#22750: feat(canvas-lms): add hardened Canvas LMS extension for university workflows
size: XL
Cluster: OpenClaw Plugin Enhancements
## Summary
- Problem: Canvas LMS integration was mixed into an unrelated PR and had security/resilience gaps for production (inline token default, HTTP allowed by default, no retry/timeout hardening).
- Why it matters: university deployments need a focused, reviewable plugin PR with safer defaults and predictable API behavior.
- What changed:
  - Added dedicated `extensions/canvas-lms` plugin registration + manifest + labeler scope.
  - Hardened transport/auth defaults: HTTPS-only by default, inline token disabled by default.
  - Added retry + timeout behavior for Canvas API calls (`429`/`5xx` aware).
  - Added new actions: `list_modules` and `list_submissions`.
  - Expanded tests for URL normalization, retry behavior, inline-token guard, and new actions.
- Scope boundary: no core channel behavior changes; this PR is extension-scoped (`extensions/canvas-lms`) plus labeler entry.
## Change Type
- [ ] Bug fix
- [x] Feature
- [ ] Refactor
- [x] Docs
- [x] Security hardening
- [ ] Chore/infra
## Scope
- [ ] Gateway / orchestration
- [x] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [x] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra
## Repro + Verification
### Verified scenarios
- `pnpm vitest run extensions/canvas-lms/src/canvas-lms-tool.test.ts`
- `pnpm check`
### What I did not verify
- Live Canvas LMS tenant integration with real institutional credentials.
## Compatibility / Migration
- Backward compatible: **Mostly** (new stricter default behavior)
- Config/env changes: **Optional**
- Migration needed: **Maybe**
- If needed:
  - If an existing setup depends on `http://`, set plugin config `allowInsecureHttp=true` (or env `CANVAS_LMS_ALLOW_INSECURE_HTTP=1`).
  - If an existing setup passes the token inline in tool args, set plugin config `allowInlineToken=true`.
## Security Impact
- New permissions/capabilities: **No**
- Secrets/tokens handling changed: **Yes**
- New/changed network calls: **Yes**
- Command/tool execution surface changed: **Yes**
- Data access scope changed: **No**
- Risk + mitigation:
  - Risk: insecure transport and accidental token leakage in tool args.
  - Mitigation: HTTPS default + inline token disabled by default; explicit opt-in for legacy behavior.
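As an added example (not code from this PR or the OpenClaw repository), the hardening behaviours described in the change list, migration notes and mitigation above, written as small TypeScript functions: HTTPS-only base-URL normalization with the `allowInsecureHttp` / `CANVAS_LMS_ALLOW_INSECURE_HTTP=1` opt-in, the inline-token guard behind `allowInlineToken`, and a bounded retry loop that only retries on `429`/`5xx`. The function names and the injected `request`/`sleep` callbacks are assumptions for illustration; the real tool's signatures may differ.

```typescript
// Added example, not the plugin's own code. Config keys and env var come from the PR text;
// function names and the request/sleep injection are assumptions.
type CanvasConfig = { allowInsecureHttp?: boolean; allowInlineToken?: boolean };

// Normalize the Canvas base URL: default to https://, strip query/fragment and trailing
// slashes, and refuse http:// unless the operator opted in via config or env var.
function normalizeBaseUrl(
  raw: string,
  cfg: CanvasConfig = {},
  env: Record<string, string | undefined> = {}, // pass process.env in real use
): string {
  const url = new URL(raw.includes("://") ? raw : `https://${raw}`);
  const insecureAllowed = cfg.allowInsecureHttp === true || env.CANVAS_LMS_ALLOW_INSECURE_HTTP === "1";
  if (url.protocol === "http:" && !insecureAllowed) {
    throw new Error("Canvas base URL must use https:// (set allowInsecureHttp=true to override)");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`Unsupported protocol: ${url.protocol}`);
  }
  url.search = "";
  url.hash = "";
  return url.origin + url.pathname.replace(/\/+$/, "");
}

// Resolve the API token. A token passed inline in tool args is rejected by default so it
// cannot leak through logs/transcripts; the configured token is used unless opted in.
function resolveToken(configured: string | undefined, inline: string | undefined, cfg: CanvasConfig = {}): string {
  if (inline !== undefined) {
    if (cfg.allowInlineToken !== true) {
      throw new Error("inline token in tool args is disabled (set allowInlineToken=true to permit)");
    }
    return inline;
  }
  if (!configured) throw new Error("no Canvas token configured");
  return configured;
}

// Bounded retry: only 429 and 5xx are retried; other statuses return immediately.
// Backoff honours a parsed Retry-After (ms) when present, else doubles from 250 ms.
async function withRetry<T extends { status: number; retryAfterMs?: number }>(
  request: () => Promise<T>,
  maxAttempts = 3,
  sleep: (ms: number) => Promise<void> = () => Promise.resolve(),
): Promise<{ result: T; attempts: number }> {
  for (let attempts = 1; ; attempts++) {
    const result = await request();
    const retryable = result.status === 429 || (result.status >= 500 && result.status < 600);
    if (!retryable || attempts >= maxAttempts) return { result, attempts };
    await sleep(result.retryAfterMs ?? 250 * 2 ** (attempts - 1));
  }
}
```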
<h3>Greptile Summary</h3>
Added dedicated Canvas LMS extension with hardened security defaults (HTTPS-only, inline token disabled by default) and production-ready resilience (retry logic for `429`/`5xx`, configurable timeouts). Implements five LMS actions: `list_courses`, `list_assignments`, `list_announcements`, `list_modules`, and `list_submissions`. Plugin follows established extension patterns (`workspace:*` in devDependencies, proper manifest structure). Tests cover URL normalization, retry behavior, inline token guard, and new actions.
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk
- Clean implementation with proper security hardening, comprehensive test coverage, follows established repository patterns (workspace dependencies, TypeBox schema patterns, plugin structure), and is properly scoped to the extension directory with no core changes
- No files require special attention
<sub>Last reviewed commit: d08c64d</sub>