Security Policy — imhotep-playwright

Fresh Context Per Run

Each imhotep(page) call creates a fresh execution context:

  • Deterministic mode: Seeded LCG + monotonic counter IDs + stable clock. No shared state between runs.
  • Volatile mode: UUID/nanoid + Date.now + Math.random. Fresh for each invocation.
  • No persistent state: Execution contexts are not stored or reused across test files unless explicitly passed by the user.
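The following added sketch (not imhotep-playwright's own code) shows why a fresh context per run matters in deterministic mode: two fresh contexts with the same seed produce identical traces, while a reused context leaks counter and LCG state into the next run. The names createContext, run, freshRuns and sharedRuns, the LCG constants and the fixed clock value are all assumptions made for illustration.

```javascript
// Added illustration: createContext, run, freshRuns and sharedRuns are
// hypothetical names, not imhotep-playwright's API.
function createContext({ mode = 'deterministic', seed = 1 } = {}) {
  if (mode === 'volatile') {
    // Volatile mode: values differ on every invocation.
    return {
      random: () => Math.random(),
      nextId: () => globalThis.crypto.randomUUID(), // global Web Crypto (Node 19+)
      now: () => Date.now(),
    };
  }
  // Deterministic mode: all state lives in this closure, so two contexts
  // never share anything.
  let state = seed >>> 0;
  let counter = 0;
  const STABLE_CLOCK_MS = 0; // assumed fixed timestamp
  return {
    // 32-bit LCG; multiplier and increment are assumed (Numerical Recipes).
    random: () => {
      state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
      return state / 0x100000000;
    },
    nextId: () => `id-${++counter}`,
    now: () => STABLE_CLOCK_MS,
  };
}

// One "run": allocates IDs and draws random values from the context it is given.
function run(ctx) {
  return { ids: [ctx.nextId(), ctx.nextId()], draws: [ctx.random(), ctx.random()], at: ctx.now() };
}

// Fresh context per run: the same seed reproduces the same trace.
function freshRuns(seed) {
  return [run(createContext({ seed })), run(createContext({ seed }))];
}

// Reused context: the second run sees counter and LCG state left by the first.
function sharedRuns(seed) {
  const ctx = createContext({ seed });
  return [run(ctx), run(ctx)];
}
```
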

CDP Direct Connection

Imhotep-playwright uses two browser communication paths:

  1. Fast path: page.evaluate() for simple geometry extraction (bounding boxes only).
  2. Full path: Direct Chrome DevTools Protocol (CDP) session for deep extraction (styles, topology, transforms, fragments) via the imhotep-cdp package.

The CDP path creates a direct debugging session with full DOM/CSS/Runtime access. This is a privileged channel. The Playwright package imports CDPExtractor, createSessionManager, and resolveSelector directly from imhotep-cdp.

Trust boundary: CDP sessions are created within the local Playwright browser context. No remote debugger dialing occurs.

Trusted vs Untrusted Renderer Distinction

Imhotep distinguishes between trusted and untrusted renderers:

  • Trusted renderers: Built-in React, Vue, and Storybook adapters that ship with Imhotep. These execute known mount/unmount code.
  • Untrusted renderers: User-provided custom adapters. These run arbitrary user code in the Node.js process. Treat custom adapters with the same caution as any dependency.
  • Renderer isolation: Each property run creates a fresh mount container. Renderers do not persist between runs unless the test author explicitly caches them.

Playwright Peer Dependency

Imhotep-playwright requires Playwright as a peer dependency. Keep your Playwright version up to date to receive the latest browser security patches.

npm install --save-dev @playwright/test@latest playwright@latest