v3/@claude-flow/browser/docs/SECURITY_AUDIT.md
@claude-flow/browser Security Audit (ADR-122 / v3.0.0-alpha.4)

Date: 2026-05-18
Auditor: automated audit at end of Phase 7 (feat/adr-122-browser-beyond-sota)
Scope: all code added by ADR-122 Phases 0–7, plus existing adapter surface.
✅ No new vulnerabilities introduced by ADR-122 work.
⚠️ Transitive vulnerabilities present via agentic-flow → agentdb → @xenova/transformers, @opentelemetry/*, sqlite3 — already tracked in ADR-118 (AIDefence) and ADR-121 (embeddings) remediation work. None of these reach the runtime surface of this package.
| Package | Version | Verdict |
|---|---|---|
| agent-browser | ^0.27.0 | ✅ Clean (latest upstream; spawned via execFileSync so no shell-injection vector) |
| agentic-flow | ^2.0.3 | ⚠️ Transitive findings via @xenova/[email protected] (Xenova retirement — see ADR-121 Phase 4 migration) |
| zod | ^3.22.4 | ✅ Clean |

- node:crypto Ed25519 (FIPS-validated path). No third-party crypto.
- canonicalJSON skips undefined keys — ensures round-trip determinism (regression test in place).
- verify(null, ...) which uses constant-time compare).
- SelectorBreakEventSchema).
- mkdir({ recursive: true }) + atomic write semantics.
- sha256Hex(cookie.value)) means tampering the value without resigning is detected.
- clean=false attestations are refused even when their signature is valid.
- fetch() to peer URLs in this package — PeerAdapter is an interface only; transport is the federation layer's concern (ADR-097/104).
- BrowserSecurityScanner (covered by 30-test suite).
- ReusePolicy.allowedOrigins / allowedTaskClasses enforced at mount.
- maxReplays cap.
- RiskClassifier regex patterns are anchored and bounded — no catastrophic-backtracking patterns.
- scanInlineState() before sealing (regression test for previous string-spread bug).

| Pattern | Findings | Verdict |
|---|---|---|
| eval() in source | 1 — adapter.eval() wraps agent-browser eval CLI verb | ✅ User-driven, no automatic execution |
| child_process.exec* | All callsites use execFileSync (no shell) | ✅ No shell-injection vector |
| new Function() | 0 | ✅ |
| Dynamic import() of user-supplied strings | 0 | ✅ |
| Unbounded regex on user input | 0 (all patterns anchored or capped by BrowserSecurityScanner) | ✅ |
| Secrets in source | 0 — only process.env.RUFLO_BROWSER_WITNESS_KEY lookup | ✅ |
| JSON.parse of untrusted disk content | Yes (causal store + vault persistence) — wrapped in try/catch that restarts fresh on corrupt input | ✅ Fail-safe |

- @xenova/transformers retirement — ADR-121 Phase 4 migrates to ruvector-onnx-embeddings-wasm. Not blocking for browser package release.
- @opentelemetry/* Prometheus crash — runtime path not invoked from browser package code.
- sqlite3 — browser package does not import sqlite directly; embedded via agentdb only as optional peer.

✅ Approve @claude-flow/[email protected] for npm publish. All new code paths covered by 230 unit tests. No new direct vulnerabilities. Transitive findings are pre-existing and tracked in other ADRs.

BrowserExecutionAdapter implementations and re-audit their dep trees.
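
The signing items in the audit list (Ed25519 via node:crypto, canonicalJSON skipping undefined keys for round-trip determinism, and refusal of clean=false attestations even with a valid signature) can be exercised together as below. This is an added example, not code from @claude-flow/browser: the function names, the attestation shape and the choice to sign the canonical JSON of the payload are assumptions.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Hypothetical canonicalizer: sorted keys, undefined-valued keys skipped.
// JSON.stringify drops such keys on persist, so the signer must drop them too.
function canonicalJSON(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) {
    // Match JSON.stringify: an undefined array slot serializes as null.
    return '[' + value.map((v) => (v === undefined ? 'null' : canonicalJSON(v))).join(',') + ']';
  }
  const parts = [];
  for (const key of Object.keys(value).sort()) {
    if (value[key] === undefined) continue;
    parts.push(JSON.stringify(key) + ':' + canonicalJSON(value[key]));
  }
  return '{' + parts.join(',') + '}';
}

// Ed25519 takes a null digest algorithm in node:crypto sign/verify.
function signAttestation(payload, privateKey) {
  const signature = sign(null, Buffer.from(canonicalJSON(payload)), privateKey);
  return { payload, signature: signature.toString('base64') };
}

// Accept only when the signature verifies AND the payload attests clean === true.
function acceptAttestation(att, publicKey) {
  const ok = verify(null, Buffer.from(canonicalJSON(att.payload)), publicKey,
    Buffer.from(att.signature, 'base64'));
  if (!ok) return { accepted: false, reason: 'bad-signature' };
  if (att.payload.clean !== true) return { accepted: false, reason: 'not-clean' };
  return { accepted: true, reason: 'ok' };
}

// Constructed sample payloads; the key pair is generated fresh on each run.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const good = signAttestation({ origin: 'https://example.test', clean: true, note: undefined }, privateKey);
  const reloaded = JSON.parse(JSON.stringify(good)); // simulate a disk round trip
  const dirty = signAttestation({ origin: 'https://example.test', clean: false }, privateKey);
  const tampered = { ...dirty, payload: { ...dirty.payload, clean: true } };
  return {
    roundTrip: acceptAttestation(reloaded, publicKey).reason,
    dirty: acceptAttestation(dirty, publicKey).reason,
    tampered: acceptAttestation(tampered, publicKey).reason,
  };
}

console.log(demo());
```

If the canonicalizer emitted undefined-valued keys in any form, the reloaded payload would canonicalize differently from the signed one and the round-trip case would fail verification.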