Coverage + standards-compliance + CI hygiene release. Headline: MUGA now consumes caps-spec/manifest.json as the source of truth for affiliate program identity, and the preserve set is decoupled from MUGA's own affiliate accounts — creator referrals are honored on Booking, Vercel, DigitalOcean, Humble Bundle, and Lemon Squeezy even though MUGA has no direct account on those programs.

Added

• caps-spec/manifest.json consumed as source of truth for the affiliate preserve set (#523, landed via #576/#577/#578). The 12-entry hand-maintained AFFILIATE_PATTERNS array is replaced by 7 consolidated entries generated at module load by joining the vendored caps-spec direct-injection programs with MUGA's hand-maintained OUR_TAGS map. New scripts/sync-affiliate-manifest.mjs mirrors the existing sync-wrappers.mjs pattern (Ed25519 signature verification when available, --allow-unsigned for the interim). Files: scripts/sync-affiliate-manifest.mjs, src/vendor/caps-spec/manifest.data.js, src/lib/affiliates.js.
• Sprinklr campaign-manager params (spr, sprtype) added to universal TRACKING_PARAMS (src/lib/affiliates.js, src/rules/tracking-params.json). Stripped on every domain. False-positive risk is low — these identify the campaign and asset that referred a click inside Sprinklr's backend and have no functional payload from the user's perspective. Closes the last "low-risk universal" gap from the #508 acceptance list (the merchant-specific gaps remain). (#508)
• tracker-flag.yml issue template (.github/ISSUE_TEMPLATE/tracker-flag.yml). Wires Channel 1 of CAPS decision 6 — receives structured tracker reports prefilled by MUGA's local heuristics (entropy + cross-site frequency). Schema mirrors the privacy contract already enforced by csft-upstream.js: only the SHAPE of the observation, never raw URLs or raw values. The existing tracking-param.md template is preserved (different intent — hand-written carrier-aware param requests). (#522)
• tracker-candidate repo label to receive auto-labelled issues from the new form.

Changed

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.4

User-visible polish release. Two critical fixes for users on v1.13.0–v1.13.2 (broken toolbar icon, stuck onboarding) plus a copy/visual pass on the onboarding and a popup cleanup. Also bundles two feature PRs that had been sitting on [Unreleased] since the 1.13.2 cut: wildcard whitelist/blacklist values and the CAPS-Basic + Contextual conformance claim.

Fixed

• Toolbar icon was invisible on Firefox and Chrome (#564). The 16/48/128 PNGs introduced in v1.13.0 were 96–99% transparent — only 6/256, 13/2304, and 32/16384 pixels respectively were opaque. The accompanying *-preserved.png files in the tree were the intact RGB sources, mistakenly left as the optimization input rather than the shipped output. This release copies those bytes over the broken files. Users on v1.13.0–v1.13.2 will see the working icon on the next AMO/Chrome Store update.
• Onboarding "Start browsing clean" button did nothing (#565). The CTA was natively disabled until the ToS checkbox was checked, so clicks were silently swallowed. Users who didn't notice the ToS gate clicked repeatedly with no feedback and assumed the onboarding was broken. Now the button uses aria-disabled so the click event still fires; the handler flashes the ToS card (respects prefers-reduced-motion), smooth-scrolls it into view, focuses the checkbox, and announces the requirement via an sr-only aria-live region. Playwright's toBeDisabled() recognises the new state, so existing e2e coverage carries over.
• Onboarding tagline pinned to a narrow left column (#565). The header had max-width: 26ch / 48ch / 52ch while the rest of the page used the full container width, leaving the tagline visually orphaned. Now flows to container width like the feature cards beneath.
• Redundant "Still see tracking?" link in the popup (#567). Two report links (#report-broken, #report-unclean) were splitting a single user intent — "this didn't work as expected" — across two GitHub queues. Removed #report-unclean; the remaining #report-broken absorbs both intents.
• Share button doubled the 📋 emoji on click (#567). The static <span aria-hidden="true">📋 </span> already held the icon and the click handler also wrote share_copy_prefix (another 📋) into the visible label, producing 📋📋 Share. The fix removes the entire share feature (see Removed below) — the bug dies with it.
• Creator-referral hint hidden behind a cursor: help tooltip (#567). The OS-level tooltip surfaces slowly (and not at all on touch), and the help cursor implied a click action that never existed. Now the hint renders inline as a small line below the badge — visible without interaction.

Added

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.3

Recovery release. No functional or user-visible changes vs v1.13.1 — same code, same rules, same behavior. The v1.13.1 release was tagged but its Release workflow failed at the unit-test step because the [Unreleased] reference link at the bottom of CHANGELOG.md still pointed at v1.13.0...HEAD after the bump. The tests/unit/changelog-links.test.mjs guard correctly flagged the drift, which blocked the AMO publish step from running. AMO therefore stayed on v1.11.0.

Fixed

• Release pipeline: [Unreleased] link in CHANGELOG.md now tracks the latest released tag, satisfying the changelog-links test that gates the Release workflow. Without this, every bump that forgot to update the link would silently skip AMO publish.

Added

• Popup now surfaces when MUGA preserved a third-party creator's affiliate tag on the current URL. New "Creator referral preserved" badge inside the preview section, with a tooltip explaining the policy. Fires regardless of whether the URL was otherwise modified — including on URLs MUGA leaves untouched. Wedge of "fair to creators" made tangible. New cleaner result field preservedAffiliate exposing { param, value, store, group }. Independent of the existing notifyForeignAffiliate toast preference: this is a passive UI signal, not a notification. New i18n keys preview_preserved_creator and preview_preserved_creator_hint in en/es/pt/de. (#327)
• New collaborative report link in the popup: "Still see tracking? Help us improve" (i18n key report_unclean_url). Visible only when MUGA modified the URL and showReportButton is on, alongside the existing "Report a problem with this URL" link. Opens a pre-filled GitHub issue tagged unclean-url with hostname, version, browser and the params MUGA already removed — never the full URL or query string. Same zero-network, no-new-permissions model as the broken-site report. Feeds the remote-rules catalog with real-world misses. (#271)

Changed

• Options page: the "Remote rule updates" section now appears before the "Advanced" block, so Advanced remains the last section on the page.
• Remote-rules copy softened to reflect the on-wake refresh model introduced in 1.10.1: "Enable rule updates" (toggle) and "Periodically checks for signed updates… about once a week, while you browse" (description). No behavioral change — the max cadence is still ~7 days.

Added

• Popup now reacts live to settings changes. Toggling MUGA on/off, or adding the current domain to the per-domain-disable list (blacklist entries of the form domain::disabled), updates the preview without reopening the popup. The trigger is both an optimistic in-popup re-render on the enabled-toggle click AND a chrome.storage.onChanged listener that catches changes made from the Options page in another tab.
• Distinct popup status when MUGA is globally active but the current site is on the per-domain-disable list. Previously only "MUGA is disabled" (global) was shown; now "MUGA is disabled on this site" surfaces the per-domain state. New i18n key muga_disabled_for_domain in all four locales.

Changed

• Remote rule updates no longer require the alarms permission. The weekly refresh now piggybacks on natural service-worker wake events (browser startup, page visits, popup messages) and is throttled by a stored fetchedAt timestamp — at most one fetch per 7 days, short-circuited immediately when the feature is off. This drops one permission from the manifest without changing the opt-in default or the privacy posture.

Removed

• alarms permission from manifest.json and manifest.v2.json.

Added

• Optional weekly updates for the tracking parameter list, off by default. Ed25519-signed payloads fetched from a public GitHub Pages endpoint (https://yocreoquesi.github.io/muga/rules/v1/params.json). Enable in Settings → Remote rule updates. Zero outbound requests on a default install. See docs/transparency.html. (#270)

Fixed

• Firefox TDZ: _contentPrefs declarations hoisted to top of the content script IIFE so early-firing event handlers (copy, click, runtime.onMessage) can no longer reference them before initialization (#298)
• Security: navigate() now enforces the 2000-char URL length cap before parsing
• Security: hostname extraction in the affiliate toast wrapped in safeHostname() — malformed URLs no longer throw inside event handlers

Added

• Static-analysis regression tests asserting _contentPrefs / _contentPrefsPending declarations stay above any reader and within the first 120 lines of cleaner.js

Fixed

• Security: add URL payload length limit, reject non-HTTP schemes, harden sanitizeHTML
• Robustness: cache version counter prevents stale prefs, time-based rewrite loop eviction
• Firefox MV2: shim chrome.runtime.sendMessage, deduplicate browser-polyfill loading
• MutationObserver ping blocking debounced via requestAnimationFrame
• Document silent .catch() handlers in content scripts
• Safe manifest swap script with trap-based restoration

Added

• Automated Firefox AMO submission on tag push
• Automated Chrome Web Store submission on tag push
• README: Chrome Web Store install badge (no longer "Coming soon")

Version 1.9.6

Fixes:
- Click handler no longer intercepts all link clicks. Only intercepts clicks to affiliate store domains. Non-affiliate clicks pass through unmodified, preserving SPA navigation on YouTube, forums, and all other sites.
- Click, copy, and self-clean handlers now check if the extension is enabled before any interception. Extension is fully inert when disabled.
- Prefs loaded eagerly at content script init for synchronous access.

852 passing tests. No permission changes.

Version 1.9.4

Changes in this version:
- Consent gate: extension is now fully disabled (no URL processing, popup blocked, options redirected) until the user accepts the Terms of Use in onboarding. Enforcement points: service-worker.js (handleProcessUrl), popup.js (consent-gate overlay), options.js (redirect), content/cleaner.js (ping blocking).
- 120+ new domain-specific tracking parameters (Amazon, Facebook, TikTok, Google, LinkedIn, Reddit, eBay, YouTube, Spotify, Netflix, NYTimes, BBC, AliExpress, Bing, Yahoo, Twitter/X, Etsy). Sourced from ClearURLs, AdGuard Filter 17, Neat-URL, and Mozilla's built-in strip list.
- 5 new Shopify recommendation tracking params (pr_prod_strat, pr_rec_id, pr_ref_pid, pr_rec_pid, pr_seq) added to global tracking list.
- Fixed: double onboarding tab caused by both onInstalled and fallback IIFE opening tabs. Now uses a dedup flag (openOnboardingOnce).
- Fixed: Promise shim (shimChromePromises in storage.js) was probing each API call by invoking it without a callback. For side-effectful methods like chrome.tabs.create, this executed the action twice. Now detects environment once at startup.

Version 1.9.2

Changes in this version:
- Redesigned onboarding (privacy-first messaging, 3 features)
- Affiliate redirect unwrapping (Awin, Admitad, ShareASale, VigLink, Tradedoubler)
- Strip awc/wt_mc from redirect-based affiliate networks
- Fix collapsible store groups in Settings
- Rename "Report broken site" to "Report a bug or suggest an improvement"
- 730 passing tests

No permission changes from previous version