feat: add minimal external API bridge for trusted websites

[Antoinevdlb]

Hello! 👋

I’ve been building Antoine’s Archive, a web app for Xteink users to discover books and send them to their X4 in a streamlined way.

I posted a demo here:
Reddit demo thread

The goal is simple: make it easier for users to go from “found a book” to “sent to my X4” with as little friction as possible.

Right now, users often need multiple tools/extensions for similar upload actions. I’d love to avoid that duplication and use Send to X4 as the shared bridge.
So this PR proposes a small external API bridge that lets trusted websites call a few core actions (ping/status/upload), while keeping your existing popup workflow unchanged.

In short:

one extension ecosystem
less duplicated code
better UX for users
no breaking changes to current users

Summary

• add externally_connectable allowlist for trusted website origins
• add a minimal runtime.onMessageExternal API in the service worker
• expose only 3 actions for website integration: x4.ping, x4.status, x4.upload

Why

This keeps the extension popup-first behavior unchanged while allowing a trusted hosted UI (e.g. Antoine's Archive) to integrate without requiring users to configure both app settings and extension popup flows separately.

API contract (minimal)

• x4.ping -> { ok: true }
• x4.status with { firmwareType, host } -> connectivity payload
• x4.upload with { firmwareType, host, filename, dataBase64 } -> upload result

Safety

• only explicitly allowlisted origins can call the external API
• unsupported actions return explicit errors
• no change to existing internal popup/runtime message routes

Test plan

• install extension locally, keep existing popup flow working
• from an allowlisted site, call x4.ping and confirm success
• call x4.status with stock + crosspoint host settings
• call x4.upload and verify EPUB arrives on device

Made with Cursor