CLI control of browser extensions

[rgarcia]

• Adds
  • kernel extensions <list|delete|download|download-web-store> for managing extensions and also downloading them as unpacked extensions from the chrome web store
  • kernel browsers extensions upload to do an ad-hoc upload to a running browser instance

Along the way:

• added an -o/--output json option to browsers list
• added the ability to pass more than one session ID to browsers delete

---

TL;DR

This PR introduces CLI commands to manage browser extensions, allowing users to list, delete, download from the Chrome Web Store, and upload extensions to browser instances.

Why we made these changes

This addresses a feature request for programmatic control over browser extensions. It enables users to automate the setup of browser profiles with necessary extensions, improving developer workflow and consistency across environments.

What changed?

• New extensions command:
  • Added a new top-level command kernel extensions for managing the extension registry with list, delete, download, and download-web-store subcommands, implemented in cmd/extensions.go.
• Enhanced browsers command:
  • Added browsers extensions upload to install an extension in a running browser.
  • Added an --extension flag to browsers create to install extensions on creation.
  • Added a -o/--output json option to browsers list.
  • Updated browsers delete to accept multiple session IDs.
• Utilities & Dependencies:
  • Added a new Unzip utility in pkg/util/zip.go to handle extension packages.
  • Updated go.mod to replace the kernel-go-sdk dependency.
• Documentation & Testing:
  • Updated README.md to document the new commands.
  • Added comprehensive unit tests for the new functionality in cmd/extensions_test.go.

Validation

• kernel extensions list correctly displays registered extensions.
• kernel extensions delete successfully removes an extension.
• kernel extensions download-web-store downloads and unpacks an extension correctly.
• kernel browsers extensions upload successfully installs an extension in a running browser.

^{Description generated by Mesa. Update settings}

[mesa-dot-dev]

Performed full review of c1e1cc6...5aec0a9

Analysis

1. CRITICAL SECURITY VULNERABILITY: The Unzip function in pkg/util/zip.go contains a directory traversal vulnerability. The current path validation approach is insufficient and could allow attackers to write files outside the intended directory when processing malicious zip files.

2. Improved Resource Management Needed: In cmd/extensions.go, the defer cleanup should use os.Remove(tmpName) directly in the defer function rather than the current implementation to ensure cleanup happens even during panic scenarios.

3. Consider Additional Security Measures: While the architecture includes some security considerations, additional validation may be needed beyond the CUID regex validation to fully secure extension management operations.

4. Test for Edge Cases: Ensure robust testing of error paths and edge cases, particularly around extension validation and zip/unzip functionality where security vulnerabilities were identified.

Tip

⚡ Quick Actions

This review was generated by Mesa.

Actions:

• Configure your agents

Slash Commands:

• /review - Request a full code review
• /review latest - Review only changes since the last review
• /describe - Generate PR description. This will update the PR body or issue comment depending on your configuration
• /help - Get help with Mesa commands and configuration options

^{9 files reviewed | 0 comments | Review on Mesa | Edit Reviewer Settings}

[Sayan-]

overall lgtm ^^

blocking merge until we can update the deps