Implement BrowserAutomationReceipt and visible automation session controls #25

@mdheller

Parent spec

SourceOS-Linux/sourceos-spec#99

Intent

BearBrowser must make browser automation explicit, user-visible, revocable, and receipt-backed. The log lesson behind this issue is that native automation transports can exist below the UI unless we force every automation session to have a visible owner, permission scope, transport state, and revocation path.

Required behavior

When any browser automation transport starts, BearBrowser must create or update a BrowserAutomationReceipt-compatible record with:

  • stable receipt id: urn:srcos:receipt:browser-automation:<local-id>
  • sessionRef
  • ownerRef
  • transport: native_pipe, cdp, webdriver, extension, or accessibility
  • permission scope, e.g. read_dom, click, type, download, upload, inspect_network, inspect_cookies, use_credentials
  • origin: local, remote, or workspace
  • userVisible: true
  • revocable: true
  • policyDecisionRef
  • evidenceRefs
  • capturedAt

UI requirements

Add a visible automation session surface that shows:

  1. which agent/plugin/workspace owns the session
  2. active transport
  3. controlled tab/window/page scope
  4. granted permissions
  5. local/remote/workspace origin
  6. evidence receipt id
  7. one-click revoke/kill control

Runtime requirements

  • No automation session may run without an owner.
  • No automation session may run without a policy decision.
  • Revocation must terminate the transport and invalidate the session token/pipe/bridge.
  • Orphaned browser automation events must be rejected or quarantined, not silently accepted.
  • Logs should emit compact receipt references, not raw high-leakage topology unless debug mode is explicitly enabled.

Acceptance criteria

  • A fixture/example BrowserAutomationReceipt exists and validates against sourceos-spec once the schema lands.
  • Starting an automation transport produces a receipt.
  • Revoking an automation transport updates or closes the receipt with a terminal state.
  • UI shows session ownership and revocation status.
  • Tests cover at least: successful local automation, denied policy decision, missing owner, revoked session, orphan event.

Notes

This should align with SourceOS receipt conventions and not create a parallel browser governance stack.
