wb-browser-runtime 0.14.0 → 0.14.1

package/README.md

@@ -171,13 +171,13 @@ endpoint at session close. Recording is **off by default** — set
 | `WB_RECORDING_MASK_ALL_INPUTS`     | `1`        | rrweb `maskAllInputs`. Set `0` to record input *values* (off by default for safety). |
 | `WB_RECORDING_MASK_TEXT_SELECTOR`  | *(unset)*  | CSS selector whose **text content** rrweb masks (e.g. `.ssn, .acct-balance`). |
 | `WB_RECORDING_BLOCK_SELECTOR`      | *(unset)*  | CSS selector rrweb records as an inert placeholder (contents never captured). |
-| `WB_RECORDING_IGNORE_SELECTOR`     | *(unset)*  | CSS selector whose input events rrweb drops entirely. |
+| `WB_RECORDING_IGNORE_SELECTOR`     | *(unset)*  | CSS selector for elements to exclude from the recording. **In this build it is applied as a block selector** (unioned with `WB_RECORDING_BLOCK_SELECTOR`): the matching element is recorded as an inert placeholder and its subtree/inputs are never captured. The vendored rrweb bundle does not support rrweb's `ignoreSelector` (which only drops input *events*), so we map this knob onto the supported, stronger `blockSelector` to honor the "drop this field" intent. |
 
 Artifacts are two parallel POSTs per session, `kind ∈ {rrweb, video}`:
 
 - **rrweb** — gzipped JSON (`application/json+gzip`) — `{ run_id, session, event_count, events: [...] }`. DOM mutations + input events captured from every page.
 
-  **PII scope — read this.** `maskAllInputs` (on by default) only redacts the *values* a user types into form fields. It does **not** mask field labels, placeholders, `aria-label`s, `<option>` text, or any other rendered text, and it does not alter the recorded DOM structure. A displayed account number, balance, or name that is page text — not an input value — is captured verbatim. For those, point rrweb at the sensitive nodes with `WB_RECORDING_MASK_TEXT_SELECTOR` (mask the text) or `WB_RECORDING_BLOCK_SELECTOR` (omit the subtree). When in doubt, block the region.
+  **PII scope — read this.** `maskAllInputs` (on by default) only redacts the *values* a user types into form fields. It does **not** mask field labels, placeholders, `aria-label`s, `<option>` text, or any other rendered text, and it does not alter the recorded DOM structure. A displayed account number, balance, or name that is page text — not an input value — is captured verbatim. For those, point rrweb at the sensitive nodes with `WB_RECORDING_MASK_TEXT_SELECTOR` (mask the text) or `WB_RECORDING_BLOCK_SELECTOR` (omit the subtree). `WB_RECORDING_IGNORE_SELECTOR` is treated as an alias for `WB_RECORDING_BLOCK_SELECTOR` in this build (the vendored rrweb bundle has no `ignoreSelector` support), so a field named there is excluded from the recording entirely rather than merely having its input events dropped. When in doubt, block the region.
 - **video** — VP9 WebM (`video/webm`) — encoded from JPEG screencast frames via `ffmpeg`. Requires `ffmpeg` on `$PATH` (droplet install: `apt-get install -y ffmpeg`). If `ffmpeg` is missing the video kind silently disables and rrweb continues alone.
 
 Each POST carries headers `Authorization: Bearer <secret>`,

package/lib/http.js

@@ -1,3 +1,5 @@
+import dns from "node:dns";
+import { isIP } from "node:net";
 import { log } from "./io.js";
 
 export async function safeText(res) {
@@ -8,6 +10,138 @@ export async function safeText(res) {
   }
 }
 
+// --- Body-read timeout handoff ---------------------------------------------
+//
+// retryableFetch's AbortController timer normally fires until fetch() resolves
+// (headers received) and is then cleared in `finally`. That leaves the *body*
+// read unbounded: a server can dribble bytes forever after sending headers.
+//
+// `keepBodyTimeout: true` is an opt-in for callers that consume the body
+// themselves (the signed-URL download path). When set, on a successful (2xx)
+// response we do NOT clear the timer — instead we stash the timer + controller
+// in a WeakMap keyed by the Response so the caller can either:
+//   - releaseBodyTimeout(res): clear it once the body is fully consumed, or
+//   - abortBody(res): abort the in-flight body read (e.g. size cap tripped).
+// If the caller never releases, the timer still fires and aborts the socket,
+// so a hung body read can't wedge the process. Other callers (default
+// keepBodyTimeout=false) are unaffected — their timer is cleared as before.
+const bodyTimers = new WeakMap();
+
+export function releaseBodyTimeout(res) {
+  const entry = bodyTimers.get(res);
+  if (entry) {
+    clearTimeout(entry.timer);
+    bodyTimers.delete(res);
+  }
+}
+
+export function abortBody(res) {
+  const entry = bodyTimers.get(res);
+  if (entry) {
+    try {
+      entry.controller.abort();
+    } catch {}
+  }
+}
+
+// Best-effort cancel/drain of a response body so a non-OK or redirect response
+// doesn't leak the underlying socket while we throw or follow a redirect.
+export async function drainResponseBody(res) {
+  try {
+    if (res?.body?.cancel) {
+      await res.body.cancel();
+    } else if (res?.body) {
+      // Fall back to consuming it if cancel() isn't available.
+      await res.arrayBuffer().catch(() => {});
+    }
+  } catch {}
+}
+
+// --- SSRF guard: private/loopback/link-local IP detection ------------------
+
+function isPrivateIPv4(addr) {
+  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(addr);
+  if (!m) return false;
+  const a = Number(m[1]);
+  const b = Number(m[2]);
+  if (a === 0) return true; // 0.0.0.0/8 (includes the unspecified address)
+  if (a === 127) return true; // 127.0.0.0/8 loopback
+  if (a === 10) return true; // 10.0.0.0/8
+  if (a === 172 && b >= 16 && b <= 31) return true; // 172.16.0.0/12
+  if (a === 192 && b === 168) return true; // 192.168.0.0/16
+  if (a === 169 && b === 254) return true; // 169.254.0.0/16 link-local
+  return false;
+}
+
+function isPrivateIPv6(addr) {
+  let s = String(addr).toLowerCase();
+  const pct = s.indexOf("%");
+  if (pct >= 0) s = s.slice(0, pct); // strip zone id
+  if (s === "::1") return true; // loopback
+  if (s === "::") return true; // unspecified
+  // IPv4-mapped / IPv4-embedded (e.g. ::ffff:127.0.0.1, ::127.0.0.1)
+  const v4 = /:(\d+\.\d+\.\d+\.\d+)$/.exec(s);
+  if (v4 && isPrivateIPv4(v4[1])) return true;
+  const first = s.split(":")[0];
+  if (/^f[cd]/.test(first)) return true; // fc00::/7 unique-local
+  if (/^fe[89ab]/.test(first)) return true; // fe80::/10 link-local
+  return false;
+}
+
+// True if a literal IP address falls in a private/loopback/link-local range.
+export function isPrivateIp(addr) {
+  const fam = isIP(addr);
+  if (fam === 4) return isPrivateIPv4(addr);
+  if (fam === 6) return isPrivateIPv6(addr);
+  return false;
+}
+
+// Validate a single URL as an allowed download target. Applies the caller's
+// host allowlist (the SAME check used on the initial URL — this is what makes
+// redirect following safe) and, unless explicitly allowed, rejects any host
+// that is a private IP literal or resolves to one (DNS rebinding / SSRF).
+// Throws on rejection; resolves on success.
+export async function assertAllowedTarget(
+  urlStr,
+  { validateHost = null, allowPrivateIp = false } = {},
+) {
+  let u;
+  try {
+    u = new URL(urlStr);
+  } catch {
+    throw new Error(`blocked target: unparseable URL`);
+  }
+  if (u.protocol !== "http:" && u.protocol !== "https:") {
+    throw new Error(`blocked target: unsupported scheme "${u.protocol}"`);
+  }
+  const host = u.host.toLowerCase(); // includes port — matches the picker
+  const hostname = u.hostname.toLowerCase();
+  if (validateHost && !validateHost(host)) {
+    throw new Error(`blocked target: host not allowed: ${host}`);
+  }
+  if (allowPrivateIp) return;
+  if (isIP(hostname)) {
+    if (isPrivateIp(hostname)) {
+      throw new Error(`blocked target: private/loopback IP ${hostname}`);
+    }
+    return;
+  }
+  let results;
+  try {
+    results = await dns.promises.lookup(hostname, { all: true });
+  } catch (e) {
+    // Fail closed: a host we can't resolve isn't a host we should fetch.
+    throw new Error(`blocked target: could not resolve ${hostname}: ${e?.message || e}`);
+  }
+  for (const r of results) {
+    if (isPrivateIp(r.address)) {
+      throw new Error(
+        `blocked target: ${hostname} resolves to private/loopback IP ${r.address}`,
+      );
+    }
+  }
+}
+
 // Retry transient network + 5xx/429 failures with short exponential backoff.
 // Each attempt gets its own AbortController + timeout; caller-passed signals
 // are not plumbed through since we don't have a cancellation story above this
@@ -17,11 +151,15 @@ export async function safeText(res) {
 // `bodyFactory`, when set, is invoked per attempt to produce a fresh body —
 // required for streaming uploads where the previous attempt consumed the
 // stream. Takes precedence over opts.body.
+//
+// `keepBodyTimeout`, when set, hands the attempt's abort timer to the caller on
+// a successful (2xx) response instead of clearing it, so the body-read window
+// stays bounded. See releaseBodyTimeout / abortBody above.
 export async function retryableFetch(
   url,
   opts = {},
   label,
-  { timeoutMs = 30_000, bodyFactory = null } = {},
+  { timeoutMs = 30_000, bodyFactory = null, keepBodyTimeout = false } = {},
 ) {
   const delays = [100, 500];
   let lastErr = null;
@@ -36,6 +174,7 @@ export async function retryableFetch(
     }
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), timeoutMs);
+    let handedOff = false;
     try {
       const fetchOpts = { ...opts, signal: controller.signal };
       if (bodyFactory) {
@@ -45,7 +184,14 @@ export async function retryableFetch(
         fetchOpts.duplex = "half";
       }
       const res = await fetch(url, fetchOpts);
-      if (res.ok) return res;
+      if (res.ok) {
+        if (keepBodyTimeout) {
+          // Keep the timer armed until the caller consumes the body.
+          handedOff = true;
+          bodyTimers.set(res, { timer, controller });
+        }
+        return res;
+      }
       if (res.status === 429 || (res.status >= 500 && res.status < 600)) {
         lastRes = res;
         continue;
@@ -55,9 +201,60 @@ export async function retryableFetch(
       lastErr = e;
       continue;
     } finally {
-      clearTimeout(timer);
+      if (!handedOff) clearTimeout(timer);
     }
   }
   if (lastRes) return lastRes;
   throw lastErr;
 }
+
+export const MAX_DOWNLOAD_REDIRECTS = 5;
+
+// Fetch a download target with manual redirect handling and an SSRF guard.
+// Every hop (the initial URL and each Location target) is re-validated with
+// assertAllowedTarget before it is fetched, so a 3xx to an unvalidated or
+// private host is rejected instead of silently followed. Redirect bodies are
+// drained between hops. Returns the final (non-redirect) Response; the caller
+// owns the body (use keepBodyTimeout semantics: releaseBodyTimeout when done).
+export async function guardedDownloadFetch(
+  url,
+  {
+    timeoutMs = 30_000,
+    validateHost = null,
+    allowPrivateIp = false,
+    maxRedirects = MAX_DOWNLOAD_REDIRECTS,
+    label,
+  } = {},
+) {
+  let current = url;
+  for (let hop = 0; ; hop++) {
+    await assertAllowedTarget(current, { validateHost, allowPrivateIp });
+    const res = await retryableFetch(
+      current,
+      { method: "GET", redirect: "manual" },
+      label,
+      { timeoutMs, keepBodyTimeout: true },
+    );
+    const status = res.status;
+    if (status >= 300 && status < 400) {
+      const loc = res.headers?.get?.("location");
+      if (loc) {
+        // A 3xx is not res.ok, so it was never handed off — its timer is
+        // already cleared. Drain the redirect body and re-validate the target.
+        await drainResponseBody(res);
+        if (hop >= maxRedirects) {
+          throw new Error(`too many redirects (> ${maxRedirects})`);
+        }
+        let next;
+        try {
+          next = new URL(loc, current).toString();
+        } catch {
+          throw new Error(`blocked target: unparseable redirect Location`);
+        }
+        current = next;
+        continue;
+      }
+    }
+    return res;
+  }
+}

package/lib/recording-manager.js

@@ -160,17 +160,32 @@ export function loadRecordingConfig() {
 //   WB_RECORDING_MASK_ALL_INPUTS  default on; set "0" to record input values
 //   WB_RECORDING_MASK_TEXT_SELECTOR  text content of matches → asterisks
 //   WB_RECORDING_BLOCK_SELECTOR      matches recorded as inert placeholders
-//   WB_RECORDING_IGNORE_SELECTOR     matches' input events dropped entirely
+//   WB_RECORDING_IGNORE_SELECTOR     matches excluded from the recording
+//
+// Privacy note: the vendored `vendor/rrweb-record.min.js` bundle supports
+// `blockSelector` but NOT `ignoreSelector` — passing `ignoreSelector` to this
+// build is a silent no-op, so an operator relying on it to drop a sensitive
+// field would have that value recorded verbatim. To keep the "drop this field"
+// promise on the shipped binary, WB_RECORDING_IGNORE_SELECTOR is folded into the
+// (supported, and strictly stronger) `blockSelector`: a blocked element is not
+// recorded at all — its subtree and inputs are never captured. The env var name
+// is kept for compatibility; both selectors are unioned so neither is lost.
 export function loadMaskConfig() {
   const sel = (name) => {
     const v = (process.env[name] || "").trim();
     return v || null;
   };
+  // Comma-join the explicit block selector with the ignore selector so the
+  // ignore intent is honored via a mechanism the vendored bundle actually
+  // supports. Either, both, or neither may be set.
+  const blockParts = [
+    sel("WB_RECORDING_BLOCK_SELECTOR"),
+    sel("WB_RECORDING_IGNORE_SELECTOR"),
+  ].filter(Boolean);
   return {
     maskAllInputs: process.env.WB_RECORDING_MASK_ALL_INPUTS !== "0",
     maskTextSelector: sel("WB_RECORDING_MASK_TEXT_SELECTOR"),
-    blockSelector: sel("WB_RECORDING_BLOCK_SELECTOR"),
-    ignoreSelector: sel("WB_RECORDING_IGNORE_SELECTOR"),
+    blockSelector: blockParts.length ? blockParts.join(", ") : null,
   };
 }
 
@@ -253,9 +268,10 @@ export class RecordingManager {
         };
         if (mask.maskTextSelector)
           recordOpts.maskTextSelector = mask.maskTextSelector;
+        // `blockSelector` already folds in WB_RECORDING_IGNORE_SELECTOR (see
+        // loadMaskConfig). We never pass `ignoreSelector` — the vendored rrweb
+        // bundle does not support it, so it would be silently dropped.
         if (mask.blockSelector) recordOpts.blockSelector = mask.blockSelector;
-        if (mask.ignoreSelector)
-          recordOpts.ignoreSelector = mask.ignoreSelector;
         const recordOptsJson = JSON.stringify(recordOpts);
         const bootstrap = `
 ;(function(){

package/lib/signed-url-capture.js

@@ -138,9 +138,10 @@ export function parseSignedConfig(raw) {
 export function pickSignedCandidate(candidates, opts = {}) {
   const hosts = opts.hosts || [];
   const jsonFields = opts.jsonFields || null;
-  const forced = opts.enabled === true;
   for (const cand of candidates || []) {
     for (const u of cand.urls || []) {
+      // json_fields only *filters* which fields are inspected — it never
+      // bypasses the host check below.
       if (jsonFields && !jsonFields.includes(leafField(u.field)) && !jsonFields.includes(u.field))
         continue;
       let host = "";
@@ -153,12 +154,12 @@ export function pickSignedCandidate(candidates, opts = {}) {
         hosts.length > 0 &&
         hosts.some((h) => host === h || host.endsWith(`.${h}`));
       const looksSigned = isSignedHost(host);
-      // auto: only recognized signed hosts or an explicit hosts allowlist.
-      // forced: also honor a candidate the author selected via hosts/json_fields.
-      const accept =
-        hostAllowed ||
-        looksSigned ||
-        (forced && (hosts.length > 0 || jsonFields));
+      // A host match is ALWAYS required: a recognized signed host (auto mode)
+      // or an explicit `hosts` allowlist entry. Forced mode (`enabled: true`)
+      // does not relax this — it only opts the feature on; an author who needs
+      // an unrecognized host must name it in `hosts`. This closes the SSRF gap
+      // where forced + json_fields accepted an arbitrary host.
+      const accept = hostAllowed || looksSigned;
       if (accept) {
         return { url: u.url, field: u.field, api_url: cand.api_url || null, host };
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wb-browser-runtime",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "description": "Browser sidecar runtime for wb — Playwright over CDP (Browserbase, browser-use) via the wb-sidecar/1 line-framed JSON protocol.",
   "bin": {
     "wb-browser-runtime": "bin/wb-browser-runtime.js"

package/verbs/download.js

@@ -18,7 +18,8 @@
 
 import path from "node:path";
 import { Buffer } from "node:buffer";
-import { promises as fsPromises } from "node:fs";
+import { promises as fsPromises, createWriteStream } from "node:fs";
+import { once } from "node:events";
 import { send } from "../lib/io.js";
 import {
   uniquePathInside,
@@ -26,19 +27,57 @@ import {
   extensionAllowed,
 } from "../lib/util.js";
 import { HANDLED_MARK } from "../lib/download-capture.js";
-import { retryableFetch } from "../lib/http.js";
+import {
+  guardedDownloadFetch,
+  releaseBodyTimeout,
+  abortBody,
+  drainResponseBody,
+} from "../lib/http.js";
 import {
   SIGNED_PAGE_HOOK,
   SIGNED_POLL_SCRIPT,
   parseSignedConfig,
   pickSignedCandidate,
   redactSignedUrl,
+  isSignedHost,
 } from "../lib/signed-url-capture.js";
 
 const DEFAULT_TIMEOUT_MS = 10_000;
 const POLL_INTERVAL_MS = 50;
 const FALLBACK_NAME = "download.bin";
 
+// Hard cap on signed-URL download size to bound memory/disk. A lying or absent
+// Content-Length can't bypass it: the stream is aborted once bytes exceed it.
+// Override for tests/ops via WB_MAX_DOWNLOAD_BYTES.
+const MAX_SIGNED_DOWNLOAD_BYTES = 512 * 1024 * 1024; // 512 MiB
+
+function maxDownloadBytes() {
+  const v = Number(process.env.WB_MAX_DOWNLOAD_BYTES);
+  return Number.isFinite(v) && v > 0 ? v : MAX_SIGNED_DOWNLOAD_BYTES;
+}
+
+// Test/ops escape hatch: by default the SSRF guard rejects targets that resolve
+// to private/loopback IPs. A local test server lives on 127.0.0.1, so the guard
+// must be opt-out-able for those tests. Production leaves this unset.
+function privateDownloadIpAllowed() {
+  const v = String(process.env.WB_ALLOW_PRIVATE_DOWNLOAD_IP || "").toLowerCase();
+  return v === "1" || v === "true" || v === "yes" || v === "on";
+}
+
+// Build the host validator applied to the initial signed URL *and* every
+// redirect hop — the same gate pickSignedCandidate uses, so a redirect can't
+// escape to a host the picker would never have selected.
+function makeSignedHostValidator(signedCfg) {
+  const hosts = (signedCfg && signedCfg.hosts) || [];
+  return (host) => {
+    if (!host) return false;
+    const h = String(host).toLowerCase();
+    const hostAllowed =
+      hosts.length > 0 && hosts.some((x) => h === x || h.endsWith(`.${x}`));
+    return hostAllowed || isSignedHost(h);
+  };
+}
+
 // Page-side hook that traps blob/data-URL anchor clicks the SPA performs
 // programmatically — `URL.createObjectURL(blob)` + `<a download>` + `.click()`.
 // Playwright's own `download` event normally catches these, but a handful
@@ -247,6 +286,7 @@ export default {
           page,
           ctx,
           timeout,
+          signedCfg,
         });
       }
 
@@ -417,6 +457,7 @@ async function saveSignedUrlDownload({
   page,
   ctx,
   timeout,
+  signedCfg,
 }) {
   const redacted = redactSignedUrl(signed.url);
   // Filename: explicit path: wins, else the signed URL's basename, else a
@@ -439,18 +480,8 @@ async function saveSignedUrlDownload({
   }
   await fsPromises.mkdir(artifactsDir, { recursive: true });
 
-  // Fetch the signed URL from the sidecar (not the page) so the object store's
-  // CORS policy doesn't block the read. The label is redacted — retry logs must
-  // never echo signed credentials.
-  let res;
-  try {
-    res = await retryableFetch(
-      signed.url,
-      { method: "GET" },
-      `signed-url download (${redacted})`,
-      { timeoutMs: timeout },
-    );
-  } catch (e) {
+  const maxBytes = maxDownloadBytes();
+  const failed = (extra, reason) =>
     send({
       type: "slice.download_failed",
       verb: "download",
@@ -459,58 +490,161 @@ async function saveSignedUrlDownload({
       api_url: signed.api_url,
       signed_url: redacted,
       page_url: safePageUrl(page),
-      reason: `signed url fetch error: ${e?.message || e}`,
+      ...extra,
+      reason,
     });
+
+  // Fetch the signed URL from the sidecar (not the page) so the object store's
+  // CORS policy doesn't block the read. Redirects are followed *manually* with
+  // the same host allowlist + private-IP block applied to every hop (SSRF), and
+  // the body-read timeout stays armed until we finish streaming. The label is
+  // redacted — retry logs must never echo signed credentials.
+  let res;
+  try {
+    res = await guardedDownloadFetch(signed.url, {
+      timeoutMs: timeout,
+      validateHost: makeSignedHostValidator(signedCfg),
+      allowPrivateIp: privateDownloadIpAllowed(),
+      label: `signed-url download (${redacted})`,
+    });
+  } catch (e) {
+    failed({}, `signed url fetch error: ${e?.message || e}`);
     throw new Error(
       `download: signed URL fetch failed for ${redacted}: ${e?.message || e}`,
     );
   }
-  if (!res.ok) {
-    // A 403 on a pre-signed URL almost always means the token expired before
-    // we fetched it — call that out so the operator knows to shorten the gap.
-    const expired = res.status === 403;
+
+  try {
+    if (!res.ok) {
+      // A 403 on a pre-signed URL almost always means the token expired before
+      // we fetched it — call that out so the operator knows to shorten the gap.
+      const expired = res.status === 403;
+      await drainResponseBody(res); // don't leak the socket
+      failed(
+        { http_status: res.status, expired },
+        `signed url fetch: HTTP ${res.status}${expired ? " (likely expired)" : ""}`,
+      );
+      throw new Error(
+        `download: signed URL fetch returned HTTP ${res.status} for ${redacted}${expired ? " (likely expired)" : ""}`,
+      );
+    }
+
+    // Reject up front when the server *declares* an oversized body...
+    const clRaw = safeHeader(res, "content-length");
+    const cl = clRaw == null ? NaN : Number(clRaw);
+    if (Number.isFinite(cl) && cl > maxBytes) {
+      await drainResponseBody(res);
+      failed(
+        { content_length: cl, max_bytes: maxBytes },
+        `signed url body too large: Content-Length ${cl} > cap ${maxBytes}`,
+      );
+      throw new Error(
+        `download: signed URL body exceeds size cap (${cl} > ${maxBytes} bytes) for ${redacted}`,
+      );
+    }
+
+    // ...and enforce while streaming so a lying/absent Content-Length can't slip
+    // past. Streams to disk rather than materializing the whole body in memory.
+    let bytes;
+    try {
+      bytes = await streamToFileWithCap(res, target, maxBytes);
+    } catch (e) {
+      if (e && e.code === "WB_SIZE_CAP") {
+        failed(
+          { max_bytes: maxBytes },
+          `signed url body exceeded size cap of ${maxBytes} bytes mid-stream`,
+        );
+        throw new Error(
+          `download: signed URL body exceeded size cap (${maxBytes} bytes) for ${redacted}`,
+        );
+      }
+      failed({}, `signed url body read error: ${e?.message || e}`);
+      throw new Error(
+        `download: signed URL body read failed for ${redacted}: ${e?.message || e}`,
+      );
+    }
+
+    const contentType = safeHeader(res, "content-type");
+    const contentDisposition = safeHeader(res, "content-disposition");
     send({
-      type: "slice.download_failed",
-      verb: "download",
-      verb_index: ctx?.index ?? null,
-      capture: "signed_url",
-      api_url: signed.api_url,
-      signed_url: redacted,
-      page_url: safePageUrl(page),
-      http_status: res.status,
-      expired,
-      reason: `signed url fetch: HTTP ${res.status}${expired ? " (likely expired)" : ""}`,
+      type: "slice.artifact_saved",
+      filename: path.basename(target),
+      path: target,
+      bytes,
+      source: "download",
+      provenance: {
+        url: null,
+        signed_url: redacted,
+        api_url: signed.api_url,
+        field: signed.field,
+        suggested_filename: suggested,
+        page_url: safePageUrl(page),
+        verb_index: ctx?.index ?? null,
+        verb_name: "download",
+        capture: "signed_url",
+        content_type: contentType,
+        content_disposition: contentDisposition,
+        ts: Date.now(),
+      },
     });
-    throw new Error(
-      `download: signed URL fetch returned HTTP ${res.status} for ${redacted}${expired ? " (likely expired)" : ""}`,
+    return `→ ${path.basename(target)}`;
+  } finally {
+    // Body fully consumed (or we bailed) — disarm the body-read timeout.
+    releaseBodyTimeout(res);
+  }
+}
+
+// Stream a response body to disk, counting bytes and aborting the in-flight
+// read once the cap is exceeded (so an absent/under-stated Content-Length can't
+// OOM us). Removes the partial file on any error. Returns total bytes written.
+async function streamToFileWithCap(res, target, maxBytes) {
+  const reader = res.body?.getReader?.();
+  const ws = createWriteStream(target);
+  let total = 0;
+  try {
+    if (!reader) {
+      // No body to read (e.g. 204) — write an empty file.
+      await new Promise((resolve, reject) =>
+        ws.end((e) => (e ? reject(e) : resolve())),
+      );
+      return 0;
+    }
+    for (;;) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      total += value.byteLength;
+      if (total > maxBytes) {
+        abortBody(res); // abort the underlying socket read
+        try {
+          await reader.cancel();
+        } catch {}
+        const err = new Error(`size cap exceeded`);
+        err.code = "WB_SIZE_CAP";
+        throw err;
+      }
+      if (!ws.write(Buffer.from(value))) {
+        await once(ws, "drain");
+      }
+    }
+    await new Promise((resolve, reject) =>
+      ws.end((e) => (e ? reject(e) : resolve())),
     );
+    return total;
+  } catch (e) {
+    // Await the stream's close before unlinking: createWriteStream opens its fd
+    // asynchronously, so unlinking eagerly can race the (lazy) open and leave a
+    // resurrected empty file behind.
+    try {
+      await new Promise((resolve) => {
+        ws.once("close", resolve);
+        ws.destroy();
+      });
+    } catch {}
+    try {
+      await fsPromises.unlink(target);
+    } catch {}
+    throw e;
   }
-  const buf = Buffer.from(await res.arrayBuffer());
-  await fsPromises.writeFile(target, buf);
-  const contentType = safeHeader(res, "content-type");
-  const contentDisposition = safeHeader(res, "content-disposition");
-  send({
-    type: "slice.artifact_saved",
-    filename: path.basename(target),
-    path: target,
-    bytes: buf.length,
-    source: "download",
-    provenance: {
-      url: null,
-      signed_url: redacted,
-      api_url: signed.api_url,
-      field: signed.field,
-      suggested_filename: suggested,
-      page_url: safePageUrl(page),
-      verb_index: ctx?.index ?? null,
-      verb_name: "download",
-      capture: "signed_url",
-      content_type: contentType,
-      content_disposition: contentDisposition,
-      ts: Date.now(),
-    },
-  });
-  return `→ ${path.basename(target)}`;
 }
 
 async function pollForBlob(page, timeoutMs, stop) {

package/verbs/goto.js

@@ -1,10 +1,16 @@
+import { scrubSecrets } from "../lib/substitution.js";
+
 export default {
   name: "goto",
   primaryKey: "url",
-  async execute(page, args) {
+  async execute(page, args, ctx) {
     const url = args.url ?? "";
     const waitUntil = args.wait_until ?? "domcontentloaded";
     await page.goto(url, { waitUntil, timeout: args.timeout ?? 30_000 });
-    return `→ ${page.url()}`;
+    // The resolved URL can carry a substituted secret (e.g.
+    // ?token={{ env.TOKEN }}). Scrub any collected secret value out of the
+    // summary before it crosses into the verb.complete event stream — the
+    // same mechanism error messages use (lib/substitution.scrubSecrets).
+    return `→ ${scrubSecrets(page.url(), ctx?.secrets)}`;
   },
 };