Standing Order Agent / Module 02
Module 02

One browser contract, four execution modes.

Browser Control manages isolation, session lifecycle, evidence, network policy, and user takeover. Stop & Shop selectors and grocery semantics live elsewhere.

4browser modes
1session per household run
3evidence channels
0shared profiles
Flow

Browser provider architecture

Browser control module
Browser control module
Session Manager selects the configured provider, restores encrypted state, executes asserted actions, records evidence, and pauses for takeover on challenges or unknown state.
Modes

Choose runtime without changing the retailer workflow

ModeUseStrengthConstraint
Local headlessCI and stable automated runsFast, reproducible, disposableSome auth or anti-bot flows may require presence
Local visibleDiscovery, MFA, debuggingUser can see and take over immediatelyRequires a desktop/display
Remote CDPUser- or team-controlled ChromeReuse remote browser infrastructureEndpoint is highly sensitive; isolation is weaker
Managed cloudHosted scheduled runsLifecycle, recordings, debug/takeover linksCost, retention, residency, vendor dependency
Lifecycle

Every session follows the same controls

  1. 01

    Allocate

    Acquire a household-scoped lease, provider capacity, allowed origins, and an empty disposable context.

  2. 02

    Restore

    Decrypt only the approved storage-state artifact through a vault reference. Never inject a raw password from application storage.

  3. 03

    Validate

    Confirm retailer origin, authenticated account fingerprint, delivery context, and current session state.

  4. 04

    Execute

    Run one retailer operation with explicit preconditions, stable locators, timeout, and postconditions.

  5. 05

    Evidence

    Record redacted step result, optional screenshot, trace, and network metadata with the workflow trace ID.

  6. 06

    Persist or destroy

    Export a minimized encrypted state when policy allows; always destroy the temporary profile and revoke the lease.

Safety controls

Browser access is equivalent to account access

Origin allowlist

Reject unexpected domains, lookalike hostnames, downloads, arbitrary navigation, and unapproved external resources.

Dedicated profile

Never attach to the user’s everyday Chrome profile. Remote debugging uses a dedicated non-default user-data directory.

Short-lived takeover

Authenticate the application user again, issue a single-user expiring link, and audit when control changes hands.

Challenge handling

Pause on MFA, CAPTCHA, access denial, or unknown state. The system never attempts to bypass retailer controls.