docs: webext .xpi published/downloadable + tag-pinned release note (ref #532)

README + wiki Browser-Extension: add the direct release download URL,
document make_latest:false / tag-pinned design. TODO/WIP: mark the
webext-v0.1.0 release published (downloadable, verified) and note the
remaining board deploy of secubox-toolbox 2.6.14.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.claude/TODO.md

@@ -16,6 +16,9 @@
 - [x] **#532 browser extension** (`clients/webext-toolbox/`) — MV3 Firefox
   `.xpi`/Chromium; live tracker badge + popup mini Round-Eye graph over
   `/social/*`; `GET /wg/toolbox.xpi` + fetch helper + `build-webext.yml`.
+- [x] **#532 release** — tag `webext-v0.1.0` published the `.xpi`
+  (downloadable, verified 200). `make_latest:false` + tag-pinned URL so it
+  doesn't steal "Latest" from the Android APK release.
 - [ ] **release signing** — Android keystore + AMO `.xpi` signing secrets in CI
   for stable published fingerprints (currently unsigned sideload).
 - [ ] **#532 follow-ups** — optional `GET /social/live/{token}` SSE (replace the

.claude/WIP.md

@@ -21,11 +21,18 @@ le navigateur : badge live des traceurs + popup.
 - **Serve depuis la toolbox** (`2.6.14`) : `GET /wg/toolbox.xpi` (local
   sinon 302 → release), bouton `🧩 Extension navigateur` sur les 2
   panneaux onboard, helper `secubox-toolbox-fetch-xpi`, postinst dir.
-- **CI** : `build-webext.yml` — `web-ext lint` + build, artifact, release
+- **CI** : `build-webext.yml` — `web-ext lint` (0 erreur, 2 warnings
-  asset `secubox-toolbox-webext.xpi` sur tag `webext-v*`.
+  bénins) + build, artifact, release asset sur tag `webext-v*`.
+- **Release** (PR #540 + #541, mergées) : tag `webext-v0.1.0` poussé →
+  CI a publié `secubox-toolbox-webext.xpi` (téléchargeable, vérifié 200).
+  `make_latest:false` + URL **tag-pinned** dans `/wg/toolbox.xpi` +
+  `secubox-toolbox-fetch-xpi` pour ne pas voler le pointeur "Latest" à la
+  release APK Android (dont l'endpoint résout via `/releases/latest/...`).
+  → bumper le tag dans la constante + le helper à chaque `webext-v*`.
 - **Reste à faire** : signature AMO (`.xpi` non signé = sideload/dev) ;
   endpoint SSE `/social/live/{token}` optionnel ; icône PNG Chromium ;
-  contrôle Poke/Emancipate par-site quand #525 (déception) arrive.
+  contrôle Poke/Emancipate par-site quand #525 (déception) arrive ;
+  déployer `secubox-toolbox 2.6.14` sur la board pour activer le bouton.
 
 ---
 

clients/webext-toolbox/README.md

@@ -28,7 +28,13 @@ to your cabine over the R3 tunnel — no third-party calls.
 
 ## Install
 
-The toolbox serves the built extension:
+Published release `.xpi` (downloadable directly):
+
+```
+https://github.com/CyberMind-FR/secubox-deb/releases/download/webext-v0.1.0/secubox-toolbox-webext.xpi
+```
+
+The toolbox also serves it from the cabine:
 
 ```
 https://kbin.<board>.secubox.in/wg/toolbox.xpi
@@ -36,7 +42,12 @@ https://kbin.<board>.secubox.in/wg/toolbox.xpi
 
 The kbin onboard panel exposes a **🧩 Extension navigateur (cartographie)**
 button. When a local build is present the cabine serves it; otherwise it
-302-redirects to the latest GitHub release asset `secubox-toolbox-webext.xpi`.
+302-redirects to the **tag-pinned** release asset above. The webext release
+is published `make_latest:false` so it does not steal the repo "Latest"
+pointer from the Android APK release (whose endpoint resolves via
+`/releases/latest/download/…`) — bump the tag in the `/wg/toolbox.xpi`
+endpoint constant + `secubox-toolbox-fetch-xpi` when a new `webext-v*`
+release is cut.
 
 - **Firefox** — open the `.xpi`. A permanent install needs an AMO-signed
   build (release CI step / `web-ext sign`); for development use

wiki/Browser-Extension.md

@@ -15,7 +15,13 @@ R3 tunnel — no third-party calls.
 
 ## Install
 
-The toolbox serves the built extension:
+Published release `.xpi` (downloadable directly):
+
+```
+https://github.com/CyberMind-FR/secubox-deb/releases/download/webext-v0.1.0/secubox-toolbox-webext.xpi
+```
+
+The toolbox also serves it from the cabine:
 
 ```
 https://kbin.<board>.secubox.in/wg/toolbox.xpi
@@ -23,8 +29,9 @@ https://kbin.<board>.secubox.in/wg/toolbox.xpi
 
 The kbin onboard panel exposes a **🧩 Extension navigateur (cartographie)**
 button. When a local build is present the cabine serves it
-(`application/x-xpinstall`); otherwise it 302-redirects to the latest GitHub
+(`application/x-xpinstall`); otherwise it 302-redirects to the **tag-pinned**
-release asset `secubox-toolbox-webext.xpi`.
+release asset above. The webext release is published `make_latest:false` so it
+does not steal the repo "Latest" pointer from the Android APK release.
 
 - **Firefox** — open the `.xpi`. A permanent install needs an AMO-signed build
   (release CI / `web-ext sign`); for development use *about:debugging → Load