Garry Tan 80dfc988a1 security(N2): document Windows v20 ABE elevation path on CDP port ...

The existing comment around the cookie-import-browser --remote-debugging-port
launch claimed "threat model: no worse than baseline." That's wrong on
Windows with App-Bound Encryption v20. A same-user local process that
opens the cookie SQLite DB directly CANNOT decrypt v20 values (DPAPI
context is bound to the browser process). The CDP port lets them bypass
that: connect to the debug port, call Network.getAllCookies inside Chrome,
walk away with decrypted v20 cookies.

The correct fix is to switch from TCP --remote-debugging-port to
--remote-debugging-pipe so the CDP transport is a stdio pipe, not a
socket. That requires restructuring the CDP WebSocket client in this
module and Playwright doesn't expose the pipe transport out of the box.
Non-trivial, deferred from the v1.6.0.0 wave.

This commit updates the comment to correctly describe the threat and
points at the tracking issue. No code change to the launch itself.
Follow-up: #1136.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-21 20:42:15 -07:00

..

bin

feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226)

2026-03-19 18:20:50 -07:00

scripts

fix: ngrok Windows build + close CI error-swallowing gap (v0.18.0.1) (#1024)

2026-04-16 13:49:04 -07:00

src

security(N2): document Windows v20 ABE elevation path on CDP port

2026-04-21 20:42:15 -07:00

test

security(N1): replace ?token= SSE auth with HttpOnly session cookie

2026-04-21 20:41:07 -07:00

PLAN-snapshot-dropdown-interactive.md

fix: snapshot -i auto-detects dropdown/popover interactive elements (#845)

2026-04-05 22:57:45 -07:00

SKILL.md

feat(v1.4.0.0): /make-pdf — markdown to publication-quality PDFs (#1086)

2026-04-20 13:20:30 +08:00

SKILL.md.tmpl

feat(browse): Puppeteer parity — load-html, screenshot --selector, viewport --scale, file:// (v1.1.0.0) (#1062)

2026-04-18 23:25:33 +08:00