> ## Documentation Index
> Fetch the complete documentation index at: https://piyushvyas.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Stealth Mode

> Reduce bot detection fingerprint and connect to existing Chrome instances

BAP provides two complementary flags for working with sites that employ bot detection: `--stealth` to reduce the automation fingerprint, and `--connect` to attach to a running Chrome instance via CDP.

## The Three Tiers

<CardGroup cols={3}>
  <Card title="Default" icon="browser">
    BAP launches Chrome with Playwright defaults. Good for most sites and development workflows.

    ```bash theme={null}
    bap goto https://example.com
    ```
  </Card>

  <Card title="Stealth" icon="mask">
    Reduces common bot detection signals. Use when sites block or CAPTCHA standard automation
    browsers. `bash bap --stealth goto https://example.com `
  </Card>

  <Card title="Connect" icon="link">
    Attaches to a Chrome instance you launched manually. The gold standard for avoiding detection -- it is a real user browser.

    ```bash theme={null}
    bap --connect goto https://example.com
    ```
  </Card>
</CardGroup>

## `--stealth` Flag

The stealth flag tells the BAP server to launch the browser with additional anti-detection measures:

```bash theme={null}
bap --stealth goto https://protected-site.com --observe
bap --stealth act fill:label:"Email"="user@test.com" click:role:button:"Login"
```

Stealth mode is passed through to the server's `browser/launch` call and applies to the entire session.

<Note>
  Stealth mode reduces but does not eliminate detection. Sophisticated bot detection systems may
  still flag automated browsers. For maximum compatibility, use `--connect`.
</Note>

## `--connect` Flag (CDP Attach)

Connect to an existing Chrome instance via the Chrome DevTools Protocol. This is the most reliable way to avoid bot detection because BAP controls a browser you launched manually -- with your real profile, extensions, and cookies.

<Steps>
  <Step title="Launch Chrome with remote debugging">
    ```bash theme={null}
    # macOS
    /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
      --remote-debugging-port=9222

    # Linux
    google-chrome --remote-debugging-port=9222

    # Windows
    chrome.exe --remote-debugging-port=9222
    ```
  </Step>

  <Step title="Connect BAP to the running Chrome">
    ```bash theme={null}
    bap --connect goto https://protected-site.com --observe
    ```

    BAP discovers the Chrome instance on the default port (9222) and attaches via `chromium.connectOverCDP()`.
  </Step>

  <Step title="Interact normally">
    ```bash theme={null}
    bap --connect act click:text:"Sign in" --observe
    bap --connect fill label:"Email" "user@test.com"
    ```
  </Step>
</Steps>

### Borrowed Browser Lifecycle

When using CDP attach, BAP never closes the external browser:

* On disconnect: BAP drops the reference. The browser continues running.
* On `bap close-all`: BAP closes its own pages but leaves the browser process intact.
* Playwright has no `Browser.disconnect()` method, so BAP simply nullifies the reference.

<Warning>
  The browser process you launched manually will keep running after BAP disconnects. Close it
  yourself when done.
</Warning>

## Combining with Sessions

Both flags work with named sessions:

```bash theme={null}
# Stealth + named session
bap --stealth -s=scrape goto https://protected-site.com

# CDP connect + named session
bap --connect -s=manual-chrome goto https://app.example.com
```

Session persistence ensures the stealth or CDP-attached browser stays warm across commands.

## When to Use Each Tier

| Scenario                                                   | Recommended tier                    |
| ---------------------------------------------------------- | ----------------------------------- |
| Development and testing                                    | Default                             |
| Sites with basic bot detection                             | `--stealth`                         |
| Sites with aggressive bot detection (Cloudflare, DataDome) | `--connect`                         |
| Using your real logged-in session                          | `--connect`                         |
| CI/CD pipelines                                            | Default + `--headless`              |
| Scraping at scale                                          | `--stealth` or `--connect` per site |

## Server-Level CDP

The MCP and TypeScript SDK can also use CDP attach via the `cdpUrl` parameter in `browser/launch`:

```typescript theme={null}
await client.launch({
  cdpUrl: "http://localhost:9222",
});
```

```json theme={null}
{
  "tool": "navigate",
  "arguments": {
    "url": "https://example.com"
  }
}
```

When using `cdpUrl`, the browser lifecycle is "borrowed" -- BAP never closes the external browser on disconnect or shutdown.
