Token leakage
Needs browser scan
static checks pass; browser evidence pending.
F062 · security
Static and browser evidence policy for no runtime/admin token leakage in snippets, DOM, URL, postMessage, logs and screenshots.
Token leakage
Needs browser scan
Forbidden patterns
8
Policy
redacted
Generated snippet contains widget id and public key only; no runtime/admin token.
Runtime data clients use headers/auth paths and loader never handles runtime token values.
Embed runtime sends ready/error/resize only and must not post runtime token.
Static scanner script is added; run locally after pnpm install/build for complete artifact coverage.
Requires Playwright/browser execution before beta release.