ScriptVault v1.7.1

v1.7.1 — Security & Bug Fix Release

Security Fixes

• postMessage origin validation — Content script bridge now uses location.origin instead of '/' for all window.postMessage calls
• Monaco adapter — Frame messages now scoped to iframe origin instead of wildcard *
• Offscreen document — Added sender ID validation to reject cross-extension messages
• Script signing — Fixed base64url encoding mismatch between sign and verify operations

Critical Bug Fixes

• Side Panel & DevTools were non-functional — Fixed message key mismatch (type: → action:) that prevented all background communication
• Side Panel toggle broken — Fixed id → scriptId parameter name for script settings
• Duplicate script installations — installFromUrl() now detects existing scripts by name+namespace and updates instead of duplicating
• Popup dropdown — Fixed clicks inside dropdown menu closing it prematurely

Improvements

• DevTools panel uses Promise.allSettled for partial failure recovery
• Side panel shows error state with retry instead of blank on connection loss
• WebDAV validates URL before upload/download (prevents null crash)
• Google Drive uses random multipart boundary (prevents body collision)
• Token refresh failures now logged for Google, Dropbox
• OneDrive validates upload data before sending
• Static analyzer entropy detection lowered to 80 chars with adaptive threshold
• Build artifacts (*.crx, *.zip, *.pem) added to .gitignore

Assets

• ScriptVault-v1.7.1.zip — Chrome Web Store ready package
• ScriptVault-v1.7.1.crx — Direct install CRX file