← back to work
case study · /bot-detection

Bot-detection bypass for production smoke.

The story of running headed Playwright via MCP with request-shaping injection to keep prod verification viable, without weakening upstream bot-detection for actual customers.

production · lotusflare MCP playwright 90 min build
↗ medium ↗ linkedin

The setup

Production smoke runs on real prod URLs. That's the whole point — they catch what staging can't, because staging doesn't have the upstream CDN, the real CMS, the real third-party JS that breaks on Tuesdays.

The catch: prod has bot-detection turned on (we have it for a reason — credit-card fraud through automated checkout). Playwright headed-and-instrumented looks like exactly the thing bot-detection is built to block. So the smoke suite started failing at the CDN before reaching our app.

We had three options: weaken prod bot-detection (no), give up prod smoke (no), or find a third way.

The third way

Run Playwright via MCP. The Model Context Protocol indirection happens to give us a clean injection point for request-shaping — we can stamp the smoke traffic with a verifiable, time-boxed token that our edge accepts as "this is QA, let it through" while leaving the default-deny posture for everyone else intact.

That's the one-line summary. The interesting part is the boundaries.

What the request-shape does

  • Stamps an HMAC-signed token with a 90-second TTL into a custom header.
  • The edge validates the token and bypasses bot-detection only if the IP is in our CI runner CIDR.
  • Token signing key is rotated weekly via the same secret pipeline as our deploy keys.

What it doesn't do

  • Doesn't disable bot-detection for real traffic — the check still runs for every other request.
  • Doesn't whitelist runners by IP alone — IP + token + TTL.
  • Doesn't survive a leaked token — TTL kills it inside 90s.

The MCP angle

This pattern works without MCP too — you could inject the headers in plain Playwright. But the MCP layer gave us two unexpected wins:

  • Auditability. Every prod-smoke action goes through the MCP gateway, which logs the agent identity, the spec name, and the action verb. We get an audit trail that's missing in a plain Playwright run.
  • Reuse. The same shaping pattern works for any agent — the Codex RCA agent, the Browser Use eval harness — without each having to re-implement it.

Results

  • Prod smoke runs green. 100% reachability since deployment.
  • Bot-detection unchanged. Customer-side surface area is the same.
  • One fraud attempt caught in the first month — the same week we deployed this. Bot-detection still works.

What I'd tell another QA engineer

  • If you're tempted to disable security to make tests pass, stop. There's almost always a token-shaped third option.
  • Make tokens short-lived. 90 seconds is fine. Anything longer is a credential.
  • Audit logs from the MCP gateway became unexpectedly useful for debugging "why did this test fail in prod but pass in staging."