Browser MCP for recruiter automation: read everything, draft writes, fire nothing without approval.

A Model Context Protocol server that exposes a live browser session to an AI agent through a fixed set of tools. The two reference implementations in 2026 are Microsoft's playwright-mcp (70+ tools, accessibility-tree-first, no vision model required) and the Chrome DevTools MCP from the ChromeDevTools org (40+ tools, deep DevTools integration via Puppeteer). Anthropic introduced the protocol in November 2024; by early 2026 the SDK had crossed 97 million downloads and shipped on Claude Desktop, ChatGPT, Cursor, Copilot, and most coding agents. The agent calls browser_navigate, browser_snapshot, browser_click, browser_type, and the underlying browser does the work.

Every action on a QA target is reversible inside the test harness: spin a fresh browser, restore a fixture, throw the run away. Every action on a recruiter ATS is irreversible the moment it crosses a candidate-facing surface. browser_click on Move to onsite advances a stage and writes a row in the candidate timeline. browser_click on Send draft fires an email. There is no fixture to restore. The 2026 hiring laws (NYC DCWP Local Law 144, Illinois HB 3773, Colorado CAIA, the EU AI Act high-risk hiring rules) all assume a human approved the candidate-facing action and the rationale is auditable. A browser MCP that fires browser_click autonomously gives you neither.

Yes, and the community guidance acknowledges it. The Ashby Claude MCP exposes 33 distinct tools mapped to the Ashby API, including writes for stage moves, notes, and outreach. Almost every public Ashby and Greenhouse Claude MCP setup recommends starting in read-only mode and explicitly filtering out the write tools, precisely because the ATS itself has no human-in-the-loop spine and a generic MCP write reaches the candidate without any approval surface in between. Browser MCP is the same shape, one layer down: instead of wrapping the API, it wraps the UI, but the lack of an approval queue is identical.

Microsoft's playwright-mcp returns the full accessibility snapshot in the tool response on every browser_navigate or browser_snapshot. A typical browser-automation turn measured by Pramod Dutta in February 2026 burned around 114,000 tokens through MCP versus roughly 27,000 through the equivalent Playwright CLI, which writes the snapshot to a YAML file on disk and returns a one-line path. For a recruiter loop walking 200 candidates a day, that is the difference between a $20 and an $80 LLM bill on Sonnet pricing. Most public benchmarks recommend MCP for sandboxed agents (Claude Desktop, ChatGPT) and CLI for shell-capable agents (Claude Code, Cursor, Copilot).

Three rules. First, separate reads from writes: every read tool is exposed (browser_navigate, browser_snapshot, browser_evaluate); every write tool is rewrapped to emit a draft, not a live action. Second, anchor every draft to a role-and-name target read off the accessibility tree, never to CSS classes or pixel coordinates, so the audit row is something a regulator can verify against the surface a screen reader sees. Third, write the draft into an approval queue (Gmail, Slack, web view, your call) and fire the actual click only after a recruiter taps approve. The queue is the product; the browser MCP is the transport.

Always, when the API covers the surface. Greenhouse Harvest, Lever Data API, Workday Recruiting REST, and the Ashby Public API all cover candidate read, candidate write, application stage transitions, and event webhooks. The browser MCP is for the long tail: a custom scorecard field a customer added in the admin panel, a vendor-specific dropdown, a multi-step approval modal, anything behind a feature flag the API has not caught up to. Use the API for the 80% the API ships and fall through to a role+name browser_click for the 20% it does not. Both produce the same audit row shape.

Yes for reads, and yes for writes once you put an approval queue in front of the writes. All four publish WCAG 2.1 or 2.2 AA conformance because federal procurement requires a VPAT, which makes the accessibility tree dense and stable enough to script against deterministically. The accessible name varies per vendor (Move on Greenhouse, Advance on Lever, Change Stage on Workday, Move stage on Ashby) so the selector is per-vendor, but the integration shape is identical: snapshot, find by role and name, queue the action, fire on approval.

Either works for reads. Chrome DevTools MCP from the ChromeDevTools org leans into performance tracing, network inspection, and Puppeteer-based automation, with about 40+ tools and slim-mode support. Playwright MCP from Microsoft is the more general browser-automation surface with 70+ tools and explicit accessibility-tree-first execution. For recruiter loops the deciding factor is rarely the MCP itself; it is whether the agent runs sandboxed (Claude Desktop, ChatGPT, where MCP is the only option) or shell-capable (Claude Code, Cursor, Copilot, where the CLI variant cuts tokens roughly 4x).

It can, if you wire it correctly. The audit row written for each action carries: actor (the agent identifier and the recruiter who approved), tool (ats.move_stage, ats.send_message, ats.draft_email), target (a role and accessible-name pair plus the rendered text snapshot of the affected node), prior_state (the tree slice before), new_state (the tree slice after), and a content hash of both. Regulators auditing under any of those four regimes can replay any decision because the audit row contains both the surface the agent saw and the surface it produced. CSS-selector logs and pixel logs are not the same artifact and have repeatedly failed the disparate-impact-and-notice review at the staffing-agency level.

10xats ships pattern two from day one on the Starter $0 plan: a Sourcing, Scheduling, and Match Rating agent graph with browser-driven writes wrapped as drafts in a one-tap approval queue, anchored to role+name accessibility-tree targets, and exposed through both an MCP server and ChatGPT integration. The product is in development; the pricing, the architectural commitments, and the public roadmap are on the home and pricing pages, the rest of this guide is the playbook to apply if you are wiring a browser MCP into your existing ATS today and do not want to wait.