fix: remove invalid webRequestBlocking permission from web-bot-auth build

The web-bot-auth extension build was failing to load in Chrome because
the upstream source contains "webRequestBlocking" permission which is
not valid in Manifest V3.

Changes:
- Clean up package-lock.json and node_modules before npm install to
  avoid optional dependency resolution bugs
- Fix source manifest.json BEFORE running npm build:chrome so the
  resulting .crx file has valid MV3 permissions
- Also fix the unpacked manifest in the output directory

The webRequestBlocking permission was silently rejected by Chrome when
the extension was installed via enterprise policy, causing the extension
to not load at all.

Author: rgarcia

pkg/extensions/webbotauth.go

@@ -3,6 +3,7 @@ package extensions
 import (
 	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
@@ -286,6 +287,14 @@ func buildWebBotAuthExtension(ctx context.Context, browserExtDir, hostURL, keyDa
 	extractedDir := filepath.Dir(filepath.Dir(browserExtDir))
 
 	// Install dependencies
+	// Clean up package-lock.json and node_modules first to avoid npm optional dependency bug
+	// See: https://github.com/npm/cli/issues/4828
+	pterm.Info.Println("Cleaning up any existing npm artifacts...")
+	packageLockPath := filepath.Join(extractedDir, "package-lock.json")
+	nodeModulesPath := filepath.Join(extractedDir, "node_modules")
+	_ = os.Remove(packageLockPath)
+	_ = os.RemoveAll(nodeModulesPath)
+
 	pterm.Info.Println("Installing dependencies (this may take a minute)...")
 	npmInstall := exec.CommandContext(ctx, "npm", "install")
 	npmInstall.Dir = extractedDir
@@ -305,6 +314,15 @@ func buildWebBotAuthExtension(ctx context.Context, browserExtDir, hostURL, keyDa
 		return "", fmt.Errorf("npm run build (workspaces) failed: %w", err)
 	}
 
+	// Fix source manifest.json to remove invalid MV3 permissions BEFORE building
+	// This must happen before npm run build:chrome so the .crx will have valid permissions
+	// The source manifest is at platform/mv3/chromium/manifest.json
+	sourceManifestDir := filepath.Join(browserExtDir, "platform", "mv3", "chromium")
+	pterm.Info.Println("Fixing source manifest for MV3 compatibility...")
+	if err := fixManifestPermissions(sourceManifestDir); err != nil {
+		return "", fmt.Errorf("failed to fix source manifest: %w", err)
+	}
+
 	// Build the extension
 	pterm.Info.Println("Building extension...")
 	npmBuild := exec.CommandContext(ctx, "npm", "run", "build:chrome")
@@ -393,6 +411,68 @@ func injectJWKIntoBackgroundTs(backgroundTsPath, jwkData string) error {
 	return nil
 }
 
+// fixManifestPermissions removes invalid MV3 permissions from manifest.json
+// The upstream web-bot-auth extension has "webRequestBlocking" which is not valid in MV3
+func fixManifestPermissions(outputDir string) error {
+	manifestPath := filepath.Join(outputDir, "manifest.json")
+
+	data, err := os.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("failed to read manifest.json: %w", err)
+	}
+
+	var manifest map[string]interface{}
+	if err := json.Unmarshal(data, &manifest); err != nil {
+		return fmt.Errorf("failed to parse manifest.json: %w", err)
+	}
+
+	// Check for and remove invalid MV3 permissions
+	invalidPermissions := []string{"webRequestBlocking"}
+	modified := false
+
+	if permissions, ok := manifest["permissions"].([]interface{}); ok {
+		var validPermissions []interface{}
+		for _, perm := range permissions {
+			permStr, ok := perm.(string)
+			if !ok {
+				validPermissions = append(validPermissions, perm)
+				continue
+			}
+
+			isInvalid := false
+			for _, invalid := range invalidPermissions {
+				if permStr == invalid {
+					isInvalid = true
+					pterm.Warning.Printf("Removing invalid MV3 permission: %s\n", permStr)
+					modified = true
+					break
+				}
+			}
+			if !isInvalid {
+				validPermissions = append(validPermissions, perm)
+			}
+		}
+		manifest["permissions"] = validPermissions
+	}
+
+	if !modified {
+		return nil
+	}
+
+	// Write back the fixed manifest with proper formatting
+	fixedData, err := json.MarshalIndent(manifest, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal fixed manifest: %w", err)
+	}
+
+	if err := os.WriteFile(manifestPath, fixedData, defaultFileMode); err != nil {
+		return fmt.Errorf("failed to write fixed manifest: %w", err)
+	}
+
+	pterm.Success.Println("Fixed manifest.json for MV3 compatibility")
+	return nil
+}
+
 // copyExtensionArtifacts copies built extension files to the output directory
 func copyExtensionArtifacts(browserExtDir, outputDir string) error {
 	pterm.Info.Println("Copying extension files to output directory...")
@@ -418,6 +498,11 @@ func copyExtensionArtifacts(browserExtDir, outputDir string) error {
 		}
 	}
 
+	// Fix manifest.json to remove invalid MV3 permissions
+	if err := fixManifestPermissions(outputDir); err != nil {
+		return fmt.Errorf("failed to fix manifest permissions: %w", err)
+	}
+
 	updateXMLSrc := filepath.Join(browserExtDir, "dist", "web-ext-artifacts", "update.xml")
 	updateXMLDst := filepath.Join(outputDir, "update.xml")
 	if err := util.CopyFile(updateXMLSrc, updateXMLDst); err != nil {