fix: security audit compliance — credentials, telemetry, bun pin, untrusted warning (v0.12.12.0) (#574)

* fix: replace hardcoded credentials with env vars in documentation Addresses Snyk W007 (HIGH). Replaces test@example.com/password123 with $TEST_EMAIL/$TEST_PASSWORD env vars. Adds credential safety and cookie safety notes. * fix: make telemetry binary calls conditional on _TEL and binary existence Addresses Socket's 14 MEDIUM findings for opaque telemetry binary. Adds local JSONL fallback (always available, inspectable). Remote binary only runs if _TEL != "off" and binary exists. * fix: pin bun install to v1.3.10 with existence check Addresses Snyk W012 (MEDIUM). Pins BUN_VERSION in browse.ts resolver, Dockerfile.ci, and setup script error message. Adds command -v check to skip install if bun already present. * docs: add data flow documentation to review.ts Addresses Socket HIGH finding (98% confidence). Documents what data is sent to external review services and what is NOT sent. * test: add audit compliance regression tests 6 tests enforce Snyk/Socket fixes stay in place: no hardcoded creds, conditional telemetry, version-pinned bun, untrusted content warning, data flow docs, all SKILL.md telemetry conditional. * refactor: remove 2017 lines of dead code from gen-skill-docs.ts The Placeholder Resolvers section (lines 77-2092) contained duplicate functions that were superseded by scripts/resolvers/*.ts. The RESOLVERS map from resolvers/index.ts is the sole resolution path. Verified: zero call sites outside self-references. * chore: regenerate SKILL.md files from updated templates Reflects: conditional telemetry, version-pinned bun install, untrusted content warning after Navigation commands. * chore: bump version and changelog (v0.12.12.0) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-08 21:49:45 +08:00 · 2026-03-27 12:06:58 -06:00
parent 43c078f19a
commit 11695e3aca
38 changed files with 765 additions and 2202 deletions
--- a/SKILL.md.tmpl
+++ b/SKILL.md.tmpl
@@ -59,6 +59,9 @@ Auto-shuts down after 30 min idle. State persists between calls (cookies, tabs,

 ## QA Workflows

+> **Credential safety:** Use environment variables for test credentials.
+> Set them before running: `export TEST_EMAIL="..." TEST_PASSWORD="..."`
+
 ### Test a user flow (login, signup, checkout, etc.)

 ```bash
@@ -69,8 +72,8 @@ $B goto https://app.example.com/login
 $B snapshot -i

 # 3. Fill the form using refs
-$B fill @e3 "test@example.com"
-$B fill @e4 "password123"
+$B fill @e3 "$TEST_EMAIL"
+$B fill @e4 "$TEST_PASSWORD"
 $B click @e5

 # 4. Verify it worked
@@ -198,6 +201,9 @@ $B snapshot -i
 $B screenshot /tmp/github-profile.png
 ```

+> **Cookie safety:** `cookie-import-browser` transfers real session data.
+> Only import cookies from browsers you control.
+
 ### Compare two pages / environments

 ```bash
@@ -210,8 +216,8 @@ $B diff https://staging.app.com https://prod.app.com
 echo '[
  ["goto","https://app.example.com"],
  ["snapshot","-i"],
-  ["fill","@e3","test@test.com"],
-  ["fill","@e4","password"],
+  ["fill","@e3","$TEST_EMAIL"],
+  ["fill","@e4","$TEST_PASSWORD"],
  ["click","@e5"],
  ["snapshot","-D"],
  ["screenshot","/tmp/result.png"]