[kernel 715] add web bot auth docs

browsers/extensions.mdx

@@ -97,3 +97,54 @@ kernel browsers extensions upload <session_id> ./my-extension
 <Info>
 Note that this will restart the browser process and break any connections to the browser CDP URL.
 </Info>
+
+## Extensions requiring enterprise policies
+
+For a complete list of available extension settings and policies, refer to the [Chrome Enterprise Policy documentation](https://chromeenterprise.google/policies/extension-settings/).
+
+### Uploading extensions requiring enterprise policies
+
+Some Chrome extensions require elevated permissions that Chrome will only grant when the extension is installed via enterprise policies. These extensions cannot be loaded with the standard `--load-extension` flag and require special handling.
+
+### What are enterprise policy extensions?
+
+Extensions that require enterprise policies typically:
+
+- Use permissions like `webRequestBlocking` or `webRequest` with blocking capabilities
+- Need to intercept and modify network requests before they're sent
+- Require installation via Chrome's `ExtensionInstallForcelist` policy
+
+Common examples include extensions for network filtering, request signing, or advanced content modification.
+
+### Required files for upload
+
+When uploading an extension that requires enterprise policies to Kernel, your extension directory or zip file must include:
+
+1. **Extension source files** - Your `manifest.json` and all extension code (background scripts, content scripts, etc.)
+2. **`update.xml`** - A Chrome update manifest that points to the `.crx` file location
+3. **`.crx` file** - The signed and packed extension file
+
+<Info>
+The `.crx` file and `update.xml` are required for Kernel to serve the extension via Chrome's `ExtensionInstallForcelist` policy. If you're deploying extensions from the Chrome Web Store via `ExtensionInstallForcelist`, these files are optional since Chrome uses the Web Store's default update URL.
+</Info>
+
+### Automatic detection and validation
+
+Kernel automatically detects extensions that require enterprise policies by analyzing the `manifest.json` file during upload. No manual configuration is needed.
+
+**Detection process:**
+1. You upload an extension via CLI or API
+2. Kernel scans the `manifest.json` for permissions like `webRequestBlocking`
+3. If enterprise policies are required, Kernel validates the required files are present
+
+### How it works
+
+Once you successfully upload an enterprise policy extension, Kernel handles the rest automatically:
+
+1. **Upload** - You upload your extension with all required files
+2. **Detection** - Kernel detects the enterprise policy requirement from the manifest
+3. **Policy configuration** - Extension is automatically added to `ExtensionInstallForcelist`
+4. **File serving** - The kernel-images server serves update files at `http://127.0.0.1:10001/extensions/{extension-id}/update.xml`
+5. **Installation** - Chrome installs the extension via enterprise policy when the browser starts
+
+No additional HTTP server or manual policy configuration is needed. The extension works seamlessly in any browser session that it's uploaded to.

docs.json

@@ -136,7 +136,8 @@
                   "integrations/vercel/ai-sdk",
                   "integrations/vercel/marketplace"
                 ]
-              }
+              },
+              "integrations/web-bot-auth"
             ]
           },
           {
@@ -182,7 +183,8 @@
           "reference/cli/create",
           "reference/cli/auth",
           "reference/cli/browsers",
-          "reference/cli/apps"
+          "reference/cli/apps",
+          "reference/cli/extensions"
         ]
       },
       {

integrations/overview.mdx

@@ -28,7 +28,8 @@ Kernel provides detailed guides for popular agent frameworks:
 - **[Notte](/integrations/notte)** - AI agent framework for browser automation
 - **[Val Town](/integrations/valtown)** - Serverless function runtime
 - **[Vercel](https://github.com/onkernel/vercel-template)** - Deploy browser automations to Vercel
+- **[Web Bot Authentication](/integrations/web-bot-auth)** - Create signed Chrome extensions for web bot authentication
 
 ## Custom Integrations
 
-Kernel works with any tool that supports CDP. Check out our [browser creation guide](/browsers/create-a-browser) to learn how to connect any other agent framework.
+Kernel works with any tool that supports CDP. Check out our [browser creation guide](/browsers/create-a-browser) to learn how to connect any other agent framework.

integrations/web-bot-auth.mdx

@@ -0,0 +1,172 @@
+---
+title: "Web Bot Auth"
+description: "Cryptographically sign browser requests with Cloudflare's Web Bot Auth"
+---
+
+[Web Bot Auth](https://github.com/cloudflare/web-bot-auth) is Cloudflare's implementation of cryptographic authentication for automated web agents. It uses [RFC 9421 HTTP Message Signatures](https://datatracker.ietf.org/doc/html/rfc9421) to sign outgoing HTTP requests, allowing websites to verify the identity and integrity of bot traffic.
+
+By integrating Web Bot Auth with Kernel, your browser automations can cryptographically prove their identity to websites that support signature verification.
+
+## How it works
+
+Web Bot Auth works via a Chrome extension that intercepts all outgoing HTTP requests and adds cryptographic signature headers:
+
+- **`Signature`**: The RFC 9421 signature of the request
+- **`Signature-Input`**: Metadata about how the signature was created
+
+Websites can verify these signatures against your public key to confirm the request came from your authenticated agent.
+
+## Quick Start with Test Key
+
+The fastest way to get started is using Cloudflare's RFC9421 test key, which works with their [test verification site](https://http-message-signatures-example.research.cloudflare.com/).
+
+### 1. Build the extension
+
+Use the Kernel CLI to build the Web Bot Auth extension:
+
+```bash
+kernel extensions build-web-bot-auth --to ./web-bot-auth-ext --upload my-web-bot-auth
+```
+
+This command:
+- Downloads Cloudflare's web-bot-auth browser extension source
+- Builds it with the default RFC9421 test key
+- Uploads it to Kernel as `my-web-bot-auth`
+
+<Info>
+The build command requires Node.js and npm to be installed on your system.
+</Info>
+
+### 2. Create a browser with the extension
+
+<CodeGroup>
+```bash CLI
+# Create a browser with the web-bot-auth extension
+kernel browsers create --extension my-web-bot-auth
+
+# The command outputs the browser ID and live view URL
+# Open the live view URL in your browser, then navigate to:
+# https://http-message-signatures-example.research.cloudflare.com/
+```
+
+```typescript TypeScript
+import { Kernel } from "@onkernel/sdk";
+import { chromium } from "playwright";
+
+const kernel = new Kernel();
+
+// Create browser with web-bot-auth extension
+const browser = await kernel.browsers.create({
+  extensions: [{ name: "my-web-bot-auth" }],
+});
+
+// Connect via Playwright
+const pw = await chromium.connectOverCDP(browser.browser_url);
+const context = pw.contexts()[0];
+const page = context?.pages()[0] || await context.newPage();
+
+// Navigate to a page - requests will be automatically signed
+await page.goto("https://http-message-signatures-example.research.cloudflare.com/");
+```
+
+```python Python
+from kernel import Kernel
+from playwright.sync_api import sync_playwright
+
+kernel = Kernel()
+
+# Create browser with web-bot-auth extension
+browser = kernel.browsers.create(extensions=[{"name": "my-web-bot-auth"}])
+
+# Connect via Playwright
+with sync_playwright() as p:
+    pw = p.chromium.connect_over_cdp(browser.browser_url)
+    context = pw.contexts[0]
+    page = context.pages[0] if context.pages else context.new_page()
+
+    # Navigate to a page - requests will be automatically signed
+    page.goto("https://http-message-signatures-example.research.cloudflare.com/")
+```
+
+</CodeGroup>
+
+### 3. Verify it's working
+
+Navigate to Cloudflare's test site to verify your signatures are being accepted:
+
+```
+https://http-message-signatures-example.research.cloudflare.com/
+```
+
+This site validates requests signed with the RFC9421 test key and shows whether the signature was verified successfully.
+
+## Using Your Own Keys
+
+For production use, you'll want to use your own signing keys instead of the test key.
+
+### 1. Generate an Ed25519 key pair
+
+Create a JWK file with your Ed25519 private key. The key must include both the public (`x`) and private (`d`) components:
+
+```json my-key.jwk
+{
+  "kty": "OKP",
+  "crv": "Ed25519",
+  "x": "YOUR_PUBLIC_KEY_BASE64URL",
+  "d": "YOUR_PRIVATE_KEY_BASE64URL"
+}
+```
+
+<Info>
+See [Cloudflare's web-bot-auth documentation](https://github.com/cloudflare/web-bot-auth) for tools to generate Ed25519 key pairs.
+</Info>
+
+### 2. Build with your key
+
+```bash
+kernel extensions build-web-bot-auth --to ./web-bot-auth-ext --key ./my-key.jwk --upload my-web-bot-auth
+```
+
+### 3. Host your public key
+
+For websites to verify your signatures, you need to host your public key at a well-known URL. Create a key directory at:
+
+```
+https://yourdomain.com/.well-known/http-message-signatures-directory
+```
+
+The directory should contain your public keys in JWKS format:
+
+```json
+{
+  "keys": [
+    {
+      "kty": "OKP",
+      "crv": "Ed25519",
+      "x": "YOUR_PUBLIC_KEY_BASE64URL",
+      "kid": "YOUR_KEY_ID"
+    }
+  ],
+  "purpose": "your-bot-purpose"
+}
+```
+
+### 4. Register with Cloudflare (optional)
+
+If you want Cloudflare-protected sites to recognize your bot, you can register your key directory with Cloudflare:
+
+1. Log into the Cloudflare dashboard
+2. Navigate to **Manage Account > Configurations**
+3. Select the **Bot Submission Form** tab
+4. Choose **Request Signature** as the verification method
+5. Enter your key directory URL
+
+See [Cloudflare's Web Bot Auth documentation](https://developers.cloudflare.com/bots/reference/bot-verification/web-bot-auth/) for complete details.
+
+## References
+
+- [Web Bot Auth GitHub Repository](https://github.com/cloudflare/web-bot-auth)
+- [Cloudflare Web Bot Auth Documentation](https://developers.cloudflare.com/bots/reference/bot-verification/web-bot-auth/)
+- [RFC 9421 - HTTP Message Signatures](https://datatracker.ietf.org/doc/html/rfc9421)
+- [Cloudflare Test Verification Site](https://http-message-signatures-example.research.cloudflare.com/)
+- [Web Bot Auth Architecture Draft](https://thibmeu.github.io/http-message-signatures-directory/draft-meunier-web-bot-auth-architecture.html)

reference/cli.mdx

@@ -37,6 +37,9 @@ kernel --version
   <Card icon="rocket" title="Apps" href="/reference/cli/apps">
     Deploy apps, invoke actions, and stream logs.
   </Card>
+  <Card icon="puzzle-piece" title="Extensions" href="/reference/cli/extensions">
+    Upload, download, and build browser extensions.
+  </Card>
   <Card icon="code-fork" title="MCP" href="/reference/cli/mcp">
     Install Kernel MCP server configuration for AI tools.
   </Card>