Summary

Adds hosted WebDriver provider support for BrowserStack and AWS Device Farm without adding Limrun to the CLI surface. agent-device connect keeps the existing cloud default, agent-device connect cloud is an explicit alias, connect proxy keeps the direct remote daemon flow, and connect browserstack / connect aws-device-farm now create local provider profiles that allocate hosted sessions on first open.

The provider wiring stays isolated: generated profiles persist non-secret provider selectors, daemon startup composes provider runtimes through the existing request-provider seams, and BrowserStack/AWS session setup delegates to the shared cloud WebDriver runtime. Artifacts remain available through agent-device artifacts --json, including active-session inference and historical provider-session lookup where supported.

This also addresses the code-quality review pass:

• WebDriver source parsing now reuses the hardened shared XML parser and existing Android bounds parsing instead of bespoke regex XML handling.
• BrowserStack/AWS provider helpers are consolidated for auth headers, lease-derived labels, URL normalization, capability overrides, and artifact lookup dispatch.
• Runtime construction and environment-based artifact lookup share one hosted WebDriver provider definition table.
• The lazy hosted-provider runtime wrapper was removed; each provider creates one shared CloudWebDriverRuntime, and per-lease request/profile setup happens through prepareSession.
• Daemon startup no longer requires BrowserStack/AWS credentials unless that provider is actually used.
• Connect profile dispatch is table-driven, shared Metro profile projection is centralized, and AWS flag/env fallback parsing is simplified.
• Client close/release provider payloads preserve the typed cloud artifact result shape instead of exposing only Record<string, unknown>.
• The premature public agent-device/cloud-webdriver subpath and leftover source-only facade were removed, so the daemon still ships the runtime chunk without publishing a large unused SDK declaration surface.
• BrowserStack capability assembly and AWS Device Farm CLI command assembly now have one implementation each.
• WebDriver scroll gestures now use the remote window rect instead of a hardcoded viewport.
• The generic artifact callback no longer carries the unused phase mode.

Agents can connect autonomously when credentials are present up front. BrowserStack uses BROWSERSTACK_USERNAME / BROWSERSTACK_ACCESS_KEY; AWS Device Farm uses the AWS CLI credential chain, including CI-provided environment credentials, profiles, or web identity role variables. The Hosted Device Providers docs page captures the CI setup and links to official AWS CLI/OIDC guidance.

Docs/help now give actionable hosted-provider flows and credential guidance across CLI, JavaScript, and MCP: CLI is the canonical bootstrap path, JavaScript can pass provider config directly through the typed client, and MCP is documented as an operational interface after CLI bootstrap rather than a separate provider-connect surface.

Validation

Verified locally with focused CLI/profile/provider tests, docs/help tests, static checks, package build, and fallow audit.

Latest checks:

• pnpm exec vitest run src/utils/__tests__/args.test.ts src/__tests__/cli-help.test.ts src/__tests__/cloud-connect-profile.test.ts src/__tests__/package-exports.test.ts
• pnpm exec vitest run src/__tests__/cloud-connect-profile.test.ts src/__tests__/remote-connection.test.ts src/__tests__/default-cloud-artifact-provider.test.ts src/__tests__/package-exports.test.ts test/integration/provider-scenarios/cloud-webdriver-provider-adapters.test.ts test/integration/provider-scenarios/cloud-webdriver-runtime.test.ts
• pnpm check:quick
• pnpm build
• pnpm check:fallow --base origin/main
• node ./node_modules/oxfmt/bin/oxfmt --write <touched files>
• git diff --check