docs: webext .xpi published/downloadable + tag-pinned release note (ref #532 )

README + wiki Browser-Extension: add the direct release download URL, document make_latest:false / tag-pinned design. TODO/WIP: mark the webext-v0.1.0 release published (downloadable, verified) and note the remaining board deploy of secubox-toolbox 2.6.14. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Merge pull request #541 from CyberMind-FR/feature/532-plan-browser-xpi-webextension-emancipate
2026-06-30 10:00:52 +00:00 · 2026-06-13 11:29:06 +02:00 · 2026-06-13 10:57:16 +02:00
4 changed files with 36 additions and 8 deletions
--- a/.claude/TODO.md
+++ b/.claude/TODO.md
@ -16,6 +16,9 @@
 - [x] **#532 browser extension** (`clients/webext-toolbox/`) — MV3 Firefox
  `.xpi`/Chromium; live tracker badge + popup mini Round-Eye graph over
  `/social/*`; `GET /wg/toolbox.xpi` + fetch helper + `build-webext.yml`.
+- [x] **#532 release** — tag `webext-v0.1.0` published the `.xpi`
+  (downloadable, verified 200). `make_latest:false` + tag-pinned URL so it
+  doesn't steal "Latest" from the Android APK release.
 - [ ] **release signing** — Android keystore + AMO `.xpi` signing secrets in CI
  for stable published fingerprints (currently unsigned sideload).
 - [ ] **#532 follow-ups** — optional `GET /social/live/{token}` SSE (replace the
--- a/.claude/WIP.md
+++ b/.claude/WIP.md
@ -21,11 +21,18 @@ le navigateur : badge live des traceurs + popup.
 - **Serve depuis la toolbox** (`2.6.14`) : `GET /wg/toolbox.xpi` (local
  sinon 302 → release), bouton `🧩 Extension navigateur` sur les 2
  panneaux onboard, helper `secubox-toolbox-fetch-xpi`, postinst dir.
- **CI** : `build-webext.yml` — `web-ext lint` + build, artifact, release
-  asset `secubox-toolbox-webext.xpi` sur tag `webext-v*`.
+- **CI** : `build-webext.yml` — `web-ext lint` (0 erreur, 2 warnings
+  bénins) + build, artifact, release asset sur tag `webext-v*`.
+- **Release** (PR #540 + #541, mergées) : tag `webext-v0.1.0` poussé →
+  CI a publié `secubox-toolbox-webext.xpi` (téléchargeable, vérifié 200).
+  `make_latest:false` + URL **tag-pinned** dans `/wg/toolbox.xpi` +
+  `secubox-toolbox-fetch-xpi` pour ne pas voler le pointeur "Latest" à la
+  release APK Android (dont l'endpoint résout via `/releases/latest/...`).
+  → bumper le tag dans la constante + le helper à chaque `webext-v*`.
 - **Reste à faire** : signature AMO (`.xpi` non signé = sideload/dev) ;
  endpoint SSE `/social/live/{token}` optionnel ; icône PNG Chromium ;
-  contrôle Poke/Emancipate par-site quand #525 (déception) arrive.
+  contrôle Poke/Emancipate par-site quand #525 (déception) arrive ;
+  déployer `secubox-toolbox 2.6.14` sur la board pour activer le bouton.

 ---

--- a/clients/webext-toolbox/README.md
+++ b/clients/webext-toolbox/README.md
@ -28,7 +28,13 @@ to your cabine over the R3 tunnel — no third-party calls.

 ## Install

-The toolbox serves the built extension:
+Published release `.xpi` (downloadable directly):
+
+```
+https://github.com/CyberMind-FR/secubox-deb/releases/download/webext-v0.1.0/secubox-toolbox-webext.xpi
+```
+
+The toolbox also serves it from the cabine:

 ```
 https://kbin.<board>.secubox.in/wg/toolbox.xpi
@ -36,7 +42,12 @@ https://kbin.<board>.secubox.in/wg/toolbox.xpi

 The kbin onboard panel exposes a **🧩 Extension navigateur (cartographie)**
 button. When a local build is present the cabine serves it; otherwise it
-302-redirects to the latest GitHub release asset `secubox-toolbox-webext.xpi`.
+302-redirects to the **tag-pinned** release asset above. The webext release
+is published `make_latest:false` so it does not steal the repo "Latest"
+pointer from the Android APK release (whose endpoint resolves via
+`/releases/latest/download/…`) — bump the tag in the `/wg/toolbox.xpi`
+endpoint constant + `secubox-toolbox-fetch-xpi` when a new `webext-v*`
+release is cut.

 - **Firefox** — open the `.xpi`. A permanent install needs an AMO-signed
  build (release CI step / `web-ext sign`); for development use
--- a/wiki/Browser-Extension.md
+++ b/wiki/Browser-Extension.md
@ -15,7 +15,13 @@ R3 tunnel — no third-party calls.

 ## Install

-The toolbox serves the built extension:
+Published release `.xpi` (downloadable directly):
+
+```
+https://github.com/CyberMind-FR/secubox-deb/releases/download/webext-v0.1.0/secubox-toolbox-webext.xpi
+```
+
+The toolbox also serves it from the cabine:

 ```
 https://kbin.<board>.secubox.in/wg/toolbox.xpi
@ -23,8 +29,9 @@ https://kbin.<board>.secubox.in/wg/toolbox.xpi

 The kbin onboard panel exposes a **🧩 Extension navigateur (cartographie)**
 button. When a local build is present the cabine serves it
-(`application/x-xpinstall`); otherwise it 302-redirects to the latest GitHub
-release asset `secubox-toolbox-webext.xpi`.
+(`application/x-xpinstall`); otherwise it 302-redirects to the **tag-pinned**
+release asset above. The webext release is published `make_latest:false` so it
+does not steal the repo "Latest" pointer from the Android APK release.

 - **Firefox** — open the `.xpi`. A permanent install needs an AMO-signed build
  (release CI / `web-ext sign`); for development use *about:debugging → Load