plugins/ruflo-browser/skills/browser-auth-flow/SKILL.md
Adversarial probe of a site's authentication. Drives the login flow once, records the trajectory, then runs a configurable set of probes against the captured artifacts and the live page. Output is a structured findings.md inside the RVF container.
1. Open a recorded session via browser-record.
2. Drive the auth flow as in browser-login. For a re-auth probe, credentials come from --credentials <handle>, where the handle references browser-cookies.
3. Run the probes:
   - csrf: inspect the login POST in the trajectory; verify that a same-origin token field is present and non-empty, and that its value is not a fixed string reused across fresh loads of the form.
   - redirect: watch browser_get-url after each navigation for cross-origin redirects that carry auth state in the query string or fragment. Flag any token-bearing URL that crosses an origin boundary.
   - cookie: walk document.cookie via browser_eval to list the cookies page script can read; every cookie that shows up there lacks HttpOnly by definition. document.cookie exposes only name=value pairs, so check Secure, SameSite and expiry against the captured Set-Cookie headers, not against that string. For each cookie check Secure, HttpOnly, SameSite, expiry and the entropy of the value; flag missing flags and short or low-entropy tokens. Pass each value through aidefence_scan to flag PII embedded in cookie values.
   - oauth: if the flow involves a third-party provider, capture the authorization request; verify state is present and high-entropy, verify nonce is present and high-entropy when the request is OIDC (scope includes openid), and verify redirect_uri is an exact match for the registered callback URI, not merely the same domain.
   Quarantine any token, credential or PII captured during probing: it stays inside the RVF container's findings and never returns to the model unredacted (the aidefence_is_safe gate from browser-extract applies if you read the findings back).
4. Write findings.md with one section per probe, a severity rating per finding, and an overall verdict (pass / warn / fail).
5. Index the session in browser-sessions with tag: auth-probe so future audits can compare against it.
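The four probes and the verdict roll-up, as an added JavaScript example that is not code from the ruflo-browser plugin or this SKILL file. It runs offline over a constructed trajectory object instead of calling browser_eval, browser_get-url or aidefence_scan; the trajectory shape ({requests, navs, setCookies, authzRequest}), the field names, the severity scale, the 64-bit entropy threshold and the e-mail regex standing in for aidefence_scan are all assumptions made here. It also goes slightly past the text in two places a practitioner would want: nonce is only demanded for OIDC requests, and redirect_uri is compared by exact string, not by domain.

```javascript
// Added example, not code from the ruflo-browser plugin: offline versions of the csrf, redirect,
// cookie and oauth probes run over a constructed trajectory. The trajectory shape ({requests,
// navs, setCookies, authzRequest}), the severity scale, the PII regex standing in for
// aidefence_scan and every sample value below are assumptions made for this example.
// Shannon entropy estimate of a token in bits (per-character entropy x length).
function entropyBits(s) {
  if (!s) return 0;
  const freq = new Map();
  for (const ch of s) freq.set(ch, (freq.get(ch) || 0) + 1);
  let h = 0; for (const n of freq.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h * s.length;
}
// Quarantine: a finding carries a redacted form of a secret, never the raw value.
const redact = (v) => `${String(v).slice(0, 2)}...(${String(v).length} chars)`;
const find = (probe, sev, msg) => ({ probe, sev, msg });

// Cookie attributes must come from Set-Cookie headers: document.cookie shows neither the
// attributes nor any HttpOnly cookie, so it cannot verify the flags this probe needs.
function parseSetCookie(header) {
  const [nv, ...attrs] = header.split(';').map((x) => x.trim());
  const eq = nv.indexOf('=');
  const c = { name: nv.slice(0, eq), value: nv.slice(eq + 1), secure: false, httpOnly: false, sameSite: null, maxAge: null };
  for (const a of attrs) {
    const [k, v = ''] = a.split('='), key = k.toLowerCase();
    if (key === 'secure') c.secure = true; else if (key === 'httponly') c.httpOnly = true;
    else if (key === 'samesite') c.sameSite = v.toLowerCase(); else if (key === 'max-age') c.maxAge = Number(v);
  }
  return c;
}
const TOKENISH = /session|token|auth|sid|jwt/i, PII = /[^\s@]+@[^\s@]+\.[a-z]{2,}/i;
function probeCookies(setCookies) {
  const out = [];
  for (const h of setCookies) {
    const c = parseSetCookie(h), tag = `cookie ${c.name}`;
    if (!c.secure) out.push(find('cookie', 'high', `${tag}: missing Secure`));
    if (!c.httpOnly) out.push(find('cookie', 'medium', `${tag}: missing HttpOnly`));
    if (!c.sameSite || c.sameSite === 'none') out.push(find('cookie', 'medium', `${tag}: SameSite=${c.sameSite || 'unset'}`));
    if (c.maxAge > 30 * 86400) out.push(find('cookie', 'low', `${tag}: lives ${c.maxAge}s`));
    if (TOKENISH.test(c.name) && entropyBits(c.value) < 64) out.push(find('cookie', 'high', `${tag}: low-entropy value ${redact(c.value)}`));
    if (PII.test(c.value)) out.push(find('cookie', 'high', `${tag}: PII in value (quarantined)`));
  }
  return out;
}
// csrf: the login POST must carry a non-empty token field that is not guessable.
function probeCsrf(requests) {
  const login = requests.find((r) => r.method === 'POST' && /login|signin|session/i.test(r.url));
  if (!login) return [find('csrf', 'info', 'no login POST in trajectory')];
  const body = new URLSearchParams(login.body);
  const field = [...body.keys()].find((k) => /csrf|xsrf|_token|authenticity/i.test(k));
  if (!field || !body.get(field)) return [find('csrf', 'high', 'login POST has no non-empty CSRF token field')];
  if (entropyBits(body.get(field)) < 64) return [find('csrf', 'medium', `token ${field} looks guessable: ${redact(body.get(field))}`)];
  return [];
}
// redirect: auth material in the query or fragment of a navigation that changes origin.
const AUTH_PARAMS = /^(access_token|id_token|token|session|sid|auth)$/i;
function probeRedirects(navs) {
  const out = [];
  for (let i = 1; i < navs.length; i++) {
    const from = new URL(navs[i - 1]), to = new URL(navs[i]);
    if (from.origin === to.origin) continue;
    const keys = [...new URLSearchParams(to.search).keys(), ...new URLSearchParams(to.hash.slice(1)).keys()];
    const leaked = keys.filter((k) => AUTH_PARAMS.test(k));
    if (leaked.length) out.push(find('redirect', 'high', `${from.origin} -> ${to.origin} carries ${leaked.join(',')} in the URL`));
  }
  return out;
}

// oauth: state always, nonce only for OIDC (scope contains openid), redirect_uri an exact match.
function probeOauth(authzUrl, registeredRedirect) {
  const q = new URL(authzUrl).searchParams, out = [];
  const wanted = /\bopenid\b/.test(q.get('scope') || '') ? ['state', 'nonce'] : ['state'];
  for (const p of wanted) {
    const v = q.get(p);
    if (!v) out.push(find('oauth', 'high', `${p} missing from authorization request`));
    else if (entropyBits(v) < 64) out.push(find('oauth', 'medium', `${p} has low entropy: ${redact(v)}`));
  }
  if (q.get('redirect_uri') !== registeredRedirect) out.push(find('oauth', 'high', `redirect_uri ${q.get('redirect_uri')} != registered ${registeredRedirect}`));
  return out;
}

// Verdict rolls up the worst severity: any high fails, anything above info warns.
const RANK = { info: 0, low: 1, medium: 2, high: 3 };
const verdict = (fs) => { const w = Math.max(0, ...fs.map((f) => RANK[f.sev])); return w >= 3 ? 'fail' : w >= 1 ? 'warn' : 'pass'; };
function runAuthProbes(traj, registeredRedirect) {
  const findings = [...probeCsrf(traj.requests), ...probeRedirects(traj.navs), ...probeCookies(traj.setCookies),
    ...(traj.authzRequest ? probeOauth(traj.authzRequest, registeredRedirect) : [])];
  return { findings, verdict: verdict(findings) };
}

// Constructed trajectory (not a real recording): a weak login form plus an implicit-flow IdP hop.
const AUTHZ = 'https://idp.example/authorize?client_id=app&response_type=token&scope=openid&state=abc&redirect_uri=https%3A%2F%2Fapp.example%2Fcb-dev';
const SAMPLE = {
  requests: [{ method: 'POST', url: 'https://app.example/login', body: 'user=alice&pass=hunter2&csrf_token=' }],
  navs: ['https://app.example/login', AUTHZ, 'https://app.example/cb#access_token=eyJhbGciOiJSUzI1NiJ9.x.y&state=abc'],
  setCookies: ['session=3f9a1c7e5b2d4f8a9c0e1b3d5f7a9c2e; Secure; HttpOnly; SameSite=Lax; Path=/', 'remember=alice@example.com; Max-Age=31536000; Path=/'],
  authzRequest: AUTHZ,
};
const REPORT = runAuthProbes(SAMPLE, 'https://app.example/cb'); // REPORT.verdict === 'fail', 10 findings
```

On the constructed trajectory the verdict is fail: the csrf_token field is empty, an access_token crosses from the IdP origin to the app in a fragment, the remember cookie has no Secure, HttpOnly or SameSite, lives a year and carries an e-mail address, and the authorization request has a three-character state, no nonce, and a redirect_uri that differs from the registered one. The hardened session cookie produces no finding. A findings.md writer groups the findings array by probe; none of the messages carry a raw value, since redact() keeps two characters and the length, which is all a finding needs.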