diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..529717b
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,16 @@
+## Summary
+
+- What changed:
+- Why:
+- Related issue:
+
+## Validation
+
+- [ ] Relevant tests were run locally
+- [ ] Docs were updated (if behavior/config changed)
+- [ ] No sensitive data added
+
+## Governance (required)
+
+- [ ] This PR has explicit approval from project administration/maintainers
+- [ ] This PR will be merged only by project administration/maintainers
diff --git a/.github/workflows/create_test_report.yml b/.github/workflows/create_test_report.yml
index 5d5ff39..f8e8f90 100644
--- a/.github/workflows/create_test_report.yml
+++ b/.github/workflows/create_test_report.yml
@@ -39,7 +39,7 @@ jobs:
HTML_REPORT_URL: 'https://mspwblobreport.z1.web.core.windows.net/run-${{ github.event.workflow_run.id }}-${{ github.event.workflow_run.run_attempt }}-${{ github.sha }}/index.html'
- name: Azure Login
- uses: azure/login@v2
+ uses: azure/login@v3
with:
client-id: ${{ secrets.AZURE_BLOB_REPORTS_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_BLOB_REPORTS_TENANT_ID }}
@@ -57,7 +57,7 @@ jobs:
AZCOPY_AUTO_LOGIN_TYPE: AZCLI
- name: Publish Report URL as Commit Status
- uses: actions/github-script@v8
+ uses: actions/github-script@v9
with:
script: |
await github.rest.repos.createCommitStatus({
diff --git a/.github/workflows/pr_check_client_side_changes.yml b/.github/workflows/pr_check_client_side_changes.yml
index 8a7a1e3..243f2c3 100644
--- a/.github/workflows/pr_check_client_side_changes.yml
+++ b/.github/workflows/pr_check_client_side_changes.yml
@@ -16,7 +16,7 @@ jobs:
if: github.repository == 'microsoft/playwright'
steps:
- uses: actions/checkout@v6
- - uses: actions/create-github-app-token@v2
+ - uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
@@ -27,7 +27,7 @@ jobs:
playwright-java
playwright-dotnet
- name: Create GitHub issue
- uses: actions/github-script@v8
+ uses: actions/github-script@v9
with:
github-token: ${{ steps.app-token.outputs.token }}
script: |
diff --git a/.github/workflows/publish_release.yml b/.github/workflows/publish_release.yml
index 3e50151..c620ea5 100644
--- a/.github/workflows/publish_release.yml
+++ b/.github/workflows/publish_release.yml
@@ -54,7 +54,7 @@ jobs:
run: utils/publish_all_packages.sh --release
- name: Azure Login
- uses: azure/login@v2
+ uses: azure/login@v3
with:
client-id: ${{ secrets.AZURE_PW_CDN_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_PW_CDN_TENANT_ID }}
@@ -75,7 +75,7 @@ jobs:
- uses: actions/setup-node@v6
with:
node-version: 20
- - uses: actions/create-github-app-token@v2
+ - uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
diff --git a/.github/workflows/publish_release_docker.yml b/.github/workflows/publish_release_docker.yml
index 0626c6b..adf58d0 100644
--- a/.github/workflows/publish_release_docker.yml
+++ b/.github/workflows/publish_release_docker.yml
@@ -30,7 +30,7 @@ jobs:
- run: npm ci
- run: npm run build
- name: Azure Login
- uses: azure/login@v2
+ uses: azure/login@v3
with:
client-id: ${{ secrets.AZURE_DOCKER_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_DOCKER_TENANT_ID }}
diff --git a/.github/workflows/roll_browser_into_playwright.yml b/.github/workflows/roll_browser_into_playwright.yml
index b08ba32..b431fa8 100644
--- a/.github/workflows/roll_browser_into_playwright.yml
+++ b/.github/workflows/roll_browser_into_playwright.yml
@@ -52,13 +52,13 @@ jobs:
git add .
git commit -m "feat(${BROWSER}): roll to r${REVISION}"
git push origin $BRANCH_NAME --force
- - uses: actions/create-github-app-token@v2
+ - uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
- name: Create Pull Request
- uses: actions/github-script@v8
+ uses: actions/github-script@v9
if: ${{ steps.prepare-branch.outputs.exists == '0' }}
with:
github-token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/roll_nodejs.yml b/.github/workflows/roll_nodejs.yml
index 03e2365..4474979 100644
--- a/.github/workflows/roll_nodejs.yml
+++ b/.github/workflows/roll_nodejs.yml
@@ -33,14 +33,14 @@ jobs:
git add .
git commit -m "chore: roll driver/Dockerfile to recent Node.js LTS version"
git push origin $BRANCH_NAME
- - uses: actions/create-github-app-token@v2
+ - uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
- name: Create Pull Request
if: ${{ steps.prepare-branch.outputs.HAS_CHANGES == '1' }}
- uses: actions/github-script@v8
+ uses: actions/github-script@v9
with:
github-token: ${{ steps.app-token.outputs.token }}
script: |
diff --git a/.github/workflows/roll_stable_test_runner.yml b/.github/workflows/roll_stable_test_runner.yml
index 66781c4..82ba5d4 100644
--- a/.github/workflows/roll_stable_test_runner.yml
+++ b/.github/workflows/roll_stable_test_runner.yml
@@ -38,14 +38,14 @@ jobs:
git add .
git commit -m "test: roll stable-test-runner to ${{ steps.bump.outputs.VERSION }}"
git push origin $BRANCH_NAME
- - uses: actions/create-github-app-token@v2
+ - uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
private-key: ${{ secrets.PLAYWRIGHT_PRIVATE_KEY }}
- name: Create Pull Request
if: ${{ steps.prepare-branch.outputs.HAS_CHANGES == '1' }}
- uses: actions/github-script@v8
+ uses: actions/github-script@v9
with:
github-token: ${{ steps.app-token.outputs.token }}
script: |
diff --git a/.github/workflows/tests_bidi.yml b/.github/workflows/tests_bidi.yml
index 6dcdf52..acd796f 100644
--- a/.github/workflows/tests_bidi.yml
+++ b/.github/workflows/tests_bidi.yml
@@ -78,7 +78,7 @@ jobs:
- name: Azure Login
if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}
- uses: azure/login@v2
+ uses: azure/login@v3
with:
client-id: ${{ secrets.AZURE_BLOB_REPORTS_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_BLOB_REPORTS_TENANT_ID }}
diff --git a/.github/workflows/trigger_tests.yml b/.github/workflows/trigger_tests.yml
index 69a3d5f..761c11f 100644
--- a/.github/workflows/trigger_tests.yml
+++ b/.github/workflows/trigger_tests.yml
@@ -11,7 +11,7 @@ jobs:
name: "trigger"
runs-on: ubuntu-24.04
steps:
- - uses: actions/create-github-app-token@v2
+ - uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.PLAYWRIGHT_APP_ID }}
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
index c72a574..690cfb4 100644
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,9 +1,22 @@
-# Microsoft Open Source Code of Conduct
-
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-
-Resources:
-
-- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
-- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
-- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
+# Code of Conduct
+
+This project expects respectful and constructive collaboration.
+
+## Expected behavior
+
+- Be respectful and professional.
+- Focus on technical facts, not personal attacks.
+- Assume good intent, ask clarifying questions, and provide actionable feedback.
+- Keep discussions inclusive and relevant to the project.
+
+## Unacceptable behavior
+
+- Harassment, insults, discrimination, or intimidation.
+- Repeated off-topic disruption or deliberate trolling.
+- Publishing private/sensitive information without consent.
+
+## Enforcement
+
+Maintainers may edit, hide, lock, or remove content that violates this code, and may restrict participation for repeated or severe violations.
+
+For concerns, contact repository maintainers privately through GitHub repository administration channels.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 67468d3..86262a1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,158 +1,104 @@
# Contributing
-## Choose an issue
+Thanks for contributing to Treegress Browser Core.
-Playwright **requires an issue** for every contribution, except for minor documentation updates. We strongly recommend
-to pick an issue
-labeled [open-to-a-pull-request](https://github.com/microsoft/playwright/issues?q=is%3Aissue%20state%3Aopen%20label%3Aopen-to-a-pull-request)
-for your first contribution to the project.
+## Before you start
-If you are passionate about a bug/feature, but cannot find an issue describing it, **file an issue first**. This will
-facilitate the discussion, and you might get some early feedback from project maintainers before spending your time on
-creating a pull request.
+1. Create or pick an issue first (except for small typo/docs-only fixes).
+2. Confirm your change belongs in this repository:
+- `treegress-browser-core` is the source of truth for snapshot, formatter, locator-plan and ref-resolution runtime behavior.
+- MCP wiring-only changes should usually go to `treegress-browser-mcp`.
-## Make a change
+## Local setup
+
+Requires Node.js 18+.
-Make sure you're running Node.js 20 or later.
```bash
node --version
```
-Clone the repository. If you plan to send a pull request, it might be better to [fork the repository](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo) first.
+Clone this repository:
+
```bash
-git clone https://github.com/microsoft/playwright
-cd playwright
+git clone https://github.com/MobiDev-Org/treegress-browser-core.git
+cd treegress-browser-core
```
-Install dependencies and run the build in watch mode.
+Install dependencies and start watch build:
+
```bash
npm ci
npm run watch
npx playwright install
```
-Playwright is a multi-package repository that uses npm workspaces. For browser APIs, look at [`packages/playwright-core`](https://github.com/microsoft/playwright/blob/main/packages/playwright-core). For test runner, see [`packages/playwright`](https://github.com/microsoft/playwright/blob/main/packages/playwright).
-
-Note that some files are generated by the build, so the watch process might override your changes if done in the wrong file. For example, TypeScript types for the API are generated from the [`docs/src`](https://github.com/microsoft/playwright/blob/main/docs/src).
-
-Coding style is fully defined in [eslint.config.mjs](https://github.com/microsoft/playwright/blob/main/eslint.config.mjs). Before creating a pull request, or at any moment during development, run linter to check all kinds of things:
- ```bash
- npm run lint
- ```
-
-Comments should have an explicit purpose and should improve readability rather than hinder it. If the code would not be understood without comments, consider re-writing the code to make it self-explanatory.
-
-### Write documentation
-
-Every part of the public API should be documented in [`docs/src`](https://github.com/microsoft/playwright/blob/main/docs/src), in the same change that adds/changes the API. We use markdown files with custom structure to specify the API. Take a look around for an example.
-
-Various other files are generated from the API specification. If you are running `npm run watch`, these will be re-generated automatically.
-
-Larger changes will require updates to the documentation guides as well. This will be made clear during the code review.
-
-## Add a test
-
-Playwright requires a test for almost any new or modified functionality. An exception would be a pure refactoring, but chances are you are doing more than that.
-
-There are multiple [test suites](https://github.com/microsoft/playwright/blob/main/tests) in Playwright that will be executed on the CI. The two most important that you need to run locally are:
-
-- Library tests cover APIs not related to the test runner.
- ```bash
- # fast path runs all tests in Chromium
- npm run ctest
+## Where to make changes
- # slow path runs all tests in three browsers
- npm run test
- ```
+Primary runtime areas:
-- Test runner tests.
- ```bash
- npm run ttest
- ```
+- `packages/injected/src/*`
+- `packages/playwright-core/src/server/*`
+- `packages/playwright-core/src/tools/*`
-Since Playwright tests are using Playwright under the hood, everything from our documentation applies, for example [this guide on running and debugging tests](https://playwright.dev/docs/running-tests#running-tests).
+Do not duplicate long-term custom-dom runtime logic in other repositories when it can live here.
-Note that tests should be *hermetic*, and not depend on external services. Tests should work on all three platforms: macOS, Linux and Windows.
+## Tests
-## Write a commit message
+Run relevant tests before opening a PR.
-Commit messages should follow the [Semantic Commit Messages](https://www.conventionalcommits.org/en/v1.0.0/) format:
+Core/library path:
+```bash
+npm run ctest
+npm run ttest
```
-label(namespace): title
-description
+If you changed custom-dom runtime behavior, also run:
-footer
+```bash
+npm run test-custom-dom-prod-path
```
-1. *label* is one of the following:
- - `fix` - bug fixes
- - `feat` - new features
- - `docs` - documentation-only changes
- - `test` - test-only changes
- - `devops` - changes to the CI or build
- - `chore` - everything that doesn't fall under previous categories
-2. *namespace* is put in parentheses after label and is optional. Must be lowercase.
-3. *title* is a brief summary of changes.
-4. *description* is **optional**, new-line separated from title and is in present tense.
-5. *footer* is **optional**, new-line separated from *description* and contains "fixes" / "references" attribution to GitHub issues.
+## Documentation
-Example:
+If behavior or public-facing workflow changes, update docs in the same PR.
-```
-feat(trace viewer): network panel filtering
-
-This patch adds a filtering toolbar to the network panel.
-
-
-Fixes #123, references #234.
-```
+At minimum, review:
-## Send a pull request
+- `README.md`
+- `DEVELOPING.md`
+- package README files under `packages/*`
-All submissions, including submissions by project members, require review. We use GitHub pull requests for this purpose.
-Make sure to keep your PR (diff) small and readable. If necessary, split your contribution into multiple PRs.
-Consult [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more information on using pull requests.
+## Commit messages
-After a successful code review, one of the maintainers will merge your pull request. Congratulations!
+Use conventional commits:
-## More details
-
-**No new dependencies**
-
-There is a very high bar for new dependencies, including updating to a new version of an existing dependency. We recommend to explicitly discuss this in an issue and get a green light from a maintainer, before creating a pull request that updates dependencies.
+```text
+label(namespace): title
+```
-**Custom browser build**
+Recommended labels: `fix`, `feat`, `docs`, `test`, `devops`, `chore`.
-To run tests with custom browser executable, specify `CRPATH`, `WKPATH` or `FFPATH` env variable that points to browser executable:
-```bash
-CRPATH= npm run ctest
-```
+## Pull request policy (strict)
-You will also find `DEBUG=pw:browser` useful for debugging custom-builds.
+All submissions require pull requests.
-**Building documentation site**
+Required for merge:
-The [playwright.dev](https://playwright.dev/) documentation site lives in a separate repository, and documentation from [`docs/src`](https://github.com/microsoft/playwright/blob/main/docs/src) is frequently rolled there.
+1. CI is green.
+2. Issue is linked.
+3. At least one explicit approval from project administration/maintainers.
+4. PR is merged by project administration/maintainers.
-Most of the time this should not concern you. However, if you are doing something unusual in the docs, you can build locally and test how your changes will look in practice:
-1. Clone the [microsoft/playwright.dev](https://github.com/microsoft/playwright.dev) repo.
-1. Follow [the playwright.dev README instructions to "roll docs"](https://github.com/microsoft/playwright.dev/#roll-docs) against your local `playwright` repo with your changes in progress.
-1. Follow [the playwright.dev README instructions to "run dev server"](https://github.com/microsoft/playwright.dev/#run-dev-server) to view your changes.
+Repository administrators must enforce this with branch protection rules on protected branches.
-## Contributor License Agreement
+## Dependency policy
-This project welcomes contributions and suggestions. Most contributions require you to agree to a
-Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
-the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+There is a high bar for new dependencies and dependency upgrades.
-When you submit a pull request, a CLA bot will automatically determine whether you need to provide
-a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
-provided by the bot. You will only need to do this once across all repos using our CLA.
+Discuss dependency changes in an issue first and get maintainer approval before final review.
-### Code of Conduct
+## Security and conduct
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
-contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+- Security reports: see `SECURITY.md`.
+- Community behavior: see `CODE_OF_CONDUCT.md`.
diff --git a/DEVELOPING.md b/DEVELOPING.md
index beb9adf..52d42fc 100644
--- a/DEVELOPING.md
+++ b/DEVELOPING.md
@@ -97,6 +97,15 @@ If the MCP package depends on new runtime behavior from core:
- `README.md` and package-level README files are for users
- release notes, coordination rules and maintainer workflow belong here
+## PR Governance
+
+Protected branches should enforce:
+
+- pull-request-only changes (no direct pushes)
+- required status checks
+- at least one approval from project administration/maintainers
+- merge performed by project administration/maintainers
+
## Maintainers
For release, dependency-sync and build instructions, see [`DEVELOPING.md`](DEVELOPING.md).
diff --git a/FILING_ISSUES.md b/FILING_ISSUES.md
index b699cd2..5eb89af 100644
--- a/FILING_ISSUES.md
+++ b/FILING_ISSUES.md
@@ -1,35 +1,35 @@
-# How to File a Bug Report That Actually Gets Resolved
+# How to file a bug report that gets resolved
-Make sure you’re on the latest Playwright release before filing. Check existing GitHub issues to avoid duplicates.
+Before filing, make sure you are testing against the latest relevant Treegress package version and check for duplicate issues.
-## Use the Template
+## Use the issue template
-Follow the **Bug Report** template. It guides you step-by-step:
+When opening a bug:
-- Fill it out thoroughly.
-- Clearly list the steps needed to reproduce the bug.
-- Provide what you expected to see versus what happened in reality.
-- Include system info from `npx envinfo --preset playwright`.
+- fill all required fields
+- provide exact reproduction steps
+- include expected vs actual behavior
+- include environment details (OS, Node version, package versions)
-## Keep Your Repro Minimal
+## Keep repro minimal
-We can't parse your entire code base. Reduce it down to the absolute essentials:
+Reduce the problem to the smallest reproducible case:
-- Start a fresh project (`npm init playwright@latest new-project`).
-- Add only the code/DOM needed to show the problem.
-- Only use major frameworks if necessary (React, Angular, static HTTP server, etc.).
-- Avoid adding extra libraries unless absolutely necessary. Note that we won't install any suspect dependencies.
+- start from a clean project
+- include only code and data needed to reproduce
+- avoid unrelated dependencies
-## Why This Matters
-- Most issues that lack a repro turn out to be misconfigurations or usage errors.
-- We can't fix problems if we can’t reproduce them ourselves.
-- We can’t debug entire private projects or handle sensitive credentials.
-- Each confirmed bug will have a test in our repo, so your repro must be as clean as possible.
+## Why this matters
-## More Help
+- most unresolved reports are not reproducible
+- maintainers cannot debug private full-scale projects
+- reproducible bugs are fixed much faster
-- [Stack Overflow’s Minimal Reproducible Example Guide](https://stackoverflow.com/help/minimal-reproducible-example)
-- [Playwright Debugging Tools](https://playwright.dev/docs/debug)
+## Useful references
-## Bottom Line
-A well-isolated bug speeds up verification and resolution. Minimal, public repro or it’s unlikely we can assist.
+- [Minimal Reproducible Example](https://stackoverflow.com/help/minimal-reproducible-example)
+- [Playwright Debug Guide](https://playwright.dev/docs/debug)
+
+## Bottom line
+
+Minimal public repro + clear steps = fastest path to a fix.
diff --git a/LICENSE b/LICENSE
index 904fbf4..88e624f 100644
--- a/LICENSE
+++ b/LICENSE
@@ -191,7 +191,7 @@
Copyright (c) MobiDev Corporation.
This is an original Microsoft product with modifications made by MobiDev Corporation.
- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+ Licensed under the Apache License, Version 2.0 (the "License"), except for packages/injected/src/customDomSerializer.ts, which is subject to a custom non-commercial license. See the file header for details.
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.
diff --git a/SECURITY.md b/SECURITY.md
index 6b906d4..b4d9f9e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,41 +1,33 @@
-
-
-## Security
-
-Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet) and [Xamarin](https://github.com/xamarin).
-
-If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below.
-
-## Reporting Security Issues
-
-**Please do not report security vulnerabilities through public GitHub issues.**
-
-Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report).
-
-If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp).
-
-You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
-
-Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
-
- * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- * Full paths of source file(s) related to the manifestation of the issue
- * The location of the affected source code (tag/branch/commit or direct URL)
- * Any special configuration required to reproduce the issue
- * Step-by-step instructions to reproduce the issue
- * Proof-of-concept or exploit code (if possible)
- * Impact of the issue, including how an attacker might exploit the issue
-
-This information will help us triage your report more quickly.
-
-If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs.
-
-## Preferred Languages
-
-We prefer all communications to be in English.
-
-## Policy
-
-Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).
-
-
+## Security
+
+Security of Treegress Browser Core is handled by Treegress maintainers.
+
+## Reporting security issues
+
+Do not report security vulnerabilities in public issues.
+
+Preferred channel:
+
+1. Open a private vulnerability report via GitHub Security Advisories in this repository (`Security` -> `Report a vulnerability`).
+
+If private reporting is unavailable in your environment, contact repository maintainers directly and avoid posting exploit details publicly.
+
+## What to include
+
+Please include as much of the following as possible:
+
+- vulnerability type
+- affected files/paths
+- affected branch/tag/commit
+- reproduction steps
+- proof of concept (if available)
+- impact and attack scenario
+- suggested mitigation (if known)
+
+## Disclosure policy
+
+We follow coordinated vulnerability disclosure:
+
+- report privately first
+- allow maintainers to investigate and patch
+- publish details only after a fix is available or a coordinated disclosure date is agreed
diff --git a/SUPPORT.md b/SUPPORT.md
index 78cb929..e6b7bf5 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -1,17 +1,19 @@
# Support
-## How to file issues and get help
+## Issues and feature requests
-This project uses GitHub issues to track bugs and feature requests. Please search the [existing issues][gh-issues] before filing new ones to avoid duplicates. For new issues, file your bug or feature request as a new issue using corresponding template.
+Use this repository's GitHub issues for bugs and feature requests.
-For help and questions about using this project, please see the [docs site for Playwright][docs].
+Before opening a new issue:
-Join our community [Discord Server][discord-server] to connect with other developers using Playwright and ask questions in our 'help-playwright' forum.
+1. Search existing issues.
+2. Use the relevant issue template.
+3. Provide a minimal reproducible example when reporting bugs.
-## Microsoft Support Policy
+## Usage questions
-Support for Playwright is limited to the resources listed above.
+For product usage and integration questions, use project documentation and repository discussions (if enabled).
-[gh-issues]: https://github.com/microsoft/playwright/issues/
-[docs]: https://playwright.dev/
-[discord-server]: https://aka.ms/playwright/discord
+## Scope
+
+Support is provided on a best-effort basis through the project channels above.