ExtensionUltima is a modular, security-first browser extension platform designed to host multiple independent automation and productivity modules under a single encrypted core.
Instead of installing and managing dozens of separate extensions, ExtensionUltima provides one secure host extension with a shared capability framework, encrypted storage, automation engine, and module ecosystem.
- π Encryption-first architecture β sensitive data is encrypted at rest using envelope encryption.
- 𧩠Modular design β a large, growing library of focused tools; add, remove, or develop modules independently.
- β‘ Background automation engine β scheduling, triggers, and a global activity dashboard built in.
- π‘οΈ Least-privilege, opt-in permissions β nothing scary at install; each tool requests only what it needs, when you enable it, and permissions are shared once granted.
- π Auto-lock β the vault locks itself after a configurable period of inactivity.
- π Cross-browser support β Chrome, Firefox, Edge, and Safari builds from one codebase.
- π¦ Unified launcher UI β search, pin, recent/most-used, and a Running view to see and control everything active.
- π Persistent automations β jobs (and active page effects) survive service-worker eviction and browser lifecycle events.
- π No hijacking β never overrides your new-tab page, search, or homepage unless you explicitly opt in.
ExtensionUltima is built around a layered encryption architecture.
A randomly generated 256-bit Data Encryption Key (DEK) encrypts all stored data.
The DEK is protected by a Key Encryption Key (KEK) derived from your master passphrase using PBKDF2-SHA256. Only the wrapped DEK and non-secret parameters are persisted.
When unlocked, the DEK exists only in memory as a non-extractable cryptographic key.
Locking the vault or browser worker eviction immediately removes access to encrypted data.
Both values and logical key names are encrypted before storage.
Persistent records use opaque identifiers rather than plaintext names.
Modules receive only the capabilities they explicitly declare.
Attempting to access undeclared functionality results in a runtime error.
The vault locks automatically after a configurable period of inactivity (default 15 minutes), clearing the in-memory key. The idle check is enforced even across a service-worker eviction/resume, so it cannot be bypassed by the background lifecycle. Configure it in the popup under π‘οΈ Security.
The install footprint is intentionally tiny β only storage and alarms. Every other
capability (tabs, scripting, host access, notifications, cookies, sessions,
downloads, contextMenus) is optional and requested the moment you enable a tool that
needs it, from a real user gesture. Because browser permissions are extension-global, a
permission granted for one tool is shared by every other tool that needs it β you're only
asked once. Review and revoke them anytime under π‘οΈ Security.
src/
core/
crypto/
keyvault/
storage/
modules/
browser.ts
log.ts
core.ts
background/
ui/popup/
modules/<id>/
build/
build.mjs
Core responsibilities:
- Cryptography
- Secure storage
- Key management
- Module lifecycle
- Capability enforcement
- Browser abstraction
npm install
npm run typecheck # type-check the whole source tree
npm run build # emit dist/<chrome|firefox|edge|safari>
npm run package # zip each build into packages/ for store uploadGenerated builds:
dist/
chrome/
firefox/
edge/
safari/
EU_NEWTAB=1 npm run buildβ opt in to making the dashboard your actual new-tab page. By default the new-tab page is not overridden (the dashboard opens on demand instead).
- Open
chrome://extensions - Enable Developer Mode
- Select Load unpacked
- Choose
dist/chrome
- Open
about:debugging - Select This Firefox
- Click Load Temporary Add-on
- Select
dist/firefox/manifest.json
The first passphrase entered initializes a new encrypted vault.
After initialization, the same passphrase is required to unlock and access encrypted module data.
Tools that need browser permissions (e.g. page access for injection, cookies, downloads) show an Enable prompt the first time you open them, listing exactly what they need. Granting is one-time and shared across tools.
ExtensionUltima includes a centralized activity dashboard for all running automations.
Features include:
- Running job overview
- Site and tab grouping
- Module grouping
- Live countdown timers
- Pause and resume controls
- Individual stop controls
- Global stop-all actions
- Search and filtering
Module status is surfaced through a standardized status interface.
Modules can schedule work through a unified trigger system.
- Manual
- Interval
- Randomized Interval
- Scheduled Time
- Current Tab
- URL
- Domain
- All Tabs
- Window
Jobs are stored encrypted and automatically restored when unlocked.
ExtensionUltima ships a broad library of focused tools (50+), grouped by category. A sample:
- Automation β Auto Refresh, Auto Click, Keep Alive, Page Watch, Scheduled Opener
- Tabs β Tab Switcher, Session Saver, Tab Suspender, Snooze Tab, Recently Closed, Copy Tab URLs, Merge Windows, Auto Mute
- Security β Password Vault, Authenticator (2FA/TOTP), Secure Notes, Bookmark Vault, Breach Checker, Passphrase Generator
- Privacy β Cookie Cleaner, URL Cleaner, Ephemeral Notes, Incognito Opener
- Page β Dark Mode, Reader Mode, Element Zapper, Web Highlighter, Sticky Notes, Find & Replace, Auto-Scroll, Selection Toolbar, Text Expander
- Media β Video Speed, Picture-in-Picture, Volume Booster
- Monitoring β Change Monitor, Uptime Monitor
- Focus β Pomodoro, Reminders, Site Blocker, Time Tracker, Habit Tracker
- Utilities β QR Code, Read Aloud, Screenshot, Image Downloader, Clipboard Manager
- Power β Hotkeys, Context-Menu Actions, Address-bar Commands, New-Tab Dashboard
Every tool that runs in the background or leaves an ongoing effect appears in the Running view of the Activity dashboard, where it can be paused, stopped, or turned off.
Creating a module requires:
- Creating
src/modules/<id>/ - Exporting an
ExtensionModule - Declaring required capabilities
- Registering the module in the core
- Adding UI panels if required
- Updating the module registry
Modules are intentionally isolated and should remain focused on a single responsibility.
ExtensionUltima is under active development.
Planned improvements include:
- Argon2id key derivation
- Enhanced capability enforcement
- Automatic vault locking
- Passphrase rotation support
- Integrity-verified module loading
- Expanded module ecosystem
Copyright Β© 2026 CogForgeLabs
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).
SPDX-License-Identifier: CC-BY-NC-SA-4.0
You are free to share and adapt the material, under these terms:
- Attribution β credit ExtensionUltima by CogForgeLabs (cognitive-industries.org), link to the license, and indicate changes.
- NonCommercial β not for commercial use without written permission.
- ShareAlike β distribute derivatives under the same license.
Full legal code: https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
See the LICENSE file for the complete notice.