Hotfix release. Headline: Privacy Proxy now actually works end-to-end. Three contract bugs were preventing the toggle from doing anything in v1.14.0 and v1.15.0 — the extension was calling the Worker on the wrong path (/v1/unwrap vs /unwrap) and with the wrong query param shape (?url=raw vs ?u=base64url). Both were silent because the cleaner's failure mode is to fall back to the original navigation. The Worker contract is unchanged; this fix aligns the extension to it. Users who had Privacy Proxy enabled but never saw any difference will start getting actual server-side resolution after upgrading.

Fixed

• src/lib/proxy-client.js PROXY_URL path corrected from https://unwrap.muga.app/v1/unwrap to https://unwrap.muga.app/unwrap. The /v1/unwrap path was never deployed on the Worker; every Privacy Proxy request returned 404 Not Found and silently fell back to the wrapper navigation. Discovered via direct curl probe of the production Worker.
• src/lib/proxy-client.js query param contract corrected from ?url=<raw> to ?u=<base64url-encoded>. The Worker handler reads the u param and base64url-decodes it (muga-unwrap/src/handlers/unwrap.ts:110-111); the extension was sending the raw URL under the wrong key, which would have returned 400 missing_u_parameter even if the path had been correct.

Added

• base64UrlEncode(str) helper exported from src/lib/proxy-client.js. Symmetric to the Worker's decodeBase64Url decoder. Uses TextEncoder for Unicode safety (theoretical IRIs in URLs).
• Endpoint-contract regression tests in tests/unit/proxy-client.test.mjs. Three new assertions: PROXY_URL points to /unwrap, fetch is called with ?u= (NOT ?url=), and the encoded value round-trips through atob to the original input. The pre-existing fetch-stubbing tests asserted on response shape but not on request shape — that gap is now closed.

Operational notes

• The Worker side (muga-unwrap) is unchanged. The canonical Worker contract ?u=<base64url> was always correct; the bug was purely client-side.
• Smoke probe in muga-unwrap/.github/workflows/deploy.yml (added in v0.2.x post-mortem hardening) was already exercising the correct path and param shape — that's why deploy CI never caught the extension-side bug. Future-proofing: a separate smoke probe on the extension side that verifies the actual request shape would have caught this; out of scope for this hotfix.

Redirector coverage release. Headline: Privacy Proxy now covers seven more redirector hosts — the generic shorteners bit.ly, tinyurl.com, t.co, and link.medium.com; the Partnerize affiliate redirector prf.hn; A8.net Japan's px.a8.net; and Amazon's branded shortener amzn.to. The toggle disclosure copy is reworded so the broader scope is honest — what was "opaque affiliate links" is now "opaque redirector links (affiliate networks and generic shorteners)." A foundational refactor eliminates the duplicate opaque-host list that previously lived in two files; adding a host now requires a one-line edit in src/lib/opaque-networks.js. The Worker side (cross-repo) landed first in muga-unwrap#29.

Added

• 7 new / activated opaque redirector hosts in src/lib/opaque-networks.js:
• bit.ly — generic URL shortener (PR-02).
• tinyurl.com — generic URL shortener (PR-03).
• prf.hn — Partnerize / Performance Horizon affiliate; resolved via Worker HEAD chain, no client-side path-segment extractor (PR-04).
• px.a8.net — A8.net Japan affiliate; hostname confirmed via T00 STANDARD curl probe (r.a8.net does not resolve) (PR-05).
• amzn.to — Amazon branded shortener; ships conditional on G3 regression gate (PR-06); tag= preservation verified.
• t.co — Twitter/X URL shortener; extension-only activation — Worker already accepts t.co via caps-spec buildSpecAllowlist (PR-07).
• link.medium.com — Medium URL shortener; extension-only activation, same pattern as t.co (PR-08).
• isOpaqueNetworkHost(hostname) helper exported from src/lib/opaque-networks.js. Centralises the www. normalization that previously lived inline inside the content-script IIFE. The helper is re-exported through the content bundle (src/content/cleaner-bundle-src.mjs) so that cleaner.js can delegate to window.__mugaCleaner.isOpaqueNetworkHost without a private replica.
• amzn.to tag= preservation regression test (tests/unit/amzn-to-tag-preservation.test.mjs). Four cases: .com with Honor Creator mode, .es with Honor Creator mode, control case (stripAllAffiliates strips tag), and noise-param stripping alongside tag survival. D7 shipping gate per design AD-03.
• New helpers unit test (tests/unit/opaque-networks-helpers.test.mjs). Covers isOpaqueNetworkHost contract: bare host match, www-stripped match, false for non-opaque host, false for empty/null/undefined. Replaces the obsolete sync test.

Changed

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.15.0

Privacy Proxy release. Headline: MUGA can now resolve opaque affiliate wrappers — links where the destination URL is hidden inside a redirector your browser would normally have to load — through unwrap.muga.app, an open-source Cloudflare Worker that follows the redirect chain server-side and returns the resolved destination signed with Ed25519. The opaque host never loads on your machine. Fully opt-in via a new "Privacy Proxy" toggle in Settings, off by default; the existing Strict Local and Honor Creator modes are unchanged. Closes #453.

Added

• Privacy Proxy mode for opaque affiliate networks (#453). When enabled and a click hits an opaque wrapper (AliExpress s.click.aliexpress.com, CJ Affiliate's eight redirector domains, Admitad ad.admitad.com), MUGA's content script intercepts the navigation, posts the URL to the unwrap.muga.app Worker, verifies the Ed25519 signature on the response locally against a hardcoded public key, and navigates the tab directly to the resolved destination. The opaque host never loads. On signature failure, network failure, or any error path, the original click proceeds unmodified — Privacy Proxy is a privacy enhancement, never a navigation gate. Files: src/lib/proxy-client.js, src/lib/proxy-navigate.js, src/lib/opaque-networks.js, src/content/cleaner.js, src/background/service-worker.js.
• Three-mode matrix UI in Settings. A new "Privacy Proxy" section in the options page exposes two toggles (Honor Creator, Privacy Proxy) that combine into three modes: Strict Local (both off — default; behavior unchanged from v1.13.x), Honor Creator (creator referral preserved on direct affiliate links; behavior unchanged from v1.13.x), and Honor + Proxy (Honor Creator behavior plus opaque-wrapper resolution via the Worker). The active mode is shown above the toggles in plain English so users can confirm what they're enabling. The pure deriveModeLabel helper (src/lib/mode-label.js) is unit-tested independently of the UI. Files: src/options/options.html, src/options/options.js.

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.14.0

Toolbar icon recovery release. Headline: the toolbar action icon now renders consistently in both Firefox and Chrome — the gray placeholder some users were seeing on about:addons and across tabs is fixed. The "creator referral preserved" green-check icon variant, which had been retired earlier the same day on a misdiagnosis, is also restored.

Added

• OBJECTIVES.md — public North Star metric (Firefox AMO weekly active users), 6-month targets, explicit non-goals, and the four decision principles used to triage every new proposal. Closes #338. Linked from the README header.
• docs/ops/ finalised — the three runbooks (health-signals.md, rollback-playbook.md, staged-release.md) plus the README.md index are now wired up end to end. Closes #397. Two broken rollback.md references in health-signals.md were fixed (the actual filename is rollback-playbook.md); a third integrity check was added to tests/unit/ops-docs-sync.test.mjs that asserts every relative .md link inside docs/ops/ points to a file that exists, so a future typo cannot ship silently. The staged-release.md decision log was reset to start at v1.13.5 / v1.13.6 with real entries instead of TBD placeholders. README header now links to docs/ops/README.md alongside Contributing.

Coverage

• TikTok _t added to universal TRACKING_PARAMS (src/lib/affiliates.js, platform_noise category). Sister to existing _r — share token, not functional for the web URL. Closes the corresponding #508 gap.
• AliExpress aff_fcid added to aliexpress.com.stripParams in src/rules/domain-rules.json. Domain-scoped — CPS click ID, transient and not creator-attributing.
• Walmart sourceid + athcpid added to walmart.com.stripParams. Campaign source tag and per-impression content ID respectively.
• bestbuy.com is a new domain-rules entry (#508). Strips ref (referral source) + loc (campaign location) + irclickid + irgwc (Impact Radius affiliate ad-attribution); preserves q / id / intl / page.

Fixed

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.7

Onboarding hardening release. Headline: the first-run onboarding flow on Firefox no longer leaves the user staring at an unchanged tab after they accept — the silent regression that made "Start browsing clean" appear to do nothing is fixed, the cleaner is now provably off until acceptance, and the toolbar surfaces a "!" badge while consent is pending. Plus a separate gate fix: opening Settings right after a clean acceptance no longer bounces back to onboarding.

Added

• Apple Services Performance Partners as a direct-injection program (#594, partial — Apple half). Refresh of the vendored caps-spec snapshot brought in apple-phg (caps-spec PR #45), so MUGA now preserves ?at= affiliate tokens on music.apple.com, geo.music.apple.com, tv.apple.com, books.apple.com, podcasts.apple.com, apps.apple.com, and itunes.apple.com. The "Creator referral preserved" badge fires on those hosts when a third-party at token is present, even though MUGA has no Apple Performance Partners account (per the #523 decoupling). The companion ?ct= parameter is intentionally NOT matched as a creator referral — it is the campaign-name field, not the attribution token. The Bookshop.org half of #594 remains blocked on caps-spec#46 (RFC for path-based affiliate program schema).
• Toolbar consent-required cue. A global "!" badge surfaces on the toolbar icon while onboardingDone === false (including hard-reonboard, where getPrefs() forces the flag back to false). Cleared on acceptance. Wired through onInstalled, the cold-start fallback, and a new mugaConsent branch in the storage onChanged listener that re-runs DNR + badge in one shot. Files: src/background/service-worker.js.
• Onboarding success state. After consent persistence, the page renders an in-place "You're all set / Close tab" confirmation and attempts a best-effort tab close (window.close() then chrome.tabs.remove). Firefox refuses window.close() on tabs not opened by JS, so the in-place state is the safety net that proves to the user the click landed. Files: src/onboarding/onboarding.js, src/onboarding/onboarding.html, src/lib/i18n.js (en/es/pt/de).

Changed

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.6

Branded-domain release. The signed remote-rules endpoint moves under rules.muga.app so the public surface no longer depends on a personal GitHub username. No user-visible behavior change on a default install.

Changed

• Remote rules endpoint moved to rules.muga.app (#481, landed via #596). The signed params.json is now served from https://rules.muga.app/rules/v1/params.json (was https://yocreoquesi.github.io/muga/rules/v1/params.json). DNS-only CNAME points at GitHub Pages — same hosting, branded subdomain. The optional permission users grant when enabling Remote rule updates is now scoped to https://rules.muga.app/* (Chrome MV3 optional_host_permissions / Firefox MV2 optional_permissions). Existing installs that opted in to remote rules on v1.13.4 or earlier will be re-prompted to grant the new host on the next 7-day refresh — the host changed, so the previous grant no longer applies. Files: src/manifest.json, src/manifest.v2.json, src/lib/remote-rules.js, src/options/options.js, docs/CNAME, .github/workflows/publish-rules.yml.

Coverage + standards-compliance + CI hygiene release. Headline: MUGA now consumes caps-spec/manifest.json as the source of truth for affiliate program identity, and the preserve set is decoupled from MUGA's own affiliate accounts — creator referrals are honored on Booking, Vercel, DigitalOcean, Humble Bundle, and Lemon Squeezy even though MUGA has no direct account on those programs.

Added

• caps-spec/manifest.json consumed as source of truth for the affiliate preserve set (#523, landed via #576/#577/#578). The 12-entry hand-maintained AFFILIATE_PATTERNS array is replaced by 7 consolidated entries generated at module load by joining the vendored caps-spec direct-injection programs with MUGA's hand-maintained OUR_TAGS map. New scripts/sync-affiliate-manifest.mjs mirrors the existing sync-wrappers.mjs pattern (Ed25519 signature verification when available, --allow-unsigned for the interim). Files: scripts/sync-affiliate-manifest.mjs, src/vendor/caps-spec/manifest.data.js, src/lib/affiliates.js.
• Sprinklr campaign-manager params (spr, sprtype) added to universal TRACKING_PARAMS (src/lib/affiliates.js, src/rules/tracking-params.json). Stripped on every domain. False-positive risk is low — these identify the campaign and asset that referred a click inside Sprinklr's backend and have no functional payload from the user's perspective. Closes the last "low-risk universal" gap from the #508 acceptance list (the merchant-specific gaps remain). (#508)
• tracker-flag.yml issue template (.github/ISSUE_TEMPLATE/tracker-flag.yml). Wires Channel 1 of CAPS decision 6 — receives structured tracker reports prefilled by MUGA's local heuristics (entropy + cross-site frequency). Schema mirrors the privacy contract already enforced by csft-upstream.js: only the SHAPE of the observation, never raw URLs or raw values. The existing tracking-param.md template is preserved (different intent — hand-written carrier-aware param requests). (#522)
• tracker-candidate repo label to receive auto-labelled issues from the new form.

Changed

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.4

User-visible polish release. Two critical fixes for users on v1.13.0–v1.13.2 (broken toolbar icon, stuck onboarding) plus a copy/visual pass on the onboarding and a popup cleanup. Also bundles two feature PRs that had been sitting on [Unreleased] since the 1.13.2 cut: wildcard whitelist/blacklist values and the CAPS-Basic + Contextual conformance claim.

Fixed

• Toolbar icon was invisible on Firefox and Chrome (#564). The 16/48/128 PNGs introduced in v1.13.0 were 96–99% transparent — only 6/256, 13/2304, and 32/16384 pixels respectively were opaque. The accompanying *-preserved.png files in the tree were the intact RGB sources, mistakenly left as the optimization input rather than the shipped output. This release copies those bytes over the broken files. Users on v1.13.0–v1.13.2 will see the working icon on the next AMO/Chrome Store update.
• Onboarding "Start browsing clean" button did nothing (#565). The CTA was natively disabled until the ToS checkbox was checked, so clicks were silently swallowed. Users who didn't notice the ToS gate clicked repeatedly with no feedback and assumed the onboarding was broken. Now the button uses aria-disabled so the click event still fires; the handler flashes the ToS card (respects prefers-reduced-motion), smooth-scrolls it into view, focuses the checkbox, and announces the requirement via an sr-only aria-live region. Playwright's toBeDisabled() recognises the new state, so existing e2e coverage carries over.
• Onboarding tagline pinned to a narrow left column (#565). The header had max-width: 26ch / 48ch / 52ch while the rest of the page used the full container width, leaving the tagline visually orphaned. Now flows to container width like the feature cards beneath.
• Redundant "Still see tracking?" link in the popup (#567). Two report links (#report-broken, #report-unclean) were splitting a single user intent — "this didn't work as expected" — across two GitHub queues. Removed #report-unclean; the remaining #report-broken absorbs both intents.
• Share button doubled the 📋 emoji on click (#567). The static <span aria-hidden="true">📋 </span> already held the icon and the click handler also wrote share_copy_prefix (another 📋) into the visible label, producing 📋📋 Share. The fix removes the entire share feature (see Removed below) — the bug dies with it.
• Creator-referral hint hidden behind a cursor: help tooltip (#567). The OS-level tooltip surfaces slowly (and not at all on touch), and the help cursor implied a click action that never existed. Now the hint renders inline as a small line below the badge — visible without interaction.

Added

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.3

Recovery release. No functional or user-visible changes vs v1.13.1 — same code, same rules, same behavior. The v1.13.1 release was tagged but its Release workflow failed at the unit-test step because the [Unreleased] reference link at the bottom of CHANGELOG.md still pointed at v1.13.0...HEAD after the bump. The tests/unit/changelog-links.test.mjs guard correctly flagged the drift, which blocked the AMO publish step from running. AMO therefore stayed on v1.11.0.

Fixed

• Release pipeline: [Unreleased] link in CHANGELOG.md now tracks the latest released tag, satisfying the changelog-links test that gates the Release workflow. Without this, every bump that forgot to update the link would silently skip AMO publish.

Added

• Popup now surfaces when MUGA preserved a third-party creator's affiliate tag on the current URL. New "Creator referral preserved" badge inside the preview section, with a tooltip explaining the policy. Fires regardless of whether the URL was otherwise modified — including on URLs MUGA leaves untouched. Wedge of "fair to creators" made tangible. New cleaner result field preservedAffiliate exposing { param, value, store, group }. Independent of the existing notifyForeignAffiliate toast preference: this is a passive UI signal, not a notification. New i18n keys preview_preserved_creator and preview_preserved_creator_hint in en/es/pt/de. (#327)
• New collaborative report link in the popup: "Still see tracking? Help us improve" (i18n key report_unclean_url). Visible only when MUGA modified the URL and showReportButton is on, alongside the existing "Report a problem with this URL" link. Opens a pre-filled GitHub issue tagged unclean-url with hostname, version, browser and the params MUGA already removed — never the full URL or query string. Same zero-network, no-new-permissions model as the broken-site report. Feeds the remote-rules catalog with real-world misses. (#271)

Changed

• Options page: the "Remote rule updates" section now appears before the "Advanced" block, so Advanced remains the last section on the page.
• Remote-rules copy softened to reflect the on-wake refresh model introduced in 1.10.1: "Enable rule updates" (toggle) and "Periodically checks for signed updates… about once a week, while you browse" (description). No behavioral change — the max cadence is still ~7 days.

Added

• Popup now reacts live to settings changes. Toggling MUGA on/off, or adding the current domain to the per-domain-disable list (blacklist entries of the form domain::disabled), updates the preview without reopening the popup. The trigger is both an optimistic in-popup re-render on the enabled-toggle click AND a chrome.storage.onChanged listener that catches changes made from the Options page in another tab.
• Distinct popup status when MUGA is globally active but the current site is on the per-domain-disable list. Previously only "MUGA is disabled" (global) was shown; now "MUGA is disabled on this site" surfaces the per-domain state. New i18n key muga_disabled_for_domain in all four locales.

Changed

• Remote rule updates no longer require the alarms permission. The weekly refresh now piggybacks on natural service-worker wake events (browser startup, page visits, popup messages) and is throttled by a stored fetchedAt timestamp — at most one fetch per 7 days, short-circuited immediately when the feature is off. This drops one permission from the manifest without changing the opt-in default or the privacy posture.

Removed

• alarms permission from manifest.json and manifest.v2.json.

Added

• Optional weekly updates for the tracking parameter list, off by default. Ed25519-signed payloads fetched from a public GitHub Pages endpoint (https://yocreoquesi.github.io/muga/rules/v1/params.json). Enable in Settings → Remote rule updates. Zero outbound requests on a default install. See docs/transparency.html. (#270)

Fixed

• Firefox TDZ: _contentPrefs declarations hoisted to top of the content script IIFE so early-firing event handlers (copy, click, runtime.onMessage) can no longer reference them before initialization (#298)
• Security: navigate() now enforces the 2000-char URL length cap before parsing
• Security: hostname extraction in the affiliate toast wrapped in safeHostname() — malformed URLs no longer throw inside event handlers

Added

• Static-analysis regression tests asserting _contentPrefs / _contentPrefsPending declarations stay above any reader and within the first 120 lines of cleaner.js

Fixed

• Security: add URL payload length limit, reject non-HTTP schemes, harden sanitizeHTML
• Robustness: cache version counter prevents stale prefs, time-based rewrite loop eviction
• Firefox MV2: shim chrome.runtime.sendMessage, deduplicate browser-polyfill loading
• MutationObserver ping blocking debounced via requestAnimationFrame
• Document silent .catch() handlers in content scripts
• Safe manifest swap script with trap-based restoration

Added

• Automated Firefox AMO submission on tag push
• Automated Chrome Web Store submission on tag push
• README: Chrome Web Store install badge (no longer "Coming soon")

Version 1.9.6

Fixes:
- Click handler no longer intercepts all link clicks. Only intercepts clicks to affiliate store domains. Non-affiliate clicks pass through unmodified, preserving SPA navigation on YouTube, forums, and all other sites.
- Click, copy, and self-clean handlers now check if the extension is enabled before any interception. Extension is fully inert when disabled.
- Prefs loaded eagerly at content script init for synchronous access.

852 passing tests. No permission changes.

Version 1.9.4

Changes in this version:
- Consent gate: extension is now fully disabled (no URL processing, popup blocked, options redirected) until the user accepts the Terms of Use in onboarding. Enforcement points: service-worker.js (handleProcessUrl), popup.js (consent-gate overlay), options.js (redirect), content/cleaner.js (ping blocking).
- 120+ new domain-specific tracking parameters (Amazon, Facebook, TikTok, Google, LinkedIn, Reddit, eBay, YouTube, Spotify, Netflix, NYTimes, BBC, AliExpress, Bing, Yahoo, Twitter/X, Etsy). Sourced from ClearURLs, AdGuard Filter 17, Neat-URL, and Mozilla's built-in strip list.
- 5 new Shopify recommendation tracking params (pr_prod_strat, pr_rec_id, pr_ref_pid, pr_rec_pid, pr_seq) added to global tracking list.
- Fixed: double onboarding tab caused by both onInstalled and fallback IIFE opening tabs. Now uses a dedup flag (openOnboardingOnce).
- Fixed: Promise shim (shimChromePromises in storage.js) was probing each API call by invoking it without a callback. For side-effectful methods like chrome.tabs.create, this executed the action twice. Now detects environment once at startup.

Version 1.9.2

Changes in this version:
- Redesigned onboarding (privacy-first messaging, 3 features)
- Affiliate redirect unwrapping (Awin, Admitad, ShareASale, VigLink, Tradedoubler)
- Strip awc/wt_mc from redirect-based affiliate networks
- Fix collapsible store groups in Settings
- Rename "Report broken site" to "Report a bug or suggest an improvement"
- 730 passing tests

No permission changes from previous version