feat: add MCP Browser Sidecar to sysadmin stack

Add mcp-browser service for LLM-driven browser automation:
- Session-based browser management
- Domain allowlisting for security
- Resource limits (CPU/memory)
- Screenshots volume

Also add MCP_BROWSER_URL environment variable to agent.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

script/stacks/sysadmin/docker-compose.yml

@@ -38,6 +38,9 @@ services:
       - PLAYWRIGHT_DEFAULT_TIMEOUT_MS=60000
       - PLAYWRIGHT_NAVIGATION_TIMEOUT_MS=120000
 
+      # MCP Browser Sidecar connection (for LLM-driven browser control)
+      - MCP_BROWSER_URL=http://mcp-browser:8931
+
     volumes:
       # Docker socket for container management
       - /var/run/docker.sock:/var/run/docker.sock
@@ -73,8 +76,48 @@ services:
           cpus: '0.25'
           memory: 256M
 
+  mcp-browser:
+    image: code.letsbe.solutions/letsbe/mcp-browser:latest
+    container_name: {{ customer }}-mcp-browser
+
+    environment:
+      # Session limits
+      - MAX_SESSIONS=${MAX_SESSIONS:-3}
+      - IDLE_TIMEOUT_SECONDS=${IDLE_TIMEOUT_SECONDS:-300}
+      - MAX_SESSION_LIFETIME_SECONDS=${MAX_SESSION_LIFETIME_SECONDS:-1800}
+      - MAX_ACTIONS_PER_SESSION=${MAX_ACTIONS_PER_SESSION:-50}
+
+      # Logging
+      - LOG_LEVEL=${LOG_LEVEL:-INFO}
+      - LOG_JSON=${LOG_JSON:-true}
+
+      # Screenshots
+      - SCREENSHOTS_DIR=/screenshots
+
+    volumes:
+      # Screenshots storage
+      - mcp_screenshots:/screenshots
+
+    # Security options for Chromium sandboxing
+    security_opt:
+      - seccomp=unconfined
+
+    restart: unless-stopped
+
+    # Resource limits for browser automation
+    deploy:
+      resources:
+        limits:
+          cpus: '1.5'
+          memory: 1G
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+
 volumes:
   agent_home:
     name: {{ customer }}-agent-home
   playwright_artifacts:
     name: {{ customer }}-playwright-artifacts
+  mcp_screenshots:
+    name: {{ customer }}-mcp-screenshots

script/start.sh

@@ -142,7 +142,7 @@ parse_json() {
 
     # Registration token (can also be set via environment variable)
     local json_token=$(echo "$json" | jq -r '.registration_token // empty')
-    [[ -n "$json_token" ]] && SYSADMIN_REGISTRATION_TOKEN="$json_token"
+    [[ -n "$json_token" ]] && SYSADMIN_REGISTRATION_TOKEN="$json_token" || true
 }
 
 # =============================================================================