Origin allowlist
Reject unexpected domains, lookalike hostnames, downloads, arbitrary navigation, and unapproved external resources.
Browser Control manages isolation, session lifecycle, evidence, network policy, and user takeover. Stop & Shop selectors and grocery semantics live elsewhere.
| Mode | Use | Strength | Constraint |
|---|---|---|---|
| Local headless | CI and stable automated runs | Fast, reproducible, disposable | Some auth or anti-bot flows may require presence |
| Local visible | Discovery, MFA, debugging | User can see and take over immediately | Requires a desktop/display |
| Remote CDP | User- or team-controlled Chrome | Reuse remote browser infrastructure | Endpoint is highly sensitive; isolation is weaker |
| Managed cloud | Hosted scheduled runs | Lifecycle, recordings, debug/takeover links | Cost, retention, residency, vendor dependency |
Acquire a household-scoped lease, provider capacity, allowed origins, and an empty disposable context.
Decrypt only the approved storage-state artifact through a vault reference. Never inject a raw password from application storage.
Confirm retailer origin, authenticated account fingerprint, delivery context, and current session state.
Run one retailer operation with explicit preconditions, stable locators, timeout, and postconditions.
Record redacted step result, optional screenshot, trace, and network metadata with the workflow trace ID.
Export a minimized encrypted state when policy allows; always destroy the temporary profile and revoke the lease.
Reject unexpected domains, lookalike hostnames, downloads, arbitrary navigation, and unapproved external resources.
Never attach to the user’s everyday Chrome profile. Remote debugging uses a dedicated non-default user-data directory.
Authenticate the application user again, issue a single-user expiring link, and audit when control changes hands.
Pause on MFA, CAPTCHA, access denial, or unknown state. The system never attempts to bypass retailer controls.