Skip to content

feat(store): AI auto-ingest from .crx + security scan publish gate#38

Merged
ralyodio merged 1 commit into
mainfrom
store-crx-autoingest
Jul 5, 2026
Merged

feat(store): AI auto-ingest from .crx + security scan publish gate#38
ralyodio merged 1 commit into
mainfrom
store-crx-autoingest

Conversation

@ralyodio

@ralyodio ralyodio commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

No more forms — point the store at a .crx URL and it fills the listing and gates on a security scan.

What

  • Auto-ingest (services/api/src/store/crx.ts): parse a CRX2/CRX3 (Cr24 header + zip) → manifest.json + icons. Auto-derives name, summary, description, version, permissions, and the logo (largest icon → data: URI).
  • Security scan gate (services/api/src/store/scanner.ts): the engine is ported from ugig.net's BuiltInScanner/CompositeScanner, tuned for browser extensions — the raw skill ruleset flags things every extension legitimately does (fetch, globalThis, atob, base64, hex escapes in bundled @noble crypto), so those are advisory (high/medium) and only critical (pipe-to-shell, rm -rf /, ssh-key paths, bundled native binaries) blocks. Also flags broad host access + sensitive permissions. A listing is green iff there are no critical findings. Optional SecureClaw/vu1nz enrichment stays behind SECURECLAW_API_KEY.
  • Endpoints: POST /api/store/extensions/ingest returns the auto-filled listing + scan verdict; version-submit now gates on a green .crx scan (422 on critical) and stores the result for the store badge.
  • Frontend: renders the logo (was initials-only) in cards + detail; the submit page gets a "paste your .crx → auto-fill + scan" flow that populates every field and keeps Publish disabled until the scan is green; Source / homepage (GitHub/GitLab) field.

Verify

services/api: 27 tests pass (crx parse; scanner: green-for-legit-extension, block-on-critical, bundled-binary, advisory-eval, permission flags), tsc clean. Validated end-to-end against the real CoinPay Wallet .crx → ingests name/version/permissions/icon and scans green.

Notes for maintainers

  • Gate strictness is deliberately critical-only so legit extensions (incl. the CoinPay one already live) aren't blocked — easy to dial up in scanner.ts if you want high to block too.
  • Icons are inlined as data: URIs; if the store page CSP restricts img-src, add data: for the logos to render.

🤖 Generated with Claude Code

Publishers shouldn't fill out forms — point the store at a .crx URL and it
does the rest:

- crx.ts: parse a CRX2/CRX3 (Cr24 header + zip) → manifest.json + icons.
  Auto-derives name, summary, description, version, permissions, and the
  logo (largest icon as a data: URI).
- scanner.ts: security scan ported from ugig.net's BuiltInScanner/Composite
  engine, TUNED for browser extensions — high/medium are advisory; only
  `critical` (pipe-to-shell, rm -rf /, ssh-key paths, bundled native
  binaries) BLOCKS. Also flags broad host access + sensitive permissions.
  A listing is `green` (publishable) iff there are no critical findings.
  SecureClaw/vu1nz enrichment stays optional behind SECURECLAW_API_KEY.
- routes: POST /extensions/ingest (auth) returns the auto-filled listing +
  scan verdict; version-submit now GATES on a green .crx scan (422 on
  critical) and stores the result for the store badge.
- frontend: render the logo (was initials-only) in cards + detail; submit
  page gets a "paste your .crx → auto-fill + scan" flow that populates every
  field and disables publish until the scan is green; "Source / homepage
  (GitHub/GitLab)" field.

27 tests pass (crx + scanner incl. green-for-legit / block-on-critical),
tsc clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

vu1nz Security Review

0 finding(s) in PR #?

No security issues found.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedfflate@​0.8.310010010083100

View full report

@ralyodio ralyodio merged commit d99f632 into main Jul 5, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant