add passwords + 2FA so the agent can log into sites #59

Open: laithrw wants to merge 4 commits into main from feat/auth-credentials

laithrw (Member) commented Jun 4, 2026

domain-scoped secrets stored in the OS keychain (values never touch the model), TOTP/2FA, and allow/deny domain rules — modeled on browser-use's sensitive_data + allowed_domains.

  • new browser-use-secrets crate: keychain SecretStore + RFC 6238 TOTP
  • agent substitutes name at fill time, gated on the page domain; secret values are redacted from anything it reports back
  • nav guard blocks navigation to non-allowed sites (+ redirect catch)
  • manage it three ways: the CLI (secrets/domains subcommands), the new /secrets and /domains slash commands in the TUI (with masked input + how-it-works help), or the agent reads them automatically per task

Summary by cubic

Adds domain‑scoped passwords and 2FA with an encrypted store so the agent can log into sites securely, with per‑domain navigation rules and a TUI/CLI manager. Values stay encrypted and are redacted from outputs; adds an email config panel and clearer nav‑guard hints.

  • New Features

    • New browser-use-secrets: AES‑256‑GCM encrypted store for passwords and TOTP seeds with RFC 6238/base32 validation.
    • Per‑session ScriptSecurity: injects secret metadata, resolves <secret>name</secret> at runtime gated by the current domain, and enforces allow/deny navigation with redirect catch; system prompt add‑on lists credential names by domain (names only).
    • Management: TUI /secrets, /domains, and /email panels (masked input, search/scroll) plus /import-passwords for 1Password; CLI secrets/domains; agent exposes read‑only browser secrets|domains.
    • Email 2FA via AgentMail (provision inbox and poll one‑time codes).
  • Bug Fixes

    • Nav guard: shows user hints when a navigate is blocked and waits for load to catch server/JS redirects.
    • Email: surfaces AgentMail errors in the TUI and clears cached inbox on token changes.
    • Cloud profiles and cookie sync: reuse cloud profile IDs; suggest by matching domains; refresh stale cloud cookies from local profiles with a permission‑gated fallback; auto‑detect the local profile when there’s a single match; re‑resolve policy each run; stricter, fail‑closed redaction and encrypted‑store safety; UX tweaks (paste works, Esc clears search, deferred deletion until save, imports count only successful writes).

Written for commit 402edba. Summary will update on new commits.
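
The domain-gated `<secret>name</secret>` substitution and output redaction described above, as an added example that is not code from this pull request or the browser-use project. The `Secret` struct, the function names, the subdomain-matching rule, redacting back to the placeholder, and the sample values are assumptions made for illustration.

```rust
use std::collections::HashMap;

struct Secret { value: String, domain: String } // constructed stand-in for a stored credential

// Assumed scope rule: `host` equals `domain` or ends in ".domain" ("notexample.com" stays out).
fn host_in_scope(host: &str, domain: &str) -> bool {
    let (h, d) = (host.to_ascii_lowercase(), domain.to_ascii_lowercase());
    h == d || h.ends_with(&format!(".{}", d))
}

// Expand <secret>name</secret> only for secrets scoped to `page_host`; fail closed otherwise.
fn resolve(text: &str, page_host: &str, store: &HashMap<String, Secret>) -> Result<String, String> {
    let (open, close) = ("<secret>", "</secret>");
    let (mut out, mut rest) = (String::new(), text);
    while let Some(start) = rest.find(open) {
        out.push_str(&rest[..start]);
        let after = &rest[start + open.len()..];
        let end = after.find(close).ok_or("unterminated <secret> tag")?;
        let name = &after[..end];
        let secret = store.get(name).ok_or_else(|| format!("unknown secret: {}", name))?;
        if !host_in_scope(page_host, &secret.domain) {
            return Err(format!("secret {} is not allowed on {}", name, page_host));
        }
        out.push_str(&secret.value);
        rest = &after[end + close.len()..];
    }
    Ok(out + rest)
}

// Mask stored values before text returns to the model, longest value first.
fn redact(text: &str, store: &HashMap<String, Secret>) -> String {
    let mut items: Vec<_> = store.iter().filter(|(_, s)| !s.value.is_empty()).collect();
    items.sort_by(|a, b| b.1.value.len().cmp(&a.1.value.len()));
    items.iter().fold(text.to_string(), |acc, (name, s)| {
        acc.replace(s.value.as_str(), &format!("<secret>{}</secret>", name))
    })
}

// Constructed sample data, not values from the pull request.
fn sample_store() -> HashMap<String, Secret> {
    let s = Secret { value: "hunter2-constructed".into(), domain: "example.com".into() };
    HashMap::from([("site_pass".to_string(), s)])
}

fn main() {
    let (store, text) = (sample_store(), "pw=<secret>site_pass</secret>");
    println!("{:?}", resolve(text, "login.example.com", &store)); // in scope
    println!("{:?}", resolve(text, "example.com.evil.test", &store)); // refused
    println!("{}", redact("typed hunter2-constructed", &store));
}
```

Sorting by length before masking matters once the store holds values where one contains another, since `HashMap` iteration order is not stable.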

@cubic-dev-ai cubic-dev-ai Bot left a comment

10 issues found across 17 files

Comment thread crates/browser-use-agent/src/tools/handlers/secrets_admin.rs
Comment thread crates/browser-use-browser/src/lib.rs Outdated
Comment thread crates/browser-use-browser/src/secrets_runtime.rs Outdated
Comment thread crates/browser-use-browser/src/secrets_runtime.rs
Comment thread crates/browser-use-agent/src/tools/handlers/secrets_admin.rs Outdated
Comment thread crates/browser-use-agent/src/tools/handlers/browser.rs Outdated
Comment thread crates/browser-use-tui/src/main.rs Outdated
Comment thread crates/browser-use-tui/src/main.rs Outdated
Comment thread crates/browser-use-browser/src/browser_script_helpers.py Outdated
Comment thread crates/browser-use-browser/src/browser_script_helpers.py Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 8 files (changes from recent commits).

Comment thread crates/browser-use-agent/src/tools/handlers/secrets_admin.rs
@laithrw laithrw force-pushed the feat/auth-credentials branch from 219f238 to 421aa52 on June 4, 2026 14:09

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 2 files (changes from recent commits).

Comment thread crates/browser-use-agent/src/tools/handlers/secrets_admin.rs Outdated
@laithrw laithrw closed this Jun 4, 2026
@laithrw laithrw reopened this Jun 4, 2026
@browser-use browser-use deleted a comment from gitguardian Bot Jun 5, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

9 issues found across 16 files (changes from recent commits).

Comment thread crates/browser-use-secrets/src/lib.rs Outdated
Comment thread crates/browser-use-secrets/src/lib.rs Outdated
Comment thread crates/browser-use-secrets/src/lib.rs Outdated
Comment thread crates/browser-use-agent/src/tools/handlers/browser.rs Outdated
Comment thread crates/browser-use-tui/src/main.rs
Comment thread crates/browser-use-tui/src/main.rs Outdated
Comment thread crates/browser-use-browser/src/secrets_runtime.rs Outdated
Comment thread crates/browser-use-agent/src/tools/handlers/secrets_admin.rs
Comment thread crates/browser-use-agent/src/tools/handlers/secrets_import.rs Outdated
@laithrw laithrw force-pushed the feat/auth-credentials branch from 8066844 to bfac816 on June 5, 2026 17:26
@browser-use browser-use deleted a comment from gitguardian Bot Jun 5, 2026
@browser-use browser-use deleted a comment from gitguardian Bot Jun 5, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 2 files (changes from recent commits).

Comment thread crates/browser-use-tui/src/main.rs Outdated

gitguardian Bot commented Jun 5, 2026

✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@laithrw laithrw force-pushed the feat/auth-credentials branch from c3c308f to 988e19d on June 5, 2026 18:18
laithrw added 3 commits June 5, 2026 11:18
# Conflicts:
#	crates/browser-use-agent/src/tools/handlers/mod.rs
#	crates/browser-use-browser/src/browser_script_helpers.py
#	crates/browser-use-browser/src/lib.rs
#	crates/browser-use-tui/src/render.rs