
Wrap extensions with registry and add additional sec scanners#71

Merged
wcole1-godaddy merged 3 commits into main from update-uiextension-bundling on Jun 25, 2026

Conversation

@pbennett1-godaddy

Collaborator

This pull request introduces a new security rule to block UI extensions from escaping their container and accessing page-level DOM, storage, or navigation APIs. It implements both source-level (SEC012) and bundle-level (SEC112) rules to prevent unsafe operations in checkout/embed UI extensions. Additionally, it updates the extension bundling process to wrap certain UI extensions in a runtime contract, and makes minor improvements and refactoring to related code.

Security: DOM Escape Operation Blocking

  • Added SEC012 source rule and SEC112 bundle rule to block UI extensions from accessing page-level DOM, navigation, or browser storage APIs. These rules prevent extensions from escaping the host-provided container, both in source and in the final bundle.

Bundler: UI Extension Runtime Wrapper

  • Updated the extension bundler to wrap "checkout" and "embed" UI extensions with a runtime contract, ensuring they expose a mount function and register with the global runtime. This helps enforce the container boundary at runtime.

Type and Interface Improvements

  • Changed the type property on ReleaseUiExtension to use the ExtensionType type for stronger typing and clarity.
  • Updated imports and refactored code for clarity and maintainability, including import order and error message improvements.

These changes significantly strengthen the security posture for UI extensions by enforcing strict boundaries and preventing unsafe DOM or browser API access, both at the source and bundle level.
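The two layers the description above outlines, a source-level escape check and a bundle-time runtime contract, as an added illustration written for this page; it is not the project's SEC012/SEC112 code, and the rule ids, the API denylist, the `runtime.extensions` registry shape and the sample source are all assumptions.

```javascript
// Added illustration, not the project's own SEC012/SEC112 implementation.
// Rule ids, denylist, registry shape and the sample source are assumptions.
// Page-level APIs a container-bound UI extension must not reference directly.
const PAGE_ESCAPE_APIS = [
  'document', 'window.top', 'window.parent', 'window.location', 'location',
  'history', 'localStorage', 'sessionStorage', 'indexedDB',
];

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Source-level check (SEC012-style): flag each line that references a
// page-level API as a bare global; `host.document` is a property and passes.
function scanForDomEscape(source) {
  const findings = [];
  source.split('\n').forEach((rawLine, i) => {
    const line = rawLine.replace(/\/\/.*$/, ''); // ignore line comments
    for (const api of PAGE_ESCAPE_APIS) {
      const re = new RegExp('(^|[^\\w$.])' + escapeRe(api) + '(?![\\w$])');
      if (re.test(line)) findings.push({ rule: 'SEC012', api, line: i + 1 });
    }
  });
  return findings;
}

// Bundle-level contract (SEC112-style): insist on a mount(container) export and
// register with the host runtime, so the extension only ever gets its container.
function wrapExtension(runtime, id, mod) {
  if (typeof mod.mount !== 'function') {
    throw new Error(`SEC112: extension "${id}" must export mount(container)`);
  }
  const entry = { id, mount: (container) => { mod.mount(container); return container; } };
  runtime.extensions.set(id, entry);
  return entry;
}

// Build step: refuse to bundle a source that escapes its container.
function bundleExtension(runtime, id, source, mod) {
  const findings = scanForDomEscape(source);
  if (findings.length > 0) {
    const where = findings.map((f) => `${f.api} (line ${f.line})`).join(', ');
    throw new Error(`SEC012: extension "${id}" touches page-level APIs: ${where}`);
  }
  return wrapExtension(runtime, id, mod);
}

// Constructed sample: a checkout extension that reaches outside its container.
const ESCAPING_SOURCE = [
  'export function mount(el) { el.textContent = document.title; }',
  'window.location.href = "/redirect"; // document',
  'localStorage.setItem("k", "v");',
].join('\n');
```

The line-based scan is deliberately crude (a quoted `"document"` in a string would also trip it); a real bundle rule would walk the AST, but the pass/fail shape is the same.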

@wcole1-godaddy wcole1-godaddy left a comment

Contributor


Approved after re-review. Local verification passed after the follow-up fixes.

@wcole1-godaddy wcole1-godaddy merged commit 6941b25 into main Jun 25, 2026
3 checks passed
