Release Notes - v1.4

Highlights

Major release expanding the extension from a basic secret scanner into
a full-featured security toolkit with severity classification, smart
validation, live key verification, and persistent false-positive
management.

New Features

Severity & Classification
- Severity levels for every finding: critical, high, medium, low, info.
- Color-coded severity badges with filtering in the Findings UI.

Active API Key Verification
- Live verification of detected keys via real HTTP requests.
- Supports 10 providers: Google, GitHub, GitLab, Slack, Stripe,
SendGrid, Telegram, npm, Cloudflare, and more.
- Automatic severity upgrade to "high" on confirmed-valid keys.
- Rate-limited to avoid provider throttling.
- Per-finding Verify button and status badges.

LLM-Based Validation
- OpenAI-compatible API integration for intelligent false-positive
detection.
- Configurable endpoint, model, and API key (stored securely).
- Auto-validate new findings or validate on demand (single / bulk).
- Connection test button in Settings.

Heuristic Pre-Filter
- Catches placeholder values, low-entropy strings, and documentation
examples before storing findings. Toggleable in Settings.

False-Positive Allowlist
- Persistent suppression of known false positives across re-scans.
- Per-origin or global scope.
- Manual mark as false-positive / confirmed from the Findings UI.
- Bulk delete, export, and import of the allowlist.

In-Tab Alerts
- Replaced OS notifications with in-tab JavaScript alerts.
- Configurable minimum severity threshold.
- 1-hour deduplication per origin.

AI / LLM Context File Scanning
- Active probes for AGENTS.md, CLAUDE.md, llms.txt, .cursor/, .claude/,
and other AI-related exposure points.

Detection Expansion

• Pattern count: 35 -> 99 (95 secrets + 4 vulnerabilities).
• New providers: ElevenLabs, DeBounce, Square (prod and sandbox),
  Discord (Bot token and Webhook), Cloudinary, Databricks, Instagram,
  Contentful, Postman, Figma, Airtable, Flutterwave, Razorpay, HubSpot,
  Pulumi, Age encryption keys, Artifactory, Branch.io, Sentry DSN, New
  Relic, Algolia, Supabase (multiple key types), GitHub Fine-Grained
  PAT, Google Service Account JSON, AWS Session Tokens, and DB
  connection strings (MongoDB, PostgreSQL, Redis, MySQL).
• Vulnerability detection skipped for JS files to reduce noise.

Improvements

• Wildcard support in origin deny list at any position
  (e.g. .domain.com, .gov., app.example.com).
• .gov. added to the default deny list.
• Rescan disabled on extension and denied pages.
• Lazy pattern compilation for improved performance.
• Debug Mode page showing cached origins and live settings.

Fixes

• Fixed browser notifications handling.
• Multiple stability and correctness improvements.

v1.1.3 - add Supabase Key detection and optional JWT detect toggle

• Added Debug Console for troubleshooting
• Reduced false positives on JavaScript files
• Improved scanning status feedback
• Fixed various UI bugs