
#8818: fix(browser): block unsafe code patterns in browser evaluate

by yubrew open 2026-02-04 12:35
stale
## Summary

Adds code validation to `evaluateViaPlaywright` to block dangerous patterns that could be used for data exfiltration or code injection.

## The Problem

The browser automation `evaluate` function executes user-provided JavaScript code without any validation. An attacker controlling the code (via prompt injection) could use APIs like `fetch()`, `WebSocket`, or `navigator.sendBeacon()` to exfiltrate cookies, credentials, and sensitive data from the browser context.

Reference: [CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code](https://cwe.mitre.org/data/definitions/95.html)

## Changes

- `src/browser/pw-evaluate-validation.ts`: New validation module with blocklist of dangerous patterns
- `src/browser/pw-tools-core.interactions.ts`: Add validation call before code execution
- `src/browser/pw-evaluate-validation.test.ts`: Unit tests for validation logic (29 tests)
- `src/browser/pw-tools-core.evaluate-blocks-unsafe.test.ts`: Integration tests (13 tests)

**Blocked patterns:**

- Data exfiltration: `fetch`, `XMLHttpRequest`, `WebSocket`, `sendBeacon`
- Code execution: `eval`, `new Function`, `setTimeout`/`setInterval` with strings
- Module loading: dynamic `import`, `importScripts`

## Test Plan

- [x] `pnpm build && pnpm check && pnpm test` passes
- [x] 29 unit tests validate blocking of unsafe patterns and allowing of safe operations
- [x] 13 integration tests confirm `evaluateViaPlaywright` rejects unsafe code
- [x] Validation occurs before page access (early rejection)

## Related

- [CWE-95](https://cwe.mitre.org/data/definitions/95.html)
- Internal audit ref: VULN-037

---

*Built with [bitsec-ai](https://github.com/bitsec-ai). AI-assisted: Yes. Testing: fully tested (test written before fix). Code reviewed and understood.*

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

Adds a pre-execution validation step for `evaluateViaPlaywright` to reject browser-evaluated code containing a set of blocked “dangerous” patterns (exfiltration APIs, dynamic code execution, and module loading). This is implemented via a new `pw-evaluate-validation.ts` module and covered by unit tests for the validator plus integration tests that ensure unsafe `fn` strings are rejected before interacting with a Playwright page.

<h3>Confidence Score: 3/5</h3>

- This PR is directionally correct but has a couple of behavioral and security-footgun edge cases worth addressing before merge.
- The validation is a simple regex blocklist and the tests are extensive, but (1) blocking any `eval(` token is likely to break legitimate evaluate snippets given this function always uses `eval` internally, and (2) the error message currently echoes user code which can leak sensitive data into logs. No other obvious correctness issues were found in the touched paths.
- src/browser/pw-evaluate-validation.ts, src/browser/pw-tools-core.interactions.ts
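
Added example (not part of the PR or the Greptile review, and not the project's `pw-evaluate-validation.ts`): a regex blocklist over the patterns the PR lists, whose rejection message names the matched rule instead of echoing the submitted code, which is the logging concern the review raises. The rule names, categories, regexes and sample inputs are assumptions constructed for illustration.

```typescript
// Added illustration, not the contents of src/browser/pw-evaluate-validation.ts.
// Rule names, categories and regexes are assumptions derived from the PR's
// "Blocked patterns" list.
type BlockRule = { name: string; category: string; pattern: RegExp };

const BLOCK_RULES: BlockRule[] = [
  { name: "fetch", category: "exfiltration", pattern: /\bfetch\s*\(/ },
  { name: "XMLHttpRequest", category: "exfiltration", pattern: /\bXMLHttpRequest\b/ },
  { name: "WebSocket", category: "exfiltration", pattern: /\bWebSocket\b/ },
  { name: "sendBeacon", category: "exfiltration", pattern: /\bsendBeacon\s*\(/ },
  { name: "eval", category: "code-execution", pattern: /\beval\s*\(/ },
  { name: "new Function", category: "code-execution", pattern: /\bnew\s+Function\b/ },
  // Only the string form of the timers is blocked; callbacks stay allowed.
  { name: "string timer", category: "code-execution", pattern: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
  { name: "dynamic import", category: "module-loading", pattern: /\bimport\s*\(/ },
  { name: "importScripts", category: "module-loading", pattern: /\bimportScripts\s*\(/ },
];

type Verdict = { ok: boolean; rules: string[]; message: string };

function validateEvaluateCode(code: string): Verdict {
  const rules = BLOCK_RULES.filter((r) => r.pattern.test(code)).map(
    (r) => `${r.category}:${r.name}`,
  );
  if (rules.length === 0) return { ok: true, rules, message: "" };
  // Name the matched rules only. The submitted code can carry tokens or page
  // data, so it is never interpolated into a message that may end up in logs.
  return { ok: false, rules, message: `evaluate rejected: ${rules.join(", ")}` };
}

// Constructed sample inputs.
const SAMPLES = {
  safeSelector: `() => document.querySelector(".fetch-button").textContent`,
  safeTimer: `() => setTimeout(() => document.title, 10)`,
  stringTimer: `() => setTimeout("document.title", 10)`,
  withSecret: `() => fetch("/api", { headers: { Authorization: "Bearer SAMPLE-TOKEN" } })`,
  evalInString: `() => "calling eval(x) is discouraged".length`,
};

for (const [name, code] of Object.entries(SAMPLES)) {
  const verdict = validateEvaluateCode(code);
  console.log(name, verdict.ok ? "allowed" : verdict.message);
}
```

The `evalInString` sample is rejected even though `eval(` appears only inside a string literal, which is the kind of false positive a token-level blocklist produces.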
