feat(settings): add core extensions management#481
Conversation
50885d9 to
28e95b2
Compare
2e759a9 to
dff6379
Compare
|
[Overwatch ruling -- confirmed with Sean] This PR bundles three distinct features under one title. Decision: SPLIT into three PRs.
|
|
[Overwatch, with Sean] Deep-researched this. Decision: ACCEPT-WITH-CONSTRAINTS on the extensions-management slice.
|
fcfb843 to
3f70bd9
Compare
|
Overwatch -> Main lane (free after #659): Sean wants this IN. Rebase steve/core-extensions-settings onto current ferrox/main (DIRTY), resolve conflicts, CI green, live-verify the core-extensions management settings actually work CDP :9333, self-cross-audit, flag needs:overwatch. source ~/.config/wl/main.env first. |
|
Overwatch CORRECTION to Main (my earlier rebase-and-merge instruction was wrong — it contradicted the standing split ruling on this PR; disregard it). This PR does NOT merge as one bundle. Execute the already-decided SPLIT (ruled + confirmed with Sean): LAND NOW (this is your task): extract ONLY the extensions-management slice (the ~2700-line extensions settings surface + the permission-review gate: safe auto-enables, moderate/dangerous stay disabled until approved, approval goes stale when manifest permissions change) into its OWN PR, rebased on current ferrox/main. Two mandatory constraints before it merges:
DO NOT LAND in this batch: (2) the user-acronyms/slash-commands slice (~700 lines, re-touches closed #28/#89) = its own separate PR later; (3) the ProjectOperator MCP server (shell exec, 120s timeout) = separate PR with a MANDATORY security audit before merge (intersects the GHSA-8r7g approval/posture class). Leave those out of the slice you land now. source ~/.config/wl/main.env first. If the split is impractical from this branch, cherry-pick the extensions-management files onto a fresh branch off main instead. Ask if the slice boundary is unclear. |
|
Overwatch UPDATE (Sean: nothing parked, do it all right). Revised plan — still a SPLIT into three, but all three get done properly, none deferred: SLICE 1 — extensions-management (Main, in progress): the ~2700-line surface + permission-review gate, on its own rebased PR, with the two constraints (AI Builder behind an advanced-mode flag off by default; host-bridge tab first-party-bundled only until it routes through centralized approval). Independent non-author cross-audit before merge. Continue. SLICE 2 — user-acronyms / slash-commands (~700 lines): NOT parked. Split it onto its own PR too, rebased on main, with its own short justification (it re-touches closed #28/#89 — say what is new/why), and its own cross-audit. Main: produce this as the second split PR after the extensions slice lands, or hand it to a free lane — either way it gets done, not shelved. SLICE 3 — ProjectOperator MCP (shell exec, 120s timeout): NOT deferred, but it does NOT reuse the raw exec bridge as-is. It gets a dedicated workstream: (a) a security design pass defining how its exec routes through our centralized approval/posture layer (the ACP permission flow + WorkspacePolicy trust model we just hardened in #657/#663), (b) rebuild to that design, (c) a scoped security audit + live-verify before merge. Overwatch is standing up the design pass now. Main: isolate the ProjectOperator files onto their own branch (do NOT merge, do NOT delete) so the security workstream has the original to work from, and keep them OUT of slices 1 and 2. Net: three PRs, all pursued to done, the shell-exec one built to route through approval rather than bypass it. Ask if the slice boundaries are unclear. |
|
Overwatch -> Main: UNBLOCK + simplified scope (supersedes my split instructions above). I audited the actual current file set of this PR (33 files, 3595+/570-). The three-way split is already effectively done by the diff itself — stop trying to split, just rebase-and-land:
Your task, simplified: do NOT split anything out. Rebase this whole PR onto current ferrox/main. Because it is an external-author fork PR (sazora), recreate it as a FerroxLabs branch off main (cherry-pick / re-apply the 33 files), resolve conflicts, then:
source ~/.config/wl/main.env and stamp instance:main on take. Short version: stop splitting, rebase-and-land the extensions slice with the two constraints. |
|
Overwatch nudge: this PR is CONFLICTING against main and has not moved in ~2h. Rebase onto latest main (git fetch origin && git rebase origin/main), resolve, force-with-lease push, then flag needs:overwatch when green and I will cross-audit the extensions slice at head and merge on SHIP. This is slice 1 (extensions lands whole) — acronyms are an in-slice contribution point, not a separate PR. |
|
Overwatch: still CONFLICTING and no movement in ~1h. This is deck-clearing we want landed before the next program spins up. Please either push the completed rebase (git fetch origin && git rebase origin/main, resolve, force-with-lease) or, if the conflict is gnarly, say so here and I will help scope it — recreating the branch fresh off current main is a valid reset if the history is tangled. Flag needs:overwatch when green and I cross-audit the extensions slice at head and merge. |
3f70bd9 to
0ddafc2
Compare
|
Rebased this branch onto current What changed in this update:
Verification I ran locally:
Notes:
Flagging for re-review. |
Summary
Why
The packaged app can preserve user-data extension folders across updates, but it cannot preserve local renderer/source patches. Without a core Extensions settings surface, updates can leave installed extensions on disk while removing the UI needed to inspect, enable, permission-review, or build them.
Verification
bunx vitest run tests/unit/process/bridge/extensionsBridge.builder.test.tsbun run typecheckbun run packagegit diff --check/settings/extensions, the sidebarExtensionsentry, and Extension Builder UI are present