Agent-First HTTP v0.7.0: One Flag for the Hard Sites, Brave by Default
v0.7.0 collapses the hard-site dance into a single flag: `afhttp fetch <url> --takeover`. It auto-discovers the local host, gives each site its own isolated profile by default, and only asks a human to step in when a wall actually blocks it. `container install` is now takeover-ready out of the box on Brave — built-in ad/tracker blocking and the browser a human drives, no `--with` flags to remember. Secrets are redacted from agent-visible output by default, with an explicit `--reveal-token-secret` to opt in. The whole release is one thing: make afhttp simpler for an agent to use and harder to use wrong.
The previous release made afhttp honest about bot walls — it stopped handing the agent a 200 that was really a captcha. But knowing you’ve hit a wall and getting past it were still two different jobs, with a small pile of subcommands and flags between them: prepare a tab, pick a display provider, choose a profile, mark the site “hard.” Every one of those was a chance for an agent to do it wrong.
Agent-First HTTP v0.7.0 collapses that pile. The whole release points one way: make afhttp simpler for an agent to drive, and harder to use wrong.
One flag does the hard-site dance
There used to be hard-site commands and a takeover prepare subcommand. They’re
gone, replaced by a single flag on the fetch you were already running:
```sh
afhttp fetch "$URL" --takeover
```
That’s the whole interface for a wall now. `fetch --takeover` auto-discovers the
standard local `afhttp-host` and reads its token — no `--endpoint-url` to wire
up — switches to a persistent per-site profile derived from the URL, and tries
the fetch. If the warmed profile already reaches the target, it just returns the
page; the agent never bothers the human. Only when a wall actually blocks it does
it keep a tab open and return a `next_action` with `kind: "human_takeover"`, a
complete short-lived `takeover_url` for a person to open, and a
`recommended_command` to re-read the same tab once the wall is cleared.
```json
{
  "next_action": {
    "kind": "human_takeover",
    "takeover_url": "https://host.internal/takeover/...",
    "takeover_url_expires_at_rfc3339": "2026-06-12T03:15:00Z",
    "recommended_command": "afhttp fetch \"$URL\" --tab 7"
  }
}
```
The agent’s decision shrank from “which of these commands and flags is this
situation” to “did I get a page, or a `next_action`.”
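An agent-side handler for that decision, as an added example (not afhttp or SDK code). It checks the link's expiry and turns `recommended_command` into an argv list instead of passing tool output to a shell. The accepted command shape and the refetch-on-expiry step are assumptions based on the sample above.

```python
import json
import shlex
from datetime import datetime, timezone

# Constructed envelope, same shape as the sample above.
SAMPLE_ENVELOPE = json.dumps({"next_action": {
    "kind": "human_takeover",
    "takeover_url": "https://host.internal/takeover/...",
    "takeover_url_expires_at_rfc3339": "2026-06-12T03:15:00Z",
    "recommended_command": 'afhttp fetch "$URL" --tab 7',
}})


def safe_argv(command, url):
    """Turn recommended_command into an argv list, or raise ValueError.

    Assumption: only `afhttp fetch "$URL" --tab <int>` is accepted, as in
    the sample; any other shape is refused rather than executed.
    """
    argv = shlex.split(command)  # splits like a shell, expands nothing
    if len(argv) != 5 or argv[:2] != ["afhttp", "fetch"]:
        raise ValueError("unexpected command shape")
    if argv[2] != "$URL" or argv[3] != "--tab" or not argv[4].isdigit():
        raise ValueError("unexpected arguments")
    argv[2] = url  # one argv element; metacharacters in the URL stay inert
    return argv


def plan(envelope_text, url, now=None):
    """Decide the agent's next step from one fetch envelope."""
    now = now or datetime.now(timezone.utc)
    action = json.loads(envelope_text).get("next_action")
    if action is None:
        return {"step": "use_page"}
    if action.get("kind") != "human_takeover":
        raise ValueError("unknown next_action kind")
    expires = datetime.fromisoformat(
        action["takeover_url_expires_at_rfc3339"].replace("Z", "+00:00"))
    if expires <= now:
        # Assumption: re-running the takeover fetch yields a fresh link.
        return {"step": "refetch",
                "argv": ["afhttp", "fetch", url, "--takeover"]}
    return {"step": "ask_human",
            "takeover_url": action["takeover_url"],
            "then_run": safe_argv(action["recommended_command"], url)}
```

Pass `then_run` to `subprocess.run` as a list, without `shell=True`, once the human reports the wall is cleared.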
Each site gets its own profile, automatically
A login for one site should never leak into a fetch of another. v0.7.0 makes
that the default: a takeover fetch derives an isolated profile per site from
the URL’s registrable domain (eTLD+1), so cookies and sessions stay scoped to the
site that created them. Sharing browser state across sites is now the thing you
opt into — `--profile work` — not the thing you have to remember to prevent.
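What eTLD+1 scoping means in practice, as an added illustration (not afhttp's implementation). The suffix set is a constructed excerpt of the Public Suffix List and the `site-` profile naming is hypothetical. It also shows why the "last two labels" shortcut fails on multi-tenant suffixes.

```python
from urllib.parse import urlsplit

# Constructed excerpt of the Public Suffix List (assumption: a real
# implementation loads the full list, private entries like github.io included).
SUFFIXES = {"com", "uk", "co.uk", "io", "github.io"}


def registrable_domain(url):
    """Return the eTLD+1 of url's host: longest known suffix plus one label."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError("URL has no host")
    labels = host.split(".")
    for i in range(len(labels)):  # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in SUFFIXES:
            if i == 0:
                raise ValueError("host is a bare public suffix")
            return ".".join(labels[i - 1:])
    return host  # no known suffix (IP literal, localhost): scope to exact host


def profile_for(url):
    """Hypothetical profile name; afhttp's real naming is not on the page."""
    return "site-" + registrable_domain(url)


def naive_last_two(url):
    """The shortcut that breaks isolation: keep only the last two labels."""
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])
```

With the naive version, `alice.github.io` and `bob.github.io` would share one cookie jar; with the suffix list they get separate profiles, while `login.example.co.uk` and `www.example.co.uk` correctly share one.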
container install is takeover-ready on Brave, out of the box
This is the change you’ll feel first. Standing up a takeover-capable host used to
mean remembering `--with kasmvnc`, picking a browser, and passing display flags.
Now:
```sh
afhttp container install
```
…is takeover-ready by default — **Brave + KasmVNC + an ephemeral initial profile + a 2g `/dev/shm`** — with nothing to add. Brave is the new default host browser for a reason that compounds across every fetch: its built-in ad and tracker blocking strips out the noise, beacons, and a fair number of the interstitials that make pages slow and bot-wally in the first place, so more fetches simply succeed without a human ever being asked. It’s also the browser a person drives during takeover — so the engine the agent fetches with and the engine the human clears the wall on are the same one, with the same state.
(The full backend spectrum is still there behind `--browser` — `chromium`,
`fingerprint-chromium`, `camoufox`, `lightpanda`, `edge` — for the sites that demand a
specific engine. Brave is just the default that gets out of the way.)
Secrets don’t leak into what the agent reads
afhttp’s output is read by an agent and often logged. So in v0.7.0, AFDATA
`_secret` fields are redacted by default in envelope output — the host token
and other sensitive values come back masked unless you explicitly ask to see
them. Printing the real host token is now an opt-in:
```sh
afhttp container install --reveal-token-secret
afhttp container inspect --reveal-token-secret
```
The takeover handoff was renamed end to end to match what it is — `takeover_url`,
`--takeover-quality-percent`, a `/takeover/handoff` endpoint, and an SDK
`takeover_handoff` client — so there’s one name for the concept across the CLI,
the wire, and the SDK. `--version` and `--help` now come back as structured
output through afdata like every other command, and `container logs --raw` gives
you the unprocessed stream when you need it.
Where this fits
Three releases, one arc. v0.5.0 gave afhttp a browser so it could reach pages a shell request can’t. v0.6.0 made it honest about what it reached. v0.7.0 makes the hard part easy to do and hard to do wrong: one flag for a wall, isolated profiles per site so state can’t leak, Brave by default so fewer walls show up at all, and secrets kept out of the agent’s view unless you ask for them. The tool still never decides what a page means — it just stopped making the agent work to get there.
```sh
brew install agentfirstkit/tap/afhttp   # macOS / Linux
scoop bucket add agentfirstkit https://github.com/agentfirstkit/scoop-bucket
scoop install afhttp                    # Windows
cargo install agent-first-http          # any platform
```