Skip to content

v1.4.0 — pre-launch deep audit

Latest
Latest

Choose a tag to compare

View all tags
@harry-harish harry-harish released this 13 Jun 17:35
· 12 commits to main since this release
v1.4.0
d1e2de3

Pre-launch deep audit: a 4-dimension adversarial review (cross-framework
breakage, dependency drift, validator correctness, security/cross-platform)
that fixed 16 verified findings — including a publish-guard gap — and added CI
guardrails so each fixed class is regression-protected.

Added

  • CI regression guardrails. Three jobs in .github/workflows/validate.yml:
    an adversarial validator-fixture suite (known-bad manifests must be caught,
    known-good must pass), a dependency-drift check (fails if a fast-moving
    package un-pins), and a WXT scaffold→install→build→validate matrix (the exact
    path the wxt/sandbox break failed on). The drift check immediately caught a
    stray wxt@latest in the vanilla template README.
  • Agent capability matrix in the README. A table now shows each specialist
    agent's tool grants, making the minimal-privilege design (no agent can
    Edit/Write or publish; only the architect plans without shell) verifiable at
    a glance instead of by reading three agent files.
  • Note that DNR rule-count limits aren't validated. dnr-conversion.md
    already documented Chrome's ~30k static / ~5k dynamic limits; it now states
    explicitly that the bundled validators don't count rules, so authors track it.
  • Icon dimension validation. validate-manifest.py now reads each PNG
    icon's actual pixel dimensions (stdlib only — no Pillow) and warns when they
    don't match the size key the icon is declared under. Wrong-size icons used to
    pass the file-existence check and only fail later at Chrome Web Store upload.
  • Host/match-pattern syntax validation. validate-permissions.py now flags
    malformed match patterns in host_permissions, optional_host_permissions,
    and content-script matches (e.g. **invalid**), which Chrome silently drops
    at load time.

Fixed

  • Windows requirements documented. The bundled helper scripts assume a
    POSIX shell, and build-zip.sh shells out to zip. README now states that
    Windows users must run the plugin inside WSL or Git Bash. A cross-platform
    port of the helpers is planned post-launch.
  • Plasmo scaffold produced a project that wouldn't install (upstream bug).
    pnpm create plasmo (create-plasmo 0.90.x) pins "plasmo": "workspace:*",
    so the next pnpm install fails with ERR_PNPM_WORKSPACE_PKG_NOT_FOUND. The
    plasmo-framework skill and /chrome-ext:new Plasmo path now warn about the
    upstream breakage, document the pnpm pkg set dependencies.plasmo=latest
    workaround, and steer new projects to WXT. (Existing Plasmo projects are
    unaffected — they never re-run the scaffold.)
  • Interactive WXT scaffold docs pinned to wxt@~0.20.26. commands/new.md
    and the wxt-framework skill used wxt@latest init; since 0.20.x relocated
    the defineBackground/defineContentScript exports, a floating @latest
    can scaffold a project that no longer imports correctly. Also corrected a doc
    line that wrongly said scaffold-wxt.sh runs wxt init (it writes files
    directly and already pins ~0.20.26).
  • validate-csp.sh now honors the exit-code contract. It exited with the
    raw critical count (e.g. 3) instead of 1; now exit 1 on any critical,
    0 otherwise — consistent with the other validators.
  • CRXJS scaffold was incomplete and failed to build. The react-ts
    template doesn't include the chrome.* types and the skill didn't create the
    _locales file its manifest references, so a clean scaffold hit TS2304: Cannot find name 'chrome' and shipped unresolved __MSG_*__ placeholders.
    Added @types/chrome, a tsconfig.app.json types: ["chrome"] step, and a
    public/_locales/en/messages.json step. Also moved the recommended plugin
    off @crxjs/vite-plugin@beta (an old 2.0.0-beta.x) to stable @^2.6.

Security

  • Publish guard rewritten to block the actual live-publish commands. The
    PreToolUse hook previously blocked --auto-publish, a flag that
    chrome-webstore-upload-cli v4 no longer has — so the real live-publish
    paths (chrome-webstore-upload publish, or a bare chrome-webstore-upload
    that uploads-and-publishes in one shot) bypassed the guard entirely. The
    hook now allows only the explicit upload (draft) subcommand and blocks
    publish/bare invocations unless prefixed with CONFIRM_PUBLISH_LIVE=1.

Changed

  • Publishing docs updated to the chrome-webstore-upload-cli v4 CLI.
    v4 removed the --client-id/--client-secret/--refresh-token/--auto-publish
    flags: credentials now come from the CLIENT_ID/CLIENT_SECRET/REFRESH_TOKEN
    environment variables, and live publish uses a separate publish subcommand.
    Updated commands/publish.md, extension-publishing/SKILL.md, the GitHub
    Actions template, and the OAuth setup guide; pinned the dlx invocations to
    chrome-webstore-upload-cli@4 so a future major can't break the flags again.
Assets 2
Loading