article2026-03-30by ModelPiper

Browser Automation on Mac: Your Local LLM Sees and Controls Chrome

TL;DR

Every AI browser tool sends your page content to a cloud API. ToolPiper's CDP engine exposes 14 browser tools that work with any local LLM via MCP. AX-native selectors target the accessibility tree instead of fragile CSS, self-healing handles UI changes, and your banking app never leaves your Mac.

Image

A local LLM sees the accessibility tree and drives Chrome - no cloud model ever sees your page

Browser automation has always been a developer tool. Write Playwright scripts, set up test infrastructure, maintain selector libraries. AI coding assistants changed this - now an LLM can drive a browser. It reads a page, decides what to click, types text, navigates forms. The workflow that used to require a test engineer now happens in a conversation.

But there is a catch. Every AI browser automation tool sends your page content to a cloud API. Your banking app, your admin dashboard, your internal tools, your client portals - all visible to someone else's server. The AI needs to see the page to act on it, and "seeing" means transmitting a full snapshot to GPT-4 or Claude in a data center you do not control.

What if the AI driving your browser ran entirely on your Mac?

How does AI browser automation work in 2026?

Tools like Playwright MCP, Browser Use, and similar projects give AI models control over Chrome via CDP - the Chrome DevTools Protocol. The workflow is straightforward: the AI requests a snapshot of the current page, reasons about what it sees, and issues commands to click buttons, fill forms, or navigate to new URLs. The browser executes those commands and returns the result.

This is genuinely useful. An AI that can browse the web, fill out forms, and verify page state opens up workflows that were previously manual. Testing, data entry, monitoring, scraping - all become conversational.

The problem is where the reasoning happens. The AI processing that page snapshot is usually a cloud model - GPT-4, Claude, Gemini - running on someone else's infrastructure. Every page you automate gets transmitted as context. If you are automating your company's admin panel, the cloud model sees your admin panel. If you are testing a staging environment with real user data, the cloud model sees that data.

For public websites, this is fine. For anything behind a login, it is a privacy decision most people do not realize they are making.

Why do CSS selectors keep breaking?

Before we get to the local AI part, there is a foundational problem with how most browser automation works. Most tools use CSS selectors or XPath to identify elements on a page. Click the button with class btn-primary. Fill the input with ID email-field. These selectors are tied to implementation details - class names, DOM structure, element IDs - that change whenever a developer refactors the CSS, updates a component library, or migrates frameworks.

The accessibility tree (AX tree) is fundamentally different. It is Chrome's semantic representation of what the user sees: buttons, links, inputs, headings, landmarks. It describes meaning, not implementation. A React app with 2,000 DOM nodes might have 200 AX tree nodes - the ones that actually matter for interaction.

When a developer renames a CSS class, CSS selectors break. When a team migrates from Bootstrap to Tailwind, CSS selectors break. But the accessibility tree rarely changes unless the actual user-visible behavior changes - which is exactly when your automation should break.

This stability difference is not marginal. It is the difference between tests that survive a UI refactor and tests that break every sprint.

What does ToolPiper's CDP engine actually do?

ToolPiper is a native macOS app that, among other things, holds a persistent CDP connection to Chrome and exposes 14 browser-specific tools. These tools are available via MCP (Model Context Protocol), which means any MCP-aware AI client can use them - including Claude Code, local models via llama.cpp, or any OpenAI-compatible endpoint.

Here is what each tool does:

browser_snapshot - Auto-connects to Chrome and returns a semantic AX tree of the current page. This is the primary way an AI "sees" what is on screen.
browser_action - Click, type, fill, navigate, scroll, and hover using AX selectors. Includes self-healing when selectors break.
browser_assert - Seven assertion types (visible, hidden, text, url, count, attribute, console) with configurable polling. Captures an AX snapshot on failure.
browser_console - Formatted console output with a separate network error section.
browser_record - Record user interactions and capture them as AX-enriched selectors.
browser_manage - Connection lifecycle: connect, disconnect, list pages, switch tabs.
browser_network - Enable, disable, list, get response bodies, clear, and check status of network requests.
browser_storage - Read and write cookies, localStorage, and sessionStorage.
browser_performance - Collect Web Vitals (LCP, FID, CLS) and runtime performance metrics.
browser_coverage - Measure JavaScript and CSS code coverage.
browser_eval - Execute arbitrary JavaScript in the page context.
browser_intercept - Set up mock rules and intercept network requests.
browser_webauthn - Create a virtual authenticator for testing passkey and WebAuthn flows.
browser_autofill - Autofill credit card and address forms for testing checkout flows.

These are not thin wrappers. Each tool handles connection management, error recovery, and output formatting internally. The AI receives clean, semantic text - not raw JSON blobs.

How do AX-native selectors work?

Instead of CSS selectors, ToolPiper uses accessibility-role-based selectors throughout. The format is simple and readable:

role:button:Sign In matches a node with role "button" and accessible name "Sign In". label:Email matches an element labeled "Email". text:Welcome matches visible text content. testid:submit-btn matches a data-testid attribute for developers who use them.

For pages with ambiguous selectors - multiple "Submit" buttons, for example - hierarchical scoping narrows the match: role:form:Login > role:button:Submit finds the Submit button inside the Login form specifically.

These selectors target the accessibility tree directly. They do not depend on CSS class names, DOM nesting depth, or framework-specific wrapper elements. A component library migration from Material UI to Radix does not break them, because the accessibility tree still describes the same buttons and inputs.

What happens when a selector breaks anyway?

UI changes. Buttons get renamed. Forms get restructured. When an AX selector no longer matches, ToolPiper does not fail immediately. The self-healing system takes over.

It takes a fresh AX tree snapshot and searches for nodes that match the original selector's role and approximate name. Candidates are scored by role match, name edit distance, and position in the tree. If a high-confidence match is found, the action executes on the healed selector and the mapping is recorded for future runs.

A button renamed from "Submit" to "Save" is healed automatically. A fundamentally different page structure correctly fails the test. The distinction matters - self-healing should fix cosmetic changes, not mask real regressions.

How does smart fill handle different input types?

Filling a text input is straightforward. Filling a date picker, a color chooser, or a dropdown is not. Most automation tools handle these poorly or not at all.

ToolPiper's browser_action fill command auto-detects the input type and uses the appropriate strategy. <select> elements get programmatic option selection by value or visible text. Date and time inputs use the native value setter to bypass the browser's picker UI. Range sliders set the value and dispatch input and change events. Color inputs validate hex format and set via the native setter. Standard text inputs dispatch realistic keyboard events.

Detection happens via CDP's DOM tree, not the AX tree - because the accessibility tree does not expose input subtypes. The AX tree says "this is a textbox"; the DOM says it is <input type="date">. Both layers work together.

What does the AI actually see after an action?

Every action returns an AX diff - a structured comparison showing what changed on the page. Added nodes are marked with +, removed with -, modified with ~. This means the AI (or you, reading the output) can see the effect of each action without taking another full snapshot.

Actions also return an axPath - the accessibility-tree path from the document root to the target element - and an elementMeta object with the element's tag name, type, and bounding box. All of this is computed in a single CDP call via the enrichForSelector method. No extra round trips.

How does framework detection help?

Modern web apps built with React, Vue, Angular, Svelte, and similar frameworks do not render synchronously. After a navigation or action, the page might still be loading data, hydrating components, or running transitions. Taking a snapshot too early gives you an incomplete or stale view.

ToolPiper detects 16 frontend frameworks and uses framework-specific readiness signals. A React app is ready when its root has hydrated. An Angular app is ready when Zone.js stabilizes. The detection uses a RACE pattern - the framework-specific signal races against a generic idle timeout, and whichever resolves first wins. This means pages are scraped and snapshotted at the right moment, not on an arbitrary delay.

How does this work with a local LLM?

This is the core point. ToolPiper exposes these 14 browser tools via MCP. Any MCP-aware client can call them. When you use Claude Code with ToolPiper configured as an MCP server, calling browser_snapshot returns the AX tree to your local conversation. Your local LLM interprets the page structure and calls browser_action to interact with it.

The key difference from cloud-only browser tools: your page content never leaves your machine. The AX tree snapshot goes from Chrome to ToolPiper to your local model - all on localhost. Your banking app stays on your Mac. Your admin dashboard stays on your Mac. Your staging environment with real user data stays on your Mac.

For the local LLM to drive browser automation effectively, it needs to be capable of tool calling. Models at 7B parameters and above generally handle this well. Smaller models may struggle with complex multi-step browser workflows, but can handle simple navigation and form filling.

Chrome Dev is the supported browser (tested on Chrome 148). ToolPiper auto-connects on the first browser tool call - no manual setup required.

What are the honest limitations?

This is not a magic solution that replaces everything else. Here is what you should know before adopting it.

Chrome only. There is no Firefox, Safari, or Edge support. CDP is a Chrome-specific protocol, and the AX tree implementation differs across browsers. Cross-browser testing still requires Playwright or Cypress.

Local model quality matters. The LLM driving the browser needs enough reasoning capability for tool calling and multi-step planning. A 3B model will struggle with complex workflows. 7B or larger is the practical minimum for reliable browser automation.

Complex SPAs need readiness detection. JavaScript-heavy single-page applications with async data loading, client-side routing, and framework hydration can produce incomplete snapshots if captured at the wrong moment. ToolPiper's 16-framework detection handles most cases, but unusual or custom frameworks may need the generic idle fallback.

Not a Playwright replacement. If you have a full Playwright test suite running in CI, ToolPiper is a different tool for a different workflow. It is better for exploratory testing, quick verification, AI-assisted test generation, and workflows where you want a conversational interface rather than a code-first approach. You can export PiperTest sessions to Playwright or Cypress code when you want to move tests into CI.

ToolPiper CDP browser tools showing AX-native selectors, self-healing actions, and structured AX diff output

14 browser tools exposed via MCP - snapshots, actions, assertions, network intercept, and more

Browser Automation: ToolPiper vs Playwright MCP vs Browser Use

	ToolPiper Browser	Playwright MCP	Browser Use
AI runs locally	Yes (any local LLM)	No (cloud model)	No (cloud model)
Selector type	AX tree (accessibility)	CSS + role + XPath	CSS + vision
Self-healing	Yes (fuzzy AX match)	No	Partial (vision)
Browser tools	14	12	~8
Network intercept	Yes	No	No
Performance/Coverage	Yes	No	No
WebAuthn/Passkeys	Yes	No	No
Test export	Playwright + Cypress	Playwright native	No
Framework detection	16 frameworks	No	No
Privacy	Page content stays local	Page content sent to cloud	Page content sent to cloud

Frequently Asked Questions

Does the AI see my passwords and sensitive data?

It depends on which AI. When you use ToolPiper with a local LLM, the page snapshot (accessibility tree) travels from Chrome to ToolPiper to your local model - all on localhost. Passwords in password fields are masked in the AX tree by Chrome itself. Other sensitive data on the page (account numbers, personal information, dashboard data) is visible to the local model but never leaves your machine. If you use a cloud model instead, that data is sent to the cloud provider's servers.

Can I use this with Claude Code?

Yes. Add ToolPiper as an MCP server in Claude Code with claude mcp add toolpiper -- ~/.toolpiper/mcp. All 14 browser tools become available as MCP tools. Claude Code can call browser_snapshot to see the page, browser_action to interact, and browser_assert to verify results. Note that Claude Code uses Anthropic's cloud models by default - for fully local operation, you would point MCP at a local model server.

How is this different from Playwright?

Playwright is a code-first test framework. You write JavaScript or TypeScript tests, run them in Node.js, and execute in CI. ToolPiper is a conversational browser automation tool - you describe what you want in natural language, and an AI model executes it via the accessibility tree. ToolPiper can export tests to Playwright code when you want to move them into CI. They are complementary, not competing.

Does it work with React, Vue, and Angular apps?

Yes. ToolPiper detects 16 frontend frameworks including React, Vue, Angular, Svelte, Next.js, Nuxt, SvelteKit, and others. Framework detection enables readiness signals - ToolPiper waits for the framework to finish hydrating or stabilizing before taking a snapshot, so you get an accurate view of the fully loaded page rather than a partially rendered state.

Can I record tests and export them?

Yes. The browser_record tool captures your interactions as AX-enriched test steps. These are stored in PiperTest format - a framework-agnostic JSON structure with accessibility selectors. You can replay tests with self-healing, then export to Playwright or Cypress code using test_export. The export renderer maps AX selectors to each framework's native selector format.

Browser AutomationCDPAccessibilityAI TestingPrivacymacOSDeveloper Tools

AX-Native Browser Automation: Why We Built Our Own CDP EngineThe technical deep-dive on ToolPiper's accessibility-tree-first CDP architecture Visual Testing on Mac: Record, Replay, Export to PlaywrightRecord browser tests visually, replay with self-healing, export to Playwright or Cypress Local MCP Server on Mac: 93 AI Tools in One InstallThe full MCP server that hosts these 14 browser tools alongside 79 others Local-First AI on macOS: Why Your Data Should Never Leave Your MachineThe pillar article on local-first AI workflows