refactor: route browser control via gateway/node

2026-01-27 03:23:42 +00:00
parent b151b8d196
commit e7fdccce39
91 changed files with 1909 additions and 1608 deletions
--- a/docs/gateway/tailscale.md
+++ b/docs/gateway/tailscale.md
@@ -100,35 +100,13 @@ clawdbot gateway --tailscale funnel --auth password
 - Serve/Funnel only expose the **Gateway control UI + WS**. Nodes connect over
  the same Gateway WS endpoint, so Serve can work for node access.

-## Browser control server (remote Gateway + local browser)
+## Browser control (remote Gateway + local browser)

-If you run the Gateway on one machine but want to drive a browser on another machine, use a **separate browser control server**
-and publish it through Tailscale **Serve** (tailnet-only):
+If you run the Gateway on one machine but want to drive a browser on another machine,
+run a **node host** on the browser machine and keep both on the same tailnet.
+The Gateway will proxy browser actions to the node; no separate control server or Serve URL needed.

-```bash
-# on the machine that runs Chrome
-clawdbot browser serve --bind 127.0.0.1 --port 18791 --token <token>
-tailscale serve https / http://127.0.0.1:18791
-```
-
-Then point the Gateway config at the HTTPS URL:
-
-```json5
-{
-  browser: {
-    enabled: true,
-    controlUrl: "https://<magicdns>/"
-  }
-}
-```
-
-And authenticate from the Gateway with the same token (prefer env):
-
-```bash
-export CLAWDBOT_BROWSER_CONTROL_TOKEN="<token>"
-```
-
-Avoid Funnel for browser control endpoints unless you explicitly want public exposure.
+Avoid Funnel for browser control; treat node pairing like operator access.

 ## Tailscale prerequisites + limits