feat: add downloadable extensions support

[yujonglee]

Summary

This PR adds the ability to download and install extensions from a central registry hosted on Cloudflare R2. The implementation includes:

CI/CD Changes:

• Updated extensions_cd.yaml to package extensions into versioned zip archives
• Added registry.json generation with extension metadata (id, name, version, checksum, download URL)
• Added optional R2 upload step (triggered via publish input flag)

Backend (Rust):

• Added fetch_registry command to retrieve available extensions from R2
• Added download_extension command with SHA-256 checksum verification and zip extraction
• Added uninstall_extension command to remove installed extensions
• New error types for network, checksum mismatch, and zip extraction failures

Frontend:

• Added "Store" tab in Extensions view alongside "Installed" tab
• New store.tsx component showing available extensions with install/uninstall buttons
• Loading states and error handling for registry fetch and install operations

Review & Testing Checklist for Human

• Verify R2 bucket configuration: The workflow expects hyprnote-extensions bucket and secrets (CLOUDFLARE_R2_ENDPOINT_URL, CLOUDFLARE_R2_ACCESS_KEY_ID, CLOUDFLARE_R2_SECRET_ACCESS_KEY). Confirm these exist or update accordingly.
• Test the workflow manually: Run extensions_cd.yaml with publish: false first to verify packaging and registry generation work correctly before enabling R2 uploads.
• Test the Store UI in desktop app: Run ONBOARDING=0 pnpm -F desktop tauri dev and navigate to Extensions to verify the Store tab loads and install/uninstall work.
• Review zip extraction security: The code uses enclosed_name() and skips the first path component - verify this handles all edge cases for path traversal protection.
• Verify hardcoded registry URL: https://pub-hyprnote.r2.dev/extensions/registry.json is hardcoded in commands.rs:148 - confirm this matches your R2 public URL.

Notes

• The registry URL will return a network error until the workflow is run with publish: true and extensions are uploaded to R2
• No version comparison logic yet - the UI only shows if an extension is installed, not if updates are available
• Link to Devin run: https://app.devin.ai/sessions/0838e846b501407b9dabf41088655300
• Requested by: yujonglee (@yujonglee)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[netlify]

✅ Deploy Preview for hyprnote-storybook ready!

Name	Link
🔨 Latest commit	3918a41
🔍 Latest deploy log	https://app.netlify.com/projects/hyprnote-storybook/deploys/6932878ef19aff000818cea4
😎 Deploy Preview	https://deploy-preview-2132--hyprnote-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for hyprnote ready!

Name	Link
🔨 Latest commit	3918a41
🔍 Latest deploy log	https://app.netlify.com/projects/hyprnote/deploys/6932878ef077d200088a719e
😎 Deploy Preview	https://deploy-preview-2132--hyprnote.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Warning

Rate limit exceeded

@yujonglee has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 14 minutes and 0 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 5f898bb and 3918a41.

⛔ Files ignored due to path filters (2)

• Cargo.lock is excluded by !**/*.lock
• plugins/extensions/js/bindings.gen.ts is excluded by !**/*.gen.ts

📒 Files selected for processing (7)

• .github/workflows/extensions_cd.yaml (2 hunks)
• apps/desktop/src/components/main/body/extensions/index.tsx (5 hunks)
• apps/desktop/src/components/main/body/extensions/store.tsx (1 hunks)
• plugins/extensions/Cargo.toml (1 hunks)
• plugins/extensions/src/commands.rs (2 hunks)
• plugins/extensions/src/error.rs (1 hunks)
• plugins/extensions/src/lib.rs (2 hunks)

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch devin/1764918366-extensions-downloadable

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}