The sites domain keeps browser sessions, signs in with encrypted credentials, and performs actions without giving secrets, raw DOM, or selectors to the model.
| Executor | Role |
|---|---|
open_sites | Opens named, isolated Playwright contexts. |
login_sites | Signs in through the vault without returning credentials. |
read_sites | Reads text and produces redacted screenshots. |
act_sites | Reduces a natural-language action to a closed, verifiable primitive. |
delete_sites | Closes one session or revokes all sessions owned by the user. |
The executors are thin clients. State, browser, and controls live in the session broker on port 8771. Every operation verifies both the session ID and its owner.
Only the broker calls the vault. The form origin must exactly match the credential domain and is checked again before filling and submitting. The broker selects credential fields itself.
Chat does not require a rigid syntax. For example, credentials for telepass.com, user xxxxx, password yyyyy and remember telepass.com credentials usr:xxxxx, pwd:yyyyy are equivalent. Values are extracted and redacted before the planner; recognized labels come from the translatable detection lexicon.
As a hidden-input fallback, use metnos-cli credentials add telepass.com --binding web --host telepass.com. The password is requested interactively and must not be placed in shell arguments. The binding must be the form's exact host: telepass.com and login.telepass.com are distinct.
Usernames, passwords, and broker-owned fields are covered by both DOM overlays and Playwright's native screenshot mask. No screenshot is captured between credential fill and submit.
The operation vocabulary is closed: goto, click, fill, submit, and wait. Targets are selected by accessible role and name; a local VLM may only choose among broker-enumerated candidates.
The planner decomposes a task into elementary actions. For one action, the executor may run a bounded agentic loop: observe accessible candidates and redacted screenshots, try deterministic resolvers first, propose one broker-owned ID, verify the effect, and observe again. Prompts contain goal, state, observed, history, and constraints. The primitive remains fixed by the action; observed is untrusted page data, and models cannot produce selectors, URLs, credentials, or consent.
Redirects, custom menus, and popups are observation-driven: targets must be visible, topmost, and stable; an out-of-bound popup requests only its observed document host. Widgets, telemetry, and images do not automatically extend the allowlist.
Navigation, submit, POST, download, and credential use require consent. After external content is ingested, tainted-turn rules apply. One batch gate shows a description and redacted screenshot; approval uses an opaque token, and DOM changes invalidate the action.
Sessions allow HTTP(S) to exact hosts only. Service workers and WebRTC are disabled; WebSockets are filtered where supported. Adding a host requires explicit approval.