Add optional SwiftAPI attestation provider #3824
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
4 issues found across 5 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="browser_use/swiftapi_integration/attestation.py">
<violation number="1" location="browser_use/swiftapi_integration/attestation.py:189">
P2: Unlike `verify` and `check_revocation`, this method lacks error handling for httpx exceptions. Consider wrapping in try/except for consistency and to provide meaningful `AttestationError` messages.</violation>
</file>
<file name="browser_use/swiftapi_integration/agent.py">
<violation number="1" location="browser_use/swiftapi_integration/agent.py:102">
P2: Comment says 'Copy registry' but code shares the reference. If `provided_tools.registry` is modified elsewhere, it will affect `swiftapi_tools`. Consider using `.model_copy()` or creating a new registry instance if independent copies are intended.</violation>
</file>
<file name="browser_use/swiftapi_integration/tools.py">
<violation number="1" location="browser_use/swiftapi_integration/tools.py:167">
P2: The `_attestation_cache` is initialized but never used. This suggests an incomplete caching implementation - attestation results are never cached, which could result in redundant attestation calls for repeated actions. Either implement the caching logic or remove this unused attribute.</violation>
</file>
<file name="browser_use/swiftapi_integration/__init__.py">
<violation number="1" location="browser_use/swiftapi_integration/__init__.py:10">
P2: Import path in docstring example is incorrect. The module is at `browser_use/swiftapi_integration/`, so the import should be `from browser_use.swiftapi_integration import ...` rather than `from swiftapi_integration import ...`.</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Ask questions if you need clarification on any suggestion
Reply to cubic to teach it or ask questions. Tag @cubic-dev-ai to re-run a review.
| # Conservative: assume revoked if we can't check | ||
| return True | ||
|
|
||
| async def get_info(self) -> Dict[str, Any]: |
Contributor
There was a problem hiding this comment.
P2: Unlike verify and check_revocation, this method lacks error handling for httpx exceptions. Consider wrapping in try/except for consistency and to provide meaningful AttestationError messages.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At browser_use/swiftapi_integration/attestation.py, line 189:
<comment>Unlike `verify` and `check_revocation`, this method lacks error handling for httpx exceptions. Consider wrapping in try/except for consistency and to provide meaningful `AttestationError` messages.</comment>
<file context>
@@ -0,0 +1,315 @@
+ # Conservative: assume revoked if we can't check
+ return True
+
+ async def get_info(self) -> Dict[str, Any]:
+ """Get SwiftAPI authority info."""
+ client = await self._get_client()
</file context>
✅ Addressed in 26f307b
| attest_all_actions=attest_all_actions, | ||
| ) | ||
| # Copy registry from provided tools | ||
| swiftapi_tools.registry = provided_tools.registry |
Contributor
There was a problem hiding this comment.
P2: Comment says 'Copy registry' but code shares the reference. If provided_tools.registry is modified elsewhere, it will affect swiftapi_tools. Consider using .model_copy() or creating a new registry instance if independent copies are intended.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At browser_use/swiftapi_integration/agent.py, line 102:
<comment>Comment says 'Copy registry' but code shares the reference. If `provided_tools.registry` is modified elsewhere, it will affect `swiftapi_tools`. Consider using `.model_copy()` or creating a new registry instance if independent copies are intended.</comment>
<file context>
@@ -0,0 +1,160 @@
+ attest_all_actions=attest_all_actions,
+ )
+ # Copy registry from provided tools
+ swiftapi_tools.registry = provided_tools.registry
+ else:
+ # Create new SwiftAPI-enabled tools
</file context>
✅ Addressed in 26f307b
| self._attestation_provider = None | ||
|
|
||
| self._attest_all_actions = attest_all_actions | ||
| self._attestation_cache: Dict[str, AttestationResult] = {} |
Contributor
There was a problem hiding this comment.
P2: The _attestation_cache is initialized but never used. This suggests an incomplete caching implementation - attestation results are never cached, which could result in redundant attestation calls for repeated actions. Either implement the caching logic or remove this unused attribute.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At browser_use/swiftapi_integration/tools.py, line 167:
<comment>The `_attestation_cache` is initialized but never used. This suggests an incomplete caching implementation - attestation results are never cached, which could result in redundant attestation calls for repeated actions. Either implement the caching logic or remove this unused attribute.</comment>
<file context>
@@ -0,0 +1,289 @@
+ self._attestation_provider = None
+
+ self._attest_all_actions = attest_all_actions
+ self._attestation_cache: Dict[str, AttestationResult] = {}
+
+ def _requires_attestation(self, action_name: str) -> bool:
</file context>
✅ Addressed in 26f307b
| before execution. | ||
|
|
||
| Usage: | ||
| from swiftapi_integration import SwiftAPITools, SwiftAPIAgent |
Contributor
There was a problem hiding this comment.
P2: Import path in docstring example is incorrect. The module is at browser_use/swiftapi_integration/, so the import should be from browser_use.swiftapi_integration import ... rather than from swiftapi_integration import ....
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At browser_use/swiftapi_integration/__init__.py, line 10:
<comment>Import path in docstring example is incorrect. The module is at `browser_use/swiftapi_integration/`, so the import should be `from browser_use.swiftapi_integration import ...` rather than `from swiftapi_integration import ...`.</comment>
<file context>
@@ -0,0 +1,58 @@
+before execution.
+
+Usage:
+ from swiftapi_integration import SwiftAPITools, SwiftAPIAgent
+
+ # Option 1: Use SwiftAPI-enabled Tools
</file context>
✅ Addressed in 26f307b
Contributor
There was a problem hiding this comment.
3 issues found across 5 files (changes from recent commits).
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="browser_use/swiftapi_integration/attestation.py">
<violation number="1" location="browser_use/swiftapi_integration/attestation.py:142">
P2: Variable `action_fingerprint` is computed but never used. This appears to be dead code - either remove the computation or use the fingerprint (e.g., include it in the payload if intended).</violation>
</file>
<file name="browser_use/swiftapi_integration/tools.py">
<violation number="1" location="browser_use/swiftapi_integration/tools.py:246">
P2: Broad exception handling: Silently catching all exceptions when getting page URL could hide real issues. Consider catching specific exceptions or logging at debug level.</violation>
<violation number="2" location="browser_use/swiftapi_integration/tools.py:279">
P1: Potential attestation bypass: If no valid action is found in `model_dump`, `super().act()` is still called without attestation. For a fail-closed security module, consider validating that an action was found and attested, or raising an error when no action is detected.</violation>
</file>
Reply to cubic to teach it or ask questions. Tag @cubic-dev-ai to re-run a review.
| 'type': action_type, | ||
| 'params': params, | ||
| } | ||
| action_fingerprint = hashlib.sha256(json.dumps(action_data, sort_keys=True).encode()).hexdigest() |
Contributor
There was a problem hiding this comment.
P2: Variable action_fingerprint is computed but never used. This appears to be dead code - either remove the computation or use the fingerprint (e.g., include it in the payload if intended).
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At browser_use/swiftapi_integration/attestation.py, line 142:
<comment>Variable `action_fingerprint` is computed but never used. This appears to be dead code - either remove the computation or use the fingerprint (e.g., include it in the payload if intended).</comment>
<file context>
@@ -24,297 +26,301 @@
+ 'type': action_type,
+ 'params': params,
+ }
+ action_fingerprint = hashlib.sha256(json.dumps(action_data, sort_keys=True).encode()).hexdigest()
+
+ # Build request payload
</file context>
✅ Addressed in e28f00a
| if browser_session: | ||
| try: | ||
| page_url = await browser_session.get_current_page_url() | ||
| except Exception: |
Contributor
There was a problem hiding this comment.
P2: Broad exception handling: Silently catching all exceptions when getting page URL could hide real issues. Consider catching specific exceptions or logging at debug level.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At browser_use/swiftapi_integration/tools.py, line 246:
<comment>Broad exception handling: Silently catching all exceptions when getting page URL could hide real issues. Consider catching specific exceptions or logging at debug level.</comment>
<file context>
@@ -5,284 +5,287 @@
+ if browser_session:
+ try:
+ page_url = await browser_session.get_current_page_url()
+ except Exception:
+ pass
+
</file context>
✅ Addressed in e28f00a
| break # Only one action per ActionModel | ||
|
|
||
| # Call parent act() method if attestation passed | ||
| return await super().act( # type: ignore[reportAttributeAccessIssue] |
Contributor
There was a problem hiding this comment.
P1: Potential attestation bypass: If no valid action is found in model_dump, super().act() is still called without attestation. For a fail-closed security module, consider validating that an action was found and attested, or raising an error when no action is detected.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At browser_use/swiftapi_integration/tools.py, line 279:
<comment>Potential attestation bypass: If no valid action is found in `model_dump`, `super().act()` is still called without attestation. For a fail-closed security module, consider validating that an action was found and attested, or raising an error when no action is detected.</comment>
<file context>
@@ -5,284 +5,287 @@
+ break # Only one action per ActionModel
+
+ # Call parent act() method if attestation passed
+ return await super().act( # type: ignore[reportAttributeAccessIssue]
+ action=action,
+ browser_session=browser_session,
</file context>
✅ Addressed in e28f00a
theonlypal
force-pushed
the
swiftapi-attestation
branch
from
de56d3c to
e28f00a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds optional action-level attestation via SwiftAPI.
High-risk actions (click, input, navigate, evaluate) require Ed25519-signed approval before execution. Read-only actions pass through.
Usage:
Live demo: https://github.com/theonlypal/browser-use-swiftapi
Summary by cubic
Adds optional SwiftAPI attestation for browser actions. High-risk actions require Ed25519-signed approval; read-only actions bypass attestation.
Written for commit e28f00a. Summary will update automatically on new commits.