command,
-            ],
-            timeout_seconds=max(5, timeout_seconds + 10),
+        if not active_runtime.bridge_base_url or not active_runtime.bridge_token:
+            raise ValueError("sandbox_browser_runtime_unavailable: bridge_missing")
+        result = await self._execute_via_bridge(
+            runtime=active_runtime,
+            command=command,
+            timeout_seconds=timeout_seconds,
+            environment=environment,
         )
         if result.timed_out:
             raise ValueError(
                 f"sandbox_browser_action_timeout:{phase}:{max(5, timeout_seconds + 10)}s"
             )
         return result
 
-    _MAX_LAUNCH_ATTEMPTS = 3
-    _MAX_LAUNCH_TOTAL_SECONDS = 45.0
+    async def _execute_via_bridge(
+        self,
+        *,
+        runtime: _RemoteSandboxRuntime,
+        command: str,
+        timeout_seconds: int,
+        environment: dict[str, str] | None = None,
+    ) -> ExecutionResult:
+        if not runtime.bridge_base_url or not runtime.bridge_token:
+            raise ValueError("sandbox_browser_runtime_unavailable: bridge_missing")
+        return await asyncio.to_thread(
+            request_bridge_exec,
+            base_url=runtime.bridge_base_url,
+            token=runtime.bridge_token,
+            command=command,
+            timeout_seconds=max(1, timeout_seconds),
+            environment=environment or {},
+        )
+
     _HTTP_READY_TIMEOUT_SECONDS = 12.0
     _WS_READY_TIMEOUT_SECONDS = 8.0
-    _CHROMIUM_RUNTIME_FLAGS = (
-        "--headless=new",
-        "--no-sandbox",
-        "--disable-setuid-sandbox",
-        "--disable-dev-shm-usage",
-        "--disable-gpu",
-        "--no-first-run",
-        "--no-default-browser-check",
-        "--disable-sync",
-        "--disable-background-networking",
-        "--disable-component-update",
-        "--disable-features=Translate,MediaRouter",
-        "--disable-session-crashed-bubble",
-        "--hide-crash-restore-bubble",
-        "--password-store=basic",
-        "--disable-breakpad",
-        "--disable-crash-reporter",
-        "--metrics-recording-only",
-    )