ScriptVault v1.7.8: script registration engine fixes

Match pattern engine:
- Fix isValidMatchPattern rejecting patterns with ports (e.g. http://localhost:3000/*)
- Fix matchPattern wildcard subdomain comparison with ports (*.example.com:8080)
- convertIncludeToMatch now validates output against isValidMatchPattern

Script registration:
- Fix inconsistent enabled checks: 4 locations used truthy s.enabled instead
  of s.enabled !== false, causing scripts with undefined enabled state to be
  incorrectly treated as disabled
- Log failed script registrations in registerAllScripts (was silently swallowed
  by Promise.allSettled)

DNR rules:
- Check dynamic rule quota (30,000 limit) before applying GM_webRequest rules
  to prevent silent failures

Author: SysAdminDoc

CLAUDE.md

@@ -4,7 +4,7 @@
 Modern userscript manager built with Chrome Manifest V3. Tampermonkey-inspired functionality with cloud sync, auto-updates, a full dashboard, Monaco editor, DevTools panel, and a persistent side panel.
 
 ## Version
-v1.7.7
+v1.7.8
 
 ## Tech Stack
 - Chrome MV3 extension (JavaScript)
@@ -88,8 +88,8 @@ v1.7.7
 - `cleanupStaleCaches()` runs on init to prune expired `require_cache_*`, `res_cache_*`, trash entries, and tombstones >30 days
 - Lint: `@grant none` + GM API usage shows `warning` severity (upgraded from `info` in v1.7.2). Unknown `@grant` values and invalid `@sandbox` values are `error` severity.
 - **Side panel / DevTools must use `action:` key** (not `type:`) for background messages. Background returns `{ scripts: [...] }` — callers need `res?.scripts`. `setScriptSettings` expects `scriptId` not `id`.
-- **GM_cookie_set/GM_cookie_delete** require `url` and `name` parameters (validated in v1.7.7)
-- **GM_unregisterMenuCommand** handler added in v1.7.7 — previously calls were silently dropped
+- **GM_cookie_set/GM_cookie_delete** require `url` and `name` parameters (validated in v1.7.8)
+- **GM_unregisterMenuCommand** handler added in v1.7.8 — previously calls were silently dropped
 - **XHR local request IDs** use sequential counter `_xhrSeqId++` (not `Math.random`) to prevent collision
 - **Notification callbacks** cleaned up on auto-timeout (not all platforms fire `onClosed`)
 - **Menu commands** cleaned from session storage when a script is deleted
@@ -163,7 +163,7 @@ v1.7.7
 - **Side panel**: responds to `chrome.tabs.onActivated` and `chrome.tabs.onUpdated` to refresh script list on navigation. Uses same `sendToBackground` pattern as popup.
 - **DevTools panel**: auto-refreshes every 3s. `getNetworkLog` returns flat array; `getNetworkLogStats` for totals. HAR export uses `URL.createObjectURL` + programmatic `<a>` click.
 
-## v1.7.0 → v1.7.7 Audit (2026-03-24, 4 rounds)
+## v1.7.0 → v1.7.8 Audit (2026-03-24, 4 rounds)
 
 ### v1.7.0 — Major Feature Release
 - DevTools panel, Side panel, Script signing (Ed25519), Monaco editor adapter, Offscreen document
@@ -185,7 +185,7 @@ v1.7.7
 - GM_webRequest added to hints + grant values, duplicate hint directives removed
 - Dashboard: updated column defaults to desc sort, network log cap 500 -> 2000
 
-### v1.7.7 — Memory Leaks & Validation
+### v1.7.8 — Memory Leaks & Validation
 - Added missing GM_unregisterMenuCommand handler (calls were silently dropped)
 - Menu commands cleaned from session storage on script delete
 - Notification callback cleanup on auto-timeout
@@ -232,7 +232,7 @@ v1.7.7
 - Fixed: NetworkLog duration calculation used `_netLogEntry.timestamp` which was undefined; replaced with dedicated `_netLogStartTime` variable
 - Fixed: `state.folders`, `state._collapsedFolders`, `state._lastCheckedId`, `state._quotaWarned` not initialized in dashboard state object
 - Fixed: `switchTab('help')` in command palette failed because help tab is a header icon, not a `.tm-tab`; added special case handling
-- Verified: All version strings match (v1.7.7 across manifest, manifest-firefox, content.js, popup.js, dashboard.js)
+- Verified: All version strings match (v1.7.8 across manifest, manifest-firefox, content.js, popup.js, dashboard.js)
 - Verified: All bg/ modules load before background.core.js in build output
 - Verified: `escapeHtml` available in popup.js (shared/utils.js loaded first)
 - Verified: Column index mapping still correct after pin button addition (pin is inside actions TD, not a new column)

README.md

@@ -9,7 +9,7 @@
 </p>
 
 <p align="center">
-  <img src="https://img.shields.io/badge/version-1.7.7-22c55e?style=flat-square" alt="Version">
+  <img src="https://img.shields.io/badge/version-1.7.8-22c55e?style=flat-square" alt="Version">
   <img src="https://img.shields.io/badge/manifest-v3-60a5fa?style=flat-square" alt="Manifest V3">
   <img src="https://img.shields.io/badge/license-MIT-orange?style=flat-square" alt="License">
   <img src="https://img.shields.io/badge/chrome-120%2B-blue?style=flat-square" alt="Chrome 120+">
@@ -412,6 +412,6 @@ MIT License &mdash; see [LICENSE](LICENSE) for details.
 ---
 
 <p align="center">
-  <strong>ScriptVault v1.7.7</strong><br>
+  <strong>ScriptVault v1.7.8</strong><br>
   <em>Your scripts, your rules &mdash; locked down and loaded</em>
 </p>

background.core.js

@@ -853,7 +853,7 @@ async function handleMessage(message, sender) {
 
         // Re-register the script with userScripts API
         await unregisterScript(id);
-        if (script.enabled) {
+        if (script.enabled !== false) {
           await registerScript(script);
         }
 
@@ -973,7 +973,7 @@ async function handleMessage(message, sender) {
         trash.splice(idx, 1);
         await chrome.storage.local.set({ trash });
         await ScriptStorage.set(script.id, script);
-        if (script.enabled) await registerScript(script);
+        if (script.enabled !== false) await registerScript(script);
         await updateBadge();
         return { success: true };
       }
@@ -1445,7 +1445,7 @@ async function handleMessage(message, sender) {
         const needsReregister = EXEC_KEYS.some(k =>
           JSON.stringify(oldSettings[k]) !== JSON.stringify(data.settings[k])
         );
-        if (needsReregister && script.enabled) {
+        if (needsReregister && script.enabled !== false) {
           await unregisterScript(data.scriptId);
           await registerScript(script);
         }
@@ -2660,12 +2660,20 @@ function matchPattern(pattern, url, urlObj) {
 
     // Check host (use urlObj.host when pattern includes port, urlObj.hostname otherwise)
     if (host !== '*') {
-      const urlHost = host.includes(':') ? urlObj.host : urlObj.hostname;
+      const hasPort = host.includes(':');
+      const urlHost = hasPort ? urlObj.host : urlObj.hostname;
       if (host.startsWith('*.')) {
         const baseDomain = host.slice(2);
-        const compareHost = host.includes(':') ? urlObj.host : urlObj.hostname;
-        if (compareHost !== baseDomain && !compareHost.endsWith('.' + baseDomain)) {
-          return false;
+        if (hasPort) {
+          // For *.example.com:8080, compare host (includes port) against baseDomain
+          if (urlHost !== baseDomain && !urlHost.endsWith('.' + baseDomain)) {
+            return false;
+          }
+        } else {
+          // For *.example.com, compare hostname only
+          if (urlObj.hostname !== baseDomain && !urlObj.hostname.endsWith('.' + baseDomain)) {
+            return false;
+          }
         }
       } else if (host !== urlHost) {
         return false;
@@ -3263,7 +3271,7 @@ async function registerAllScripts() {
       return;
     }
 
-    const enabledScripts = scripts.filter(s => s.enabled);
+    const enabledScripts = scripts.filter(s => s.enabled !== false);
 
     // Sort by @priority (higher = first), then position
     enabledScripts.sort((a, b) => {
@@ -3276,7 +3284,11 @@ async function registerAllScripts() {
     console.log(`[ScriptVault] Registering ${enabledScripts.length} scripts`);
 
     // Register all scripts in parallel — significantly faster on large script collections
-    await Promise.allSettled(enabledScripts.map(script => registerScript(script)));
+    const results = await Promise.allSettled(enabledScripts.map(script => registerScript(script)));
+    const failures = results.filter(r => r.status === 'rejected');
+    if (failures.length > 0) {
+      console.warn(`[ScriptVault] ${failures.length} script(s) failed to register:`, failures.map(r => r.reason?.message || r.reason));
+    }
   } catch (e) {
     console.error('[ScriptVault] Failed to register scripts:', e);
   }
@@ -3879,6 +3891,12 @@ async function applyWebRequestRules(scriptId, rules) {
     });
 
     if (dnrRules.length > 0) {
+      // Check dynamic rule quota (Chrome limit: 30,000)
+      const existing = await chrome.declarativeNetRequest.getDynamicRules();
+      if (existing.length + dnrRules.length > 30000) {
+        console.warn(`[ScriptVault] DNR rule limit would be exceeded: ${existing.length} + ${dnrRules.length} > 30000`);
+        return;
+      }
       await chrome.declarativeNetRequest.updateDynamicRules({ addRules: dnrRules });
       _webRequestRuleMap.set(scriptId, ruleIds);
       debugLog(`[GM_webRequest] Applied ${dnrRules.length} rules for script ${scriptId}`);
@@ -5362,9 +5380,9 @@ ${libraryExports}
 function isValidMatchPattern(pattern) {
   if (!pattern) return false;
   if (pattern === '<all_urls>') return true;
-  
-  // Basic match pattern validation
-  const matchRegex = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)\/.*$/;
+
+  // Match pattern validation (allows ports: http://localhost:3000/*)
+  const matchRegex = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*:]+(?::\d+)?)\/.*$/;
   return matchRegex.test(pattern);
 }
 
@@ -5440,34 +5458,29 @@ function convertIncludeToMatch(include) {
 
   // Handle patterns like *://example.com/*
   if (pattern.startsWith('*://')) {
-    // Ensure pattern has a path component
-    const afterScheme = pattern.slice(4); // after *://
-    if (!afterScheme.includes('/')) {
-      pattern += '/*';
-    }
-    return pattern;
+    const afterScheme = pattern.slice(4);
+    if (!afterScheme.includes('/')) pattern += '/*';
+    return isValidMatchPattern(pattern) ? pattern : null;
   }
-  
+
   // Handle patterns like http://example.com/*
   if (pattern.match(/^https?:\/\//)) {
-    // Add wildcard path if not present
-    if (!pattern.includes('/*') && !pattern.endsWith('/')) {
-      pattern += '/*';
-    }
-    return pattern;
+    if (!pattern.includes('/*') && !pattern.endsWith('/')) pattern += '/*';
+    return isValidMatchPattern(pattern) ? pattern : null;
   }
-  
+
   // Handle patterns like *.example.com
   if (pattern.startsWith('*.')) {
-    return '*://' + pattern + '/*';
+    const result = '*://' + pattern + '/*';
+    return isValidMatchPattern(result) ? result : null;
   }
-  
+
   // Handle patterns like example.com
   if (!pattern.includes('://') && !pattern.startsWith('/')) {
-    return '*://' + pattern + '/*';
+    const result = '*://' + pattern + '/*';
+    return isValidMatchPattern(result) ? result : null;
   }
-  
-  // Can't convert, return null
+
   return null;
 }
 

background.js

@@ -1,4 +1,4 @@
-// ScriptVault v1.7.7 - Background Service Worker
+// ScriptVault v1.7.8 - Background Service Worker
 // Comprehensive userscript manager with cloud sync and auto-updates
 // NOTE: This file is built from source modules. Edit the individual files in
 // shared/, modules/, and lib/, then run build-background.sh to regenerate.
@@ -6020,7 +6020,7 @@ async function handleMessage(message, sender) {
 
         // Re-register the script with userScripts API
         await unregisterScript(id);
-        if (script.enabled) {
+        if (script.enabled !== false) {
           await registerScript(script);
         }
 
@@ -6140,7 +6140,7 @@ async function handleMessage(message, sender) {
         trash.splice(idx, 1);
         await chrome.storage.local.set({ trash });
         await ScriptStorage.set(script.id, script);
-        if (script.enabled) await registerScript(script);
+        if (script.enabled !== false) await registerScript(script);
         await updateBadge();
         return { success: true };
       }
@@ -6612,7 +6612,7 @@ async function handleMessage(message, sender) {
         const needsReregister = EXEC_KEYS.some(k =>
           JSON.stringify(oldSettings[k]) !== JSON.stringify(data.settings[k])
         );
-        if (needsReregister && script.enabled) {
+        if (needsReregister && script.enabled !== false) {
           await unregisterScript(data.scriptId);
           await registerScript(script);
         }
@@ -7827,12 +7827,20 @@ function matchPattern(pattern, url, urlObj) {
 
     // Check host (use urlObj.host when pattern includes port, urlObj.hostname otherwise)
     if (host !== '*') {
-      const urlHost = host.includes(':') ? urlObj.host : urlObj.hostname;
+      const hasPort = host.includes(':');
+      const urlHost = hasPort ? urlObj.host : urlObj.hostname;
       if (host.startsWith('*.')) {
         const baseDomain = host.slice(2);
-        const compareHost = host.includes(':') ? urlObj.host : urlObj.hostname;
-        if (compareHost !== baseDomain && !compareHost.endsWith('.' + baseDomain)) {
-          return false;
+        if (hasPort) {
+          // For *.example.com:8080, compare host (includes port) against baseDomain
+          if (urlHost !== baseDomain && !urlHost.endsWith('.' + baseDomain)) {
+            return false;
+          }
+        } else {
+          // For *.example.com, compare hostname only
+          if (urlObj.hostname !== baseDomain && !urlObj.hostname.endsWith('.' + baseDomain)) {
+            return false;
+          }
         }
       } else if (host !== urlHost) {
         return false;
@@ -8430,7 +8438,7 @@ async function registerAllScripts() {
       return;
     }
 
-    const enabledScripts = scripts.filter(s => s.enabled);
+    const enabledScripts = scripts.filter(s => s.enabled !== false);
 
     // Sort by @priority (higher = first), then position
     enabledScripts.sort((a, b) => {
@@ -8443,7 +8451,11 @@ async function registerAllScripts() {
     console.log(`[ScriptVault] Registering ${enabledScripts.length} scripts`);
 
     // Register all scripts in parallel — significantly faster on large script collections
-    await Promise.allSettled(enabledScripts.map(script => registerScript(script)));
+    const results = await Promise.allSettled(enabledScripts.map(script => registerScript(script)));
+    const failures = results.filter(r => r.status === 'rejected');
+    if (failures.length > 0) {
+      console.warn(`[ScriptVault] ${failures.length} script(s) failed to register:`, failures.map(r => r.reason?.message || r.reason));
+    }
   } catch (e) {
     console.error('[ScriptVault] Failed to register scripts:', e);
   }
@@ -9046,6 +9058,12 @@ async function applyWebRequestRules(scriptId, rules) {
     });
 
     if (dnrRules.length > 0) {
+      // Check dynamic rule quota (Chrome limit: 30,000)
+      const existing = await chrome.declarativeNetRequest.getDynamicRules();
+      if (existing.length + dnrRules.length > 30000) {
+        console.warn(`[ScriptVault] DNR rule limit would be exceeded: ${existing.length} + ${dnrRules.length} > 30000`);
+        return;
+      }
       await chrome.declarativeNetRequest.updateDynamicRules({ addRules: dnrRules });
       _webRequestRuleMap.set(scriptId, ruleIds);
       debugLog(`[GM_webRequest] Applied ${dnrRules.length} rules for script ${scriptId}`);
@@ -10529,9 +10547,9 @@ ${libraryExports}
 function isValidMatchPattern(pattern) {
   if (!pattern) return false;
   if (pattern === '<all_urls>') return true;
-  
-  // Basic match pattern validation
-  const matchRegex = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]+)\/.*$/;
+
+  // Match pattern validation (allows ports: http://localhost:3000/*)
+  const matchRegex = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*:]+(?::\d+)?)\/.*$/;
   return matchRegex.test(pattern);
 }
 
@@ -10607,34 +10625,29 @@ function convertIncludeToMatch(include) {
 
   // Handle patterns like *://example.com/*
   if (pattern.startsWith('*://')) {
-    // Ensure pattern has a path component
-    const afterScheme = pattern.slice(4); // after *://
-    if (!afterScheme.includes('/')) {
-      pattern += '/*';
-    }
-    return pattern;
+    const afterScheme = pattern.slice(4);
+    if (!afterScheme.includes('/')) pattern += '/*';
+    return isValidMatchPattern(pattern) ? pattern : null;
   }
-  
+
   // Handle patterns like http://example.com/*
   if (pattern.match(/^https?:\/\//)) {
-    // Add wildcard path if not present
-    if (!pattern.includes('/*') && !pattern.endsWith('/')) {
-      pattern += '/*';
-    }
-    return pattern;
+    if (!pattern.includes('/*') && !pattern.endsWith('/')) pattern += '/*';
+    return isValidMatchPattern(pattern) ? pattern : null;
   }
-  
+
   // Handle patterns like *.example.com
   if (pattern.startsWith('*.')) {
-    return '*://' + pattern + '/*';
+    const result = '*://' + pattern + '/*';
+    return isValidMatchPattern(result) ? result : null;
   }
-  
+
   // Handle patterns like example.com
   if (!pattern.includes('://') && !pattern.startsWith('/')) {
-    return '*://' + pattern + '/*';
+    const result = '*://' + pattern + '/*';
+    return isValidMatchPattern(result) ? result : null;
   }
-  
-  // Can't convert, return null
+
   return null;
 }
 

content.js

@@ -1,4 +1,4 @@
-// ScriptVault v1.7.7 - Content Script Bridge
+// ScriptVault v1.7.8 - Content Script Bridge
 // Bridges messages between userscripts (USER_SCRIPT world) and background service worker
 
 (function() {

manifest-firefox.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": 3,
   "name": "__MSG_extName__",
-  "version": "1.7.7",
+  "version": "1.7.8",
   "description": "__MSG_extDescription__",
   "default_locale": "en",
   "homepage_url": "https://github.com/SysAdminDoc/ScriptVault",

manifest.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": 3,
   "name": "__MSG_extName__",
-  "version": "1.7.7",
+  "version": "1.7.8",
   "description": "__MSG_extDescription__",
   "default_locale": "en",
   "minimum_chrome_version": "120",

offscreen.js

@@ -1,4 +1,4 @@
-// ScriptVault Offscreen Document v1.7.7
+// ScriptVault Offscreen Document v1.7.8
 // Handles CPU-intensive tasks off the service worker:
 //   - AST-based script analysis (via Acorn)
 //   - 3-way text merge for sync conflict resolution