Add browser-jail design, threat model, and Phase 0 spike artifacts
Three coordinated docs that anchor the FreeBSD-hosted headless browser
work:
- docs/internal/BROWSER-JAIL.md — full design (architecture, MCP tool
surface, isolation model, auth via better-auth, PF egress policy,
screenshot retention, audit logging) and a threat-model section
covering SSRF, credential leakage, cross-session bleed, audit
poisoning, and resource exhaustion.
- docs/internal/VISION-GROUNDING-FINDINGS.md — spike methodology
(3 deterministic HTML fixtures, DOM-extracted ground truth,
30 px tolerance, identical prompt across models). Claude Opus 4.7
column complete: 17/17 PASS, mean 1 px, max 8 px. GPT-4o, GLM-4V,
and UI-TARS columns pending — harness ready under
tmp/browser-jail-spike/.
- doc/BROWSER-JAIL-HANDOFF.md — Codex handoff for Phase 0.5 (FreeBSD
viability spike) and Phase 1 (jail HTTP service + controlplane MCP
proxy + PF rules) with per-commit validation requirements.
Runtime constraint baked in: Node v22+ everywhere on the FreeBSD path,
no Bun. CDP client is puppeteer-core against system-pkg Chromium —
full Playwright avoided due to FreeBSD bundling gaps.
3070fa323f