feat(extension): block suspicious domains and copy totp via bridge

Author: cuihairu

browser/chromium-extension/dist/background.js

@@ -318,10 +318,11 @@ async function handleRequestFill(
             };
         }
 
-        // For suspicious/unknown domains, log a warning
-        if (assessment.risk === 'suspicious' || assessment.risk === 'unknown') {
-            // In future: show confirmation dialog
-            console.warn('[Persona] Fill request for untrusted domain:', host, assessment.reasons);
+        if (assessment.risk === 'suspicious') {
+            return {
+                success: false,
+                error: `user_confirmation_required: domain flagged as suspicious (${assessment.reasons.join('; ') || host})`
+            };
         }
 
         const response = await requestFill(origin, itemId, userGesture);
@@ -354,6 +355,20 @@ async function handleGetTotp(
     userGesture = true
 ): Promise<AutofillResult<{ code: string; remaining_seconds: number; period: number }>> {
     try {
+        const policies = await getPolicies();
+        const host = new URL(origin).hostname;
+        const assessment = evaluateDomain(host, policies);
+
+        if (assessment.risk === 'blocked') {
+            return { success: false, error: 'Domain is blocked by policy' };
+        }
+        if (assessment.risk === 'suspicious') {
+            return {
+                success: false,
+                error: `user_confirmation_required: domain flagged as suspicious (${assessment.reasons.join('; ') || host})`
+            };
+        }
+
         const response = await getTotp(origin, itemId, userGesture);
 
         if (!response.ok) {
@@ -389,6 +404,20 @@ async function handleCopy(
             return { success: false, error: 'Origin is required for copy requests' };
         }
 
+        const policies = await getPolicies();
+        const host = new URL(origin).hostname;
+        const assessment = evaluateDomain(host, policies);
+
+        if (assessment.risk === 'blocked') {
+            return { success: false, error: 'Domain is blocked by policy' };
+        }
+        if (assessment.risk === 'suspicious') {
+            return {
+                success: false,
+                error: `user_confirmation_required: domain flagged as suspicious (${assessment.reasons.join('; ') || host})`
+            };
+        }
+
         const response = await copyToClipboard(origin, itemId, field, userGesture);
 
         if (!response.ok) {

browser/chromium-extension/dist/background.js.map

@@ -312,8 +312,23 @@ async function requestTotp(itemId: string, targetInput?: HTMLInputElement) {
                 fillInput(input, code);
                 showNotification('2FA code filled', 'success');
             } else {
-                await copyToClipboard(code);
-                showNotification('2FA code copied', 'success');
+                const copied = await chrome.runtime
+                    .sendMessage({
+                        type: 'persona_copy',
+                        origin: location.origin,
+                        itemId,
+                        field: 'totp',
+                        userGesture: true
+                    })
+                    .then((r) => Boolean(r?.success && r?.data?.copied))
+                    .catch(() => false);
+
+                if (copied) {
+                    showNotification('2FA code copied', 'success');
+                } else {
+                    await copyToClipboard(code);
+                    showNotification('2FA code copied (fallback)', 'success');
+                }
             }
         } else {
             console.error('[Persona] TOTP failed:', response?.error);