feat(extension): add browser agent side panel #4164
Code Review Summary
Status: 5 Issues Found | Recommendation: Address before merge
Executive Summary: The new Firefox scripting fallback drops both eval timeouts and async-snippet support, so dangerous-mode executions can now hang indefinitely or fail on
Files Reviewed: 10 files
Previous Review Summaries (14 snapshots, latest commit 9eec7a8)
Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit 9eec7a8): 3 Issues Found | Recommendation: Address before merge. Executive Summary: Selected-tab context is still forwarding raw page title/URL into gateway requests, and the new Firefox install coverage adds two test-path regressions around cleanup and MV3 background-state assertions. Files Reviewed: 3 files.
Previous review (commit 3efee7c): 1 Issue Found | Recommendation: Address before merge. Executive Summary: The new selected-tab context snapshot now forwards raw page-controlled URL/title data to the gateway, which can leak sensitive URL state and weaken the prompt boundary around trusted context. Files Reviewed: 7 files.
Previous review (commit 3218fac): No Issues Found | Recommendation: Merge. Files Reviewed: 3 files.
Previous review (commit 5d7dced): No Issues Found | Recommendation: Merge. Files Reviewed: 2 files.
Previous review (commit 04ce1fc): No Issues Found | Recommendation: Merge. Files Reviewed: 1 file.
Previous review (commit 4ec7201): 1 Issue Found | Recommendation: Address before merge. Files Reviewed: 10 files.
Previous review (commit a701fb4): 1 Issue Found | Recommendation: Address before merge. Files Reviewed: 3 files.
Previous review (commit 447c633): 1 Issue Found | Recommendation: Address before merge. Files Reviewed: 3 files.
Previous review (commit f1e2c9f): 1 Issue Found | Recommendation: Address before merge. Files Reviewed: 4 files.
Previous review (commit 017f3ff): 1 Issue Found | Recommendation: Address before merge. Files Reviewed: 3 files.
Previous review (commit f6a652f): 2 Issues Found | Recommendation: Address before merge. Files Reviewed: 10 files.
Previous review (commit 946d4e7): 3 Issues Found | Recommendation: Address before merge. Files Reviewed: 5 files.
Previous review (commit b7354d1): 4 Issues Found | Recommendation: Address before merge. Files Reviewed: 7 files.
Previous review (commit 785e525): 4 Issues Found | Recommendation: Address before merge. Files Reviewed: 5 files.
Reviewed by gpt-5.4-20260305 · Input: 115K · Output: 14.7K · Cached: 534.5K · Review guidance: REVIEW.md from base branch
| readonly title: string; | ||
| readonly url: string; | ||
| }): string => | ||
| `<system_environment>\nSelected tab title: ${title}\nSelected tab URL: ${url}\nCurrent time: ${new Date().toISOString()}\nTimezone: ${new Intl.DateTimeFormat().resolvedOptions().timeZone}\n</system_environment>`; |
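Review bot: title and url are interpolated at full length in the template on the last line; page titles and URLs can run to many kilobytes, so cap both to a fixed budget (a few hundred characters is plenty for context) before building the block, in addition to the redaction already requested, otherwise one noisy tab inflates every gateway request.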
WARNING: Raw tab context is forwarded upstream without sanitization
This helper serializes the page-controlled tab title and full url into every gateway request. That can leak query-string tokens, magic-link parameters, email addresses, or other sensitive URL state to app.kilo.ai, and a crafted title like </system_environment> can also break the pseudo-XML wrapper you are using for trusted context. Please redact/sanitize these fields before attaching them to the prompt.
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
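One way to apply the redaction the comment above asks for, as an added example that is not part of the PR or the Kilo Code project: it strips credentials, query string and fragment from the URL, escapes angle brackets in the title so a crafted title cannot close the wrapper, and caps both fields. The MAX_* limits, the bracketed placeholders and the helper names are assumptions.

```typescript
// Added example, not the PR's code: redact and escape page-controlled tab
// context before it is embedded in the trusted <system_environment> block.
// MAX_* limits and the bracketed placeholders are assumptions.
const MAX_TITLE_CHARS = 200;
const MAX_URL_CHARS = 512;
const TAG = 'system_environment';

const tryParseUrl = (raw: string): URL | null => {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
};

// Neutralize characters that could close or forge the pseudo-XML wrapper.
const escapeForPrompt = (value: string): string =>
  value.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Keep only scheme, host and path: credentials, query string and fragment are
// where magic-link tokens, session ids and e-mail addresses usually live.
export const redactTabUrl = (raw: string): string => {
  const parsed = tryParseUrl(raw);
  if (parsed === null) return '[invalid url]';
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    // chrome://, file:, about: and data: URLs expose local state or content.
    return `[${parsed.protocol} url]`;
  }
  return `${parsed.protocol}//${parsed.host}${parsed.pathname}`.slice(0, MAX_URL_CHARS);
};

// Collapse whitespace and cap the length first, then escape, so the cut
// never lands inside an entity.
export const sanitizeTabTitle = (raw: string): string =>
  escapeForPrompt(raw.replace(/\s+/g, ' ').trim().slice(0, MAX_TITLE_CHARS));

export const buildSystemEnvironment = ({
  title,
  url,
}: {
  readonly title: string;
  readonly url: string;
}): string =>
  `<${TAG}>\nSelected tab title: ${sanitizeTabTitle(title)}\nSelected tab URL: ${redactTabUrl(url)}\nCurrent time: ${new Date().toISOString()}\n</${TAG}>`;
```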
| const { connectWithMaxRetries, findFreeTcpPort } = await loadWebExtFirefoxRemote(); | ||
| const port = await findFreeTcpPort(); | ||
| const userDataDir = await mkdtemp(join(tmpdir(), 'kilo-extension-firefox-e2e-')); | ||
| const context = await firefox.launchPersistentContext(userDataDir, { |
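Review bot: findFreeTcpPort() on the second line only probes for an unused port and does not hold it, so between that call and launchPersistentContext() on the fourth line another process can bind the same port and the Firefox remote connection will fail for reasons unrelated to the extension; retry the probe-and-launch pair on a bind failure, or at least include the chosen port in the error so the flake is recognisable in CI logs.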
WARNING: Temp Firefox profile directory is leaked when launch fails
userDataDir is created before launchPersistentContext(), but the try/finally only starts after this call succeeds. If Firefox fails to start, the profile directory is never removed and repeated failures can accumulate stale temp directories on CI or local machines.
| await remote.installTemporaryAddon(firefoxExtensionPath, false); | ||
| const addon = await remote.getInstalledAddon(extensionId); | ||
| expect(addon.backgroundScriptStatus).toBe('RUNNING'); |
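Review bot: the bare `false` passed as the second argument to installTemporaryAddon() on the first line is an unexplained literal; bind it to a named constant or add an inline comment stating which install option it turns off, so a reader does not have to open web-ext's remote client to understand what the test is opting out of.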
WARNING: backgroundScriptStatus is too strict for an MV3 Firefox install check
This assertion assumes the add-on's background context is always running immediately after install, but MV3 background workers can be idle even when the manifest is valid and the temporary add-on installed successfully. That makes this test flaky against correct Firefox builds.
| if (scriptingApi) { | ||
| return { | ||
| ok: true, | ||
| result: await evalInTabWithScripting({ |
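Review bot: the `ok: true` envelope on the second and third lines is only produced on success; if evalInTabWithScripting() rejects, the rejection escapes this branch instead of becoming an `ok: false` result, so callers see two different failure shapes from the same tool depending on the browser. Catch here and convert the error into the failure variant of the envelope, matching whatever the debugger-backed path returns.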
WARNING: Firefox eval requests drop the timeout contract
The Chrome debugger path still forwards request.timeoutMs, but the new Firefox scripting fallback ignores it entirely. That means the same dangerous-mode eval can time out cleanly in Chromium yet hang indefinitely in Firefox if the generated snippet loops or awaits something that never resolves. Keeping the existing timeout behavior in both backends avoids browser-specific stalls.
| const runInjectedEval = (code: string): unknown => | ||
| // eslint-disable-next-line eslint/no-new-func, typescript-eslint/no-implied-eval, typescript-eslint/no-unsafe-call | ||
| new Function(code)(); |
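Review bot: runInjectedEval returns the snippet's raw value as `unknown`; when this runs inside the page through the scripting API that value has to be serialized back to the extension, and DOM nodes, functions or other non-cloneable objects returned by a snippet will not survive the hop. Normalise the result inside the injected function (for example a JSON round-trip with a fallback to String()) so the caller gets a predictable shape in both browsers.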
WARNING: Firefox eval fallback no longer supports await inside snippets
evalInTab() wraps tool code in an async IIFE before evaluating it, so generated snippets can use await. This fallback executes the raw body with new Function(code)(), which turns any await ... snippet into a syntax error on Firefox even though the same code works in Chrome. The two execution paths need to preserve the same async semantics.
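A single execution helper that keeps both the timeout contract (the comment on request.timeoutMs) and the async-IIFE semantics (the comment on await) across backends, as an added example that is not the PR's code: EvalTimeoutError, compileSnippet and runSnippetWithTimeout are hypothetical names. A snippet cannot be cancelled once it has started, so the timeout bounds how long the caller waits, not how long the code runs.

```typescript
// Added example, not the PR's code: one execution helper for both backends.
// It wraps the snippet in an async IIFE (so `await` and `return` work) and
// bounds the wait with timeoutMs, mirroring request.timeoutMs from the review.
export class EvalTimeoutError extends Error {
  constructor(timeoutMs: number) {
    super(`snippet timed out after ${timeoutMs} ms`);
    this.name = 'EvalTimeoutError';
  }
}

// Compile the body as an async IIFE; a syntax error throws here, synchronously.
const compileSnippet = (code: string): (() => Promise<unknown>) =>
  // eslint-disable-next-line no-new-func
  new Function(`return (async () => {\n${code}\n})();`) as () => Promise<unknown>;

export const runSnippetWithTimeout = async (code: string, timeoutMs: number): Promise<unknown> => {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const deadline = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new EvalTimeoutError(timeoutMs)), timeoutMs);
  });
  try {
    // A compile error or a synchronous throw inside the snippet becomes a rejection here.
    const snippet = compileSnippet(code)();
    // A failure that arrives after the deadline must not surface as an unhandled rejection.
    snippet.catch(() => undefined);
    return await Promise.race([snippet, deadline]);
  } finally {
    // Always stop the timer; the snippet itself keeps running if it was still busy,
    // the timeout only bounds how long the caller waits for it.
    if (timer !== undefined) clearTimeout(timer);
  }
};
```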
Summary
Adds the new browser extension app under apps/extension, including a native Chrome side panel, Kilo auth, model loading, tab selection, dangerous-mode eval tooling through Chrome debugger, and a gateway-backed streaming LLM harness. The side panel includes compact Kilo-styled controls, virtualized conversation history, fixed shell scrolling, and E2E coverage for the core extension flows.
Verification
Manual verification not run; no manual browser screenshots were captured for this extension scaffold.
Visual Changes
N/A
Reviewer Notes
Review focus areas: Chrome extension permissions, debugger/eval execution path, streaming chat-completions parsing, auth-token validation, and the new WXT/Playwright package setup.