🌍 archetype: browser-extension

Ship a Chrome / Firefox extension without store rejection.

Building a Chrome / Firefox / Edge / Safari extension on Manifest V3? GreatCTO auto-detects the browser-extension archetype and ships permission-justification audit, CSP enforcement, host_permissions minimization, and cross-browser API divergence gates from day one.

$ npx great-cto init Back to home ↗

What you avoid

The 5 extension bugs that get you delisted.

Without GreatCTO

☐host_permissions: [""] — Chrome rejects
☐Inline script in popup — CSP violation
☐webRequest blocking still in code — MV3 incompatible
☐Permissions justification missing — store delays 2 wk
☐Logs user URLs to remote — privacy violation
☐Delisted · re-review · revenue gone.

With GreatCTO

✓web-store-reviewer audits manifest.json pre-submit
✓host_permissions minimized + activeTab pattern
✓CSP enforced · no inline · no eval · MV3-clean
✓Permission justification doc auto-generated
✓No PII / browsing history sent to servers
✓Pass review on first attempt · stay listed.

Auto-applied gates

Detected: `manifest.json` with `manifest_version: 3` →
browser-extension archetype.

Compliance auto-suggested: csp · mv3-security · gdpr. Specialist agents activated:

01 · web-store-reviewer

Store policy audit

Validates manifest.json against Chrome / Firefox / Edge / Safari policies. Generates threat model with permissions justification, host_permissions audit, CSP enforcement, cross-browser API divergence.

02 · security-officer

CSP + DOM XSS

Content Security Policy hardening · inline-script blocking · DOM-based XSS detection · message-passing trust boundaries between content / background / popup.

03 · code-reviewer

12-angle review

Cross-browser API divergence (chrome.* vs browser.*) · service worker lifecycle · message-passing race conditions · storage.local quota.

04 · senior-dev

TDD with playwright

E2E in headless Chrome / Firefox · permissions tested · upgrade path from MV2 → MV3 verified.