Summary

• pin the init template catalog in-package instead of downloading templates.json at runtime
• verify every downloaded template file against pinned SHA-256 hashes before writing it to disk
• add regression tests for trusted manifest usage and integrity mismatch rejection

Testing

• python3 -m py_compile browser_use/init_cmd.py browser_use/init_template_manifest.py test_init_template_integrity.py
• python3 -m pytest test_init_template_integrity.py

Summary by cubic

Pins the init template manifest inside browser_use and verifies SHA-256 for every downloaded template file to block tampering. Removes the runtime templates.json fetch and makes the init command work offline for the catalog.

• New Features
  • Ship trusted template catalog and hashes in browser_use/init_template_manifest.py.
  • Verify each downloaded file via SHA-256; reject on mismatch or missing hash.
  • CLI listing now reads the pinned manifest instead of fetching from GitHub.
  • Add tests covering manifest usage and integrity mismatch handling.

^{Written for commit 0a7cd93. Summary will update on new commits.}