@rgarcia rgarcia commented Dec 1, 2025

Summary

Adds support for building Cloudflare's Web Bot Auth browser extension directly from the Kernel CLI.

  • New command: kernel extensions build-web-bot-auth
    • Downloads web-bot-auth repo from GitHub
    • Builds the Chrome extension with configurable Ed25519 signing key
    • Defaults to RFC9421 test key (works with Cloudflare's test site)
    • Optional --upload flag to upload directly to Kernel
  • Test script: scripts/test-web-bot-auth.ts for verifying the extension works

Usage

# Build with default test key
kernel extensions build-web-bot-auth --to ./web-bot-auth-ext

# Build with custom key and upload
kernel extensions build-web-bot-auth --to ./web-bot-auth-ext --key ./my-key.jwk --upload

# Build with custom name
kernel extensions build-web-bot-auth --to ./web-bot-auth-ext --upload --name my-company-bot

Test plan

  • Built and tested the command locally
  • Verified extension uploads successfully to Kernel
  • Manual test: create browser with extension and verify signatures on Cloudflare test site

mesa-dot-dev bot commented Dec 1, 2025

Mesa Description

Summary

Adds support for building Cloudflare's Web Bot Auth browser extension directly from the Kernel CLI.

  • New command: kernel extensions build-web-bot-auth
    • Downloads web-bot-auth repo from GitHub
    • Builds the Chrome extension with configurable Ed25519 signing key
    • Defaults to RFC9421 test key (works with Cloudflare's test site)
    • Optional --upload flag to upload directly to Kernel
  • Test script: scripts/test-web-bot-auth.ts for verifying the extension works

Usage

# Build with default test key
kernel extensions build-web-bot-auth --to ./web-bot-auth-ext

# Build with custom key and upload
kernel extensions build-web-bot-auth --to ./web-bot-auth-ext --key ./my-key.jwk --upload

# Build with custom name
kernel extensions build-web-bot-auth --to ./web-bot-auth-ext --upload --name my-company-bot

Why we made these changes

This feature allows users to build Cloudflare's Web Bot Auth browser extension directly from the Kernel CLI, streamlining the process of creating and deploying custom browser extensions for bot authentication. This enhances the utility of the Kernel CLI for managing browser-based automation and security.

What changed?

  • cmd/extensions.go:
    • Added extensions build-web-bot-auth command to automate building the Web Bot Auth browser extension.
    • Implemented logic for dependency verification, Ed25519 signing key management, source repository download and extraction, npm install and npm run build execution, file copying, and optional upload to Kernel.
    • Introduced extractTarGz and copyFile helper functions.
  • scripts/test-web-bot-auth.ts:
    • Added a new TypeScript script to test the web-bot-auth extension with Kernel browsers.
    • Verifies HTTP message signature acceptance on a Cloudflare test site.
    • Includes debugging features (screenshots, live view URLs), error handling, and resource cleanup.

Validation

  • Built and tested the command locally
  • Verified extension uploads successfully to Kernel
  • Manual test: create browser with extension and verify signatures on Cloudflare test site

Description generated by Mesa.

@mesa-dot-dev mesa-dot-dev bot left a comment

Performed full review of 5d277a1...2b0dc71

Analysis

  1. Path Traversal Protection Bug: Security vulnerability in the extractTarGz function where the condition incorrectly rejects the destination directory itself, causing extraction failures.

  2. Resource Leakage: Test script calls process.exit(1) in catch blocks, preventing the execution of cleanup code in finally blocks, potentially leaking browser resources.

  3. Context Management Issues: HTTP downloads use http.Get() instead of context-aware requests, preventing proper timeout and cancellation handling.

  4. Error Handling Gaps: Several error conditions are silently ignored, including directory read errors that could mask permission issues while proceeding with incorrect assumptions.

  5. External Dependencies Risk: Build process relies on GitHub availability and npm toolchain with a hardcoded reference to the 'main' branch, creating stability risks without version pinning or integrity verification.

2 files reviewed | 0 comments
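
Added example, not code from this PR or from the review above: the first analysis item concerns a containment check in extractTarGz that rejects the destination directory itself. One way to write that check in Go so that an entry resolving to the destination (such as "./") passes while entries resolving outside it fail. The names safeJoin and planExtraction are hypothetical, and the block only validates entry paths before anything is written.

```go
package main

import (
	"archive/tar"
	"compress/gzip"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// safeJoin maps a tar entry name to a path under dest. A name that resolves to
// dest itself (such as "./") is allowed; one that resolves outside it is not.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("tar entry %q escapes %q", name, dest)
	}
	return target, nil
}

// planExtraction reads a .tar.gz stream and returns the path each directory or
// regular file would be written to. Symlinks and other entry types are skipped.
func planExtraction(r io.Reader, dest string) ([]string, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	var targets []string
	for tr := tar.NewReader(gz); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return targets, nil
		} else if err != nil {
			return nil, err
		}
		if hdr.Typeflag == tar.TypeDir || hdr.Typeflag == tar.TypeReg {
			target, err := safeJoin(dest, hdr.Name)
			if err != nil {
				return nil, err // fail closed on the first escaping entry
			}
			targets = append(targets, target)
		}
	}
}

func main() {
	fmt.Println(safeJoin("ext", "../outside")) // constructed entry name
}
```

Comparing the relative path rather than a raw string prefix also rejects a sibling directory whose name merely starts with the destination's name.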

Add a new `kernel extensions build-web-bot-auth` command that:
- Downloads Cloudflare's web-bot-auth browser extension from GitHub
- Builds it with a configurable Ed25519 signing key (defaults to RFC9421 test key)
- Optionally uploads the built extension to Kernel

Also adds a test script (scripts/test-web-bot-auth.ts) for verifying the
extension works against Cloudflare's test site.
@rgarcia rgarcia force-pushed the raf/kernel-508-web-bot-auth branch from 2b0dc71 to e271fbc Compare December 2, 2025 00:09
@rgarcia rgarcia marked this pull request as draft December 2, 2025 00:35