TAB-976 Harden form fills against prompt context exfiltration

[srbiv]

Summary

Two-part hardening against web-content prompt injection. The first part (structural firewall) is the original scope; the second part (caller controls) was added so the firewall is shippable for non-search workflows.

Part 1 — Structural action firewall

• Add a structural action firewall for form fills and submissions using DOM field metadata and ref provenance, not payload text matching.
• Allow agent-filled operational controls (search/date/range/combobox), while blocking unapproved freeform or sensitive fields before browser execution.
• Track agent-filled, operational, and user-approved refs so submit actions are blocked when a form contains unauthorized agent-filled data.
• Avoid echoing blocked payloads in recoverable tool results.

Part 2 — Caller-supplied controls

• trustedHostnames / --trusted-hostnames / PILO_TRUSTED_HOSTNAMES: bypass both fill and submit gates for sites where the caller has accepted the data risk. Bypass applies only when the current page hostname AND every form-action hostname (form action + submitter formaction override) are all in the list.
• unsafeMode / --unsafe / PILO_UNSAFE_MODE: global firewall disable, with prominent data-risk warnings on every surface.
• FIREWALL_BLOCKED_NON_INTERACTIVE event: when a block fires in non-interactive mode, the CLI prints a structured remediation footer listing all three enable paths (add hostname, switch to interactive, enable unsafe mode). The footer is user-facing only — the model never sees the remediation text, so injected page content cannot ask the user to enable a bypass.
• Hostname validation runs synchronously at WebAgent construction AND at pilo config set trusted_hostnames ... (via normalizeHostname), so bad entries surface immediately.
• Fixes a pre-existing parseConfigValue bug where string[] config fields (trusted_hostnames, pw_cdp_endpoints) were stored as raw strings instead of arrays.

Design + plan

• Spec: docs/superpowers/specs/2026-05-28-firewall-bypass-controls-design.md
• Plan: docs/superpowers/plans/2026-05-28-firewall-bypass-controls.md
• README has a new "Security Model" section documenting both bypasses as deliberate data-protection opt-outs.

Test Plan

• pnpm run format
• pnpm run format:check
• pnpm run typecheck
• pnpm -r run test (1352 tests across all packages)
• gitleaks protect -v / gitleaks detect -v
• pnpm exec tsx scripts/verify-prompt-injection-firewall.ts (local uncommitted verifier; passes on this branch and is designed to fail on main)

[lmorchard]

I think this is okay to land - though, it does break some form-filling stuff I was doing for automated survey testing. Not sure if we have any real customers relying on something similar.

The solution for the survey testing would be to use a separate companion agent to provide the survey answers in interactive mode. But that's probably a better design anyway, since that agent won't necessarily be exposed to prompt injection from the page itself as easily.

[Copilot]

Pull request overview

This PR introduces a structural “action firewall” to harden browser automation against prompt-context exfiltration by gating agent-driven form fills and form submissions using DOM-derived field metadata and provenance tracking (rather than payload text matching).

Changes:

• Add FieldMetadata / FormSubmissionContext browser APIs and implement them in Playwright + Extension browsers.
• Enforce a security policy in webActionTools to block unauthorized agent fills and to gate submit-like actions when a form contains unauthorized agent-filled refs.
• Add unit/regression tests for firewall behavior, provenance requirements, and snapshot/provenance lifetime interactions.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
packages/extension/src/background/ExtensionBrowser.ts	Adds DOM introspection helpers for field metadata + form submission context.
packages/core/src/browser/ariaBrowser.ts	Extends the AriaBrowser contract with metadata/submission context types and methods.
packages/core/src/browser/playwrightBrowser.ts	Implements the new browser APIs using Playwright locator.evaluate.
packages/core/src/security/actionFirewall.ts	Adds fill/submission assessment logic and constants.
packages/core/src/tools/webActionTools.ts	Integrates firewall checks + provenance tracking into tools (fill/click/enter).
packages/core/src/tools/interactiveTools.ts	Simplifies ApprovedRefs implementation (now a Set).
packages/core/src/webAgent.ts	Wires provenance sets into tool context; adjusts snapshot refresh policy for fill.
packages/core/src/core.ts	Re-exports the new browser types from the public core entrypoint.
packages/core/test/security/actionFirewall.test.ts	Adds unit coverage for the firewall’s allow/block decisions.
packages/core/test/tools/webActionTools.test.ts	Adds regression tests for blocked fills, submit gating, and provenance requirements.
packages/core/test/webAgent.test.ts	Adds regression coverage for snapshot stability after fill.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.

[lmorchard]

Looks good, works for me, passes evals without significant regression 👍