ScriptVault v2.3.1

ScriptVault v2.3.1

Fixes a broken v2.3.0 — extensions failed to load with Could not load icon 'icons/16.png' specified in 'icons' because the manifest referenced a directory that was deleted during v2.3.0's branding cleanup. Also fixes a separate ZIP-format issue: the v2.3.0 ZIP used Windows-style backslash entry names (images\icon128.png) which Chrome cannot match against manifest paths regardless of file presence.

Install (Brave / Chrome / Edge — recommended)

Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. Use Load unpacked instead:

1. Download ScriptVault-v2.3.1.zip and extract it to a permanent folder (e.g. ~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup.
2. Open brave://extensions (or chrome://extensions, edge://extensions).
3. Toggle Developer mode on (top-right).
4. Click Load unpacked and select the extracted folder.

The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.

Changes

• Fixed: manifest.json referenced icons/16.png / icons/32.png / icons/48.png / icons/128.png, but the icons/ directory was deleted in v2.3.0's branding cleanup. Repointed manifest, pages/popup.html, modules/public-api.js, modules/backup-scheduler.js, and the TypeScript mirror at src/modules/public-api.ts to the surviving images/icon{16,32,48,128}.png files. Firefox manifest was already correct.
• Fixed: build.sh / publish.sh PowerShell Compress-Archive fallback wrote Windows-style backslash entries (images\icon128.png). Switched to bsdtar (C:\Windows\System32\tar.exe), which writes POSIX-style forward-slash entries that Chrome can match.

523/523 tests green.

ScriptVault v2.3.0

ScriptVault v2.3.0

Install (Brave / Chrome / Edge — recommended)

Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. The CRX in this release will hit CRX_REQUIRED_PROOF_MISSING in Brave and a similar block in Chrome/Edge. Use Load unpacked instead:

1. Download ScriptVault-v2.3.0.zip and extract it to a permanent folder (e.g. ~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup.
2. Open brave://extensions (or chrome://extensions, edge://extensions).
3. Toggle Developer mode on (top-right).
4. Click Load unpacked and select the extracted folder.

The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.

Highlights

• Fixed: weekly-digest alarm never dispatched (unknown alarm names now route to NotificationSystem.handleAlarm())
• Security: ScriptSigning.verifyScript() prototype-pollution guard via Object.hasOwn() — malicious publicKey strings like toString no longer auto-trust
• Security: GM_addElement attrs path now drops on* event handlers and rejects javascript: / vbscript: URLs (matches the existing innerHTML path)
• Reliability: ScriptValues set/delete/setAll/deleteMultiple now snapshot prior state and roll back the cache on persist failure
• Reliability: ScriptStorage.clear() and FolderStorage.update() rollback on save failure
• Memory: requireCache capped at 500 entries (LRU)
• Accuracy: QuotaManager.getBreakdown() uses TextEncoder for true UTF-8 byte counts (was string.length)
• Robustness: pages/install.js renderInstallUI() shows visible error instead of crashing on missing DOM
• Robustness: pages/sidepanel.js chrome.runtime.sendMessage calls catch SW-wake errors

See CHANGELOG.md for the full list.

ScriptVault v2.1.7

ScriptVault v2.1.7

A two-day rollup covering every change from 2026-04-09 through 2026-04-10. The shipping binaries are attached below: ScriptVault-v2.1.7.crx and ScriptVault-v2.1.7.zip.

Critical fixes

• Monaco editor would never load. The sandboxed editor iframe's CSP had been tightened to script-src 'self', which blocks the Function() constructor that Monaco's AMD loader uses internally to evaluate fetched module code. require(['vs/editor/editor.main'], …) silently failed and the iframe hung on the "Loading Editor…" splash. Restored the Monaco-compatible sandbox CSP: script-src 'self' 'unsafe-eval' 'unsafe-inline' blob:. Safe because the iframe runs with the sandbox attribute (opaque origin, no extension-API or parent-DOM access).
• Opening a script to edit showed a blank editor. pages/monaco-adapter.js was computing the postMessage target origin from the iframe's src URL (→ chrome-extension://<id>). But the editor iframe is declared under manifest.json → sandbox.pages, so Chrome runs it in an opaque "null" origin, not the extension origin. postMessage silently drops any message whose targetOrigin doesn't match the recipient's document origin, so every set-value was being rejected — Monaco loaded, but the script code never arrived. Fix: always post with targetOrigin: '*' (the channel is private between dashboard and iframe). This bug was masked until the earlier CSP fix because Monaco wasn't loading at all.
• Editor text rendered at ~100 pixels tall. monaco-adapter.applySettings() was passing editorFontSize straight through to Monaco, but that setting is a percentage (100 = 100%), not pixels. Monaco was being told to render 100-pixel text. Fixed by converting the percentage to pixels inside applySettings using the same math the sibling setFontSize(pct) helper already uses: round(13 * pct / 100) clamped to 8..32.
• Dashboard column header rendered between data rows 3 and 4 instead of at the top of the table. Two interacting issues:
  1. .scripts-table-container used overflow: hidden, which per CSS spec makes that ancestor the containing block for any descendant position: sticky element. The sticky thead's top: 100px was therefore being measured from the container's top — landing in the middle of the table. Switched the container to overflow: clip, which still clips the rounded corners but does not establish a sticky containing block.
  2. Defensive: Chrome/Webkit have a long-standing bug where sticky <thead> is miscomputed when the parent table uses border-collapse: separate. Moved position: sticky to the individual <th> cells.

Dashboard redesign

Debloat

• Removed the entire .scripts-results-bar — the secondary row below the toolbar that held quick-filter chips, the live results summary text, and the Reset View button.
• Removed .scripts-toolbar-right. The filter dropdown, script counter, search box, view toggle, and column toggle now all live on the left side of the toolbar in a single flat row.
• Removed the provenance origin badges (Greasy Fork / GitHub / OpenUserJS / Local) from every script row. describeScriptProvenance() is still used by the script info side panel and by exports.
• Removed the conflict-badge and sync-conflict badges from script rows.
• Fixed folder-row colspan from 14 → 13 (the table only has 13 columns).
• Deleted dead helpers left over from the removed UI: updateScriptResultsSummary, updateScriptQuickFilterButtons, resetScriptWorkspaceView, the SCRIPT_FILTER_LABELS lookup table, and the --results-bar-bottom CSS var. Sticky column headers now re-anchor to --toolbar-bottom.

Light theme readability

A comprehensive html[data-theme="light"] element-override block now lives at the end of the dashboard stylesheet. The base dark styles used white-tinted gradients, sheens, and shadows that disappeared on a light background; those overlays are now swapped for darker inks in light mode so every control stays readable. Covered selectors include tm-header, tm-tabs-bar, tm-tab.active, tm-tab[data-tab=newscript], header-icon-btn, header-zoom-select, scripts-shell, scripts-toolbar, toolbar-btn, search-box, select-field, script-counter, scripts-table-container, scripts-table th / row striping / hover / selected, script-name, script-author, action-icon, btn, the settings/trash/utilities/help hero blocks, editor header/tabs/toolbar, the script-health-badge warning and alert variants, script-tag, and the toolbar divider.

Toast position

• The dashboard toast container now docks at bottom-center instead of bottom-right (bottom: 20px; left: 50%; transform: translateX(-50%); align-items: center). The narrow-viewport media query keeps the same centered anchor with a safe max-width. The wrapper uses pointer-events: none while individual toasts re-enable pointer-events so nothing else gets click-blocked.

Toolbar popup debloat

The browser-action popup had drifted into cluttered territory. Total reduction across this rollup: roughly −1,250 lines across popup.html, popup.js, and popup-a11y.test.js, plus the full deletion of popup-timeline.js.

First pass

• Execution Timeline panel removed. pages/popup-timeline.js deleted entirely (real perf work lives in the DevTools panel + dashboard Debugger).
• URL bar removed — the browser's address bar already shows the URL 12px above the popup.
• Page summary block removed — "Checking this page…" title + meta + count badge duplicated information shown by the header and list.
• popup-meta footer strip removed — the Alt+Shift+D Dashboard hint and Feedback link. The keyboard shortcut hint violated the no-keyboard-shortcuts rule and the Feedback link lives in the dashboard.
• Redundant count displays collapsed from 4 → 1. headerCount, pageSummaryCount, popupListSummary, and footerTotalCount all rendered the same number. Kept the single header pill.
• Empty-state action buttons removed — the menu directly below already had "Find New Scripts" and "Create New Script".
• Pinned / Paused filter chips removed. Pinned scripts already sort to the top; Paused is just the inverse of Running. Chips reduced from 5 → 3 (All / Running / Errors).

Second pass

• Entire popup script toolbar removed — search input and all remaining filter chips.
• Script row state pill removed (Running / Ready / Paused / Errors text) — the toggle alone communicates active state.
• Colored status dot + pulse animation removed.
• Row secondary text removed (description / run count / "updated 3d ago").
• Perf badge removed (avg-ms timing pill).
• Error dot removed — duplicate of the dashboard error log.
• All row tags removed — Pinned, New, Edited, Stale, and the source/Local provenance chip.
• Dead helpers deleted — describePopupScriptProvenance and derivePopupHomepageUrl (~70 lines) and the Ctrl+F search-focus keyboard handler (no search box left to focus).

Script row anatomy now

[toggle] [icon] Script Name v1.2.3 [pencil] [⋮]

That's it.

Dashboard UX polish from Codex

• Bulk selection rail removed — the obsolete dashboard bulk-selection rail and its dead controller code (~90 lines from pages/dashboard.js) are gone.
• Scripts table — rounded top corner now renders cleanly.
• Popup condensed — spacing, toolbar, empty-state, and timeline layouts slimmed so more content fits without scrolling.
• Popup chrome auto-hides — search, list, and timeline UI elements now hide when not useful.
• Script ID handling hardened — dashboard deep-links now URL-encode script IDs (#script_<id>) so ids containing special characters round-trip correctly.
• Notification click context — uses chrome.storage.session when available (SW-scoped, no leftover keys); falls back to chrome.storage.local with alarm-based cleanup.
• Dashboard HTML slimmed — bulk-selection-rail inline styles extracted from pages/dashboard.html (~120 lines) into the external stylesheet.
• Accessibility tests updated — dashboard-a11y and popup-a11y test suites refreshed to match the new slimmer UI.
• 266 new tests/dashboard-modules.test.js cases added for coverage of the trimmed dashboard modules.

Tests

• 512 / 512 green across all changes in this rollup.

Artifacts

• ScriptVault-v2.1.7.crx — Chrome signed extension (drag-drop onto chrome://extensions with Developer Mode enabled)
• ScriptVault-v2.1.7.zip — Source ZIP for Chrome Web Store / unpacked install

ScriptVault v1.7.7

v1.7.7 — GM_audio Fix, Firefox Compatibility, CSS Fixes

GM API Fixes

• GM_audio was completely non-functional — addStateChangeListener() referenced window.__ScriptVault_ChannelID__ which was never defined; all audio state events were silently dropped. Fixed to use the correct CHANNEL_ID variable.
• GM_audio event listener leak — the message handler was added but never removed when removeStateChangeListener() was called. Now stores handler reference and properly cleans up when the last listener is removed.

Firefox MV3 Compatibility

• Keyboard shortcuts restored — manifest-firefox.json had empty commands: {}. Now includes all 3 shortcuts (Alt+Shift+S popup, Alt+Shift+D dashboard, Alt+Shift+E toggle scripts).
• Offscreen API guard — ScriptAnalyzer._ensureOffscreen() now checks chrome.offscreen existence before calling, gracefully falling back to regex analysis on Firefox.

CSS Fixes

• Z-index hierarchy fixed — Find Scripts overlay (50 -> 55) now correctly stacks above editor overlay (50). Setup warning banner (99 -> 101) now visible above sticky header (100).
• Modal responsiveness — min-width: min(400px, 90vw) and max-width: min(500px, 95vw) prevent modals from overflowing on narrow viewports.

Assets

• ScriptVault-v1.7.7.zip — Chrome Web Store ready package
• ScriptVault-v1.7.7.crx — Direct install CRX3 file

ScriptVault v1.7.6

v1.7.6 — Null Safety Hardening

Systematic null check pass across all UI pages to prevent TypeError crashes from missing DOM elements.

Fixes by File

• sidepanel.js — $() helper now returns a dummy div instead of null, preventing crashes when panel HTML elements are missing
• devtools-panel.js — Same null-safe $() helper
• install.js — Optional chaining on btn-cancel, btn-install, toggle-code event listeners
• popup.js — Null check on blacklist .menu-item-text querySelector before setting textContent
• dashboard.js — Command palette input null guard; storage editor save/rename/delete/keySpan buttons all use optional chaining

Impact

These were all "silent crash" scenarios where a missing element would throw a TypeError that blocks subsequent code from running. The sidepanel and devtools panel fixes are especially important since those pages load in constrained contexts (side panel, devtools) where DOM might not be fully available.

Assets

• ScriptVault-v1.7.6.zip — Chrome Web Store ready package
• ScriptVault-v1.7.6.crx — Direct install CRX3 file

ScriptVault v1.7.5

v1.7.5 — Monaco Migration: Toolbar & Editor Features Restored

The Monaco editor migration left many editor toolbar buttons broken because the adapter was missing CodeMirror methods that dashboard.js depends on. This release restores full functionality.

Restored Toolbar Buttons

• Undo / Redo — now route through Monaco's built-in undo/redo
• Fold All / Unfold All — use Monaco's native fold actions (was crashing with foldCode is not a function)
• Comment Toggle (Ctrl+/) — uses Monaco's commentLine action instead of broken CodeMirror line-by-line logic
• Find / Replace — Ctrl+F and Ctrl+H now open Monaco's built-in search
• Lint — shows info toast (Monaco handles diagnostics automatically)

Fixed Features

• Snippet Insert — clicking a snippet template now actually inserts text at the cursor position (was a no-op)
• Beautify Code — getOption('indentWithTabs') and getOption('indentUnit') now return correct defaults instead of undefined
• Auto-hint trigger — showHint() is now a safe no-op instead of throwing (Monaco handles completions internally)

Technical Details

• Monaco adapter: added 12 new CodeMirror-compatible methods
• Editor sandbox iframe: added insert-text and action message handlers
• Dashboard: branched Monaco vs CodeMirror paths for fold, comment, lint operations

Assets

• ScriptVault-v1.7.5.zip — Chrome Web Store ready package
• ScriptVault-v1.7.5.crx — Direct install CRX3 file

ScriptVault v1.7.4

v1.7.4 — Critical Dashboard Fix

Bug Fix

Dashboard tabs (Settings, Utilities, Trash) were completely non-functional.

Root cause: During the Monaco editor migration, show-hint.min.js and userscript-hint.js were removed from dashboard.html script loads, but initEditor() still referenced CodeMirror.hint.userscript for autocomplete options. This threw a TypeError that crashed initEditor(), which prevented initEventListeners() from ever running — making all tab buttons, import, settings, and utilities completely unclickable.

Fixes

• Guard hintOptions with CodeMirror.hint?.userscript optional chaining
• Wrap initEditor() in try-catch so editor init errors never block tab navigation
• CRX now uses CRX3 format (Chrome dropped CRX2 support)

Assets

• ScriptVault-v1.7.4.zip — Chrome Web Store ready package
• ScriptVault-v1.7.4.crx — Direct install CRX3 file

ScriptVault v1.7.3

v1.7.3 — Memory Leaks, Missing Handlers & Validation

Background Service Worker

• Added missing GM_unregisterMenuCommand handler — previously, unregistering menu commands was a no-op; commands persisted in session storage forever
• Menu command cleanup on script delete — session storage entries for deleted scripts are now removed
• Notification callback leak fix — _notifCallbacks entries now cleaned up when auto-timeout fires (not all platforms trigger the onClosed event)
• XHR request ID collision fix — local request IDs now use a sequential counter instead of Math.random(), eliminating the possibility of two concurrent requests sharing an ID
• GM_cookie validation — GM_cookie_set and GM_cookie_delete now validate required url and name parameters before calling chrome.cookies, preventing silent failures

Dashboard

• Bulk enable/disable error handling — individual failures in bulk operations no longer crash the entire batch; errors are logged and remaining scripts continue processing
• Auto-delete error handling — closeScriptTab auto-delete for unmodified template scripts now has .catch() to prevent unhandled promise rejections

Assets

• ScriptVault-v1.7.3.zip — Chrome Web Store ready package
• ScriptVault-v1.7.3.crx — Direct install CRX file

ScriptVault v1.7.2

v1.7.2 — Linter, Install Page & Sort Improvements

Linter Severity Fixes

• Unknown @grant values — upgraded from warning to error (unknown grants fail at runtime)
• Invalid @sandbox values — upgraded from warning to error (breaks script execution)
• @grant none + GM API usage — upgraded from info to warning (API calls will silently fail)
• Added GM_webRequest to autocomplete hints and grant value suggestions
• Removed duplicate entries from metadata directive hints

Install Page Hardening

• Fixed XSS vector in icon error fallback (innerHTML → textContent)
• Fixed auto-close race condition — timer now cancels when user clicks Close or Open in Dashboard

Dashboard Sort

• Default sort is Updated descending (newest first) — confirmed working
• Clicking the Updated column header now defaults to descending (newest first) instead of ascending

Other

• Network log capacity increased from 500 → 2000 entries for better DevTools panel utility

Assets

• ScriptVault-v1.7.2.zip — Chrome Web Store ready package
• ScriptVault-v1.7.2.crx — Direct install CRX file

ScriptVault v1.7.1

v1.7.1 — Security & Bug Fix Release

Security Fixes

• postMessage origin validation — Content script bridge now uses location.origin instead of '/' for all window.postMessage calls
• Monaco adapter — Frame messages now scoped to iframe origin instead of wildcard *
• Offscreen document — Added sender ID validation to reject cross-extension messages
• Script signing — Fixed base64url encoding mismatch between sign and verify operations

Critical Bug Fixes

• Side Panel & DevTools were non-functional — Fixed message key mismatch (type: → action:) that prevented all background communication
• Side Panel toggle broken — Fixed id → scriptId parameter name for script settings
• Duplicate script installations — installFromUrl() now detects existing scripts by name+namespace and updates instead of duplicating
• Popup dropdown — Fixed clicks inside dropdown menu closing it prematurely

Improvements

• DevTools panel uses Promise.allSettled for partial failure recovery
• Side panel shows error state with retry instead of blank on connection loss
• WebDAV validates URL before upload/download (prevents null crash)
• Google Drive uses random multipart boundary (prevents body collision)
• Token refresh failures now logged for Google, Dropbox
• OneDrive validates upload data before sending
• Static analyzer entropy detection lowered to 80 chars with adaptive threshold
• Build artifacts (*.crx, *.zip, *.pem) added to .gitignore

Assets

• ScriptVault-v1.7.1.zip — Chrome Web Store ready package
• ScriptVault-v1.7.1.crx — Direct install CRX file