Oncohealth Security Contact

No antivirus exception will be granted for esentutl.exe cookie copying.

Approved Alternatives

Roman's approved workarounds:

1. storageState — Playwright's JSON-based auth state (cookies + localStorage export/import)
2. API tokens — Use service API tokens instead of browser session cookies
3. Special security approval — Last resort if completely blocked. Requires formal request through Roman.

What Happened (2026-03 Incident)

1. miro-login-capture.js used Playwright persistent context to read Miro boards
2. Playwright internally used esentutl.exe to copy Edge session cookies
3. CrowdStrike blocked it and Roman flagged the activity
4. Carlos confirmed it was authorized testing, explained the workflow
5. Roman denied antivirus exception, recommended storageState or API tokens
6. Resolution: Use Miro REST API (shared/miro-api.js) instead of browser automation for Miro. For other browser automation, use storageState pattern.

storageState Pattern (Preferred)

// Step 1: Manual login, save state
const context = await browser.newContext();
const page = await context.newPage();
await page.goto('https://target-site.com');
// ... manual login ...
await context.storageState({ path: 'auth-state.json' });

// Step 2: Reuse state (no esentutl.exe)
const context = await browser.newContext({ storageState: 'auth-state.json' });

Communication Protocol

• If CrowdStrike blocks a script → check if it uses persistent browser context → switch to storageState
• If Roman flags something → respond promptly with full transparency (script name, purpose, workflow)
• Always disclose automation tooling when asked