feat: add browser extension ref-impl

[decofe]

Minimal WXT-based browser extension foundation under ref-impls/extension. Injects Provider.create() onto web apps the user visits and routes fallback RPC calls through a background service worker to avoid CSP issues.

Architecture

inpage.ts (MAIN world)        content.ts (ISOLATED)        background.ts (Service Worker)
┌───────────────────┐         ┌──────────────┐             ┌─────────────────┐
│ Provider.create() │ postMsg │              │  Port msg   │                 │
│ window.ethereum   │────────►│    relay     │────────────►│  fetch() → RPC  │
│ EIP-6963          │◄────────│              │◄────────────│  (CSP-free)     │
└───────────────────┘ postMsg └──────────────┘  Port msg   └─────────────────┘

Changes

• entrypoints/inpage.ts: unlisted script injected into MAIN world — creates provider, sets window.ethereum, EIP-6963 announced internally by the SDK
• entrypoints/content.ts: ISOLATED world content script — injects inpage via injectScript() for cross-browser compat, relays messages between page and background
• entrypoints/background.ts: service worker that proxies RPC reads to rpc.tempo.xyz
• lib/Messenger.ts: typed message schema shared across all three contexts

Cross-browser

Uses WXT's injectScript() instead of world: 'MAIN' so it works on both Chrome (MV3) and Firefox (MV2). Verified both build cleanly.

Prompted by: jxom

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	wxt@​0.20.20

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm linkedom is 92.0% likely obfuscated Confidence: 0.92 Location: Package overview From: pnpm-lock.yaml → npm/wxt@0.20.20 → npm/linkedom@0.18.12 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/linkedom@0.18.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/tempoxyz/accounts@104

commit: 8691b28

[github-actions]

🧩 Extension Builds

Browser	Artifact
Chrome	tempo-wallet-chrome
Firefox	tempo-wallet-firefox

Install instructions

Chrome:

1. Download and unzip tempo-wallet-chrome
2. Go to chrome://extensions
3. Enable "Developer mode"
4. Click "Load unpacked" and select the unzipped folder

Firefox:

1. Download and unzip tempo-wallet-firefox
2. Go to about:debugging#/runtime/this-firefox
3. Click "Load Temporary Add-on"
4. Select any file in the unzipped folder

[github-actions]

Worker	Preview
Playground	https://9c261b1a-accounts-playground.porto.workers.dev

[github-actions]

Worker	Preview
Wagmi	https://f1e37cfa-accounts-wagmi.porto.workers.dev