[RFC] Add Secure Container (SES/LavaMoat)

[louisgv]

How do you envision this feature/change to look/work like?

Maybe plasmo build --lavamoat or plasmo build --secured or plasmo build --ses?

We can either:

• make a lavamoat optimizer OR a lavamoat stream (if their bundler has a stream interface)
• inject the lavamoat dependency checker at the resolver level
• inject the lavamoat ses wrapper at the transformer level <- this requires most work unit

What is the purpose of this change/feature? Why?

For extension that requires high degree of dependency integrity and sandboxing, lavamoat helps a lot with supply chain atk:

https://github.com/LavaMoat/lavamoat#readme

(OPTIONAL) Example implementations

https://github.com/LavaMoat/lavamoat#readme

https://www.npmjs.com/package/@lavamoat/lavapack

(OPTIONAL) Contribution

• [ ] I would like to contribute to this RFC via a PR

Verify canary release

• [X] I verified that the issue exists in plasmo canary release

Code of Conduct

• [X] I agree to follow this project's Code of Conduct
• [X] I checked the current issues for duplicate problems.

[louisgv]

The manual integration with SES is simply to import it and call the lockdown function at the top of the entry file.

That should work. Also SES remote integration is not possible since extension cannot run remote code.

[louisgv]

https://github.com/LavaMoat/LavaMoat/blob/main/packages/browserify/examples/01-simple-js/README.md