profile download: extract zstd tar to directory + handle 202 #153

Merged
rgarcia merged 1 commit into main from hypeship/profile-download-extract
Apr 29, 2026

@rgarcia rgarcia commented Apr 29, 2026

Summary

The profile download endpoint now returns a zstd-compressed tar of the full Chrome user-data directory, and returns 202 Accepted when a profile has not yet captured any state. This rewires the CLI subcommand to match.

  • kernel profile download <id-or-name> --to <dir>: --to is now required and must point at a directory (created if missing). The archive is streamed and extracted into it.
  • 202 responses are surfaced as a friendly info message (Profile '...' has no saved data yet. Use it in a browser session first to capture state.) and exit 0 — no zero-byte file or partial directory is written.
  • Removed --pretty and the JSON-pretty-print path: the body is no longer JSON.
  • Tar entries are validated against path traversal before being written.

Bumps github.com/kernel/kernel-go-sdk to v0.52.0 (which carries the new Returns a zstd-compressed tar file... doc comment on ProfileService.Download) and adds github.com/klauspost/compress for zstd decoding.

No backwards compatibility shim — the old --to <file> / --pretty behavior is gone.

Test plan

  • make test (go vet + go test ./...)
  • Manual e2e: download a populated profile → extracts a directory containing Default/, Local State, Cookies, etc. (~6 MB unpacked).
  • Manual e2e: download a freshly-created empty profile → 202 path fires, info message shown, exits 0, no destination directory created.
  • Path-traversal entry in archive → returns an error.

Note

Medium Risk
Changes core CLI download behavior (breaking flag/semantics) and introduces archive extraction to disk, so bugs could lead to incorrect writes or incomplete restores despite added path-traversal guards and tests.

Overview
kernel profile download is rewired to require --to <dir> and stream-extract a zstd-compressed tar archive into that directory (replacing the prior “save response to file / pretty-print JSON” behavior).

The command now treats 202 Accepted as a non-error “no saved data yet” message, adds explicit handling for unexpected HTTP statuses, and validates tar entry paths to prevent path traversal while skipping non-file/dir entries.

Dependencies are updated to github.com/kernel/kernel-go-sdk v0.52.0 and github.com/klauspost/compress for zstd decoding; tests are updated to cover extraction, 202 behavior, and traversal rejection.

Reviewed by Cursor Bugbot for commit 307f5c0. Bugbot is set up for automated code reviews on this repo.

The download endpoint now returns a zstd-compressed tar of the full
user-data directory, plus 202 when the profile has not yet captured
state. Update the CLI subcommand to require --to <dir>, stream the
archive into that directory, and surface the 202 case as a friendly
info message instead of writing an empty/invalid file.

Also bump kernel-go-sdk to v0.52.0 and add klauspost/compress for
zstd decoding.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | golang/github.com/kernel/kernel-go-sdk@v0.48.0 ⏵ v0.52.0 | 72 +1 | 100 | 100 | 100 | 100 |
| Added | golang/github.com/klauspost/compress@v1.18.5 | 92 | 100 | 100 | 100 | 100 |

Comment thread cmd/profiles.go
@rgarcia rgarcia requested a review from masnwilliams April 29, 2026 17:48
@rgarcia rgarcia marked this pull request as ready for review April 29, 2026 17:48
@firetiger-agent

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR modifies the CLI subcommand and SDK client behavior for profile download, but does not change the kernel API endpoints themselves (packages/api/cmd/api/) or Temporal workflows (packages/api/lib/temporal).

To monitor this PR anyway, reply with @firetiger monitor this.

@masnwilliams masnwilliams left a comment

Built and tested e2e against the API.

  • make test passes
  • empty profile → 202 path: info message, exit 0, no dir created
  • populated profile → ~4MB extracted with Default/, Local State, Cookies/, etc.
  • relative --to → works
  • missing --to → clean required-flag error
  • --to pointing at file → not a directory error
  • unknown profile → 404 surfaced

Code looks good — path-traversal guard, perms stripped, symlinks deliberately skipped, 202/non-200 handled before extract.

@rgarcia rgarcia merged commit f83a233 into main Apr 29, 2026
7 checks passed
@rgarcia rgarcia deleted the hypeship/profile-download-extract branch April 29, 2026 19:20
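
The extraction rules this thread describes (reject traversal names, write only regular files and directories, ignore the archive's permission bits, skip symlinks), as an added Go example that is not the code merged in this PR. `extractTar` and `writeFile` are hypothetical names, the reader is assumed to be the already-decompressed tar stream (zstd decoding is left out), and the fixed 0644/0755 modes are assumed values.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// extractTar (hypothetical name) unpacks an already-decompressed tar stream into destDir.
func extractTar(r io.Reader, destDir string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		} else if !filepath.IsLocal(hdr.Name) { // absolute, or climbs out via ".."
			return fmt.Errorf("tar entry %q escapes destination directory", hdr.Name)
		}
		target := filepath.Join(destDir, hdr.Name)
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			err = writeFile(target, tr)
		} // symlinks, hard links and devices match no case and are skipped
		if err != nil {
			return err
		}
	}
}

// writeFile streams src into path with a fixed 0644 mode (assumed), ignoring archive mode bits.
func writeFile(path string, src io.Reader) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	if _, err = io.Copy(f, src); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}
```

`filepath.IsLocal` is a purely lexical check and does not resolve symlinks already present under the destination, which is one reason extraction code skips symlink entries rather than creating them.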