feat!: harden raw browser control and packaging

- Add safe-by-default policy gates for raw command surfaces: command, script, and serve-http /command.

- Require explicit opt-ins for page reads, browser control, and high-risk commands such as dom.eval, storage.*, and screenshots.

- Remove all cookies support from CLI, SDK, extension commands, permissions, constants, docs, and tests.

- Add diagnostic, events, watch, workspace, remote, raw command, script, HTTP gateway, tree-view, session import/export, and extension info/capability commands.

- Add Chrome Web Store packaging that strips manifest.key while keeping local packages with a stable native-messaging extension ID.

- Bump browser-cli and extension version to 0.14.1 and cover the new behavior with pytest and extension packaging tests.

BREAKING CHANGE: cookies commands and the b.cookies SDK namespace have been removed; generic raw command execution now blocks non-safe commands unless explicitly allowed.

browser_cli/sdk/session.py

@@ -48,6 +48,14 @@ class SessionNS(Namespace):
   def diff(self, name_a: str, name_b: str) -> dict:
     """Diff two saved sessions."""
 
+  @sdk_command("session.export", lambda self, name=None: {"name": name}, default={})
+  def export(self, name: str | None = None) -> dict:
+    """Export one saved session, or all sessions when *name* is omitted."""
+
+  @sdk_command("session.import", lambda self, name, session, overwrite=False: {"name": name, "session": session, "overwrite": overwrite}, default={})
+  def import_(self, name: str, session: dict, *, overwrite: bool = False) -> dict:
+    """Import a saved session payload under *name*."""
+
   def list(self) -> list[dict]:
     """Return saved sessions.