5 tests, ~13s, gate tier. Loads real extension sidepanel in Playwright
Chromium with stubbed chrome.runtime + fetch, injects a reviewable
security_event, and drives the user path end-to-end:
- banner title flips to "Review suspected injection"
- suspected text excerpt renders inside the auto-expanded details
- Allow + Block buttons are visible
- click Allow → POST /security-decision with decision:"allow"
- click Block → POST /security-decision with decision:"block"
- banner auto-hides after each decision
- non-reviewable events keep the hard-stop framing (regression guard)
- XSS guard: script-tagged suspected_text doesn't execute
Complements security-review-flow.test.ts (unit-level file handshake)
and security-review-fullstack.test.ts (full pipeline with real
classifier).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Garry Tan