From 3ed877a813723f7222b9f5ed804b195dbeb17117 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sat, 10 Jan 2026 01:08:05 +0000
Subject: [PATCH] fix: sandbox browser CDP proxy

---
 CHANGELOG.md                          |  1 +
 Dockerfile.sandbox-browser            |  1 +
 scripts/sandbox-browser-entrypoint.sh | 21 +++++++++++++++++++--
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17d774c8f..a4a3ec328 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- Sandbox browser: proxy CDP out of the container so host port mappings work (fixes `attachOnly` “profile not running”). — thanks @steipete
 - Agents: gate heartbeat prompt to default agent sessions (including non-agent session keys). (#630) — thanks @adam91holt
 - Agent: fast abort on /stop and cancel tool calls between tool boundaries. (#617)
 - Models/Auth: add OpenCode Zen (multi-model proxy) onboarding. (#623) — thanks @magimetal
diff --git a/Dockerfile.sandbox-browser b/Dockerfile.sandbox-browser
index b6dee841b..3b18917b1 100644
--- a/Dockerfile.sandbox-browser
+++ b/Dockerfile.sandbox-browser
@@ -14,6 +14,7 @@ RUN apt-get update \
     jq \
     novnc \
     python3 \
+    socat \
     websockify \
     x11vnc \
     xvfb \
diff --git a/scripts/sandbox-browser-entrypoint.sh b/scripts/sandbox-browser-entrypoint.sh
index 901d9fc48..c241b2b6f 100755
--- a/scripts/sandbox-browser-entrypoint.sh
+++ b/scripts/sandbox-browser-entrypoint.sh
@@ -25,9 +25,15 @@ else
   CHROME_ARGS=()
 fi
 
+if [[ "${CDP_PORT}" -ge 65535 ]]; then
+  CHROME_CDP_PORT="$((CDP_PORT - 1))"
+else
+  CHROME_CDP_PORT="$((CDP_PORT + 1))"
+fi
+
 CHROME_ARGS+=(
-  "--remote-debugging-address=0.0.0.0"
-  "--remote-debugging-port=${CDP_PORT}"
+  "--remote-debugging-address=127.0.0.1"
+  "--remote-debugging-port=${CHROME_CDP_PORT}"
   "--user-data-dir=${HOME}/.chrome"
   "--no-first-run"
   "--no-default-browser-check"
@@ -42,6 +48,17 @@ CHROME_ARGS+=(
 
 chromium "${CHROME_ARGS[@]}" about:blank &
 
+for _ in $(seq 1 50); do
+  if curl -sS --max-time 1 "http://127.0.0.1:${CHROME_CDP_PORT}/json/version" >/dev/null; then
+    break
+  fi
+  sleep 0.1
+done
+
+socat \
+  TCP-LISTEN:"${CDP_PORT}",fork,reuseaddr,bind=0.0.0.0 \
+  TCP:127.0.0.1:"${CHROME_CDP_PORT}" &
+
 if [[ "${ENABLE_NOVNC}" == "1" && "${HEADLESS}" != "1" ]]; then
   x11vnc -display :1 -rfbport "${VNC_PORT}" -shared -forever -nopw -localhost &
   websockify --web /usr/share/novnc/ "${NOVNC_PORT}" "localhost:${VNC_PORT}" &