Security hardening for Leonardo fork

.claude-plugin/marketplace.json

@@ -3,8 +3,8 @@
   "name": "agent-browser",
   "description": "Browser automation for AI agents",
   "owner": {
-    "name": "Vercel",
-    "email": "support@vercel.com"
+    "name": "Leonardo Interactive",
+    "email": "ariel.rahmane@leonardo.ai"
   },
   "plugins": [
     {

.github/workflows/release.yml

@@ -10,6 +10,7 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 
 permissions:
   contents: write
+  packages: write
 
 jobs:
   check-release:
@@ -28,7 +29,7 @@ jobs:
           LOCAL_VERSION=$(node -p "require('./package.json').version")
           echo "Local version: $LOCAL_VERSION"
 
-          NPM_VERSION=$(npm view agent-browser version 2>/dev/null || echo "0.0.0")
+          NPM_VERSION=$(npm view @leonardo-interactive/agent-browser version 2>/dev/null || echo "0.0.0")
           echo "npm version: $NPM_VERSION"
 
           if [ "$LOCAL_VERSION" != "$NPM_VERSION" ]; then
@@ -183,7 +184,7 @@ jobs:
         with:
           node-version: '22'
           cache: pnpm
-          registry-url: 'https://registry.npmjs.org'
+          registry-url: 'https://npm.pkg.github.com'
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -238,7 +239,7 @@ jobs:
       - name: Publish to npm
         run: pnpm publish --no-git-checks
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_VERCEL_TOKEN_ELEVATED }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   github-release:
     name: Create GitHub Release
@@ -285,12 +286,6 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Build dashboard
-        run: pnpm --filter dashboard build
-
-      - name: Create dashboard.zip
-        run: cd packages/dashboard/out && zip -r ../../../dashboard.zip .
-
       - name: Extract changelog entry
         run: |
           VERSION="${{ needs.check-release.outputs.version }}"
@@ -310,13 +305,13 @@ jobs:
 
           if gh release view "$TAG" &>/dev/null; then
             echo "Release $TAG already exists, uploading assets..."
-            gh release upload "$TAG" bin/agent-browser-* dashboard.zip --clobber
+            gh release upload "$TAG" bin/agent-browser-* --clobber
           else
             echo "Creating release $TAG..."
             gh release create "$TAG" \
               --title "$TAG" \
               --notes-file /tmp/release-notes.md \
-              bin/agent-browser-* dashboard.zip
+              bin/agent-browser-*
           fi
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -64,3 +64,9 @@ docs/package-lock.json
 # next
 .next/
 out/
+
+# Claude
+.claude/
+
+# Dev Internal
+.dev-internal/

.npmrc

@@ -0,0 +1 @@
+@leonardo-interactive:registry=https://npm.pkg.github.com

AGENTS.md

@@ -20,18 +20,10 @@ When adding or changing user-facing features (new flags, commands, behaviors, en
 1. `cli/src/output.rs` — `--help` output (flags list, examples, environment variables)
 2. `README.md` — Options table, relevant feature sections, examples
 3. `skills/agent-browser/SKILL.md` — so AI agents know about the feature
-4. `docs/src/app/` — the Next.js docs site (MDX pages)
-5. Inline doc comments in the relevant source files
+4. Inline doc comments in the relevant source files
 
 This applies to changes that either human users or AI agents would need to know about. Do not skip any of these locations.
 
-In the `docs/src/app/` MDX files, always use HTML `<table>` syntax for tables (not markdown pipe tables). This matches the existing convention across the docs site.
-
-## Dashboard (packages/dashboard)
-
-- Never use native browser dialogs (`alert`, `confirm`, `prompt`). Use shadcn/ui components (`Dialog`, `AlertDialog`, etc.) instead.
-- Use param-case (kebab-case) for all file and folder names (e.g., `session-tree.tsx`, not `SessionTree.tsx`). The `ui/` directory follows shadcn conventions which already uses param-case.
-
 ## Releasing
 
 Releases are manual, single-PR affairs. There is no changesets automation. The maintainer controls the changelog voice and format.
@@ -42,10 +34,9 @@ To prepare a release:
 2. Bump `version` in `package.json`
 3. Run `pnpm version:sync` to update `cli/Cargo.toml`, `cli/Cargo.lock`, and `packages/dashboard/package.json`
 4. Write the changelog entry in `CHANGELOG.md` at the top, under a new `## <version>` heading, wrapped in `<!-- release:start -->` and `<!-- release:end -->` markers
-5. Add a matching entry to `docs/src/app/changelog/page.mdx` at the top (below the `# Changelog` heading)
-6. Open a PR and merge to `main`
+5. Open a PR and merge to `main`
 
-When the PR merges, CI compares `package.json` version to what's on npm. If it differs, it builds all 7 platform binaries, publishes to npm, and creates the GitHub release automatically. The GitHub release body is extracted from the content between the `<!-- release:start -->` and `<!-- release:end -->` markers in `CHANGELOG.md`.
+When the PR merges, CI compares `package.json` version to what's on GitHub Packages. If it differs, it builds all 7 platform binaries, publishes to GitHub Packages, and creates the GitHub release automatically. The GitHub release body is extracted from the content between the `<!-- release:start -->` and `<!-- release:end -->` markers in `CHANGELOG.md`.
 
 ### Writing the changelog
 
@@ -122,88 +113,3 @@ The e2e tests live in `cli/src/native/e2e_tests.rs` and cover: launch/close, nav
 cd cli && cargo fmt -- --check   # Check formatting
 cd cli && cargo clippy            # Lint
 ```
-
-## Windows Debugging
-
-A remote Windows Server 2022 EC2 instance is available for debugging Windows-specific issues. It uses AWS Systems Manager (SSM) with no SSH or open ports. Commands run via `aws ssm send-command` and return stdout/stderr.
-
-### Prerequisites
-
-The instance must be provisioned first (one-time, by a human):
-
-```bash
-./scripts/windows-debug/provision.sh
-```
-
-Requires: AWS CLI v2 configured with `ec2:*`, `iam:CreateRole`, `iam:AttachRolePolicy`, `ssm:SendCommand`, `ssm:GetCommandInvocation` permissions and a default VPC.
-
-### Usage
-
-Start the instance (if stopped):
-
-```bash
-./scripts/windows-debug/start.sh
-```
-
-Run a command on Windows:
-
-```bash
-./scripts/windows-debug/run.sh "<powershell-command>"
-```
-
-Sync the current git branch and rebuild:
-
-```bash
-./scripts/windows-debug/sync.sh
-```
-
-Stop the instance when done (avoids cost):
-
-```bash
-./scripts/windows-debug/stop.sh
-```
-
-### Common Workflows
-
-Run unit tests on Windows:
-
-```bash
-./scripts/windows-debug/run.sh "cd C:\agent-browser && cargo test --manifest-path cli\Cargo.toml"
-```
-
-Run e2e tests on Windows:
-
-```bash
-./scripts/windows-debug/run.sh "cd C:\agent-browser && cargo test e2e --manifest-path cli\Cargo.toml -- --ignored --test-threads=1"
-```
-
-Check bootstrap progress (first boot only):
-
-```bash
-./scripts/windows-debug/run.sh "Get-Content C:\bootstrap.log"
-```
-
-The repo lives at `C:\agent-browser` on the instance. Rust, Git, and Chrome are pre-installed. The `run.sh` wrapper automatically adds cargo and git to PATH.
-
-<!-- opensrc:start -->
-
-## Source Code Reference
-
-Source code for dependencies is available in `opensrc/` for deeper understanding of implementation details.
-
-See `opensrc/sources.json` for the list of available packages and their versions.
-
-Use this source code when you need to understand how a package works internally, not just its types/interface.
-
-### Fetching Additional Source Code
-
-To fetch source code for a package or repository you need to understand, run:
-
-```bash
-npx opensrc <package>           # npm package (e.g., npx opensrc zod)
-npx opensrc pypi:<package>      # Python package (e.g., npx opensrc pypi:requests)
-npx opensrc crates:<package>    # Rust crate (e.g., npx opensrc crates:serde)
-npx opensrc <owner>/<repo>      # GitHub repo (e.g., npx opensrc vercel/ai)
-```
-
-<!-- opensrc:end -->

CHANGELOG.md

@@ -1,5 +1,23 @@
 # agent-browser
 
+## 0.23.4-leonardo.1
+
+<!-- release:start -->
+### Security Hardening
+
+Leonardo's hardened fork of agent-browser v0.23.4. This release removes dangerous commands, flags, and capabilities from the Rust binary so AI agents cannot bypass security controls.
+
+**Removed commands:** `eval`, `inspect`, `auth` (all subcommands), `connect`, `stream` (all subcommands), `clipboard` (all subcommands), `dashboard` (all subcommands), `set credentials`
+
+**Removed flags:** `--cdp`, `--auto-connect`, `--provider` / `-p`, `--extension`, `--executable-path`, `--allow-file-access`
+
+**Hardened flags (config-file-only):** `--allowed-domains` and `--action-policy` can no longer be overridden via CLI flags or environment variables. They are only loadable from `agent-browser.json`.
+
+**Removed modules:** Dashboard UI, inspect server. Provider module kept as dead code with hard rejection in launch handler.
+
+**Distribution:** Published as `@leonardo-interactive/agent-browser` to GitHub Packages.
+<!-- release:end -->
+
 ## 0.23.4
 
 <!-- release:start -->

LICENSE

@@ -187,6 +187,7 @@ APPENDIX: How to apply the Apache License to your work.
       identification within third-party archives.
 
 Copyright 2025 Vercel Inc.
+Copyright 2026 Leonardo Interactive Pty Ltd.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.