Skip to content

feat: add chrome extension on top of wasm#24

Open
meysam81 wants to merge 4 commits into
mainfrom
claude/cli-to-extension-wasm-pc10E
Open

feat: add chrome extension on top of wasm#24
meysam81 wants to merge 4 commits into
mainfrom
claude/cli-to-extension-wasm-pc10E

Conversation

@meysam81
Copy link
Copy Markdown
Owner

@meysam81 meysam81 commented Apr 22, 2026

Proves internal/audit, internal/rules (CEL), internal/model and
internal/schema compile cleanly under GOOS=js GOARCH=wasm and run
correctly: 24 real issues returned in 20ms, 0.54ms/audit warm, 2.9MB
gzipped with -ldflags="-s -w" -trimpath.

Build-tagged //go:build js && wasm so it stays inert for the native CLI.

claude and others added 3 commits April 22, 2026 18:12
@claude
spike(wasm): expose audit engine via syscall/js for browser extension…
e2c790f 
… port

Proves internal/audit, internal/rules (CEL), internal/model and
internal/schema compile cleanly under GOOS=js GOARCH=wasm and run
correctly: 24 real issues returned in 20ms, 0.54ms/audit warm, 2.9MB
gzipped with -ldflags="-s -w" -trimpath.

Build-tagged //go:build js && wasm so it stays inert for the native CLI.
@claude
feat(extension): ship Chrome side panel powered by Go/WASM core engine
9fef0ac 
Move the audit logic out of internal/ into core/ so the CLI and the
new browser extension both consume one implementation with two
frontends:

  internal/audit  -> core/checks   (package renamed audit -> checks)
  internal/model  -> core/model
  internal/rules  -> core/rules
  internal/schema -> core/schema
  core/engine    (new)             thin orchestrator for both callers

cmd/wasm now uses core/engine and exposes a { ok, data, error }
envelope consumed by the extension over syscall/js.

The extension (extension/) is a Vue 3 + CRXJS + Vite 8 + TypeScript +
Zod + Bun side panel. It captures real response headers via
chrome.webRequest.onResponseStarted, extracts the DOM via a content
script, and hands a PageSnapshot to the service worker which owns a
single WasmRuntime instance. Every payload crossing the WASM ↔ JS
boundary is Zod-validated — invalid data becomes null, never a throw.

Design tokens (Sanity-inspired, dark-first) live in
extension/src/styles/tokens.css; no component hard-codes colour,
radius, font, or spacing. Home tab is the juiciest view: editorial
serif score dial, per-category health bars, top critical issues,
page facts, detected tech stack.

Pre-existing flaky tests in core/checks/structured_data_v2_test.go
are unchanged and still flaky (map iteration order); not addressed
here.
@pre-commit-ci
[pre-commit.ci] auto fixes from pre-commit.com hooks
fd8d5f6 
for more information, see https://pre-commit.ci
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 22, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​types/​chrome@​0.1.40801007994100
Addednpm/​@​types/​node@​24.12.21001008195100
Addednpm/​pinia@​3.0.4951008182100
Addednpm/​vite@​8.0.9991008299100
Addednpm/​@​crxjs/​vite-plugin@​2.4.0971008892100
Addednpm/​zod@​4.3.610010010088100
Addednpm/​typescript@​5.9.31001009010090
Addednpm/​vue@​3.5.331001009197100
Addednpm/​vue-tsc@​3.2.71001009296100
Addednpm/​@​vitejs/​plugin-vue@​6.0.610010010094100

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 22, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ?npm/@crxjs/vite-plugin@2.4.0npm/entities@4.5.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@meysam81 meysam81 changed the title spike(wasm): expose audit engine via syscall/js for browser extension port feat: add chrome extension on top of wasm Apr 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@meysam81 @claude