From 6f4bee81281094fc4d67f22c56edc773918f7e84 Mon Sep 17 00:00:00 2001
From: Matt <matt@letsbe.solutions>
Date: Mon, 8 Dec 2025 20:27:39 +0100
Subject: [PATCH] feat: add MCP Browser Sidecar to sysadmin stack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add mcp-browser service for LLM-driven browser automation:
- Session-based browser management
- Domain allowlisting for security
- Resource limits (CPU/memory)
- Screenshots volume

Also add MCP_BROWSER_URL environment variable to agent.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 script/stacks/sysadmin/docker-compose.yml | 43 +++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/script/stacks/sysadmin/docker-compose.yml b/script/stacks/sysadmin/docker-compose.yml
index 17ca8b3..0fe5389 100644
--- a/script/stacks/sysadmin/docker-compose.yml
+++ b/script/stacks/sysadmin/docker-compose.yml
@@ -38,6 +38,9 @@ services:
       - PLAYWRIGHT_DEFAULT_TIMEOUT_MS=60000
       - PLAYWRIGHT_NAVIGATION_TIMEOUT_MS=120000
 
+      # MCP Browser Sidecar connection (for LLM-driven browser control)
+      - MCP_BROWSER_URL=http://mcp-browser:8931
+
     volumes:
       # Docker socket for container management
       - /var/run/docker.sock:/var/run/docker.sock
@@ -73,8 +76,48 @@ services:
           cpus: '0.25'
           memory: 256M
 
+  mcp-browser:
+    image: code.letsbe.solutions/letsbe/mcp-browser:latest
+    container_name: {{ customer }}-mcp-browser
+
+    environment:
+      # Session limits
+      - MAX_SESSIONS=${MAX_SESSIONS:-3}
+      - IDLE_TIMEOUT_SECONDS=${IDLE_TIMEOUT_SECONDS:-300}
+      - MAX_SESSION_LIFETIME_SECONDS=${MAX_SESSION_LIFETIME_SECONDS:-1800}
+      - MAX_ACTIONS_PER_SESSION=${MAX_ACTIONS_PER_SESSION:-50}
+
+      # Logging
+      - LOG_LEVEL=${LOG_LEVEL:-INFO}
+      - LOG_JSON=${LOG_JSON:-true}
+
+      # Screenshots
+      - SCREENSHOTS_DIR=/screenshots
+
+    volumes:
+      # Screenshots storage
+      - mcp_screenshots:/screenshots
+
+    # Security options for Chromium sandboxing
+    security_opt:
+      - seccomp=unconfined
+
+    restart: unless-stopped
+
+    # Resource limits for browser automation
+    deploy:
+      resources:
+        limits:
+          cpus: '1.5'
+          memory: 1G
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+
 volumes:
   agent_home:
     name: {{ customer }}-agent-home
   playwright_artifacts:
     name: {{ customer }}-playwright-artifacts
+  mcp_screenshots:
+    name: {{ customer }}-mcp-screenshots