fix(mcp): isolate agents from shared browser

{  "message": "Bad credentials",  "documentation_url": "https://docs.github.com/rest",  "status": "401"} · {  "message": "Bad credentials",  "documentation_url": "https://docs.github.com/rest",  "status": "401"} · commit 7adcec898d94 · 2026-04-16T09:03:34.000Z
diff --git a/packages/api/src/services/agents.ts b/packages/api/src/services/agents.ts
@@ -55,18 +55,18 @@ const sourceLabel = (request: CreateAgentRequest): string =>
 
 const pickDefaultCommand = (provider: CreateAgentRequest["provider"]): string => {
   if (provider === "codex") {
-    return "codex"
+    return "MCP_PLAYWRIGHT_ISOLATED=1 codex"
   }
   if (provider === "opencode") {
     return "opencode"
   }
   if (provider === "claude") {
-    return "claude"
+    return "MCP_PLAYWRIGHT_ISOLATED=1 claude"
   }
   return ""
 }
 
-const buildCommand = (request: CreateAgentRequest): string => {
+export const buildCommand = (request: CreateAgentRequest): string => {
   const direct = request.command?.trim() ?? ""
   if (direct.length > 0) {
     return direct
diff --git a/packages/api/tests/agents.test.ts b/packages/api/tests/agents.test.ts
@@ -0,0 +1,23 @@
+import { describe, expect, it } from "vitest"
+
+import { buildCommand } from "../src/services/agents.js"
+
+describe("agent service", () => {
+  it("starts default Codex agents with isolated Playwright MCP", () => {
+    expect(buildCommand({ provider: "codex" })).toBe("MCP_PLAYWRIGHT_ISOLATED=1 codex")
+    expect(buildCommand({ provider: "codex", args: ["exec", "hello world"] })).toBe(
+      "MCP_PLAYWRIGHT_ISOLATED=1 codex 'exec' 'hello world'"
+    )
+  })
+
+  it("starts default Claude agents with isolated Playwright MCP", () => {
+    expect(buildCommand({ provider: "claude" })).toBe("MCP_PLAYWRIGHT_ISOLATED=1 claude")
+    expect(buildCommand({ provider: "claude", args: ["-p", "hello world"] })).toBe(
+      "MCP_PLAYWRIGHT_ISOLATED=1 claude '-p' 'hello world'"
+    )
+  })
+
+  it("does not rewrite custom agent commands", () => {
+    expect(buildCommand({ provider: "codex", command: "codex --help" })).toBe("codex --help")
+  })
+})
diff --git a/packages/app/src/docker-git/cli/usage.ts b/packages/app/src/docker-git/cli/usage.ts
@@ -93,7 +93,7 @@ Container runtime env (set via .orch/env/project.env):
   DOCKER_GIT_ZSH_AUTOSUGGEST=1|0        Enable zsh-autosuggestions (default: 1)
   DOCKER_GIT_ZSH_AUTOSUGGEST_STYLE=...  zsh-autosuggestions highlight style (default: fg=8,italic)
   DOCKER_GIT_ZSH_AUTOSUGGEST_STRATEGY=...  Suggestion sources (default: history completion)
-  MCP_PLAYWRIGHT_ISOLATED=1|0           Isolated browser contexts (recommended for many Codex; default: 1)
+  MCP_PLAYWRIGHT_ISOLATED=1|0           Isolated browser contexts; default 0 shares the VNC session
   MCP_PLAYWRIGHT_CDP_GUARD=1|0          Guard CDP so MCP cannot close/crash shared Chromium (default: 1)
   MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE=1|0  Block destructive Browser.close/crash CDP methods (default: 1)
   MCP_PLAYWRIGHT_CDP_ENDPOINT=http://...  Override CDP endpoint (default: http://dg-<repo>-browser:9223)
diff --git a/packages/app/src/lib/core/templates-entrypoint/agent.ts b/packages/app/src/lib/core/templates-entrypoint/agent.ts
@@ -52,8 +52,13 @@ fi`
 
 const renderAgentPromptCommand = (mode: AgentMode): string =>
   Match.value(mode).pipe(
-    Match.when("claude", () => String.raw`claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
-    Match.when("codex", () => String.raw`codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
+    Match.when(
+      "claude",
+      () =>
+        String
+          .raw`MCP_PLAYWRIGHT_ISOLATED=1 claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"`
+    ),
+    Match.when("codex", () => String.raw`MCP_PLAYWRIGHT_ISOLATED=1 codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
     Match.when("gemini", () => String.raw`gemini --approval-mode=yolo \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
     Match.exhaustive
   )
diff --git a/packages/app/src/lib/core/templates-entrypoint/base.ts b/packages/app/src/lib/core/templates-entrypoint/base.ts
@@ -29,7 +29,7 @@ AGENT_MODE="\${AGENT_MODE:-}"
 AGENT_AUTO="\${AGENT_AUTO:-}"
 MCP_PLAYWRIGHT_ENABLE="\${MCP_PLAYWRIGHT_ENABLE:-${config.enableMcpPlaywright ? "1" : "0"}}"
 MCP_PLAYWRIGHT_CDP_ENDPOINT="\${MCP_PLAYWRIGHT_CDP_ENDPOINT:-}"
-MCP_PLAYWRIGHT_ISOLATED="\${MCP_PLAYWRIGHT_ISOLATED:-1}"
+MCP_PLAYWRIGHT_ISOLATED="\${MCP_PLAYWRIGHT_ISOLATED:-0}"
 MCP_PLAYWRIGHT_CDP_GUARD="\${MCP_PLAYWRIGHT_CDP_GUARD:-1}"
 MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE="\${MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE:-1}"
 
diff --git a/packages/app/src/lib/core/templates-entrypoint/nested-docker-git.ts b/packages/app/src/lib/core/templates-entrypoint/nested-docker-git.ts
@@ -116,7 +116,7 @@ CODEX_AUTO_UPDATE=1
 DOCKER_GIT_ZSH_AUTOSUGGEST=1
 DOCKER_GIT_ZSH_AUTOSUGGEST_STYLE=fg=8,italic
 DOCKER_GIT_ZSH_AUTOSUGGEST_STRATEGY=history completion
-MCP_PLAYWRIGHT_ISOLATED=1
+MCP_PLAYWRIGHT_ISOLATED=0
 EOF
 fi
 
diff --git a/packages/app/src/lib/core/templates/dockerfile.ts b/packages/app/src/lib/core/templates/dockerfile.ts
@@ -172,7 +172,7 @@ if [[ -z "$JSON" ]]; then
 fi
 
 EXTRA_ARGS=()
-if [[ "\${MCP_PLAYWRIGHT_ISOLATED:-1}" == "1" ]]; then
+if [[ "\${MCP_PLAYWRIGHT_ISOLATED:-0}" == "1" ]]; then
   EXTRA_ARGS+=(--isolated)
 fi
 
diff --git a/packages/app/src/lib/usecases/actions/prepare-files.ts b/packages/app/src/lib/usecases/actions/prepare-files.ts
@@ -230,7 +230,7 @@ const defaultProjectEnvContents = [
   "DOCKER_GIT_ZSH_AUTOSUGGEST=1",
   "DOCKER_GIT_ZSH_AUTOSUGGEST_STYLE=fg=8,italic",
   "DOCKER_GIT_ZSH_AUTOSUGGEST_STRATEGY=history completion",
-  "MCP_PLAYWRIGHT_ISOLATED=1",
+  "MCP_PLAYWRIGHT_ISOLATED=0",
   "MCP_PLAYWRIGHT_CDP_GUARD=1",
   "MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE=1",
   ""
diff --git a/packages/lib/src/core/templates-entrypoint/agent.ts b/packages/lib/src/core/templates-entrypoint/agent.ts
@@ -51,8 +51,13 @@ fi`
 
 const renderAgentPromptCommand = (mode: AgentMode): string =>
   Match.value(mode).pipe(
-    Match.when("claude", () => String.raw`claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
-    Match.when("codex", () => String.raw`codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
+    Match.when(
+      "claude",
+      () =>
+        String
+          .raw`MCP_PLAYWRIGHT_ISOLATED=1 claude --dangerously-skip-permissions -p \"\$(cat \"$AGENT_PROMPT_FILE\")\"`
+    ),
+    Match.when("codex", () => String.raw`MCP_PLAYWRIGHT_ISOLATED=1 codex exec \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
     Match.when("gemini", () => String.raw`gemini --approval-mode=yolo \"\$(cat \"$AGENT_PROMPT_FILE\")\"`),
     Match.exhaustive
   )
diff --git a/packages/lib/src/core/templates-entrypoint/base.ts b/packages/lib/src/core/templates-entrypoint/base.ts
@@ -28,7 +28,7 @@ AGENT_MODE="\${AGENT_MODE:-}"
 AGENT_AUTO="\${AGENT_AUTO:-}"
 MCP_PLAYWRIGHT_ENABLE="\${MCP_PLAYWRIGHT_ENABLE:-${config.enableMcpPlaywright ? "1" : "0"}}"
 MCP_PLAYWRIGHT_CDP_ENDPOINT="\${MCP_PLAYWRIGHT_CDP_ENDPOINT:-}"
-MCP_PLAYWRIGHT_ISOLATED="\${MCP_PLAYWRIGHT_ISOLATED:-1}"
+MCP_PLAYWRIGHT_ISOLATED="\${MCP_PLAYWRIGHT_ISOLATED:-0}"
 MCP_PLAYWRIGHT_CDP_GUARD="\${MCP_PLAYWRIGHT_CDP_GUARD:-1}"
 MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE="\${MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE:-1}"
 
diff --git a/packages/lib/src/core/templates-entrypoint/nested-docker-git.ts b/packages/lib/src/core/templates-entrypoint/nested-docker-git.ts
@@ -115,7 +115,7 @@ CODEX_AUTO_UPDATE=1
 DOCKER_GIT_ZSH_AUTOSUGGEST=1
 DOCKER_GIT_ZSH_AUTOSUGGEST_STYLE=fg=8,italic
 DOCKER_GIT_ZSH_AUTOSUGGEST_STRATEGY=history completion
-MCP_PLAYWRIGHT_ISOLATED=1
+MCP_PLAYWRIGHT_ISOLATED=0
 EOF
 fi
 
diff --git a/packages/lib/src/core/templates/dockerfile.ts b/packages/lib/src/core/templates/dockerfile.ts
@@ -171,7 +171,7 @@ if [[ -z "$JSON" ]]; then
 fi
 
 EXTRA_ARGS=()
-if [[ "\${MCP_PLAYWRIGHT_ISOLATED:-1}" == "1" ]]; then
+if [[ "\${MCP_PLAYWRIGHT_ISOLATED:-0}" == "1" ]]; then
   EXTRA_ARGS+=(--isolated)
 fi
 
diff --git a/packages/lib/src/usecases/actions/prepare-files.ts b/packages/lib/src/usecases/actions/prepare-files.ts
@@ -229,7 +229,7 @@ const defaultProjectEnvContents = [
   "DOCKER_GIT_ZSH_AUTOSUGGEST=1",
   "DOCKER_GIT_ZSH_AUTOSUGGEST_STYLE=fg=8,italic",
   "DOCKER_GIT_ZSH_AUTOSUGGEST_STRATEGY=history completion",
-  "MCP_PLAYWRIGHT_ISOLATED=1",
+  "MCP_PLAYWRIGHT_ISOLATED=0",
   "MCP_PLAYWRIGHT_CDP_GUARD=1",
   "MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE=1",
   ""
diff --git a/packages/lib/tests/core/templates.test.ts b/packages/lib/tests/core/templates.test.ts
@@ -167,6 +167,7 @@ describe("renderEntrypoint auth bridge", () => {
       "\"codex\")",
       "\"claude\")",
       "\"gemini\")",
+      'MCP_PLAYWRIGHT_ISOLATED="${MCP_PLAYWRIGHT_ISOLATED:-0}"',
       "\"20-agents-skills::.agents/skills\"",
       "\"30-agents-dot-skills::.agents/.skills\"",
       "\"80-codex-skills::.codex/skills\"",
@@ -176,7 +177,8 @@ describe("renderEntrypoint auth bridge", () => {
       "$project_dir/.gemini/settings.json",
       "$project_dir/.gemini/commands",
       "$project_dir/.gemini/skills",
-      "codex exec"
+      "MCP_PLAYWRIGHT_ISOLATED=1 codex exec",
+      "MCP_PLAYWRIGHT_ISOLATED=1 claude --dangerously-skip-permissions -p"
     ])
     expect(entrypoint).not.toContain("codex --approval-mode full-auto")
     expect(entrypoint).not.toContain("\"40-claude-skills::.claude/skills\"")
@@ -190,7 +192,7 @@ describe("renderEntrypoint auth bridge", () => {
       ". /etc/profile 2>/dev/null || true;",
       String.raw`. \"$AGENT_ENV_FILE\" 2>/dev/null || true;`,
       "AGENT_PROMPT_FILE=\"/run/docker-git/agent-prompt.txt\"",
-      "claude --dangerously-skip-permissions -p",
+      "MCP_PLAYWRIGHT_ISOLATED=1 claude --dangerously-skip-permissions -p",
       "CLAUDE_GLOBAL_PROMPT_FILE=\"/home/dev/.claude/CLAUDE.md\"",
       "CLAUDE_AUTO_SYSTEM_PROMPT=\"${CLAUDE_AUTO_SYSTEM_PROMPT:-1}\"",
       "docker-git-managed:claude-md",
diff --git a/packages/lib/tests/usecases/mcp-playwright.test.ts b/packages/lib/tests/usecases/mcp-playwright.test.ts
@@ -129,6 +129,7 @@ describe("enableMcpPlaywrightProjectFiles", () => {
         expect(dockerfileAfter).toContain("MCP_PLAYWRIGHT_RETRY_ATTEMPTS")
         expect(dockerfileAfter).toContain("MCP_PLAYWRIGHT_RETRY_DELAY")
         expect(dockerfileAfter).toContain("MCP_PLAYWRIGHT_CDP_GUARD")
+        expect(dockerfileAfter).toContain('if [[ "${MCP_PLAYWRIGHT_ISOLATED:-0}" == "1" ]]; then')
         expect(dockerfileAfter).toContain("fetch_cdp_version()")
         expect(dockerfileAfter).toContain("waiting for browser sidecar")
         expect(dockerfileAfter).toContain('exec playwright-mcp --cdp-endpoint "$CDP_ENDPOINT"')
diff --git a/packages/lib/tests/usecases/prepare-files.test.ts b/packages/lib/tests/usecases/prepare-files.test.ts
@@ -210,7 +210,8 @@ describe("prepareProjectFiles", () => {
         expect(entrypoint).toContain('OPENCODE_CONFIG_DIR="/home/dev/.config/opencode"')
         expect(entrypoint).toContain('su - dev -s /bin/bash -c "bash -lc')
         expect(entrypoint).toContain('. /etc/profile 2>/dev/null || true;')
-        expect(entrypoint).toContain("codex exec")
+        expect(entrypoint).toContain("MCP_PLAYWRIGHT_ISOLATED=1 codex exec")
+        expect(entrypoint).toContain("MCP_PLAYWRIGHT_ISOLATED=1 claude --dangerously-skip-permissions -p")
         expect(entrypoint).not.toContain("codex --approval-mode full-auto")
         expect(entrypoint).toContain("docker_git_sync_project_codex_skills()")
         expect(entrypoint).toContain('project_skills_root="$codex_home/skills/.docker-git-project"')
@@ -285,6 +286,7 @@ describe("prepareProjectFiles", () => {
         expect(composeAfter).toContain("container_name: dg-test-browser\n    restart: unless-stopped")
         expect(composeAfter).toContain(`      - ${path.join(outDir, ".orch/env/global.env")}`)
         expect(composeAfter).toContain(`      - ${path.join(outDir, ".orch/env/project.env")}`)
+        expect(envProjectAfter).toContain("MCP_PLAYWRIGHT_ISOLATED=0")
         expect(envProjectAfter).toContain("MCP_PLAYWRIGHT_CDP_GUARD=1")
         expect(envProjectAfter).toContain("MCP_PLAYWRIGHT_BLOCK_BROWSER_CLOSE=1")
         expect(composeAfter).toContain("docker-git-shared")

Original file line number	Diff line number	Diff line change
`@@ -55,18 +55,18 @@ const sourceLabel = (request: CreateAgentRequest): string =>`
`55`	`55`
`56`	`56`	`const pickDefaultCommand = (provider: CreateAgentRequest["provider"]): string => {`
`57`	`57`	`if (provider === "codex") {`
`58`		`- return "codex"`
	`58`	`+ return "MCP_PLAYWRIGHT_ISOLATED=1 codex"`
`59`	`59`	`}`
`60`	`60`	`if (provider === "opencode") {`
`61`	`61`	`return "opencode"`
`62`	`62`	`}`
`63`	`63`	`if (provider === "claude") {`
`64`		`- return "claude"`
	`64`	`+ return "MCP_PLAYWRIGHT_ISOLATED=1 claude"`
`65`	`65`	`}`
`66`	`66`	`return ""`
`67`	`67`	`}`
`68`	`68`
`69`		`-const buildCommand = (request: CreateAgentRequest): string => {`
	`69`	`+export const buildCommand = (request: CreateAgentRequest): string => {`
`70`	`70`	`const direct = request.command?.trim() ?? ""`
`71`	`71`	`if (direct.length > 0) {`
`72`	`72`	`return direct`