From 6a6cb72cadd09b31e0e21ccb2b51d0fe22621d7f Mon Sep 17 00:00:00 2001
From: semantic-release-bot <semantic-release-bot@martynus.net>
Date: Mon, 4 May 2026 13:25:41 +0000
Subject: [PATCH 1/3] chore(release): 1.11.0-dev.3 [skip ci]

# [1.11.0-dev.3](https://github.com/codebridger/subturtle-extension-apps/compare/v1.11.0-dev.2...v1.11.0-dev.3) (2026-05-04)

### Bug Fixes

* persist anonymous tokens and stop logout-cascade on anon sessions ([825db93](https://github.com/codebridger/subturtle-extension-apps/commit/825db93ddf441d9c1791ae45016d85e98360e856))
---
 CHANGELOG-DEV.md     | 7 +++++++
 package.json         | 2 +-
 static/manifest.json | 4 ++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG-DEV.md b/CHANGELOG-DEV.md
index fa4fb7d..b110289 100644
--- a/CHANGELOG-DEV.md
+++ b/CHANGELOG-DEV.md
@@ -1,3 +1,10 @@
+# [1.11.0-dev.3](https://github.com/codebridger/subturtle-extension-apps/compare/v1.11.0-dev.2...v1.11.0-dev.3) (2026-05-04)
+
+
+### Bug Fixes
+
+* persist anonymous tokens and stop logout-cascade on anon sessions ([825db93](https://github.com/codebridger/subturtle-extension-apps/commit/825db93ddf441d9c1791ae45016d85e98360e856))
+
 # [1.11.0-dev.2](https://github.com/codebridger/subturtle-extension-apps/compare/v1.11.0-dev.1...v1.11.0-dev.2) (2026-05-03)
 
 
diff --git a/package.json b/package.json
index 675305f..a22fb49 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "subturtle-extension",
-  "version": "1.11.0-dev.2",
+  "version": "1.11.0-dev.3",
   "private": true,
   "scripts": {
     "dev": "webpack --watch",
diff --git a/static/manifest.json b/static/manifest.json
index 23a725b..9be5264 100644
--- a/static/manifest.json
+++ b/static/manifest.json
@@ -1,7 +1,7 @@
 {
 	"name": "Subturtle",
 	"description": "Turn video subtitles into English lessons. Learn new vocabulary in context as you watch on YouTube and Netflix.",
-	"version": "1.11.0.2",
+	"version": "1.11.0.3",
 	"manifest_version": 3,
 	"icons": {
 		"128": "/assets/logo-128.png",
@@ -80,5 +80,5 @@
 			]
 		}
 	],
-	"version_name": "1.11.0-dev.2"
+	"version_name": "1.11.0-dev.3"
 }

From 838451e9ad10d3a3755691b4ca586a0d3815a008 Mon Sep 17 00:00:00 2001
From: Navid Shad <navidshad72@gmail.com>
Date: Wed, 6 May 2026 14:10:18 +0300
Subject: [PATCH 2/3] fix: #86exgqfpu skip token writes to host LS on dashboard
 origins
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The extension's content scripts (nibble, console-crane) inject @modular-rest/client into every page. Because content scripts share localStorage with the host, modular-rest's saveSession (and our explicit cache write) was overwriting the dashboard's own `token` localStorage key on subturtle.app and localhost:3000 — wiping the user's session and forcing them back to /auth/login on the next reload or new tab.

Patch Storage.prototype.setItem/removeItem at module load (before @modular-rest/client is imported) to no-op on `token` writes when the host is the dashboard. Extension auth still works via chrome.storage.sync; we only lose the per-page LS cache on dashboard origins (one extra /user/loginAnonymous call per content-script mount, which is negligible).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/plugins/modular-rest.ts | 40 +++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/src/plugins/modular-rest.ts b/src/plugins/modular-rest.ts
index 299acf7..acdb4e0 100644
--- a/src/plugins/modular-rest.ts
+++ b/src/plugins/modular-rest.ts
@@ -1,3 +1,43 @@
+// IMPORTANT: must precede any import that may touch localStorage at module load.
+// Content scripts run in an "isolated world" that shares localStorage with the
+// host page. The dashboard at *.subturtle.app and localhost:3000 (dev) uses
+// `token` as its own localStorage key for the user's session — when the
+// extension's modular-rest client (or our explicit cache write below) writes
+// the extension's anonymous token there, it clobbers the dashboard user's
+// session and bounces them to /auth/login on the next reload or new tab.
+//
+// Block 'token' writes/removes from the content-script side on those origins.
+// The extension already persists tokens to chrome.storage.sync via the
+// background script, so losing the per-page localStorage cache only costs
+// one extra /user/loginAnonymous call per content-script mount on dashboard
+// origins — it does NOT break extension auth.
+function isDashboardOrigin(): boolean {
+  if (typeof window === "undefined") return false;
+  const host = window.location.hostname;
+  const port = window.location.port;
+  return (
+    (host === "localhost" && port === "3000") ||
+    host === "subturtle.app" ||
+    host === "www.subturtle.app" ||
+    host === "dashboard.subturtle.app" ||
+    host === "www.dashboard.subturtle.app"
+  );
+}
+
+if (typeof Storage !== "undefined" && isDashboardOrigin()) {
+  const origSet = Storage.prototype.setItem;
+  const origRm = Storage.prototype.removeItem;
+  Storage.prototype.setItem = function (k: string, v: string) {
+    // Only suppress writes to localStorage on the dashboard, never sessionStorage.
+    if (this === window.localStorage && k === "token") return;
+    return origSet.call(this, k, v);
+  };
+  Storage.prototype.removeItem = function (k: string) {
+    if (this === window.localStorage && k === "token") return;
+    return origRm.call(this, k);
+  };
+}
+
 import { GlobalOptions, authentication } from "@modular-rest/client";
 
 import { sendMessage, sendMessageToTabs } from "../common/helper/massage";

From 335ecbd99220734edf4ee7f39470cbc14dc408cd Mon Sep 17 00:00:00 2001
From: semantic-release-bot <semantic-release-bot@martynus.net>
Date: Wed, 6 May 2026 11:14:35 +0000
Subject: [PATCH 3/3] chore(release): 1.11.0-dev.4 [skip ci]

# [1.11.0-dev.4](https://github.com/codebridger/subturtle-extension-apps/compare/v1.11.0-dev.3...v1.11.0-dev.4) (2026-05-06)

### Bug Fixes

* [#86](https://github.com/codebridger/subturtle-extension-apps/issues/86)exgqfpu skip token writes to host LS on dashboard origins ([838451e](https://github.com/codebridger/subturtle-extension-apps/commit/838451e9ad10d3a3755691b4ca586a0d3815a008)), closes [#86exgqfpu](https://github.com/codebridger/subturtle-extension-apps/issues/86exgqfpu)
---
 CHANGELOG-DEV.md     | 7 +++++++
 package.json         | 2 +-
 static/manifest.json | 4 ++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG-DEV.md b/CHANGELOG-DEV.md
index b110289..0cbd677 100644
--- a/CHANGELOG-DEV.md
+++ b/CHANGELOG-DEV.md
@@ -1,3 +1,10 @@
+# [1.11.0-dev.4](https://github.com/codebridger/subturtle-extension-apps/compare/v1.11.0-dev.3...v1.11.0-dev.4) (2026-05-06)
+
+
+### Bug Fixes
+
+* [#86](https://github.com/codebridger/subturtle-extension-apps/issues/86)exgqfpu skip token writes to host LS on dashboard origins ([838451e](https://github.com/codebridger/subturtle-extension-apps/commit/838451e9ad10d3a3755691b4ca586a0d3815a008)), closes [#86exgqfpu](https://github.com/codebridger/subturtle-extension-apps/issues/86exgqfpu)
+
 # [1.11.0-dev.3](https://github.com/codebridger/subturtle-extension-apps/compare/v1.11.0-dev.2...v1.11.0-dev.3) (2026-05-04)
 
 
diff --git a/package.json b/package.json
index a22fb49..38e1b73 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "subturtle-extension",
-  "version": "1.11.0-dev.3",
+  "version": "1.11.0-dev.4",
   "private": true,
   "scripts": {
     "dev": "webpack --watch",
diff --git a/static/manifest.json b/static/manifest.json
index 9be5264..c1fb0d5 100644
--- a/static/manifest.json
+++ b/static/manifest.json
@@ -1,7 +1,7 @@
 {
 	"name": "Subturtle",
 	"description": "Turn video subtitles into English lessons. Learn new vocabulary in context as you watch on YouTube and Netflix.",
-	"version": "1.11.0.3",
+	"version": "1.11.0.4",
 	"manifest_version": 3,
 	"icons": {
 		"128": "/assets/logo-128.png",
@@ -80,5 +80,5 @@
 			]
 		}
 	],
-	"version_name": "1.11.0-dev.3"
+	"version_name": "1.11.0-dev.4"
 }