
v1.3.36 -- Capture automation (Playwright; read-only)

A new operator-tooling component: scripts/capture/ ships a Playwright-driven capture session that takes screenshots of the panel for the docs portal.

Strict read-only contract: every click goes through a 25-pattern blocklist that throws on Save / Add / Delete / Apply / Confirm / Submit / Create / Run / Trigger / Restart / Reset / Send / Disable / Enable / Generate / Regenerate / Revoke / Ban / Unban / Whitelist / Purge / Refresh / Mark applied / Sign out / Logout. Form fills are categorically refused outside the auth flow. State-changing surfaces (true_detect_mode hosts, drift banner, selfblock, country expansion, totp-setup) are auto-skipped against prod and captured against the demo stack instead.

The capture script never touches the repo. PNGs land in /tmp/argos-captures-pending/; the operator reviews, sanitizes, and moves approved files to docs/screenshots/ manually. No git add, no commit, no push from the automation.

argosVersion and frontend/package.json deliberately stay at 1.3.35.4 — this release ships only operator tooling under scripts/capture/, no panel binary change.

What ships

scripts/capture/ directory (new)

| File | Role |
|---|---|
| package.json | Single dev dependency: @playwright/test ^1.49.0. Versioned at 1.3.36.0 (independent of argosVersion). |
| playwright.config.js | Chromium-only, 1440×900 viewport, dark-mode forced, no video / no trace / no screenshot-on-failure (privacy), 1 worker, 30s test timeout. |
| .env.example | Template with argos.example.com + admin placeholders; operator copies to .env (gitignored) and fills real values. |
| .gitignore | Local: .env, node_modules/, playwright-report/, test-results/. |
| lib/safe-page.js | Read-only enforcement wrappers: safeClick, safeHover, safeFill (always throws), and openModal (audited escape hatch requiring a reason string). |
| lib/auth.js | Login flow only — the one place raw page.click / page.fill are authorized. |
| capture.spec.js | 32 Playwright tests; ARGOS_CAPTURE_MODE=prod / demo switches between read-only-safe set + state-dependent set. |
| run.sh | Wrapper for prod mode: pre-flight .env check, fresh /tmp/argos-captures-pending/, npm install if needed, run spec, summary. |
| run-demo.sh | Wrapper for demo mode: defaults to localhost:9181 + demo / demo1234; URL sanity-check refuses non-localhost-shaped URLs. |
| README.md | Full operator guide. |

Surface coverage

24 read-only-safe surfaces (run.sh):

login, dashboard-overview, dashboard-security,
host-form, host-form-dns-provider-dropdown,
hosts-list-auth-column, target-group-form,
target-group-first-target, security-banned,
security-whitelist, security-activity, security-scenarios,
appsec-status, security-overview (route /security/hosts),
threats-decisions, appsec-metrics,
notifications-deliveries, logs-browser, backup-settings,
backups-list, geoip-status, sso-allowlist,
settings-panel, settings-dns-providers

Plus two graceful-skip surfaces against prod (capture if prod state happens to match; otherwise log to .skip-list and continue):

hosts-detect-badge          (any host with true_detect_mode=true)
target-group-two-targets    (any TG with >=2 targets)

5 state-dependent surfaces (run-demo.sh):

host-form-true-detect       (demo seed has 3 such hosts)
drift-indicators            (demo seed sets drift_detected:true)
country-bans-progress       (demo seed has 8 country bans visible)
selfblock-banner            (operator runs argos demo seed-self-block first)
totp-setup                  (fresh demo; 2FA not yet enabled; click is openModal-audited)

Read-only enforcement

The lib/safe-page.js wrappers throw on:

Save / Save changes / Save and continue
Add / Add target / Add country ban
Delete / Remove
Apply / Confirm / Submit
Create / Create target group
Run / Trigger / Restart / Reset
Send / Send test / Disable / Enable
Generate / Regenerate / Revoke
Ban / Unban / Whitelist / Purge / Refresh
Mark applied
Sign out / Logout

Verified by phase 4 of the partial smoke, using 13 synthetic test cases (10 expected-block + 3 expected-allow).

page.fill is wrapped by a safeFill shim that always throws — the only authorized fills happen in lib/auth.js during login, where raw page.fill is used directly.

The audited openModal(page, selector, reason) is the escape hatch for clicks that match the blocklist text but are confirmed safe (e.g. "Create target group" button — opens client-side modal; verified TargetGroups.tsx openCreate sets local state only, API call only fires on onSubmit). Every openModal call requires a reason string and logs to stdout for traceability.
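An added example of wrappers in this style, not the project's lib/safe-page.js. Whole-word, case-insensitive matching on the element's visible text and refusing elements with no readable label are assumptions of this example, and fakePage is a constructed stand-in for a Playwright page so the block runs offline.

```javascript
// Added example, not the project's lib/safe-page.js. Assumed matching rule:
// case-insensitive, whole-word match against the element's visible text.
const BLOCKED = [
  'Save', 'Add', 'Delete', 'Apply', 'Confirm', 'Submit', 'Create', 'Run',
  'Trigger', 'Restart', 'Reset', 'Send', 'Disable', 'Enable', 'Generate',
  'Regenerate', 'Revoke', 'Ban', 'Unban', 'Whitelist', 'Purge', 'Refresh',
  'Mark applied', 'Sign out', 'Logout',
];
// \b keeps "Ban" from matching "Banned" and "Add" from matching "Address".
const BLOCKED_RE = BLOCKED.map(
  (p) => new RegExp(`\\b${p.replace(/ /g, '\\s+')}\\b`, 'i'));

// Returns the first blocklist entry the label matches, or null if none does.
function blockedPattern(label) {
  const i = BLOCKED_RE.findIndex((re) => re.test(label));
  return i === -1 ? null : BLOCKED[i];
}

// Read the label first; click only if it is present and not blocklisted.
async function safeClick(page, selector) {
  const target = page.locator(selector);
  const label = (await target.innerText()).trim();
  // Fail closed: an unlabeled (icon-only) element cannot be vetted.
  if (!label) throw new Error(`read-only violation: no label for ${selector}`);
  const hit = blockedPattern(label);
  if (hit) throw new Error(`read-only violation: "${label}" matches "${hit}"`);
  await target.click();
  return label;
}

// Form fills are never allowed through the wrapper.
function safeFill() {
  throw new Error('read-only violation: fill refused outside the auth flow');
}

// Audited escape hatch: bypasses the blocklist only with a stated reason.
async function openModal(page, selector, reason) {
  if (typeof reason !== 'string' || !reason.trim()) {
    throw new Error('openModal requires a reason string');
  }
  console.log(`[openModal] ${selector} reason="${reason}"`);
  await page.locator(selector).click();
}

// Constructed stand-in for a Playwright page (labels: selector -> text).
function fakePage(labels, clicked = []) {
  const locator = (sel) => ({ innerText: async () => labels[sel] || '',
    click: async () => { clicked.push(sel); } });
  return { clicked, locator };
}
```

With this matching rule a link labelled "Banned" is allowed while "Unban" and "Add country ban" are refused; a substring match would block the former as well.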

Smoke: scripts/smoke/capture-automation.sh

Partial smoke that runs without prod credentials. Five phases:

1. run.sh refuses to run without .env (clear error)
2. .env is git check-ignore'd
3. .env.example contains only RFC-shaped placeholders
4. safeClick blocklist: 13/13 synthetic test cases pass
5. Working tree unchanged by the smoke (no spurious staging)

Self-executed pre-tag; PASS end-to-end.

The full end-to-end smoke (login + 24 captures) requires a real production panel and credentials and is operator-mediated only. There's no CI path because the credentials are operator-secret.

Files added

  • scripts/capture/.env.example
  • scripts/capture/.gitignore
  • scripts/capture/README.md
  • scripts/capture/capture.spec.js
  • scripts/capture/lib/auth.js
  • scripts/capture/lib/safe-page.js
  • scripts/capture/package.json
  • scripts/capture/playwright.config.js
  • scripts/capture/run-demo.sh
  • scripts/capture/run.sh
  • scripts/smoke/capture-automation.sh
  • docs/release-notes/v1.3.36.md (this file)

Files updated

  • CHANGELOG.md
  • mkdocs.yml

NOT changed: backend/cmd/argos/main.go argosVersion stays at 1.3.35.4; frontend/package.json version stays at 1.3.35.4; no Go code; no frontend code; no migrations.

Upgrade

cd ~/argos-edge
git pull

# First-time setup of capture tooling:
cd scripts/capture
cp .env.example .env
$EDITOR .env                  # fill ARGOS_PROD_URL/USER/PASS
npm ci
npx playwright install chromium

# Capture against prod:
cd ~/argos-edge
scripts/capture/run.sh

# Or against the demo stack (for the 5 state-dependent
# surfaces that prod skips):
scripts/demo/init.sh                   # if not already up
scripts/capture/run-demo.sh

Operator workflow post-capture

  1. Review each PNG in /tmp/argos-captures-pending/ visually.
  2. Pixelate any operator-specific data leaked into a tooltip or visible URL bar (real domains, real LAN IPs, real personal email).
  3. Move approved PNGs to docs/screenshots/. Drop the .skip-list file; it's just for reference.
  4. Commit with scope docs(screenshots).

The capture session never runs git add or git commit for you — that's deliberate so the operator's review is always in the loop.

Versioning

scripts/capture/package.json version field tracks tag releases of this folder independently from the panel binary. v1.3.36 ships 1.3.36.0 there; future capture-tooling patches bump this independently of argosVersion.