@test-lab-ai/cli 0.2.10 → 0.2.12

package/README.md

@@ -130,16 +130,20 @@ and `testlab skills update` re-installs the bundled version on demand.
 
 ### Example prompts
 
-With the skill installed, talk to your agent in plain language; it writes the plan
-and runs the CLI. For a feature you just built:
+With the skill installed, invoke it and describe the test in plain language. In
+Claude Code: `/test-lab-plan`; in Codex or Cursor, just mention test-lab.
 
-- "Write a test-lab test for the signup flow at https://app.example.com/signup and create it in my account."
-- "Add a test-lab smoke test for our /login page (the test creds are already in test-lab), then import it."
+Create a test for a feature you just built:
 
-To import tests you already have:
+```
+/test-lab-plan write a test for the signup flow at https://app.example.com/signup, then create it in my account
+```
+
+Import tests you already have:
 
-- "Convert the Playwright specs in ./tests/e2e into test-lab plans and import them."
-- "Turn our Cucumber .feature files into test-lab tests and create them in the Checkout project."
+```
+/test-lab-plan convert the Playwright specs in ./tests/e2e into test-lab plans and import them
+```
 
 ## For AI agents
 

package/bin/testlab.mjs

@@ -47,10 +47,13 @@ Usage:
   testlab labels list                      List your labels
   testlab data list                        List your data fixtures
   testlab data create -f fixture.json      Create a data fixture ({{data.<fixture>.<field>}})
+  testlab scripts upload <file> --plan <id>  Upload a local Playwright script for a plan
+                                           (skips paid AI generation; --device optional)
   testlab examples                         Print the full JSON reference for every
                                            resource (designed for AI agents)
-  testlab skills install [--agent ...]     Install the test-lab-plan skill (auto-detects
-                                           Claude/Codex/Cursor; --agent claude|codex|cursor|all)
+  testlab skills install [--agent ...]     Install the test-lab skills (test-lab-plan +
+                                           test-lab-script; auto-detects Claude/Codex/Cursor;
+                                           --agent claude|codex|cursor|all)
   testlab skills update                    Refresh installed skills (also auto-runs after a CLI upgrade)
 
 Options:
@@ -79,6 +82,8 @@ function parse() {
       global: { type: "boolean" },
       agent: { type: "string" },
       project: { type: "string" },
+      plan: { type: "string" },
+      device: { type: "string" },
       version: { type: "boolean", short: "v" },
       help: { type: "boolean", short: "h" },
     },
@@ -153,9 +158,25 @@ async function cmdLogin(flags) {
 
 async function cmdWhoami(flags) {
   const { apiKey, apiUrl } = requireAuth(flags)
-  const r = await verifyKey(apiUrl, apiKey)
+  // The two requests are independent (apiFetch never throws), so fire
+  // them together — whoami is interactive and the serial form doubled
+  // its wall-clock. Identity endpoint shipped after the CLI's first
+  // release: older servers 404 on /me and we just skip those lines.
+  const [r, me] = await Promise.all([
+    verifyKey(apiUrl, apiKey),
+    apiFetch(apiUrl, apiKey, "GET", "/api/v1/me"),
+  ])
   if (!r.ok) errExit(`not authenticated (${r.status}): ${r.json?.error || ""}`)
   log(`✓ Authenticated to ${apiUrl}`)
+  if (me.ok && me.json) {
+    if (me.json.email) log(`  Email:   ${me.json.email}`)
+    const accountLabel =
+      me.json.accountType === "organization"
+        ? `${me.json.organization?.name || "organization"} (organization)`
+        : "personal"
+    log(`  Account: ${accountLabel}`)
+    if (me.json.plan) log(`  Plan:    ${me.json.plan}`)
+  }
   log(`  Test plans in account: ${r.json?.total ?? "?"}`)
 }
 
@@ -345,6 +366,54 @@ async function cmdDataCreate(flags) {
   log(`✓ Created data fixture: ${r.json.fixture.key}`)
 }
 
+// Upload a locally-written Playwright .spec.ts for an existing plan, skipping
+// paid AI generation. The server validates it (allow-list + intent review),
+// wraps it in the trusted harness, and stores it as the plan's saved script.
+// On rejection the per-line issues are printed so an agent can self-correct.
+async function cmdScriptsUpload(flags, args) {
+  const file = args[2]
+  if (!file) errExit("usage: testlab scripts upload <file.spec.ts> --plan <planId> [--device <device>]")
+  const planId = flags.plan ? parseInt(flags.plan, 10) : NaN
+  if (!Number.isInteger(planId)) errExit("--plan <planId> is required (the numeric test-plan id; see `testlab plans list`)")
+  const { apiKey, apiUrl } = requireAuth(flags)
+
+  let script
+  try {
+    script = fs.readFileSync(file, "utf8")
+  } catch (e) {
+    errExit(`could not read ${file}: ${e.message}`)
+  }
+
+  // Omit the device when --device isn't passed so the server resolves it to the
+  // plan's first configured device. Hardcoding "Desktop Chrome" here would 400
+  // on any plan whose device isn't Desktop Chrome (the server validates it).
+  const device = flags.device
+  const r = await apiFetch(apiUrl, apiKey, "POST", "/api/v1/scripts/upload", { script, planId, device })
+
+  // 422 = the script was understood but rejected (allow-list or intent review).
+  // Print the structured issues so a human or agent can fix and retry.
+  if (r.status === 422 && Array.isArray(r.json?.issues)) {
+    log(`✗ Script rejected (${r.json.issues.length} issue${r.json.issues.length === 1 ? "" : "s"}):`)
+    for (const i of r.json.issues) {
+      const loc = i.line ? `L${i.line}${i.column ? ":" + i.column : ""} ` : ""
+      log(`  ${loc}[${i.rule}] ${i.message}`)
+    }
+    process.exit(1)
+  }
+  if (r.status === 422 && r.json?.reason) {
+    log(`✗ Script rejected by security review: ${r.json.reason}`)
+    process.exit(1)
+  }
+  if (!r.ok) errExit(`${r.status}: ${r.json?.error || "upload failed"}`)
+
+  const steps = r.json?.stepCount
+  // Show the device the SERVER resolved (it defaults an omitted device to the
+  // plan's first), not the CLI-local flag which is undefined when --device is omitted.
+  const resolvedDevice = r.json?.device || device || "the plan's default device"
+  log(`✓ Uploaded ${file} → plan #${planId} (${steps != null ? `${steps} step${steps === 1 ? "" : "s"}, ` : ""}${resolvedDevice})`)
+  log(`  This plan now runs your script instead of AI generation.`)
+}
+
 function cmdExamples() {
   log(EXAMPLES_TEXT)
 }
@@ -480,6 +549,9 @@ async function main() {
       if (args[1] === "list") return cmdDataList(flags)
       if (args[1] === "create") return cmdDataCreate(flags)
       return errExit("usage: testlab data <list|create>")
+    case "scripts":
+      if (args[1] === "upload") return cmdScriptsUpload(flags, args)
+      return errExit("usage: testlab scripts upload <file.spec.ts> --plan <planId> [--device <device>]")
     case "examples":
       return cmdExamples()
     case "skills":

package/lib/config.mjs

@@ -36,6 +36,8 @@ export function saveConfig(cfg) {
 export function resolveAuth(flags) {
   const cfg = loadConfig()
   const apiKey = flags.key || process.env.TESTLAB_API_KEY || cfg.apiKey || null
-  const apiUrl = (flags["api-url"] || cfg.apiUrl || DEFAULT_API_URL).replace(/\/+$/, "")
+  const apiUrl = (
+    flags["api-url"] || process.env.TESTLAB_API_URL || cfg.apiUrl || DEFAULT_API_URL
+  ).replace(/\/+$/, "")
   return { apiKey, apiUrl }
 }

package/lib/skills.mjs

@@ -26,7 +26,7 @@ import path from "node:path"
 import { fileURLToPath } from "node:url"
 
 // Skills published by test-lab. Add new skill directory names here.
-export const TESTLAB_SKILLS = ["test-lab-plan"]
+export const TESTLAB_SKILLS = ["test-lab-plan", "test-lab-script"]
 
 // Agents this CLI can install into.
 export const AGENTS = ["claude", "codex", "cursor"]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@test-lab-ai/cli",
-  "version": "0.2.10",
+  "version": "0.2.12",
   "description": "Import existing test plans into test-lab.ai from the command line (or an AI agent).",
   "type": "module",
   "bin": {

package/skills/test-lab-plan/SKILL.md

@@ -245,6 +245,7 @@ Rules: get secret VALUES from the user (the CLI stores them encrypted, never ech
 
 ## Going further
 
+- **Write the Playwright yourself and upload it** (skip paid AI generation) instead of describing a flow — use the **test-lab-script** skill (`testlab scripts upload`). Best when the user already has a `.spec.ts` or wants exact control.
 - **Create plans (and their credentials, labels, and data) directly** instead of pasting — the `@test-lab-ai/cli`. See "Creating it with the CLI" above.
 - **Two ways to drive this skill** (author a test while you build a feature, or import tests you already have) — see `examples/workflows.md`.
 - **Variable syntax in depth** (pre-steps, pipeline inputs, devices) — see `references/syntax.md`.

package/skills/test-lab-script/SKILL.md

@@ -0,0 +1,163 @@
+---
+name: test-lab-script
+description: Write and upload a Playwright .spec.ts to test-lab.ai to skip paid AI script generation. Use this skill when the user wants to hand-write a Playwright test (or already has one) and attach it to an EXISTING test-lab.ai test plan via the CLI (`testlab scripts upload`), instead of describing a flow in English for the AI to generate. Trigger on "upload a Playwright script to test-lab", "write the Playwright myself", "I already have a .spec.ts", "skip AI generation / save credits", "attach my own test script", "testlab scripts upload". For describing a flow in plain English so the platform generates the Playwright, use the test-lab-plan skill instead. Outputs a .spec.ts that passes the upload allow-list (no imports, no lifecycle hooks, Playwright + safe JS only) plus the exact upload command.
+allowed-tools:
+  - Read
+  - Glob
+  - Grep
+  - WebFetch
+  - Bash
+  - Write
+---
+
+# test-lab.ai uploaded scripts
+
+[test-lab.ai](https://test-lab.ai) is an AI QA platform. Normally you describe a flow in plain English and the platform's AI generates the Playwright that runs it (that is the `test-lab-plan` skill). This skill is the other path: you **write the Playwright `.spec.ts` yourself** and upload it to an existing plan, so the plan runs your exact script and skips paid generation.
+
+Use this skill when the user says they want to write the Playwright themselves, already have a `.spec.ts`, or wants to save generation credits. If they instead want to describe a flow and let the AI build it, use **test-lab-plan**.
+
+## The one thing to understand first
+
+You write **only the test steps**. You do **not** write the scaffolding. When you upload, the platform throws away everything except your step bodies and your top-level shared variables, then re-wraps them in its own harness that:
+
+- imports Playwright and sets up the browser, context, tracing, and teardown for you,
+- opens a shared page named `sharedPage`, already navigated to the plan's start URL, before your first step,
+- runs your steps **serially**, in order, sharing that one page and browser context.
+
+So your file must **not** contain `import` lines or `beforeAll`/`afterAll` hooks. If you write them, they are ignored (the harness owns them). What you write is a sequence of `test(...)` steps that drive `sharedPage`.
+
+This also means the script runs in a **restricted environment**: Playwright and ordinary JavaScript only. No Node APIs (`fs`, `process`, `require`), no network clients (`fetch`, the `request` fixture), no `page.evaluate`. You drive the application the way a user would: through the page. The full allow / deny list is in `references/playwright-api.md` and is summarized below.
+
+## Workflow
+
+Follow these in order.
+
+### 1. Confirm the target plan exists and is reachable
+
+An upload attaches to an **existing** plan by numeric id. Before writing anything:
+
+- `testlab whoami` – confirm the CLI is authenticated. If not, the user runs `testlab login` once or sets `TESTLAB_API_KEY`. If `testlab` is not found, use `npx @test-lab-ai/cli` instead.
+- `testlab plans list` – find the plan id to upload to. The plan must already have a target URL (from its prompt or its project), because the script runs against that origin.
+
+If there is no suitable plan yet, create one first (in the dashboard, or with the **test-lab-plan** skill + `testlab import`). The plan's English prompt stops driving runs the moment a script is uploaded: your script replaces AI generation for that plan and device.
+
+### 2. Know the flow and its checks
+
+Same discipline as a good test plan: one user journey, explicit start, observable assertions. If you are in the target site's repo, read the relevant component / route so your locators and assertions match real DOM text and real success states, not guesses. If you are not in the repo, pull a snapshot with WebFetch or ask the user for the key screens. Anchor every `expect` to something real.
+
+### 3. Write the steps against `sharedPage`
+
+Use the Template below. Each step is a `test("Step N: ...", async (...) => { ... })` block that acts on `sharedPage` and asserts with `expect`. The browser already sits on the start URL when Step 1 begins, so go straight into the flow. Keep one logical action + its checks per step; steps run in order and share state.
+
+### 4. Plug in credentials and per-run data through fixtures
+
+Never inline a real password, token, or email. Pull sensitive values from the `credentials` fixture, and unique-per-run values from the `run` fixture, by **destructuring them in the step's parameters**:
+
+```ts
+test("Step 1: Sign in", async ({ credentials }) => {
+  await sharedPage.getByLabel("Email").fill(credentials.testEmail);
+  await sharedPage.getByLabel("Password").fill(credentials.testPassword);
+  await sharedPage.getByRole("button", { name: "Sign in" }).click();
+});
+```
+
+The real values are injected at run time and never appear in your file. Configure the credential keys on the plan first (dashboard → Credentials, or `testlab credentials`). For a fresh value each run (a unique email, an order ref), use the `run` fixture (e.g. `run.shortId`); run `testlab examples` for the exact fixture shape. A bare `credentials` / `run` / `page` reference (not destructured) is rejected with a message telling you to add it to the step parameters.
+
+### 5. Self-check, then upload
+
+Run the Self-check list below. Then write the file and upload:
+
+```bash
+testlab scripts upload login.spec.ts --plan 1234
+```
+
+- `--device` is optional; omit it and the server uses the plan's first configured device. If you pass one it must match a device configured on the plan, or the upload is rejected.
+- On success you see `✓ Uploaded … → plan #1234 (N steps, <device>)` and the plan now runs your script instead of AI generation.
+- On rejection the CLI prints the issues to fix. Allow-list problems come as `L<line>:<col> [<rule>] <message>` lines (the `[rule]` → fix map is in `references/playwright-api.md`); a security-review or device-mismatch rejection prints a plain reason instead. Fix what each says and re-upload. Don't try to "trick" the validator; rewrite the step to drive the page.
+
+## Template
+
+A passing uploaded script looks like this. Note: no imports, no `beforeAll`/`afterAll`, steps drive `sharedPage`, shared state is a top-level `let`.
+
+```ts
+// Optional cross-step state (top-level let/const is allowed and carried over).
+let orderRef = "";
+
+test("Step 1: Sign in", async ({ credentials }) => {
+  // sharedPage is already on the plan's start URL.
+  await sharedPage.getByLabel("Email").fill(credentials.testEmail);
+  await sharedPage.getByLabel("Password").fill(credentials.testPassword);
+  await sharedPage.getByRole("button", { name: "Sign in" }).click();
+  await expect(sharedPage.getByRole("navigation")).toContainText("Dashboard");
+});
+
+test("Step 2: Place an order", async ({ run }) => {
+  orderRef = `TEST-${run.shortId}`;
+  await sharedPage.getByRole("link", { name: "New order" }).click();
+  await sharedPage.getByLabel("Reference").fill(orderRef);
+  await sharedPage.getByRole("button", { name: "Submit" }).click();
+});
+
+test("Step 3: Confirm it was created", async () => {
+  await expect(sharedPage.getByRole("heading")).toHaveText("Order created");
+  await expect(sharedPage.getByText(orderRef)).toBeVisible();
+});
+```
+
+You may wrap the steps in `test.describe.serial("...", () => { ... })` if you prefer; it is optional (the harness already runs them serially). Top-level `let`/`const`/`function` declarations are carried over so steps can share them.
+
+### What you can write inside a step
+
+- **Playwright:** `sharedPage` actions (`goto`, `click`, `fill`, `getByRole`/`getByLabel`/`getByText`/`locator`, `waitForURL`, `waitForLoadState`, …) and `expect(...)` matchers (`toBeVisible`, `toHaveText`, `toHaveURL`, …).
+- **Plain JavaScript:** variables, `if`/`for`/`while`/`try`, arrow and named functions, destructuring, `async`/`await`, template literals, regex, `Promise.all([...])`.
+- **Safe built-ins:** `JSON`, `Math`, `Date`, `RegExp`, `Number`, `String`, `Array`, `Object`, `Set`, `Map`, `console`, `Intl`, and similar pure helpers.
+- **Fixtures**, by destructuring step parameters: `page`, `context`, `browser`, `run`, `credentials`, `pipeline`, `testInfo`, `browserName`. (`sharedPage`, `context`, and `expect` are already available without destructuring.)
+
+### What you must not write (and the fix)
+
+| Don't | Why / Fix |
+|---|---|
+| `import ...` / `export ...` | The harness provides imports. Delete them. |
+| `test.beforeAll` / `afterAll` / `beforeEach` | The harness owns lifecycle. Put setup in Step 1 against `sharedPage`. |
+| `process`, `require`, `fs`, `Buffer`, `__dirname` | Node host APIs are unavailable. Drive the app through the page. |
+| `fetch`, `XMLHttpRequest`, `WebSocket`, the `request` fixture | No direct network clients. Trigger requests via UI actions and assert the visible result. |
+| `page.evaluate` / `$eval` / `waitForFunction` / `addInitScript` / `page.route` | In-page code execution and network interception are unavailable. Use locators + `expect`. |
+| `eval`, `Function(...)`, `globalThis`, `Reflect`, `Proxy` | Not available. Write the logic directly. |
+| `window`, `document`, `navigator`, `location` | Step bodies run in Node, not the browser. Use Playwright locators (`sharedPage.getBy…`). |
+| `el["some" + x]` (computed key) or `.constructor` / `.__proto__` | Use dot access, `.nth(i)`, or `.at(i)`; don't touch prototype/constructor. |
+| Downloading a file to disk via Node | Not available in an uploaded step. Assert the download was offered (e.g. a `download` event or the link/state) through the page. |
+
+The complete lists and the per-rule fixes are in `references/playwright-api.md`.
+
+## Self-check (apply before upload)
+
+1. **No `import`/`export` lines** anywhere in the file.
+2. **No `beforeAll`/`afterAll`/`beforeEach`.** Setup lives in Step 1 against `sharedPage`.
+3. **At least one `test("...", async (...) => { ... })` step**, and each does one logical action + its checks.
+4. **Steps drive `sharedPage`** for continuity (a destructured `page` is a fresh, un-navigated page – only use it for a deliberately isolated check).
+5. **Every assertion is real.** `expect` targets DOM text / state that actually exists (read the source where you could).
+6. **No inlined secrets.** Passwords / tokens / real emails come from `{ credentials }`; unique-per-run values from `{ run }`. Each is destructured in the step that uses it.
+7. **No Node / browser / network globals** (`process`, `fs`, `fetch`, `window`, `request`, …) and **no `page.evaluate`/`route`**. If you reached for one, rewrite the step to use the page.
+8. **No computed member keys or prototype access** (`x[expr]`, `.constructor`, `.__proto__`).
+9. **The plan id is right** (`testlab plans list`) and the plan has a target URL.
+
+If any item fails, fix it before uploading – it will be rejected server-side anyway, and fixing first saves a round-trip.
+
+## Anti-patterns (fix before upload)
+
+| Anti-pattern | Why it's wrong | Fix |
+|---|---|---|
+| File starts with `import { test, expect } from "@playwright/test"` | The harness injects these and strips any imports you write (a leftover import is ignored, not run), so they're dead weight. | Delete all import lines. |
+| `test.beforeAll(async () => { await page.goto(...) })` | Lifecycle is owned by the platform and discarded. | Do first-step setup inside `test("Step 1: …")` on `sharedPage`. |
+| Using a destructured `page` across steps and wondering why state resets | Destructured `page` is a fresh page per step, not the shared one. | Use `sharedPage` for a continuous flow. |
+| `const data = await page.evaluate(() => window.__STATE__)` | In-page execution is unavailable. | Assert on rendered DOM via locators + `expect`. |
+| `await fetch("/api/orders")` to seed data | No network client in a step. | Drive the seeding through the UI, or set it up as a plan pre-step. |
+| `password: "hunter2"` inlined | Secrets in scripts leak into reports and version control. | `async ({ credentials }) => …` and `credentials.password`. |
+| Re-implementing login in every script | Wasted steps; brittle. | If the plan has a login pre-step, start after it; otherwise keep login as Step 1 only. |
+
+## Relationship to test-lab-plan
+
+- **test-lab-plan** – describe a flow in English; the AI generates and maintains the Playwright. Best when you want low effort or don't have a script.
+- **test-lab-script** (this skill) – you own the Playwright; upload it verbatim. Best when you already have a script, need exact control, or want to save generation credits.
+
+An uploaded script can still be refined later with AI from the dashboard (it is tagged as uploaded vs generated). `testlab examples` is the canonical, always-current reference for fixture shapes and resource formats.

package/skills/test-lab-script/references/playwright-api.md

@@ -0,0 +1,74 @@
+# Uploaded-script API reference
+
+The precise allow / deny surface for an uploaded `.spec.ts`, plus what each rejection `[rule]` means and how to fix it. The validator is **default-deny**: ordinary computation is allowed, only *capabilities* are denied. When in doubt, drive the application through `sharedPage` and assert with `expect`.
+
+## Available without declaring
+
+These names can be used in any step body without destructuring or declaring them:
+
+- `sharedPage` – the Playwright `Page` shared across all steps, already navigated to the plan's start URL before Step 1. Use this for a continuous flow.
+- `context` – the shared `BrowserContext`.
+- `expect` – Playwright assertions.
+- `test` – to declare steps (and optionally `test.describe.serial(...)` to group them).
+- Pure JS built-ins: `JSON`, `Math`, `Date`, `RegExp`, `Number`, `String`, `Boolean`, `Array`, `Object`, `Set`, `Map`, `WeakMap`, `WeakSet`, `Symbol`, `Promise`, `parseInt`, `parseFloat`, `isNaN`, `isFinite`, `encodeURIComponent`, `decodeURIComponent`, `encodeURI`, `decodeURI`, `console`, `Error`, `TypeError`, `RangeError`, `Intl`, `undefined`, `NaN`, `Infinity`.
+
+## Fixtures (destructure in the step parameters)
+
+A step may inject any of these by destructuring them from its first parameter (`async ({ ... }) => {}`), or `testInfo` as the second parameter:
+
+`page`, `context`, `browser`, `run`, `credentials`, `pipeline`, `testInfo`, `browserName`
+
+```ts
+test("Step 1: ...", async ({ page, credentials, run }, testInfo) => { ... });
+```
+
+- `credentials.<key>` – values configured on the plan; injected at run time, never written in the file.
+- `run.shortId` (and other `run` fields) – per-run values, e.g. to build a unique email or reference. Run `testlab examples` for the full shape.
+- `page` (destructured) – a **fresh** page in a separate fixture context, **not** `sharedPage`. State does not carry between steps on it. Use `sharedPage` unless you deliberately want an isolated page.
+- **Not** available as a fixture: `request` (the Playwright `APIRequestContext`). There is no direct HTTP client in an uploaded step; drive requests through the UI.
+
+## Playwright surface you can use
+
+Anything on `sharedPage` / `page` / locators / `expect` **except** the denied method names below. The common, fully-allowed set:
+
+- Navigation: `goto`, `goBack`, `reload`, `waitForURL`, `waitForLoadState`.
+- Locators: `locator`, `getByRole`, `getByText`, `getByLabel`, `getByPlaceholder`, `getByTestId`, `getByTitle`, `getByAltText`, `filter`, `nth`, `first`, `last`.
+- Actions: `click`, `dblclick`, `fill`, `type`, `press`, `check`, `uncheck`, `selectOption`, `setInputFiles`, `hover`, `focus`, `scrollIntoViewIfNeeded`, `dragTo`.
+- State / waits: `waitFor`, `isVisible`, `isEnabled`, `textContent`, `innerText`, `inputValue`, `getAttribute`, `count`.
+- Assertions: `expect(locator).toBeVisible()/toHaveText()/toContainText()/toHaveValue()/toHaveURL()/toHaveCount()/toBeEnabled()`, etc.
+
+## Denied capabilities
+
+Denied by **identifier** (free-identifier rule):
+
+`process`, `globalThis`, `global`, `Buffer`, `require`, `module`, `exports`, `__dirname`, `__filename`, `eval`, `Function`, `fetch`, `XMLHttpRequest`, `WebSocket`, `importScripts`, `Reflect`, `Proxy`, `WebAssembly`, `window`, `document`, `navigator`, `location`, `self`, `Deno`, `Bun` – and **any** name you didn't declare and that isn't listed above.
+
+Denied by **member / method name** (denied-api rule), on any receiver:
+
+`evaluate`, `evaluateHandle`, `evaluateAll`, `$eval`, `$$eval`, `waitForFunction`, `exposeFunction`, `exposeBinding`, `addInitScript`, `addScriptTag`, `route`, `routeFromHAR`, `unroute`, `unrouteAll`, `request`.
+
+Denied **member access** (dangerous-member rule):
+
+`constructor`, `__proto__`, `prototype`, `getPrototypeOf`, `setPrototypeOf`, `__defineGetter__`, `__defineSetter__`, `__lookupGetter__`, `__lookupSetter__`.
+
+Also: dynamic `import()` is denied, and computed member access with a non-literal key (`obj[expr]`) is denied. Static top-level `import`/`export` lines are **stripped** (the harness injects its own imports), so they're ignored rather than run – delete them to keep the file clean.
+
+## Rejection rules → fix
+
+When `testlab scripts upload` prints `L<line>:<col> [<rule>] <message>`, this is what each rule means:
+
+| `[rule]` | Meaning | Fix |
+|---|---|---|
+| `parse-error` | The file is not valid TypeScript/Playwright. | Fix the syntax at the reported line. |
+| `no-steps` | No `test(...)` step was found. | Wrap actions in `test("Step 1: ...", async ({ ... }) => { ... })`. |
+| `import-in-step` | An `import`/`export` appears inside validated step/declaration code (a normal top-level import is stripped, not flagged). | Don't import; the harness injects Playwright. |
+| `dynamic-import` | A dynamic `import()` call. | Remove it; uploaded steps cannot load modules. |
+| `denied-api` | A method like `evaluate`/`route`/`request`. | Use locators + `expect` (drive the UI); remove network interception / in-page eval. |
+| `dangerous-member` | `.constructor` / `.__proto__` / `.prototype` etc. | Access the value directly; don't walk the prototype chain. |
+| `computed-member` | `x[expr]` with a non-literal key. | Use dot access, `.nth(i)`, or `.at(i)`. |
+| `denied-fixture` | A step destructured a fixture that isn't allowed (e.g. `request`). | Use only `page`, `context`, `browser`, `run`, `credentials`, `pipeline`, `testInfo`, `browserName`; drive HTTP through the page. |
+| `free-identifier` | A name that is neither a safe global, an allowed fixture, nor declared by you (e.g. `process`, `fetch`, a bare `credentials`). | Remove the host/browser global, or – if it's a fixture – add it to the step parameters (`async ({ credentials }) => ...`), or declare your own variable. |
+
+## The page model, in one line
+
+`sharedPage` persists across steps (the normal case); a destructured `page` is fresh per step. Pick `sharedPage` for a journey, `page` only for an intentionally isolated probe.