avorelo 0.1.0 → 0.3.0

package/scripts/lib/browser-capability.js

@@ -1,1048 +0,0 @@
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-const SCHEMA_VERSION = 2;
-
-// ── Capability constants ───────────────────────────────────────────────────────
-
-const CAPABILITY = {
-  BROWSER_READ: "browser_read",
-  BROWSER_WRITE: "browser_write",
-  AUTHENTICATED_SESSION_ACCESS: "authenticated_session_access",
-  SENSITIVE_FORM_ACTION: "sensitive_form_action",
-  FILE_TRANSFER: "file_transfer",
-  JAVASCRIPT_OR_CDP_EXECUTION: "javascript_or_cdp_execution",
-  REMOTE_BROWSER_OR_PROXY: "remote_browser_or_proxy",
-  SELF_MODIFYING_HELPER: "self_modifying_helper",
-  DEPENDENCY_BOOTSTRAP: "dependency_bootstrap",
-};
-
-const RISK_TIER = {
-  NONE: "none",
-  LOW: "low",
-  MEDIUM: "medium",
-  HIGH: "high",
-  CRITICAL: "critical",
-};
-
-const TIER_ORDER = {
-  none: 0,
-  low: 1,
-  medium: 2,
-  high: 3,
-  critical: 4,
-};
-
-const DOMAIN_POLICY_READINESS = {
-  MISSING: "missing",
-  PARTIAL: "partial",
-  CONFIGURED: "configured",
-  STRONG: "strong",
-};
-
-// ── Known-tool registry ────────────────────────────────────────────────────────
-// Each entry: names[] matched case-insensitively against dep names and MCP server names/commands.
-
-const BROWSER_TOOL_REGISTRY = [
-  {
-    id: "browser-use",
-    names: ["browser-use", "browseruse", "browser_use"],
-    capabilities: [
-      CAPABILITY.BROWSER_READ,
-      CAPABILITY.BROWSER_WRITE,
-      CAPABILITY.AUTHENTICATED_SESSION_ACCESS,
-    ],
-    riskTier: RISK_TIER.HIGH,
-    reasons: [
-      "browser-use gives agents direct browser control including navigation, form fill, and click.",
-      "May interact with logged-in sessions via persistent browser profiles.",
-    ],
-    recommendedActions: [
-      "Use an isolated browser profile.",
-      "Prefer a test/staging account.",
-      "Require approval before form submission or account-changing actions.",
-    ],
-  },
-  {
-    id: "browser-harness",
-    names: ["browser-harness", "browser-harness-js", "@browser-harness/core", "browser_harness"],
-    capabilities: [
-      CAPABILITY.BROWSER_READ,
-      CAPABILITY.BROWSER_WRITE,
-      CAPABILITY.JAVASCRIPT_OR_CDP_EXECUTION,
-      CAPABILITY.SELF_MODIFYING_HELPER,
-      CAPABILITY.DEPENDENCY_BOOTSTRAP,
-    ],
-    riskTier: RISK_TIER.CRITICAL,
-    reasons: [
-      "browser-harness-js uses direct Chrome DevTools Protocol with possible self-modifying domain skill generation.",
-      "Can generate and save site-specific helper scripts, install dependencies (Bun/Node), and execute arbitrary JavaScript via CDP.",
-    ],
-    recommendedActions: [
-      "Use an isolated browser profile.",
-      "Disable self-modifying domain skill generation unless explicitly reviewed.",
-      "Pin all dependency installs and review before running.",
-      "Require approval before CDP execution in authenticated sessions.",
-    ],
-  },
-  {
-    id: "playwright-mcp",
-    names: ["playwright-mcp", "@playwright/mcp", "@playwright/mcp-server"],
-    capabilities: [
-      CAPABILITY.BROWSER_READ,
-      CAPABILITY.BROWSER_WRITE,
-    ],
-    riskTier: RISK_TIER.MEDIUM,
-    reasons: [
-      "Playwright MCP allows agents to navigate pages, click buttons, fill forms, and read page content.",
-    ],
-    recommendedActions: [
-      "Use an isolated browser profile.",
-      "Prefer a test/staging account for any form actions.",
-      "Add a domain allowlist to restrict which URLs the agent can visit.",
-    ],
-  },
-  {
-    id: "chrome-devtools-mcp",
-    names: ["chrome-devtools-mcp", "cdp-mcp", "mcp-cdp", "chrome-mcp", "mcp-chrome-devtools"],
-    capabilities: [
-      CAPABILITY.BROWSER_READ,
-      CAPABILITY.BROWSER_WRITE,
-      CAPABILITY.JAVASCRIPT_OR_CDP_EXECUTION,
-      CAPABILITY.AUTHENTICATED_SESSION_ACCESS,
-    ],
-    riskTier: RISK_TIER.HIGH,
-    reasons: [
-      "Chrome DevTools Protocol MCP gives the agent direct low-level browser control.",
-      "Can execute JavaScript, inspect network traffic, and interact with authenticated sessions.",
-    ],
-    recommendedActions: [
-      "Use an isolated browser profile.",
-      "Disable JavaScript execution unless explicitly needed.",
-      "Require approval before any CDP action on a logged-in session.",
-    ],
-  },
-  {
-    id: "mcp-chrome",
-    names: ["mcp-chrome", "chrome-extension-mcp", "chrome-mcp-server"],
-    capabilities: [
-      CAPABILITY.BROWSER_READ,
-      CAPABILITY.BROWSER_WRITE,
-      CAPABILITY.AUTHENTICATED_SESSION_ACCESS,
-    ],
-    riskTier: RISK_TIER.HIGH,
-    reasons: [
-      "mcp-chrome connects to Chrome with possible access to existing logged-in sessions.",
-    ],
-    recommendedActions: [
-      "Use an isolated browser profile.",
-      "Disable persistent session reuse.",
-    ],
-  },
-  {
-    id: "agent-browser",
-    names: ["agent-browser", "agent-chrome", "ai-browser"],
-    capabilities: [
-      CAPABILITY.BROWSER_READ,
-      CAPABILITY.BROWSER_WRITE,
-      CAPABILITY.AUTHENTICATED_SESSION_ACCESS,
-    ],
-    riskTier: RISK_TIER.HIGH,
-    reasons: [
-      "Agent-browser tools give AI agents direct browser control.",
-    ],
-    recommendedActions: [
-      "Use an isolated browser profile.",
-      "Require approval before form submission or account actions.",
-    ],
-  },
-  {
-    id: "puppeteer",
-    names: ["puppeteer", "puppeteer-core"],
-    capabilities: [
-      CAPABILITY.BROWSER_READ,
-      CAPABILITY.BROWSER_WRITE,
-      CAPABILITY.JAVASCRIPT_OR_CDP_EXECUTION,
-    ],
-    riskTier: RISK_TIER.MEDIUM,
-    reasons: [
-      "Puppeteer provides programmatic browser control via Chrome DevTools Protocol.",
-    ],
-    recommendedActions: [
-      "Use an isolated browser profile.",
-      "Add a domain allowlist.",
-    ],
-  },
-  {
-    id: "selenium",
-    names: ["selenium-webdriver", "selenium"],
-    capabilities: [
-      CAPABILITY.BROWSER_READ,
-      CAPABILITY.BROWSER_WRITE,
-    ],
-    riskTier: RISK_TIER.MEDIUM,
-    reasons: [
-      "Selenium WebDriver allows programmatic browser control.",
-    ],
-    recommendedActions: [
-      "Use an isolated browser profile or dedicated test account.",
-    ],
-  },
-];
-
-// ── Text-pattern registry ─────────────────────────────────────────────────────
-// Used to scan package.json scripts sections and MCP config text.
-// Each pattern must be specific enough to avoid firing on unrelated content.
-
-const PATTERN_REGISTRY = [
-  {
-    id: "pat-remote-browser",
-    pattern: /\b(remote[\s_-]?browser|cloud[\s_-]?browser|proxy[\s_-]?browser|stealth[\s_-]?browser|captcha[\s_-]?solv|anti[\s_-]?bot|bypass[\s_-]?captcha)\b/i,
-    capabilities: [CAPABILITY.REMOTE_BROWSER_OR_PROXY],
-    riskTier: RISK_TIER.CRITICAL,
-    confidence: 0.9,
-    reason: "Remote/proxy/CAPTCHA-solving browser pattern detected. This is high-risk and should be reviewed.",
-    recommendedActions: [
-      "Disable remote browser or CAPTCHA-solving unless there is a reviewed, legitimate testing need.",
-      "Remote browser access may expose authenticated session data to third-party infrastructure.",
-    ],
-  },
-  {
-    id: "pat-dep-bootstrap",
-    pattern: /\b(install[\s_-]?bun|install[\s_-]?browser|npx\s+skills\s+add|npx\s+playwright\s+install|chromium[\s_-]?install|playwright\s+install)\b/i,
-    capabilities: [CAPABILITY.DEPENDENCY_BOOTSTRAP],
-    riskTier: RISK_TIER.HIGH,
-    confidence: 0.85,
-    reason: "Dependency bootstrap pattern detected: agent may install browsers, runtimes, or packages during run.",
-    recommendedActions: [
-      "Pin dependency versions and require manual review before agent installs runtimes or browsers.",
-    ],
-  },
-  {
-    id: "pat-self-modifying",
-    pattern: /\b(domain[\s_-]?skills?|self[\s_-]?healing[\s_-]?harness|generate[\s_-]?helper|save[\s_-]?helper|create[\s_-]?helper[\s_-]?file)\b/i,
-    capabilities: [CAPABILITY.SELF_MODIFYING_HELPER],
-    riskTier: RISK_TIER.HIGH,
-    confidence: 0.8,
-    reason: "Self-modifying helper pattern: agent may generate or save site-specific automation scripts.",
-    recommendedActions: [
-      "Keep generated domain skills inside reviewable project-local folders.",
-      "Require review before generated helpers are executed.",
-    ],
-  },
-  {
-    id: "pat-persistent-session",
-    pattern: /\b(persistent[\s_-]?session|reuse[\s_-]?session|existing[\s_-]?profile|logged[\s_-]?in[\s_-]?session|user[\s_-]?cookies|local[\s_-]?storage[\s_-]?access)\b/i,
-    capabilities: [CAPABILITY.AUTHENTICATED_SESSION_ACCESS],
-    riskTier: RISK_TIER.HIGH,
-    confidence: 0.85,
-    reason: "Persistent/authenticated session access pattern detected.",
-    recommendedActions: [
-      "Use a dedicated test account instead of a personal logged-in session.",
-      "Disable persistent session reuse.",
-    ],
-  },
-  {
-    id: "pat-cdp",
-    pattern: /\b(chrome[\s_-]?devtools[\s_-]?protocol|(?<![a-zA-Z])CDP(?![a-zA-Z])|page\.evaluate|page\.addScriptTag|Runtime\.evaluate)\b/i,
-    capabilities: [CAPABILITY.JAVASCRIPT_OR_CDP_EXECUTION],
-    riskTier: RISK_TIER.HIGH,
-    confidence: 0.85,
-    reason: "Chrome DevTools Protocol or JavaScript execution pattern detected.",
-    recommendedActions: [
-      "Require approval before JavaScript execution in authenticated sessions.",
-    ],
-  },
-  {
-    id: "pat-browser-automation",
-    pattern: /\b(browser[\s_-]?automation|browser[\s_-]?control|browser[\s_-]?harness|automated[\s_-]?browsing|automate[\s_-]?browser)\b/i,
-    capabilities: [CAPABILITY.BROWSER_READ, CAPABILITY.BROWSER_WRITE],
-    riskTier: RISK_TIER.MEDIUM,
-    confidence: 0.75,
-    reason: "Browser automation pattern detected in configuration or script.",
-    recommendedActions: [
-      "Use an isolated browser profile.",
-      "Restrict to test/staging environments.",
-    ],
-  },
-  {
-    id: "pat-file-transfer",
-    pattern: /\b(file[\s_-]?upload|file[\s_-]?download|attach[\s_-]?file)\b/i,
-    capabilities: [CAPABILITY.FILE_TRANSFER],
-    riskTier: RISK_TIER.HIGH,
-    confidence: 0.75,
-    reason: "File transfer capability pattern detected in browser automation context.",
-    recommendedActions: [
-      "Require explicit approval before file upload or download actions.",
-    ],
-  },
-];
-
-// ── MCP config file locations (project-relative) ──────────────────────────────
-
-const MCP_CONFIG_REL_PATHS = [
-  ".cursor/mcp.json",
-  ".claude/mcp.json",
-  "mcp.json",
-  ".mcp.json",
-  ".claude/settings.json",
-  ".claude/settings.local.json",
-];
-
-// ── Helpers ───────────────────────────────────────────────────────────────────
-
-function safeReadFile(absPath) {
-  try {
-    return fs.readFileSync(absPath, "utf8").replace(/^/, "");
-  } catch {
-    return null;
-  }
-}
-
-function safeParseJson(text) {
-  try {
-    return JSON.parse(text);
-  } catch {
-    return null;
-  }
-}
-
-function nowIso() {
-  return new Date().toISOString();
-}
-
-function shortId(prefix, seed) {
-  const hash = crypto.createHash("sha256").update(String(seed || "")).digest("hex").slice(0, 8);
-  return `${prefix}-${hash}`;
-}
-
-function maxTier(a, b) {
-  return (TIER_ORDER[a] || 0) >= (TIER_ORDER[b] || 0) ? a : b;
-}
-
-function confidenceLabel(score) {
-  if (score >= 0.8) return "high";
-  if (score >= 0.65) return "medium";
-  return "low";
-}
-
-// ── Registry lookup ───────────────────────────────────────────────────────────
-
-function findRegistryEntry(name) {
-  if (!name || typeof name !== "string") return null;
-  // Strip npm scope for comparison
-  const lower = name.toLowerCase();
-  return BROWSER_TOOL_REGISTRY.find((entry) =>
-    entry.names.some((n) => {
-      const nLower = n.toLowerCase();
-      // Exact match, or the dep name ends with the bare name (handles scoped pkgs)
-      return lower === nLower || lower.endsWith(`/${nLower}`) || nLower.endsWith(`/${lower}`);
-    })
-  ) || null;
-}
-
-// ── package.json scanner ──────────────────────────────────────────────────────
-
-function scanPackageJson(cwd, scannedFiles) {
-  const absPath = path.join(cwd, "package.json");
-  const text = safeReadFile(absPath);
-  if (!text) return [];
-
-  const pkg = safeParseJson(text);
-  if (!pkg) return [];
-
-  scannedFiles.push("package.json");
-  const findings = [];
-
-  const allDeps = Object.assign(
-    {},
-    pkg.dependencies || {},
-    pkg.devDependencies || {},
-    pkg.optionalDependencies || {}
-  );
-
-  Object.keys(allDeps).forEach((depName) => {
-    const entry = findRegistryEntry(depName);
-    if (!entry) return;
-    const key = `${entry.id}:package.json`;
-    findings.push({
-      id: shortId("bcf", key),
-      name: depName,
-      sourceType: "package_json",
-      sourcePath: "package.json",
-      matchedText: depName,
-      matchedPattern: `dependency:${depName}`,
-      confidence: "high",
-      capabilities: entry.capabilities.slice(),
-      riskTier: entry.riskTier,
-      reasons: entry.reasons.slice(),
-      recommendedActions: entry.recommendedActions.slice(),
-      _registryId: entry.id,
-      _dedupeKey: key,
-    });
-  });
-
-  // Pattern scan on scripts section only (not full package.json to avoid README-style content)
-  const scripts = pkg.scripts && typeof pkg.scripts === "object" ? pkg.scripts : {};
-  const scriptText = Object.values(scripts).join("\n");
-  if (scriptText) {
-    const patternFindings = scanTextForPatterns(scriptText, "package.json#scripts", "script");
-    findings.push(...patternFindings);
-  }
-
-  return findings;
-}
-
-// ── MCP config scanner ────────────────────────────────────────────────────────
-
-function extractMcpServerEntries(json) {
-  if (!json || typeof json !== "object") return [];
-  const results = [];
-
-  // Standard: { mcpServers: { serverName: { command, args } } }
-  const servers = json.mcpServers || json.mcp_servers || json.servers || {};
-  if (typeof servers === "object" && !Array.isArray(servers)) {
-    Object.entries(servers).forEach(([serverName, serverDef]) => {
-      results.push({ name: serverName, def: serverDef });
-      // Also inspect command + first args element for package names
-      if (serverDef && typeof serverDef === "object") {
-        const cmd = String(serverDef.command || "");
-        const args = Array.isArray(serverDef.args) ? serverDef.args.map(String) : [];
-        [cmd, ...args.slice(0, 3)].forEach((token) => {
-          if (token && token !== serverName) results.push({ name: token, def: null });
-        });
-      }
-    });
-  }
-
-  return results;
-}
-
-function scanMcpConfigs(cwd, scannedFiles) {
-  const findings = [];
-  const seenDedupeKeys = new Set();
-
-  MCP_CONFIG_REL_PATHS.forEach((relP) => {
-    const absPath = path.join(cwd, relP);
-    const text = safeReadFile(absPath);
-    if (!text) return;
-
-    const json = safeParseJson(text);
-    if (!json) return;
-
-    // Only track file as scanned if it had parseable content
-    if (!scannedFiles.includes(relP)) scannedFiles.push(relP);
-
-    const serverEntries = extractMcpServerEntries(json);
-    serverEntries.forEach(({ name }) => {
-      const entry = findRegistryEntry(name);
-      if (!entry) return;
-      const key = `${entry.id}:${relP}`;
-      if (seenDedupeKeys.has(key)) return;
-      seenDedupeKeys.add(key);
-
-      findings.push({
-        id: shortId("bcf", key),
-        name,
-        sourceType: "mcp_config",
-        sourcePath: relP,
-        matchedText: name,
-        matchedPattern: `mcp_server:${name}`,
-        confidence: "high",
-        capabilities: entry.capabilities.slice(),
-        riskTier: entry.riskTier,
-        reasons: entry.reasons.slice(),
-        recommendedActions: entry.recommendedActions.slice(),
-        _registryId: entry.id,
-        _dedupeKey: key,
-      });
-    });
-
-    // Pattern scan on full MCP config text to catch inline descriptions
-    const patternFindings = scanTextForPatterns(text, relP, "mcp_config");
-    findings.push(...patternFindings);
-  });
-
-  return findings;
-}
-
-// ── Skill/command file scanner ────────────────────────────────────────────────
-// Only registry-name matching (no pattern scanning) to keep false positives low.
-
-const SKILL_EXTENSIONS = new Set([".md", ".json", ".yaml", ".yml", ".txt"]);
-const SKILL_SCAN_ROOTS = ["skills", ".claude/skills", ".claude/commands"];
-
-function scanSkillFiles(cwd, scannedFiles) {
-  const findings = [];
-  const seenDedupeKeys = new Set();
-
-  SKILL_SCAN_ROOTS.forEach((rootRel) => {
-    const absRoot = path.join(cwd, rootRel);
-    if (!fs.existsSync(absRoot)) return;
-
-    const walkDir = (dir) => {
-      let entries;
-      try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
-      catch { return; }
-
-      entries.forEach((entry) => {
-        const entryAbs = path.join(dir, entry.name);
-        if (entry.isDirectory()) { walkDir(entryAbs); return; }
-        if (!entry.isFile()) return;
-        if (!SKILL_EXTENSIONS.has(path.extname(entry.name).toLowerCase())) return;
-
-        const text = safeReadFile(entryAbs);
-        if (!text) return;
-
-        const relP = path.relative(cwd, entryAbs).replace(/\\/g, "/");
-        if (!scannedFiles.includes(relP)) scannedFiles.push(relP);
-
-        BROWSER_TOOL_REGISTRY.forEach((toolEntry) => {
-          const namePat = new RegExp(
-            `\\b(${toolEntry.names.map((n) => n.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("|")})\\b`,
-            "i"
-          );
-          if (!namePat.test(text)) return;
-          const matchResult = text.match(namePat);
-          const matchedText = matchResult ? matchResult[0] : toolEntry.names[0];
-
-          const key = `${toolEntry.id}:${relP}`;
-          if (seenDedupeKeys.has(key)) return;
-          seenDedupeKeys.add(key);
-
-          findings.push({
-            id: shortId("bcf", key),
-            name: toolEntry.names[0],
-            sourceType: "skill_manifest",
-            sourcePath: relP,
-            matchedText,
-            matchedPattern: namePat.source,
-            confidence: "medium",
-            capabilities: toolEntry.capabilities.slice(),
-            riskTier: toolEntry.riskTier,
-            reasons: toolEntry.reasons.slice(),
-            recommendedActions: toolEntry.recommendedActions.slice(),
-            _registryId: toolEntry.id,
-            _dedupeKey: key,
-          });
-        });
-      });
-    };
-
-    walkDir(absRoot);
-  });
-
-  return findings;
-}
-
-// ── Pattern scanner ───────────────────────────────────────────────────────────
-
-function scanTextForPatterns(text, sourcePath, sourceType) {
-  if (!text || typeof text !== "string") return [];
-  const findings = [];
-
-  PATTERN_REGISTRY.forEach((entry) => {
-    // Reset lastIndex for global flags (none here, but defensive)
-    entry.pattern.lastIndex = 0;
-    if (!entry.pattern.test(text)) return;
-    entry.pattern.lastIndex = 0;
-    const matchResult = text.match(entry.pattern);
-    const matchedText = matchResult ? matchResult[0] : "";
-    const key = `${entry.id}:${sourcePath}`;
-
-    findings.push({
-      id: shortId("bcf", key),
-      name: `pattern:${entry.id}`,
-      sourceType,
-      sourcePath,
-      matchedText,
-      matchedPattern: entry.pattern.source,
-      confidence: confidenceLabel(entry.confidence),
-      capabilities: entry.capabilities.slice(),
-      riskTier: entry.riskTier,
-      reasons: [entry.reason],
-      recommendedActions: entry.recommendedActions.slice(),
-      _patternId: entry.id,
-    });
-  });
-
-  return findings;
-}
-
-// ── Deduplication ─────────────────────────────────────────────────────────────
-// For registry findings: keep the highest-confidence source (package.json > mcp_config > skill_manifest).
-// For pattern findings: keep one per pattern per source file.
-
-const SOURCE_PRIORITY = { package_json: 3, script: 2, mcp_config: 2, skill_manifest: 1, config: 1, unknown: 0 };
-
-function deduplicateFindings(findings) {
-  // Group registry findings by registryId
-  const registryGroups = new Map();
-  const patternFindings = [];
-
-  findings.forEach((f) => {
-    if (f._registryId) {
-      const existing = registryGroups.get(f._registryId);
-      if (!existing || (SOURCE_PRIORITY[f.sourceType] || 0) > (SOURCE_PRIORITY[existing.sourceType] || 0)) {
-        registryGroups.set(f._registryId, f);
-      }
-    } else {
-      patternFindings.push(f);
-    }
-  });
-
-  // Deduplicate pattern findings by _patternId + sourcePath
-  const seenPatterns = new Set();
-  const dedupedPatterns = patternFindings.filter((f) => {
-    const key = `${f._patternId || f.id}:${f.sourcePath}`;
-    if (seenPatterns.has(key)) return false;
-    seenPatterns.add(key);
-    return true;
-  });
-
-  return [...registryGroups.values(), ...dedupedPatterns];
-}
-
-// ── Tier computation ──────────────────────────────────────────────────────────
-
-function computeOverallTier(findings) {
-  if (!findings.length) return RISK_TIER.NONE;
-  return findings.reduce((tier, f) => maxTier(tier, f.riskTier), RISK_TIER.NONE);
-}
-
-// ── Summary and recommended actions ──────────────────────────────────────────
-
-function buildSummaryText(findings, overallTier) {
-  if (!findings.length) {
-    return "No browser-capability tools detected.";
-  }
-  const toolNames = [...new Set(findings.filter((f) => f._registryId).map((f) => f.name))];
-  const allCaps = [...new Set(findings.flatMap((f) => f.capabilities))];
-  const capStr = allCaps.slice(0, 3).map((c) => c.replace(/_/g, " ")).join(", ");
-
-  switch (overallTier) {
-    case RISK_TIER.CRITICAL:
-      return `Critical browser capability detected${toolNames.length ? `: ${toolNames.slice(0, 2).join(", ")}` : ""}. Agent may have broad browser control including CDP, remote browser, or self-modifying capabilities.`;
-    case RISK_TIER.HIGH:
-      return `High-risk browser capability detected${toolNames.length ? `: ${toolNames.slice(0, 2).join(", ")}` : ""}. Agent may access authenticated sessions, execute JavaScript, or perform file transfers.`;
-    case RISK_TIER.MEDIUM:
-      return `Browser capability detected${toolNames.length ? `: ${toolNames.slice(0, 2).join(", ")}` : ""}. Capabilities: ${capStr || "browser read/write"}. Use an isolated profile for logged-in apps.`;
-    default:
-      return `Low-risk browser capability detected. Capabilities: ${capStr || "browser read"}.`;
-  }
-}
-
-function buildRecommendedActions(findings, overallTier) {
-  const actions = new Set();
-
-  if (findings.length) {
-    actions.add("Use an isolated browser profile.");
-    actions.add("Prefer a test/staging account.");
-  }
-
-  findings.forEach((f) => {
-    (f.recommendedActions || []).forEach((a) => actions.add(a));
-  });
-
-  if (overallTier === RISK_TIER.HIGH || overallTier === RISK_TIER.CRITICAL) {
-    actions.add("Require approval before form submission, file upload, or account-changing actions.");
-    actions.add("Add a domain allowlist for approved URLs.");
-    actions.add("Add a denylist for production, admin, and billing domains.");
-  }
-
-  if (overallTier === RISK_TIER.CRITICAL) {
-    actions.add("Block or warn on remote browser/proxy mode by default.");
-    actions.add("Pin all dependencies and avoid auto-install during agent runs.");
-  }
-
-  return [...actions].slice(0, 8);
-}
-
-// ── Domain policy ─────────────────────────────────────────────────────────────
-
-function isValidHostname(str) {
-  if (!str || str.length > 253) return false;
-  // Labels separated by dots; each label: letters/digits/hyphens, not starting/ending with hyphen
-  return /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$/.test(str);
-}
-
-function validateDomainPattern(str) {
-  if (!str || typeof str !== "string") {
-    return { valid: false, warning: "Empty or non-string domain pattern." };
-  }
-  const trimmed = str.trim();
-  if (!trimmed) {
-    return { valid: false, warning: "Empty domain pattern after trimming." };
-  }
-
-  // Reject full URLs with scheme
-  if (/^https?:\/\//i.test(trimmed)) {
-    return {
-      valid: false,
-      warning: `"${trimmed}" looks like a full URL; use a hostname like example.com or *.example.com instead.`,
-    };
-  }
-
-  // Reject paths (slash after first label segment)
-  if (/^[^/]+\//.test(trimmed)) {
-    return {
-      valid: false,
-      warning: `"${trimmed}" contains a path; use a hostname pattern, not a URL with a path.`,
-    };
-  }
-
-  // Allow localhost and loopback
-  if (trimmed === "localhost" || trimmed === "127.0.0.1" || trimmed === "::1") {
-    return { valid: true };
-  }
-
-  // Allow *.example.com wildcard prefix
-  if (trimmed.startsWith("*.")) {
-    const rest = trimmed.slice(2);
-    if (isValidHostname(rest)) return { valid: true };
-    return { valid: false, warning: `"${trimmed}" has an invalid wildcard pattern.` };
-  }
-
-  // Reject other wildcard positions
-  if (trimmed.includes("*")) {
-    return {
-      valid: false,
-      warning: `"${trimmed}" uses a wildcard in an unsupported position. Use *.example.com format.`,
-    };
-  }
-
-  if (isValidHostname(trimmed)) return { valid: true };
-
-  return { valid: false, warning: `"${trimmed}" is not a valid hostname or domain pattern.` };
-}
-
-function normalizeDomainList(list) {
-  if (!Array.isArray(list)) return { domains: [], warnings: [] };
-
-  const seen = new Set();
-  const domains = [];
-  const warnings = [];
-
-  list.forEach((entry) => {
-    if (typeof entry !== "string") {
-      if (entry !== null && entry !== undefined) {
-        warnings.push(`Non-string domain entry ignored: ${JSON.stringify(entry)}`);
-      }
-      return;
-    }
-    const trimmed = entry.trim();
-    if (!trimmed) return;
-
-    const result = validateDomainPattern(trimmed);
-    if (!result.valid) {
-      warnings.push(result.warning);
-      return;
-    }
-
-    const lower = trimmed.toLowerCase();
-    if (seen.has(lower)) return; // dedupe
-    seen.add(lower);
-    domains.push(trimmed);
-  });
-
-  return { domains, warnings };
-}
-
-function buildDomainPolicy(domainConfig, hasFindings) {
-  const rawAllowed = Array.isArray(domainConfig?.allowedDomains) ? domainConfig.allowedDomains : [];
-  const rawBlocked = Array.isArray(domainConfig?.blockedDomains) ? domainConfig.blockedDomains : [];
-  const rawSensitive = Array.isArray(domainConfig?.sensitiveDomains) ? domainConfig.sensitiveDomains : [];
-  const requireApproval = domainConfig?.requireApprovalForUnlistedDomains === true;
-
-  const allowedResult = normalizeDomainList(rawAllowed);
-  const blockedResult = normalizeDomainList(rawBlocked);
-  const sensitiveResult = normalizeDomainList(rawSensitive);
-
-  const allWarnings = [
-    ...allowedResult.warnings,
-    ...blockedResult.warnings,
-    ...sensitiveResult.warnings,
-  ];
-
-  const hasAny = rawAllowed.length > 0 || rawBlocked.length > 0 || rawSensitive.length > 0;
-
-  if (!hasFindings) {
-    return {
-      configured: hasAny,
-      readiness: null,
-      allowedDomains: allowedResult.domains,
-      blockedDomains: blockedResult.domains,
-      sensitiveDomains: sensitiveResult.domains,
-      requireApprovalForUnlistedDomains: requireApproval,
-      validationWarnings: allWarnings,
-      summary: "No browser-capability findings; domain policy not evaluated.",
-      recommendedActions: [],
-    };
-  }
-
-  // Determine readiness
-  const hasValidAllowed = allowedResult.domains.length > 0;
-  const hasValidBlocked = blockedResult.domains.length > 0;
-
-  let readiness;
-  if (!hasAny) {
-    readiness = DOMAIN_POLICY_READINESS.MISSING;
-  } else if (hasValidAllowed && hasValidBlocked && requireApproval && allWarnings.length === 0) {
-    readiness = DOMAIN_POLICY_READINESS.STRONG;
-  } else if (hasValidAllowed || hasValidBlocked) {
-    readiness = DOMAIN_POLICY_READINESS.PARTIAL;
-  } else {
-    // Has entries but all invalid
-    readiness = DOMAIN_POLICY_READINESS.PARTIAL;
-  }
-
-  // Summary and recommendations
-  let summary = "";
-  const recommendations = [];
-
-  switch (readiness) {
-    case DOMAIN_POLICY_READINESS.MISSING:
-      summary = "No domain policy configured for browser-capable tools.";
-      recommendations.push("Add allowedDomains for local/staging/test environments.");
-      recommendations.push("Add blockedDomains for production, admin, and billing domains.");
-      recommendations.push("Set requireApprovalForUnlistedDomains: true for unlisted domains.");
-      break;
-    case DOMAIN_POLICY_READINESS.PARTIAL:
-      if (allWarnings.length > 0 && !hasValidAllowed && !hasValidBlocked) {
-        summary = "Domain policy has only invalid entries.";
-        recommendations.push("Fix malformed domain patterns; prefer hostnames or *.example.com wildcard prefixes.");
-        recommendations.push("Add allowedDomains for local/staging/test environments.");
-        recommendations.push("Add blockedDomains for production, admin, and billing domains.");
-      } else if (!hasValidAllowed && hasValidBlocked) {
-        summary = "Domain policy configured: blocked domains set, no allowed domains.";
-        recommendations.push("Add allowedDomains for safe local/staging targets.");
-      } else if (hasValidAllowed && !hasValidBlocked) {
-        summary = "Domain policy configured: allowed domains set, no blocked domains.";
-        recommendations.push("Add blockedDomains for production, admin, and billing domains.");
-      } else {
-        summary = "Domain policy configured with validation warnings.";
-        recommendations.push("Fix malformed domain patterns; prefer hostnames or *.example.com wildcard prefixes.");
-      }
-      if (!requireApproval) {
-        recommendations.push("Set requireApprovalForUnlistedDomains: true to require approval for unlisted domains.");
-      }
-      break;
-    case DOMAIN_POLICY_READINESS.CONFIGURED:
-      summary = "Domain boundaries configured for browser-capable tools.";
-      if (!requireApproval) {
-        recommendations.push("Set requireApprovalForUnlistedDomains: true for stronger boundaries.");
-      }
-      break;
-    case DOMAIN_POLICY_READINESS.STRONG:
-      summary = "Domain boundaries are fully configured for browser-capable tools.";
-      recommendations.push("Keep the domain policy reviewed as browser-capable tools change.");
-      break;
-    default:
-      summary = "Domain policy status unknown.";
-  }
-
-  return {
-    configured: hasAny,
-    readiness,
-    allowedDomains: allowedResult.domains,
-    blockedDomains: blockedResult.domains,
-    sensitiveDomains: sensitiveResult.domains,
-    requireApprovalForUnlistedDomains: requireApproval,
-    validationWarnings: allWarnings,
-    summary,
-    recommendedActions: recommendations,
-  };
-}
-
-function readBrowserDomainConfig(cwd) {
-  try {
-    // Lazy require to avoid load-time issues if config module is unavailable
-    const { readProjectConfig } = require("./config");
-    const cfg = readProjectConfig(cwd);
-    return cfg.browserCapability || {};
-  } catch {
-    return {};
-  }
-}
-
-// ── Status line formatter ─────────────────────────────────────────────────────
-
-function formatBrowserCapabilityStatusLine(report) {
-  const tier = report.overallTier;
-
-  if (tier === RISK_TIER.NONE) {
-    return "Browser capability: none — no browser-control tools detected.";
-  }
-
-  const toolNames = [...new Set(
-    (report.findings || []).filter((f) => f._registryId).map((f) => f.name)
-  )].slice(0, 2);
-  const toolLabel = toolNames.length ? ` — ${toolNames.join(", ")} detected` : "";
-
-  // Domain policy phrase (when domain policy is provided)
-  const dp = report.domainPolicy;
-  if (dp && dp.readiness !== null) {
-    switch (dp.readiness) {
-      case DOMAIN_POLICY_READINESS.MISSING:
-        return `Browser capability: ${tier}${toolLabel}; no domain policy configured.`;
-      case DOMAIN_POLICY_READINESS.PARTIAL:
-        return `Browser capability: ${tier}${toolLabel}; domain policy partial: ${dp.summary.toLowerCase()}`;
-      case DOMAIN_POLICY_READINESS.CONFIGURED:
-        return `Browser capability: ${tier}${toolLabel}; domain policy configured.`;
-      case DOMAIN_POLICY_READINESS.STRONG:
-        return `Browser capability: ${tier}${toolLabel}; domain policy strong.`;
-    }
-  }
-
-  // Fallback: show first recommended action (backward-compatible)
-  const action = (report.recommendedActions || [])[0] || "Review browser capability settings.";
-  return `Browser capability: ${tier}${toolLabel}; ${action}`;
-}
-
-// ── Main scan ─────────────────────────────────────────────────────────────────
-
-function scanProjectForBrowserCapabilities(cwd) {
-  const scannedFiles = [];
-
-  const rawFindings = [
-    ...scanPackageJson(cwd, scannedFiles),
-    ...scanMcpConfigs(cwd, scannedFiles),
-    ...scanSkillFiles(cwd, scannedFiles),
-  ];
-
-  const deduped = deduplicateFindings(rawFindings);
-
-  // Strip internal tracking keys from public output
-  const findings = deduped.map(({ _registryId, _dedupeKey, _patternId, ...clean }) => clean);
-
-  // Re-attach _registryId for status line (read-only usage post-dedup); kept on the surface object only
-  const findingsWithMeta = deduped.map(({ _dedupeKey, _patternId, ...rest }) => rest);
-
-  const uniqueScannedFiles = [...new Set(scannedFiles)];
-  const overallTier = computeOverallTier(findingsWithMeta);
-  const summary = buildSummaryText(findingsWithMeta, overallTier);
-  const recommendedActions = buildRecommendedActions(findingsWithMeta, overallTier);
-
-  return {
-    schemaVersion: SCHEMA_VERSION,
-    generatedAt: nowIso(),
-    projectRoot: cwd,
-    scannedFiles: uniqueScannedFiles,
-    findings,
-    _findingsWithMeta: findingsWithMeta, // internal; stripped before evidence write
-    overallTier,
-    summary,
-    recommendedActions,
-    evidenceId: shortId("bce", `${cwd}:${scannedFiles.join(",")}:${overallTier}`),
-  };
-}
-
-// ── Evidence artifact writer ──────────────────────────────────────────────────
-
-function writeBrowserCapabilityEvidence(cwd, report, domainPolicy) {
-  const absDir = path.join(cwd, ".claude", "cco", "security");
-  try {
-    fs.mkdirSync(absDir, { recursive: true });
-    // Strip internal meta before writing
-    const { _findingsWithMeta, ...publicReport } = report;
-    const artifact = {
-      ...publicReport,
-      ...(domainPolicy !== undefined ? { domainPolicy } : {}),
-    };
-    const absPath = path.join(absDir, "browser-capability-report.json");
-    fs.writeFileSync(absPath, JSON.stringify(artifact, null, 2), "utf8");
-    return ".claude/cco/security/browser-capability-report.json";
-  } catch {
-    return null;
-  }
-}
-
-// ── Dashboard surface builder ─────────────────────────────────────────────────
-
-function buildBrowserCapabilitySurface(cwd) {
-  let report;
-  try {
-    report = scanProjectForBrowserCapabilities(cwd);
-  } catch {
-    return null;
-  }
-
-  // Build domain policy from project config
-  const domainConfig = readBrowserDomainConfig(cwd);
-  const hasFindings = report.overallTier !== RISK_TIER.NONE;
-  const domainPolicy = buildDomainPolicy(domainConfig, hasFindings);
-
-  // Best-effort evidence write; only when findings exist (no artifact for clean projects)
-  if (hasFindings) {
-    try { writeBrowserCapabilityEvidence(cwd, report, domainPolicy); } catch { /* intentional */ }
-  }
-
-  const tier = report.overallTier;
-  const findings = report._findingsWithMeta || report.findings;
-
-  const toolFindings = findings.filter((f) =>
-    f.sourceType === "package_json" || f.sourceType === "mcp_config"
-  );
-
-  // Top risk is the most severe capability across all findings
-  const capPriority = [
-    CAPABILITY.REMOTE_BROWSER_OR_PROXY,
-    CAPABILITY.SELF_MODIFYING_HELPER,
-    CAPABILITY.DEPENDENCY_BOOTSTRAP,
-    CAPABILITY.JAVASCRIPT_OR_CDP_EXECUTION,
-    CAPABILITY.AUTHENTICATED_SESSION_ACCESS,
-    CAPABILITY.FILE_TRANSFER,
-    CAPABILITY.SENSITIVE_FORM_ACTION,
-    CAPABILITY.BROWSER_WRITE,
-    CAPABILITY.BROWSER_READ,
-  ];
-  const allCaps = new Set(findings.flatMap((f) => f.capabilities || []));
-  const topRisk = capPriority.find((c) => allCaps.has(c)) || null;
-
-  // Public findings strip internal meta
-  const publicFindings = report.findings.slice(0, 10);
-
-  return {
-    showInStatus: tier !== RISK_TIER.NONE,
-    showInDashboard: tier !== RISK_TIER.NONE,
-    statusLine: formatBrowserCapabilityStatusLine({
-      overallTier: tier,
-      findings,
-      recommendedActions: report.recommendedActions,
-      domainPolicy,
-    }),
-    overallTier: tier,
-    detectedBrowserToolsCount: toolFindings.length,
-    topRisk,
-    recommendedAction: report.recommendedActions[0] || null,
-    summary: report.summary,
-    findings: publicFindings,
-    evidenceArtifact: ".claude/cco/security/browser-capability-report.json",
-    domainPolicy,
-  };
-}
-
-// ── Exports ───────────────────────────────────────────────────────────────────
-
-module.exports = {
-  CAPABILITY,
-  RISK_TIER,
-  TIER_ORDER,
-  DOMAIN_POLICY_READINESS,
-  BROWSER_TOOL_REGISTRY,
-  PATTERN_REGISTRY,
-  findRegistryEntry,
-  computeOverallTier,
-  maxTier,
-  isValidHostname,
-  validateDomainPattern,
-  normalizeDomainList,
-  buildDomainPolicy,
-  scanProjectForBrowserCapabilities,
-  writeBrowserCapabilityEvidence,
-  buildBrowserCapabilitySurface,
-  formatBrowserCapabilityStatusLine,
-};