Require Touch ID for Browser Automation

AI coding tools like Claude Code, Cursor, and Windsurf often use browser automation via MCP servers like Playwright. These tools launch Chrome with the --remote-debugging-port flag, which opens a control channel that other processes can exploit.

Remote debugging enables powerful automation capabilities, but it also creates security risks. Malware and phishing attacks have used this technique to inject scripts into authenticated browser sessions, stealing credentials or performing actions as the user.

Rather than blocking browser automation entirely (which would break legitimate workflows) or allowing it unconditionally (which leaves a security gap), Touch ID verification provides a middle ground. Users must confirm with their fingerprint before the browser launches in debugging mode.

This rule allows Chrome to run normally for everyday browsing. When any process launches Chrome with remote debugging enabled, the user must verify with Touch ID. Security teams gain visibility and control without disrupting normal browser use.

Touch ID rules require Santa 2026.1 or later. The feature works on any Mac with Touch ID hardware or an Apple Watch configured for authentication.

Important considerations:

• Agents on older Santa versions will fall back to ALLOWLIST behavior
• Users without Touch ID hardware will need an alternative verification method
• Consider combining with audit logging to track automation usage

This rule is ideal for:

• Organizations using AI coding assistants (Claude Code, Cursor, Windsurf)
• Teams running browser automation for testing
• Environments where browser debugging should be gated but not blocked

This rule only triggers when browsers launch with remote debugging flags. Normal browser usage is unaffected.

Scenarios that will trigger Touch ID:

• AI coding tools using Playwright MCP server
• Automated testing frameworks (Selenium, Puppeteer, Playwright)
• Developer tools that control browsers programmatically
• Browser extensions that require debugging access

All of these are legitimate uses that the rule allows after Touch ID verification.

1. Verify normal Chrome browsing works without Touch ID prompt: Open Chrome normally from Dock or Applications

2. Test that remote debugging triggers Touch ID: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222 (Should prompt for Touch ID)

3. Test with an AI coding tool that uses Playwright: Run a Playwright automation - should prompt for Touch ID

4. Verify Touch ID approval allows execution: After approving with Touch ID, Chrome should launch with debugging enabled

Monitor Touch ID verification events in Workshop to track browser automation usage:

• Query: event_type=Execution AND decision=REQUIRE_TOUCHID AND signing_id LIKE '%Chrome%'

This gives visibility into:

• Which users are running browser automation
• How frequently automation tools are used
• Whether automation is happening outside expected hours or contexts