swallow/maestro
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
maestro/docs/tools/browse-sessions.md
clade 7049a874f3 feat: initial public release (MAESTRO v0.1.0) 
Open-source release of MAESTRO, an agent orchestration platform that runs
LLM-driven tasks through sandboxed tools, with a web UI. Apache-2.0.
See README.md and docs/ (getting-started, configuration, architecture).
2026-06-03 04:01:14 +00:00

49 lines
2.1 KiB
Markdown
Raw Blame History

# Browser Sessions
Save a logged-in browser session per site so scheduled tasks can scrape authenticated
pages without you being present.
## How to add a session
1. Open Settings → ツール設定 → Browser Sessions.
2. Click **Add site session**.
3. Fill in:
- **Label**: human-readable name (e.g., "My Twitter").
- **Start URL**: the page that proves you're logged in (e.g., `https://twitter.com/home`).
- **Logged-in selector** (optional): a CSS selector that only exists when logged in.
- **Login URL pattern** (optional): a glob that matches the site's login page (e.g., `https://twitter.com/i/flow/login**`).
4. Click **Open login window** — a browser appears inside the dialog.
5. Log in normally. Solve any CAPTCHA / 2FA.
6. Click **Save**. The session is captured, encrypted, and stored.
## How to use a session in a task
When creating a local or scheduled task, pick the saved session from the
**Browser session** dropdown. The agent's `BrowseWeb` calls inside that task
will run with your saved cookies / localStorage.
## Expiry
If the session expires (cookie rotation, password change, etc.) the next task
will fail with `AUTH_SESSION_EXPIRED`, the session will be marked **Expired**
in the settings list, and a comment will be posted on the task notifying you.
Click **Re-login** in the Browser Sessions list to capture a fresh state.
## Security
- Sessions are encrypted with a personal key derived per user. Other users
cannot read them. Admins can revoke and delete sessions, but cannot decrypt them.
- Sessions are not shared with org / public visibility — they are always bound to
the task owner.
- Audit logs record every save / use / decrypt with timestamp, actor, and result.
## Limitations (v1)
- Sessions are read-only snapshots — cookie mutations during a task run are NOT
written back. Sites that rotate refresh tokens on every request may need
re-login periodically.
- IndexedDB and sessionStorage are not captured by `Playwright.context.storageState`,
so sites that depend heavily on them may not work.
- One profile, one site. Cross-domain SSO sessions need every involved origin
visited during the initial login.
Reference in New Issue View Git Blame Copy Permalink