Toolbar icon recovery release. Headline: the toolbar action icon now renders consistently in both Firefox and Chrome — the gray placeholder some users were seeing on about:addons and across tabs is fixed. The "creator referral preserved" green-check icon variant, which had been retired earlier the same day on a misdiagnosis, is also restored.

Added

• OBJECTIVES.md — public North Star metric (Firefox AMO weekly active users), 6-month targets, explicit non-goals, and the four decision principles used to triage every new proposal. Closes #338. Linked from the README header.
• docs/ops/ finalised — the three runbooks (health-signals.md, rollback-playbook.md, staged-release.md) plus the README.md index are now wired up end to end. Closes #397. Two broken rollback.md references in health-signals.md were fixed (the actual filename is rollback-playbook.md); a third integrity check was added to tests/unit/ops-docs-sync.test.mjs that asserts every relative .md link inside docs/ops/ points to a file that exists, so a future typo cannot ship silently. The staged-release.md decision log was reset to start at v1.13.5 / v1.13.6 with real entries instead of TBD placeholders. README header now links to docs/ops/README.md alongside Contributing.

Coverage

• TikTok _t added to universal TRACKING_PARAMS (src/lib/affiliates.js, platform_noise category). Sister to existing _r — share token, not functional for the web URL. Closes the corresponding #508 gap.
• AliExpress aff_fcid added to aliexpress.com.stripParams in src/rules/domain-rules.json. Domain-scoped — CPS click ID, transient and not creator-attributing.
• Walmart sourceid + athcpid added to walmart.com.stripParams. Campaign source tag and per-impression content ID respectively.
• bestbuy.com is a new domain-rules entry (#508). Strips ref (referral source) + loc (campaign location) + irclickid + irgwc (Impact Radius affiliate ad-attribution); preserves q / id / intl / page.

Fixed

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.7

Onboarding hardening release. Headline: the first-run onboarding flow on Firefox no longer leaves the user staring at an unchanged tab after they accept — the silent regression that made "Start browsing clean" appear to do nothing is fixed, the cleaner is now provably off until acceptance, and the toolbar surfaces a "!" badge while consent is pending. Plus a separate gate fix: opening Settings right after a clean acceptance no longer bounces back to onboarding.

Added

• Apple Services Performance Partners as a direct-injection program (#594, partial — Apple half). Refresh of the vendored caps-spec snapshot brought in apple-phg (caps-spec PR #45), so MUGA now preserves ?at= affiliate tokens on music.apple.com, geo.music.apple.com, tv.apple.com, books.apple.com, podcasts.apple.com, apps.apple.com, and itunes.apple.com. The "Creator referral preserved" badge fires on those hosts when a third-party at token is present, even though MUGA has no Apple Performance Partners account (per the #523 decoupling). The companion ?ct= parameter is intentionally NOT matched as a creator referral — it is the campaign-name field, not the attribution token. The Bookshop.org half of #594 remains blocked on caps-spec#46 (RFC for path-based affiliate program schema).
• Toolbar consent-required cue. A global "!" badge surfaces on the toolbar icon while onboardingDone === false (including hard-reonboard, where getPrefs() forces the flag back to false). Cleared on acceptance. Wired through onInstalled, the cold-start fallback, and a new mugaConsent branch in the storage onChanged listener that re-runs DNR + badge in one shot. Files: src/background/service-worker.js.
• Onboarding success state. After consent persistence, the page renders an in-place "You're all set / Close tab" confirmation and attempts a best-effort tab close (window.close() then chrome.tabs.remove). Firefox refuses window.close() on tabs not opened by JS, so the in-place state is the safety net that proves to the user the click landed. Files: src/onboarding/onboarding.js, src/onboarding/onboarding.html, src/lib/i18n.js (en/es/pt/de).

Changed

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.6

Branded-domain release. The signed remote-rules endpoint moves under rules.muga.app so the public surface no longer depends on a personal GitHub username. No user-visible behavior change on a default install.

Changed

• Remote rules endpoint moved to rules.muga.app (#481, landed via #596). The signed params.json is now served from https://rules.muga.app/rules/v1/params.json (was https://yocreoquesi.github.io/muga/rules/v1/params.json). DNS-only CNAME points at GitHub Pages — same hosting, branded subdomain. The optional permission users grant when enabling Remote rule updates is now scoped to https://rules.muga.app/* (Chrome MV3 optional_host_permissions / Firefox MV2 optional_permissions). Existing installs that opted in to remote rules on v1.13.4 or earlier will be re-prompted to grant the new host on the next 7-day refresh — the host changed, so the previous grant no longer applies. Files: src/manifest.json, src/manifest.v2.json, src/lib/remote-rules.js, src/options/options.js, docs/CNAME, .github/workflows/publish-rules.yml.

Coverage + standards-compliance + CI hygiene release. Headline: MUGA now consumes caps-spec/manifest.json as the source of truth for affiliate program identity, and the preserve set is decoupled from MUGA's own affiliate accounts — creator referrals are honored on Booking, Vercel, DigitalOcean, Humble Bundle, and Lemon Squeezy even though MUGA has no direct account on those programs.

Added

• caps-spec/manifest.json consumed as source of truth for the affiliate preserve set (#523, landed via #576/#577/#578). The 12-entry hand-maintained AFFILIATE_PATTERNS array is replaced by 7 consolidated entries generated at module load by joining the vendored caps-spec direct-injection programs with MUGA's hand-maintained OUR_TAGS map. New scripts/sync-affiliate-manifest.mjs mirrors the existing sync-wrappers.mjs pattern (Ed25519 signature verification when available, --allow-unsigned for the interim). Files: scripts/sync-affiliate-manifest.mjs, src/vendor/caps-spec/manifest.data.js, src/lib/affiliates.js.
• Sprinklr campaign-manager params (spr, sprtype) added to universal TRACKING_PARAMS (src/lib/affiliates.js, src/rules/tracking-params.json). Stripped on every domain. False-positive risk is low — these identify the campaign and asset that referred a click inside Sprinklr's backend and have no functional payload from the user's perspective. Closes the last "low-risk universal" gap from the #508 acceptance list (the merchant-specific gaps remain). (#508)
• tracker-flag.yml issue template (.github/ISSUE_TEMPLATE/tracker-flag.yml). Wires Channel 1 of CAPS decision 6 — receives structured tracker reports prefilled by MUGA's local heuristics (entropy + cross-site frequency). Schema mirrors the privacy contract already enforced by csft-upstream.js: only the SHAPE of the observation, never raw URLs or raw values. The existing tracking-param.md template is preserved (different intent — hand-written carrier-aware param requests). (#522)
• tracker-candidate repo label to receive auto-labelled issues from the new form.

Changed

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.4

User-visible polish release. Two critical fixes for users on v1.13.0–v1.13.2 (broken toolbar icon, stuck onboarding) plus a copy/visual pass on the onboarding and a popup cleanup. Also bundles two feature PRs that had been sitting on [Unreleased] since the 1.13.2 cut: wildcard whitelist/blacklist values and the CAPS-Basic + Contextual conformance claim.

Fixed

• Toolbar icon was invisible on Firefox and Chrome (#564). The 16/48/128 PNGs introduced in v1.13.0 were 96–99% transparent — only 6/256, 13/2304, and 32/16384 pixels respectively were opaque. The accompanying *-preserved.png files in the tree were the intact RGB sources, mistakenly left as the optimization input rather than the shipped output. This release copies those bytes over the broken files. Users on v1.13.0–v1.13.2 will see the working icon on the next AMO/Chrome Store update.
• Onboarding "Start browsing clean" button did nothing (#565). The CTA was natively disabled until the ToS checkbox was checked, so clicks were silently swallowed. Users who didn't notice the ToS gate clicked repeatedly with no feedback and assumed the onboarding was broken. Now the button uses aria-disabled so the click event still fires; the handler flashes the ToS card (respects prefers-reduced-motion), smooth-scrolls it into view, focuses the checkbox, and announces the requirement via an sr-only aria-live region. Playwright's toBeDisabled() recognises the new state, so existing e2e coverage carries over.
• Onboarding tagline pinned to a narrow left column (#565). The header had max-width: 26ch / 48ch / 52ch while the rest of the page used the full container width, leaving the tagline visually orphaned. Now flows to container width like the feature cards beneath.
• Redundant "Still see tracking?" link in the popup (#567). Two report links (#report-broken, #report-unclean) were splitting a single user intent — "this didn't work as expected" — across two GitHub queues. Removed #report-unclean; the remaining #report-broken absorbs both intents.
• Share button doubled the 📋 emoji on click (#567). The static <span aria-hidden="true">📋 </span> already held the icon and the click handler also wrote share_copy_prefix (another 📋) into the visible label, producing 📋📋 Share. The fix removes the entire share feature (see Removed below) — the bug dies with it.
• Creator-referral hint hidden behind a cursor: help tooltip (#567). The OS-level tooltip surfaces slowly (and not at all on touch), and the help cursor implied a click action that never existed. Now the hint renders inline as a small line below the badge — visible without interaction.

Added

…full release notes: https://github.com/yocreoquesi/muga/releases/tag/v1.13.3

Recovery release. No functional or user-visible changes vs v1.13.1 — same code, same rules, same behavior. The v1.13.1 release was tagged but its Release workflow failed at the unit-test step because the [Unreleased] reference link at the bottom of CHANGELOG.md still pointed at v1.13.0...HEAD after the bump. The tests/unit/changelog-links.test.mjs guard correctly flagged the drift, which blocked the AMO publish step from running. AMO therefore stayed on v1.11.0.

Fixed

• Release pipeline: [Unreleased] link in CHANGELOG.md now tracks the latest released tag, satisfying the changelog-links test that gates the Release workflow. Without this, every bump that forgot to update the link would silently skip AMO publish.

Added

• Popup now surfaces when MUGA preserved a third-party creator's affiliate tag on the current URL. New "Creator referral preserved" badge inside the preview section, with a tooltip explaining the policy. Fires regardless of whether the URL was otherwise modified — including on URLs MUGA leaves untouched. Wedge of "fair to creators" made tangible. New cleaner result field preservedAffiliate exposing { param, value, store, group }. Independent of the existing notifyForeignAffiliate toast preference: this is a passive UI signal, not a notification. New i18n keys preview_preserved_creator and preview_preserved_creator_hint in en/es/pt/de. (#327)
• New collaborative report link in the popup: "Still see tracking? Help us improve" (i18n key report_unclean_url). Visible only when MUGA modified the URL and showReportButton is on, alongside the existing "Report a problem with this URL" link. Opens a pre-filled GitHub issue tagged unclean-url with hostname, version, browser and the params MUGA already removed — never the full URL or query string. Same zero-network, no-new-permissions model as the broken-site report. Feeds the remote-rules catalog with real-world misses. (#271)

Changed

• Options page: the "Remote rule updates" section now appears before the "Advanced" block, so Advanced remains the last section on the page.
• Remote-rules copy softened to reflect the on-wake refresh model introduced in 1.10.1: "Enable rule updates" (toggle) and "Periodically checks for signed updates… about once a week, while you browse" (description). No behavioral change — the max cadence is still ~7 days.

Added

• Popup now reacts live to settings changes. Toggling MUGA on/off, or adding the current domain to the per-domain-disable list (blacklist entries of the form domain::disabled), updates the preview without reopening the popup. The trigger is both an optimistic in-popup re-render on the enabled-toggle click AND a chrome.storage.onChanged listener that catches changes made from the Options page in another tab.
• Distinct popup status when MUGA is globally active but the current site is on the per-domain-disable list. Previously only "MUGA is disabled" (global) was shown; now "MUGA is disabled on this site" surfaces the per-domain state. New i18n key muga_disabled_for_domain in all four locales.

Changed

• Remote rule updates no longer require the alarms permission. The weekly refresh now piggybacks on natural service-worker wake events (browser startup, page visits, popup messages) and is throttled by a stored fetchedAt timestamp — at most one fetch per 7 days, short-circuited immediately when the feature is off. This drops one permission from the manifest without changing the opt-in default or the privacy posture.

Removed

• alarms permission from manifest.json and manifest.v2.json.

Added

• Optional weekly updates for the tracking parameter list, off by default. Ed25519-signed payloads fetched from a public GitHub Pages endpoint (https://yocreoquesi.github.io/muga/rules/v1/params.json). Enable in Settings → Remote rule updates. Zero outbound requests on a default install. See docs/transparency.html. (#270)

Fixed

• Firefox TDZ: _contentPrefs declarations hoisted to top of the content script IIFE so early-firing event handlers (copy, click, runtime.onMessage) can no longer reference them before initialization (#298)
• Security: navigate() now enforces the 2000-char URL length cap before parsing
• Security: hostname extraction in the affiliate toast wrapped in safeHostname() — malformed URLs no longer throw inside event handlers

Added

• Static-analysis regression tests asserting _contentPrefs / _contentPrefsPending declarations stay above any reader and within the first 120 lines of cleaner.js

Fixed

• Security: add URL payload length limit, reject non-HTTP schemes, harden sanitizeHTML
• Robustness: cache version counter prevents stale prefs, time-based rewrite loop eviction
• Firefox MV2: shim chrome.runtime.sendMessage, deduplicate browser-polyfill loading
• MutationObserver ping blocking debounced via requestAnimationFrame
• Document silent .catch() handlers in content scripts
• Safe manifest swap script with trap-based restoration

Added

• Automated Firefox AMO submission on tag push
• Automated Chrome Web Store submission on tag push
• README: Chrome Web Store install badge (no longer "Coming soon")

Version 1.9.6

Fixes:
- Click handler no longer intercepts all link clicks. Only intercepts clicks to affiliate store domains. Non-affiliate clicks pass through unmodified, preserving SPA navigation on YouTube, forums, and all other sites.
- Click, copy, and self-clean handlers now check if the extension is enabled before any interception. Extension is fully inert when disabled.
- Prefs loaded eagerly at content script init for synchronous access.

852 passing tests. No permission changes.

Version 1.9.4

Changes in this version:
- Consent gate: extension is now fully disabled (no URL processing, popup blocked, options redirected) until the user accepts the Terms of Use in onboarding. Enforcement points: service-worker.js (handleProcessUrl), popup.js (consent-gate overlay), options.js (redirect), content/cleaner.js (ping blocking).
- 120+ new domain-specific tracking parameters (Amazon, Facebook, TikTok, Google, LinkedIn, Reddit, eBay, YouTube, Spotify, Netflix, NYTimes, BBC, AliExpress, Bing, Yahoo, Twitter/X, Etsy). Sourced from ClearURLs, AdGuard Filter 17, Neat-URL, and Mozilla's built-in strip list.
- 5 new Shopify recommendation tracking params (pr_prod_strat, pr_rec_id, pr_ref_pid, pr_rec_pid, pr_seq) added to global tracking list.
- Fixed: double onboarding tab caused by both onInstalled and fallback IIFE opening tabs. Now uses a dedup flag (openOnboardingOnce).
- Fixed: Promise shim (shimChromePromises in storage.js) was probing each API call by invoking it without a callback. For side-effectful methods like chrome.tabs.create, this executed the action twice. Now detects environment once at startup.

Version 1.9.2

Changes in this version:
- Redesigned onboarding (privacy-first messaging, 3 features)
- Affiliate redirect unwrapping (Awin, Admitad, ShareASale, VigLink, Tradedoubler)
- Strip awc/wt_mc from redirect-based affiliate networks
- Fix collapsible store groups in Settings
- Rename "Report broken site" to "Report a bug or suggest an improvement"
- 730 passing tests

No permission changes from previous version