By skill_id: nezam-browserbase name: "nezam-Browserbase" description: "Cloud browser automation for adversarial UI testing, scraping requiring auth sessions, and regression testing. Uses 3-round adversarial testing protocol." version: 1.0.0 updated: 2026-05-12 changelog: owner: "lead-qa-architect" tier: 3 sdd_phase: "Quality" rtl_aware: false certified: false dependencies:
Browserbase — Cloud Browser Automation
Purpose
Run browser automation in the cloud with anti-bot bypass, persistent sessions, and parallel execution. Primary use cases: adversarial UI testing, scraping behind authentication, E2E regression tests for complex user flows.
Trigger Conditions
- UI regression testing on complex multi-step flows.
- Testing authentication flows (login, OAuth, MFA).
- Scraping sites that require JavaScript or session cookies.
- Testing against sites with bot detection that blocks headless browsers.
- Parallel test execution for large test suites.
Prerequisites
BROWSERBASE_API_KEYandBROWSERBASE_PROJECT_IDset in environment variables.npm install @browserbasehq/sdk playwrightinstalled.- Target URLs identified for testing.
Procedure
Session Setup
import Browserbase from '@browserbasehq/sdk'
import { chromium } from 'playwright'
const bb = new Browserbase({ apiKey: process.env.BROWSERBASE_API_KEY! })
const session = await bb.sessions.create({
projectId: process.env.BROWSERBASE_PROJECT_ID!,
browserSettings: {
viewport: { width: 1440, height: 900 },
},
})
const browser = await chromium.connectOverCDP(session.connectUrl)
const page = await browser.newPage()
3-Round Adversarial Testing Protocol
Round 1 — Functional (happy path):
- Test all expected inputs with valid data.
- Verify all success states, loading states, and empty states.
- Confirm all user flows complete successfully from start to finish.
- Document: what works as expected.
Round 2 — Adversarial (break it):
- Boundary inputs: empty strings, null values, maximum length strings, special characters, SQL injection attempts, XSS strings.
- Race conditions: double-submit forms, rapid navigation, concurrent requests.
- Auth edge cases: expired sessions, invalid tokens, unauthorized routes.
- Network conditions: offline behavior, slow network (throttle to 3G), request timeouts.
- Document: what breaks, what error state appears (or fails to appear).
Round 3 — Coverage Gaps:
- Explicitly list all user flows and states NOT tested in Rounds 1–2.
- For each gap: explain why it was not tested and whether it should be added to the test suite.
- Document: what is still untested and the risk level of each gap.
Parallel Execution
For large test suites, run tests in parallel Browserbase sessions:
const testCases = ['login-flow', 'checkout-flow', 'onboarding-flow']
const results = await Promise.all(
testCases.map(async (testCase) => {
const session = await bb.sessions.create({ projectId: process.env.BROWSERBASE_PROJECT_ID! })
const browser = await chromium.connectOverCDP(session.connectUrl)
// ... run test
await browser.close()
return { testCase, result }
})
)
Rule: Each parallel session is isolated — no shared state. Design tests to be stateless and independent.
Session Cleanup
Always close sessions after tests complete to avoid unnecessary billing:
await browser.close()
// Session auto-closes, but explicit close is faster and cleaner
Output Artifacts
- Round 1 report:
docs/quality/browserbase-round1-<date>.md - Round 2 report:
docs/quality/browserbase-round2-<date>.md - Round 3 gap analysis:
docs/quality/browserbase-round3-gaps-<date>.md
Validation Checklist
- All 3 rounds completed (no round skipped)
- Round 2 tested: empty inputs, boundary values, XSS strings, SQL injection strings
- Round 2 tested: race conditions (double-submit, concurrent requests)
- Round 3 documents all untested paths with risk assessment
- Parallel tests are stateless (no shared state between sessions)
- All sessions closed after test completion
Handoff Target
Test reports feed quality/regression-detector. Critical findings from Round 2 feed quality/security-hardening.