Hosted Browser Operations
Hosted browser support is a session-attached capability. Operators should treatBrowserbase and Stagehand as provider infrastructure behind Rhone-owned browserbindings, cleanup jobs, assets, checkpoints, and tool executions.
Rollout Gates
Keep hosted browser capability gated by the deployed Rhone browser service and advertised capabilities.extensions.browser.hosted value.
Keep human handoff gated separately by a configured handoff base URL and the advertised capabilities.extensions.browser.human_handoff value.
Keep local browser mode on the client_tools boundary. Local mode must not use hosted Browserbase bindings or hosted handoff routes.
Keep vendor server-side cache disabled. Requests that try to enable hosted browser server cache fail with browser.policy_denied .
Keep hosted stealth mode disabled. Requests that try to enable stealth fail with browser.policy_denied .
Provider Outage
Confirm whether failures are isolated to browser tools by checking tool_execution_summaries for browser_* tool names and provider.execution_failed / browser.provider_unavailable errors.
Check browser_cleanup_jobs for cleanup backlog growth. Provider outages may delay context/session deletion but should not block canonical Rhone state.
Disable affected hosted browser bindings with provider deletion requested when sessions no longer need browser control.
Do not manually resume runs waiting on browser handoff. Resolve the checkpoint and resume through the canonical checkpoint/run APIs only.
Cleanup Backlog
Open Data Explorer and select browser_cleanup_jobs .
Filter by status in ("failed", "dead_lettered") and group by job_kind .
Use the session Browser Runtime card to retry failed or dead-lettered cleanup jobs after verifying the provider outage is resolved.
If jobs repeatedly dead-letter, inspect last_error , preserve the job row for audit, and schedule provider-side remediation outside the request path.
Handoff Revoke
Use revoke when a human handoff is stale, abandoned, or incorrectly assigned.
Open the session Browser Runtime card.
Confirm control_mode = human_handoff .
Use Revoke handoff. This calls the canonical browser handoff revoke mutation, restores agent control, rotates the browser lease epoch, and emits browser.handoff.revoked .
If the run is waiting on a checkpoint, revoke does not resume it. The run still requires checkpoint resolution and runs/{id}:resume .
Purge Failure
Browser purge has two independent effects:
Canonical browser rows become unavailable immediately.
Provider cleanup is scheduled through durable browser_cleanup_jobs .
If purge cleanup fails:
Verify the session/browser exact reads no longer expose active canonical browser state.
Inspect browser_cleanup_jobs for provider_session_end and provider_context_delete rows.
Retry failed cleanup jobs from the session Browser Runtime card or let the worker retry schedule continue.
Escalate dead-lettered provider cleanup to provider-side deletion while retaining the Rhone cleanup job row as the audit record.
Artifact Review
Screenshots and downloads must be opened through Rhone asset proxy routes.
Recording refs are opaque provider refs by default and are not raw provider URLs.
Public/product surfaces must not render raw provider artifact URLs.