fix(browser): authenticate sandbox browser bridge server

src/agents/sandbox/context.ts

@@ -2,6 +2,8 @@ import fs from "node:fs/promises";
 import type { OpenClawConfig } from "../../config/config.js";
 import type { SandboxContext, SandboxWorkspaceInfo } from "./types.js";
 import { DEFAULT_BROWSER_EVALUATE_ENABLED } from "../../browser/constants.js";
+import { ensureBrowserControlAuth, resolveBrowserControlAuth } from "../../browser/control-auth.js";
+import { loadConfig } from "../../config/config.js";
 import { defaultRuntime } from "../../runtime.js";
 import { resolveUserPath } from "../../utils.js";
 import { syncSkillsToWorkspace } from "../skills.js";
@@ -76,12 +78,30 @@ export async function resolveSandboxContext(params: {
 
   const evaluateEnabled =
     params.config?.browser?.evaluateEnabled ?? DEFAULT_BROWSER_EVALUATE_ENABLED;
+
+  const bridgeAuth = cfg.browser.enabled
+    ? await (async () => {
+        // Sandbox browser bridge server runs on a loopback TCP port; always wire up
+        // the same auth that loopback browser clients will send (token/password).
+        const cfgForAuth = params.config ?? loadConfig();
+        let browserAuth = resolveBrowserControlAuth(cfgForAuth);
+        try {
+          const ensured = await ensureBrowserControlAuth({ cfg: cfgForAuth });
+          browserAuth = ensured.auth;
+        } catch (error) {
+          const message = error instanceof Error ? error.message : JSON.stringify(error);
+          defaultRuntime.error?.(`Sandbox browser auth ensure failed: ${message}`);
+        }
+        return browserAuth;
+      })()
+    : undefined;
   const browser = await ensureSandboxBrowser({
     scopeKey,
     workspaceDir,
     agentWorkspaceDir,
     cfg,
     evaluateEnabled,
+    bridgeAuth,
   });
 
   const sandboxContext: SandboxContext = {