ScriptVault v1.7.3: memory leaks, missing handlers, validation fixes

Background fixes:
- Add missing GM_unregisterMenuCommand handler (commands persisted forever)
- Clean up menu commands from session storage on script delete
- Fix notification callback leak (cleanup on auto-timeout)
- Fix XHR local request ID collision (sequential counter instead of Math.random)
- Add url/name validation to GM_cookie_set and GM_cookie_delete

Dashboard fixes:
- Add try-catch to bulk enable/disable operations
- Add .catch() to auto-delete .then() chain in closeScriptTab

Author: SysAdminDoc

CLAUDE.md

@@ -4,7 +4,7 @@
 Modern userscript manager built with Chrome Manifest V3. Tampermonkey-inspired functionality with cloud sync, auto-updates, a full dashboard, Monaco editor, DevTools panel, and a persistent side panel.
 
 ## Version
-v1.7.2
+v1.7.3
 
 ## Tech Stack
 - Chrome MV3 extension (JavaScript)
@@ -194,7 +194,7 @@ v1.7.2
 - Fixed: NetworkLog duration calculation used `_netLogEntry.timestamp` which was undefined; replaced with dedicated `_netLogStartTime` variable
 - Fixed: `state.folders`, `state._collapsedFolders`, `state._lastCheckedId`, `state._quotaWarned` not initialized in dashboard state object
 - Fixed: `switchTab('help')` in command palette failed because help tab is a header icon, not a `.tm-tab`; added special case handling
-- Verified: All version strings match (v1.7.2 across manifest, manifest-firefox, content.js, popup.js, dashboard.js)
+- Verified: All version strings match (v1.7.3 across manifest, manifest-firefox, content.js, popup.js, dashboard.js)
 - Verified: All bg/ modules load before background.core.js in build output
 - Verified: `escapeHtml` available in popup.js (shared/utils.js loaded first)
 - Verified: Column index mapping still correct after pin button addition (pin is inside actions TD, not a new column)

README.md

@@ -9,7 +9,7 @@
 </p>
 
 <p align="center">
-  <img src="https://img.shields.io/badge/version-1.7.2-22c55e?style=flat-square" alt="Version">
+  <img src="https://img.shields.io/badge/version-1.7.3-22c55e?style=flat-square" alt="Version">
   <img src="https://img.shields.io/badge/manifest-v3-60a5fa?style=flat-square" alt="Manifest V3">
   <img src="https://img.shields.io/badge/license-MIT-orange?style=flat-square" alt="License">
   <img src="https://img.shields.io/badge/chrome-120%2B-blue?style=flat-square" alt="Chrome 120+">
@@ -325,6 +325,6 @@ MIT License &mdash; see [LICENSE](LICENSE) for details.
 ---
 
 <p align="center">
-  <strong>ScriptVault v1.7.2</strong><br>
+  <strong>ScriptVault v1.7.3</strong><br>
   <em>Your scripts, your rules &mdash; locked down and loaded</em>
 </p>

background.core.js

@@ -927,6 +927,15 @@ async function handleMessage(message, sender) {
         await unregisterScript(scriptId);
         await ScriptStorage.delete(scriptId);
 
+        // Clean up menu commands for deleted script
+        try {
+          const cmdData = await chrome.storage.session.get('menuCommands');
+          if (cmdData?.menuCommands?.[scriptId]) {
+            delete cmdData.menuCommands[scriptId];
+            await chrome.storage.session.set(cmdData);
+          }
+        } catch {}
+
         // Record tombstone so sync won't re-import this script from remote
         const tombstoneData = await chrome.storage.local.get('syncTombstones');
         const tombstones = tombstoneData.syncTombstones || {};
@@ -2097,6 +2106,8 @@ async function handleMessage(message, sender) {
         if (data.timeout && data.timeout > 0) {
           setTimeout(() => {
             chrome.notifications.clear(notifId).catch(() => {});
+            // Clean up callback tracker (onClosed listener may not fire on all platforms)
+            self._notifCallbacks.delete(notifId);
           }, data.timeout);
         }
         return { success: true, id: notifId };
@@ -2197,6 +2208,21 @@ async function handleMessage(message, sender) {
         return { success: true };
       }
 
+      case 'unregisterMenuCommand':
+      case 'GM_unregisterMenuCommand': {
+        const commands = await chrome.storage.session.get('menuCommands') || {};
+        if (commands.menuCommands?.[data.scriptId]) {
+          commands.menuCommands[data.scriptId] = commands.menuCommands[data.scriptId].filter(
+            c => c.id !== data.commandId
+          );
+          if (commands.menuCommands[data.scriptId].length === 0) {
+            delete commands.menuCommands[data.scriptId];
+          }
+          await chrome.storage.session.set(commands);
+        }
+        return { success: true };
+      }
+
       // Get menu commands
       case 'getMenuCommands': {
         const result = await chrome.storage.session.get('menuCommands');
@@ -2250,6 +2276,8 @@ async function handleMessage(message, sender) {
 
       case 'GM_cookie_set': {
         try {
+          if (!data.url) return { error: 'url is required for cookie set' };
+          if (!data.name) return { error: 'name is required for cookie set' };
           const cookie = await chrome.cookies.set({
             url: data.url,
             name: data.name,
@@ -2269,6 +2297,7 @@ async function handleMessage(message, sender) {
 
       case 'GM_cookie_delete': {
         try {
+          if (!data.url || !data.name) return { error: 'url and name are required for cookie delete' };
           await chrome.cookies.remove({
             url: data.url,
             name: data.name
@@ -4045,6 +4074,7 @@ ${req.code}
   
   // XHR request tracking (like Violentmonkey's idMap)
   const _xhrRequests = new Map(); // requestId -> { details, aborted }
+  let _xhrSeqId = 0;
   
   // Value change listeners (like Tampermonkey)
   const _valueChangeListeners = new Map(); // listenerId -> { key, callback }
@@ -4441,7 +4471,7 @@ ${req.code}
     }
     
     // Generate unique request ID
-    const localId = 'xhr_' + Math.random().toString(36).substring(2) + Date.now().toString(36);
+    const localId = 'xhr_' + (++_xhrSeqId) + '_' + Date.now().toString(36);
     let requestId = null;
     let aborted = false;
     let currentMapKey = localId;

background.js

@@ -1,4 +1,4 @@
-// ScriptVault v1.7.2 - Background Service Worker
+// ScriptVault v1.7.3 - Background Service Worker
 // Comprehensive userscript manager with cloud sync and auto-updates
 // NOTE: This file is built from source modules. Edit the individual files in
 // shared/, modules/, and lib/, then run build-background.sh to regenerate.
@@ -6093,6 +6093,15 @@ async function handleMessage(message, sender) {
         await unregisterScript(scriptId);
         await ScriptStorage.delete(scriptId);
 
+        // Clean up menu commands for deleted script
+        try {
+          const cmdData = await chrome.storage.session.get('menuCommands');
+          if (cmdData?.menuCommands?.[scriptId]) {
+            delete cmdData.menuCommands[scriptId];
+            await chrome.storage.session.set(cmdData);
+          }
+        } catch {}
+
         // Record tombstone so sync won't re-import this script from remote
         const tombstoneData = await chrome.storage.local.get('syncTombstones');
         const tombstones = tombstoneData.syncTombstones || {};
@@ -7263,6 +7272,8 @@ async function handleMessage(message, sender) {
         if (data.timeout && data.timeout > 0) {
           setTimeout(() => {
             chrome.notifications.clear(notifId).catch(() => {});
+            // Clean up callback tracker (onClosed listener may not fire on all platforms)
+            self._notifCallbacks.delete(notifId);
           }, data.timeout);
         }
         return { success: true, id: notifId };
@@ -7363,6 +7374,21 @@ async function handleMessage(message, sender) {
         return { success: true };
       }
 
+      case 'unregisterMenuCommand':
+      case 'GM_unregisterMenuCommand': {
+        const commands = await chrome.storage.session.get('menuCommands') || {};
+        if (commands.menuCommands?.[data.scriptId]) {
+          commands.menuCommands[data.scriptId] = commands.menuCommands[data.scriptId].filter(
+            c => c.id !== data.commandId
+          );
+          if (commands.menuCommands[data.scriptId].length === 0) {
+            delete commands.menuCommands[data.scriptId];
+          }
+          await chrome.storage.session.set(commands);
+        }
+        return { success: true };
+      }
+
       // Get menu commands
       case 'getMenuCommands': {
         const result = await chrome.storage.session.get('menuCommands');
@@ -7416,6 +7442,8 @@ async function handleMessage(message, sender) {
 
       case 'GM_cookie_set': {
         try {
+          if (!data.url) return { error: 'url is required for cookie set' };
+          if (!data.name) return { error: 'name is required for cookie set' };
           const cookie = await chrome.cookies.set({
             url: data.url,
             name: data.name,
@@ -7435,6 +7463,7 @@ async function handleMessage(message, sender) {
 
       case 'GM_cookie_delete': {
         try {
+          if (!data.url || !data.name) return { error: 'url and name are required for cookie delete' };
           await chrome.cookies.remove({
             url: data.url,
             name: data.name
@@ -9211,6 +9240,7 @@ ${req.code}
   
   // XHR request tracking (like Violentmonkey's idMap)
   const _xhrRequests = new Map(); // requestId -> { details, aborted }
+  let _xhrSeqId = 0;
   
   // Value change listeners (like Tampermonkey)
   const _valueChangeListeners = new Map(); // listenerId -> { key, callback }
@@ -9607,7 +9637,7 @@ ${req.code}
     }
     
     // Generate unique request ID
-    const localId = 'xhr_' + Math.random().toString(36).substring(2) + Date.now().toString(36);
+    const localId = 'xhr_' + (++_xhrSeqId) + '_' + Date.now().toString(36);
     let requestId = null;
     let aborted = false;
     let currentMapKey = localId;

content.js

@@ -1,4 +1,4 @@
-// ScriptVault v1.7.2 - Content Script Bridge
+// ScriptVault v1.7.3 - Content Script Bridge
 // Bridges messages between userscripts (USER_SCRIPT world) and background service worker
 
 (function() {

manifest-firefox.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": 3,
   "name": "__MSG_extName__",
-  "version": "1.7.2",
+  "version": "1.7.3",
   "description": "__MSG_extDescription__",
   "default_locale": "en",
   "homepage_url": "https://github.com/SysAdminDoc/ScriptVault",

manifest.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": 3,
   "name": "__MSG_extName__",
-  "version": "1.7.2",
+  "version": "1.7.3",
   "description": "__MSG_extDescription__",
   "default_locale": "en",
   "minimum_chrome_version": "120",

offscreen.js

@@ -1,4 +1,4 @@
-// ScriptVault Offscreen Document v1.7.2
+// ScriptVault Offscreen Document v1.7.3
 // Handles CPU-intensive tasks off the service worker:
 //   - AST-based script analysis (via Acorn)
 //   - 3-way text merge for sync conflict resolution

pages/dashboard.js

@@ -1,4 +1,4 @@
-// ScriptVault Dashboard v1.7.2 - Full-Featured Controller
+// ScriptVault Dashboard v1.7.3 - Full-Featured Controller
 (function() {
     'use strict';
 
@@ -1325,7 +1325,11 @@
                 for (let i = 0; i < ids.length; i++) {
                     const s = state.scripts.find(x => x.id === ids[i]);
                     updateProgress(i + 1, ids.length, `${s?.metadata?.name || ids[i]} (${i + 1}/${ids.length})`);
-                    await chrome.runtime.sendMessage({ action: 'toggleScript', scriptId: ids[i], enabled: true });
+                    try {
+                        await chrome.runtime.sendMessage({ action: 'toggleScript', scriptId: ids[i], enabled: true });
+                    } catch (e) {
+                        console.warn('[ScriptVault] Enable failed for', ids[i], e.message);
+                    }
                 }
                 await loadScripts();
                 updateStats();
@@ -1338,7 +1342,11 @@
                 for (let i = 0; i < ids.length; i++) {
                     const s = state.scripts.find(x => x.id === ids[i]);
                     updateProgress(i + 1, ids.length, `${s?.metadata?.name || ids[i]} (${i + 1}/${ids.length})`);
-                    await chrome.runtime.sendMessage({ action: 'toggleScript', scriptId: ids[i], enabled: false });
+                    try {
+                        await chrome.runtime.sendMessage({ action: 'toggleScript', scriptId: ids[i], enabled: false });
+                    } catch (e) {
+                        console.warn('[ScriptVault] Disable failed for', ids[i], e.message);
+                    }
                 }
                 await loadScripts();
                 updateStats();
@@ -2042,7 +2050,7 @@
                 chrome.runtime.sendMessage({ action: 'deleteScript', scriptId }).then(() => {
                     loadScripts();
                     updateStats();
-                });
+                }).catch(e => console.warn('[ScriptVault] Auto-delete failed:', e.message));
             }
 
             if (state.currentScriptId === scriptId) {

pages/devtools-panel.js

@@ -1,4 +1,4 @@
-// ScriptVault DevTools Panel v1.7.2
+// ScriptVault DevTools Panel v1.7.3
 // Network inspection, execution profiling, and console capture
 
 (function () {
@@ -232,7 +232,7 @@
       comment: e.scriptName || ''
     }));
 
-    const har = { log: { version: '1.2', creator: { name: 'ScriptVault', version: '1.7.2' }, entries } };
+    const har = { log: { version: '1.2', creator: { name: 'ScriptVault', version: '1.7.3' }, entries } };
     const blob = new Blob([JSON.stringify(har, null, 2)], { type: 'application/json' });
     const url = URL.createObjectURL(blob);
     const a = document.createElement('a');