fix: remove flags blocking enterprise extension loading (#133)

## Summary

- Removes `--disable-background-networking` from the default
`CHROMIUM_FLAGS` in the headless wrapper
- **Removes `--disable-extensions-except` flag usage** - this flag was
preventing Chrome from creating external providers (including the policy
loader), blocking enterprise extension installation
- Chrome's `ExtensionInstallForcelist` enterprise policy requires
background networking to fetch `update.xml` and `.crx` files from the
extension server

## Root Cause

Two issues were preventing enterprise extensions from loading:

1. `--disable-background-networking` prevented Chrome from making HTTP
requests to fetch extensions
2. `--disable-extensions-except` caused Chrome to set
`extensions_enabled_` to `false`, which prevents external providers
(including the policy loader) from being created in
`extension_service.cc`

## Changes

### Flag Changes
- Remove `--disable-background-networking` from headless wrapper
defaults
- Remove `--disable-extensions-except` from:
  - `wrapper.sh` proxy extension setup
  - `chromium.go` API flag generation
  - `chromiumflags.go` MergeExtensionPath function
- Keep `--load-extension` for loading extensions via command line

### Test Changes
- Add `TestEnterpriseExtensionInstallation` e2e test
- Test uploads a kernel-like extension first (mirrors production
behavior)
- Then uploads enterprise extension and verifies it loads via policy

## Test plan

- [x] Add new e2e test `TestEnterpriseExtensionInstallation`
- [x] Test verifies Chrome fetches update.xml and .crx
- [x] Test verifies extension appears in chrome://extensions
- [ ] Run existing e2e tests to ensure no regressions

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Allows enterprise policy (`ExtensionInstallForcelist`) extensions to
install correctly.
> 
> - Removes `--disable-background-networking` from headless `wrapper.sh`
defaults
> - Eliminates use/emission of `--disable-extensions-except`;
`chromiumflags.MergeFlags` now folds its paths into `--load-extension`
and never re-emits it; adds `MergeExtensionPath`
> - `server/cmd/api/api/chromium.go` no longer writes
`--disable-extensions-except` when building flags; only uses
`--load-extension` for non-policy extensions with clear inline rationale
> - Adds e2e `TestEnterpriseExtensionInstallation` (headless/headful)
plus minimal enterprise test extension assets and pack script; verifies
policy config, update.xml/.crx fetch, logs, and presence in
`chrome://extensions`
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
1472fd8. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: rgarcia

images/chromium-headless/image/wrapper.sh

@@ -44,13 +44,15 @@ fi
 export HOSTNAME="${HOSTNAME:-kernel-vm}"
 
 # if CHROMIUM_FLAGS is not set, default to the flags used in playwright_stealth
+# NOTE: --disable-background-networking was intentionally removed because it prevents
+# Chrome from fetching extensions via ExtensionInstallForcelist enterprise policy.
+# Enterprise extensions require Chrome to make HTTP requests to fetch update.xml and .crx files.
 if [ -z "${CHROMIUM_FLAGS:-}" ]; then
   CHROMIUM_FLAGS="--accept-lang=en-US,en \
     --allow-pre-commit-input \
     --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 \
     --crash-dumps-dir=/tmp/chromium-dumps \
     --disable-back-forward-cache \
-    --disable-background-networking \
     --disable-background-timer-throttling \
     --disable-backgrounding-occluded-windows \
     --disable-blink-features=AutomationControlled \

server/cmd/api/api/chromium.go

@@ -260,10 +260,14 @@ func (s *ApiService) UploadExtensionsAndRestart(ctx context.Context, request oap
 
 	// Build flags overlay file in /chromium/flags, merging with existing flags
 	// Only add --load-extension flags for extensions that don't use policy installation
+	// NOTE: We intentionally do NOT use --disable-extensions-except here because it causes
+	// Chrome to disable external providers (including the policy loader), which prevents
+	// enterprise policy extensions (ExtensionInstallForcelist) from being fetched and installed.
+	// See Chromium source: extension_service.cc - external providers are only created when
+	// extensions_enabled() returns true, which is false when --disable-extensions-except is used.
 	var newTokens []string
 	if len(pathsNeedingFlags) > 0 {
 		newTokens = []string{
-			fmt.Sprintf("--disable-extensions-except=%s", strings.Join(pathsNeedingFlags, ",")),
 			fmt.Sprintf("--load-extension=%s", strings.Join(pathsNeedingFlags, ",")),
 		}
 	}