playwright-a11y-mcp

by fveracoechea

Overview

Automated web accessibility auditing and reporting against WCAG 2.1 A/AA criteria using Playwright and axe-core.

Installation

Run Command
bun run dev

Environment Variables

  • AUTH_COOKIE_NAME
  • AUTH_COOKIE_VALUE
  • STORAGE_TYPE
  • S3_BUCKET
  • S3_REGION
  • S3_ACCESS_KEY_ID
  • S3_SECRET_ACCESS_KEY
  • S3_BASE_URL
  • PUBLIC_SCREENSHOTS_PATH
  • BASE_URL

Security Notes

The source code explicitly launches Playwright in non-headless mode (`headless: false`) in all browser automation tools (`analizeURL`, `testPageTool`), which contradicts the README's claim that it 'Runs in headless Chromium'. Running non-headless browsers on a server introduces significant operational complexity (a display environment is required) and security risks (a larger attack surface if a browser exploit were to escape the sandbox, and the potential for unexpected UI interactions). Sensitive credentials (`AUTH_COOKIE_NAME`, `AUTH_COOKIE_VALUE`, S3 keys) are correctly loaded from environment variables and validated with Zod. Screenshots uploaded to S3 are marked `public-read`; this is expected, but it means any sensitive data captured in a screenshot will be publicly accessible. Inputs are validated with Zod, which mitigates some injection risks.

Stats

  • Interest Score: 0
  • Security Score: 6
  • Cost Class: High
  • Avg Tokens: 5000
  • Stars: 0
  • Forks: 0
  • Last Update: 2025-11-20

Tags

  • accessibility
  • WCAG
  • Playwright
  • axe-core
  • web-audit