Connecting to the user's real Chrome via CDP will be more resistant to bot detection than Playwright's bundled Chromium with stealth scripts
CDP mode disables ALL stealth scripts, relying entirely on real Chrome session. 22-38s click gaps were pure LLM inference, not humanization. Real Chro
HypothesisConnecting to the user's real Chrome via CDP will be more resistant to bot detection than Playwright's bundled Chromium with stealth scripts
CDP mode disables ALL stealth scripts, relying entirely on real Chrome session. 22-38s click gaps were pure LLM inference, not humanization. Real Chrome with a user profile + cookies + extensions is inherently undetectable because it IS a real browser. The 275-line stealth module was unnecessary.
Changelog
| Date | Summary |
|---|---|
| 2026-04-07 | Created during temporal gap audit |
| 2026-03-22 | Original audit (JOBHUNTR_AUDIT_2026-03-22.md) |
Hypothesis
Real Chrome via the Chrome DevTools Protocol (CDP) is more resistant to bot detection than Playwright’s bundled Chromium with stealth script injection. The intuition: bot detection systems are looking for tells like a missing window.chrome object, a missing set of extensions, a too-clean navigator.plugins list, or a webdriver flag. Stealth scripts try to forge those tells, which means bot detection systems then look for the forgery. The forger is always a step behind the detector. Meanwhile, real Chrome has none of the tells because it is not forging anything.
Method
I produced a 274-line audit document (JOBHUNTR_AUDIT_2026-03-22.md) comparing the two strategies against the ATS platforms the engine targets. In CDP mode, the engine connects to the user’s real Chrome on port 9222, uses their actual profile, their cookies, their extensions, and their session history. Zero stealth scripts run. In bundled mode, the engine launches Playwright’s Chromium and injects 12 stealth scripts: navigator.webdriver override, fake window.chrome object, plugin spoofing, WebGL vendor masking, permission API patching, language list forging, and seven more.
To isolate the anti-detection question from the latency question, I also ran a click timing analysis. Every gap between two automated actions was logged with its cause: LLM inference time, explicit humanization delay, page wait, or DOM polling. The gaps that had been previously attributed to “humanization” turned out to be almost entirely LLM inference.
Results
CDP mode confirmed superior on every dimension. The real browser has no detectable artifacts because there are no artifacts to detect. The 12 stealth scripts in bundled mode each add a potential detection surface because the scripts themselves can be detected by bot systems that look for the exact patched shapes. The forger-always-behind-detector dynamic played out exactly as predicted.
Click timing analysis revealed that gaps between actions (22 to 38 seconds on hard cases) were pure LLM inference time, not intentional humanization. Perceived slowness was the AI thinking, not artificial delay. That finding alone retired a 275-line humanization module as unnecessary, which simplified the adapter layer considerably.
Findings
Real Chrome with a user profile, cookies, and extensions is inherently undetectable because it is a real browser. The 275-line stealth module shipped previously in bundled mode was deleted in the same PR. Stealth scripts are a cat-and-mouse game that the automation side cannot win long-term. The durable answer is to stop impersonating a real browser and instead drive a real browser.
Next Steps
Treat CDP-to-real-Chrome as the permanent architecture. Every new adapter assumes the real Chrome surface and does not run stealth. The SaaS deployment later inherited this choice by requiring a local Chrome for user tokens, which is why Railway was abandoned.
Source
JOBHUNTR_AUDIT_2026-03-22.md in the jobs-apply repository, 2026-03-22.