Skip to content

SysAdminDoc/ScriptVault

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

286 Commits
.github/workflows
.github/workflows
 
 
_locales
_locales
 
 
bg
bg
 
 
docs
docs
 
 
images
images
 
 
lib
lib
 
 
modules
modules
 
 
pages
pages
 
 
scripts
scripts
 
 
shared
shared
 
 
src
src
 
 
tests
tests
 
 
.env.example
.env.example
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CWS_COOKIES_JUSTIFICATION.md
CWS_COOKIES_JUSTIFICATION.md
 
 
FIREFOX-PORT.md
FIREFOX-PORT.md
 
 
LICENSE
LICENSE
 
 
PRIVACY.md
PRIVACY.md
 
 
README.md
README.md
 
 
RESEARCH_FEATURE_PLAN.md
RESEARCH_FEATURE_PLAN.md
 
 
RESEARCH_FEATURE_PLAN_PASS2.md
RESEARCH_FEATURE_PLAN_PASS2.md
 
 
ROADMAP.md
ROADMAP.md
 
 
TODO.md
TODO.md
 
 
background.core.js
background.core.js
 
 
background.js
background.js
 
 
build-firefox.sh
build-firefox.sh
 
 
build.sh
build.sh
 
 
content.js
content.js
 
 
cws-setup.sh
cws-setup.sh
 
 
esbuild.config.mjs
esbuild.config.mjs
 
 
manifest-firefox.json
manifest-firefox.json
 
 
manifest-firefox.transformations.json
manifest-firefox.transformations.json
 
 
manifest.json
manifest.json
 
 
offscreen.html
offscreen.html
 
 
offscreen.js
offscreen.js
 
 
pack-crx.mjs
pack-crx.mjs
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
publish.sh
publish.sh
 
 
ts-source-promotion.json
ts-source-promotion.json
 
 
tsconfig.json
tsconfig.json
 
 
vitest.config.mjs
vitest.config.mjs
 
 

Repository files navigation

ScriptVault

ScriptVault

A powerful, open-source userscript manager built on Chrome Manifest V3

Version Manifest V3 License Chrome 130+

Chrome Web StoreFeaturesInstallationQuick StartSecurityContributing

Features

GM API — 35+ Functions

Full Greasemonkey/Tampermonkey API compatibility with promise-based GM.* async variants.

Storage Network UI Utilities
GM_getValue GM_xmlhttpRequest GM_addStyle GM_info
GM_setValue GM_download GM_notification GM_log
GM_deleteValue GM_webRequest GM_registerMenuCommand GM_setClipboard
GM_listValues GM_unregisterMenuCommand GM_openInTab
GM_getValues GM_getMenuCommands GM_getResourceText
GM_setValues GM_addElement GM_getResourceURL
GM_deleteValues GM_head GM_loadScript GM_cookie
GM_addValueChangeListener GM_audio GM_focusTab
GM_removeValueChangeListener GM_closeTab

Plus GM_getTab, GM_saveTab, GM_getTabs for cross-tab state, window.close, window.focus, window.onurlchange grants, @top-level-await, @delay, and @nodownload support.

Script Management

  • Auto-detect installation — Navigate to any .user.js URL
  • One-click toggle — Enable/disable scripts individually or globally
  • Auto-updates — Configurable update intervals with notifications
  • Per-script update check — Check and apply updates for individual scripts inline
  • Version tracking — Installed vs. available version comparison
  • Tags & search — Organize and filter scripts by name, description, or metadata
  • Popup quick-edit — Click any script in the toolbar popup to jump straight into the editor
  • Find Scripts — Search and install userscripts from Greasy Fork and other sources directly in the dashboard
  • Bulk operations — Select multiple scripts to enable, disable, update, reset, or delete with progress tracking
  • Per-script export — Export individual scripts as .user.js files
  • Script templates — 6 starter templates (blank, page modifier, CSS injector, API interceptor, SPA script, cross-site request)
  • Version rollback — Auto-saves last 3 versions on update; one-click rollback from info panel
  • Storage quota monitor — Visual quota bar with warning when approaching Chrome's 10MB limit
  • Tag filtering — Filter scripts by @tag metadata in the dashboard dropdown
  • Drag-and-drop install — Drop .user.js or .zip files onto the dashboard to install
  • Shift+click multi-select — Select ranges of scripts with Shift+click
  • Library browser — Search and add CDN libraries (@require) from cdnjs directly in the editor
  • Advanced filters — Filter scripts by grant type, error status, update URL, scope breadth, or tags
  • Code snippets — Insert GM API templates directly from the editor toolbar
  • Keyboard shortcuts — Ctrl+N new, Alt+1-5 switch tabs, Ctrl+W close tab, Ctrl+Tab cycle tabs
  • Script pinning — Pin favorite scripts to the top of the list
  • Pattern tester — Test any URL to see which scripts would run on it
  • Activity log — Timestamped log of all installs, updates, and errors
  • Script health — Visual indicators for scripts with errors or stale updates
  • Tampermonkey import — Import from Tampermonkey's .txt backup format
  • Batch URL install — Paste multiple .user.js URLs to install at once
  • Script notes — Personal notes per script, saved with settings
  • Version diff view — Compare any previous version against current code
  • Script folders — Organize scripts into color-coded folders with drag-and-drop
  • Workspaces — Named snapshots of enabled/disabled script states for quick context switching
  • Command palette — Ctrl+K to fuzzy-search actions, scripts, and settings
  • Execution profiling — Per-script timing stats with color-coded performance badges
  • Performance budgets — Configurable time budget per script with visual over-budget indicators
  • Column visibility — Toggle which columns appear in the script table
  • Full-text search — Prefix with code: to search inside script source code
  • Copy install URL — One-click clipboard copy of script download/update URL

Advanced URL Matching

  • Full @match, @include, @exclude, @exclude-match support
  • User overrides — Add custom match patterns without editing script code
  • Per-pattern toggles — Disable individual original patterns per-script
  • Glob and regex pattern support

Per-Site Control

ScriptVault has three independent layers for stopping scripts from running on a given site, all reachable from Settings (and the popup's "Run only on this domain" / "Do not run on this domain" quick actions):

Layer Behavior Setting
Denied hosts Block every script on listed hosts. Highest priority — overrides script @match patterns. deniedHosts (array of hostnames)
Blacklist mode (default) Run scripts everywhere except on URLs listed in blacklistedPages (one per line, glob-style patterns). pageFilterMode: 'blacklist' + blacklistedPages
Whitelist mode Run scripts only on URLs listed in whitelistedPages. Nothing else triggers a script. pageFilterMode: 'whitelist' + whitelistedPages

Per-script @match/@include/@exclude still apply on top of these global gates. The popup chip flips a single domain in or out of the active list in one click.

Cloud Sync

Sync scripts across devices with 5 providers:

Provider Method
WebDAV Self-hosted or any WebDAV server
Google Drive OAuth2 integration
Dropbox App folder sync
OneDrive Microsoft account integration
S3-compatible AWS S3, Cloudflare R2, MinIO, Backblaze B2, and other S3 endpoints

Two additional zero-config flows ship as separate modules: Easy Cloud for one-click Google Drive sync via chrome.identity, and GitHub Gist import/export/sync via a personal access token.

Monaco Editor

  • Monaco Editor — Same editor that powers VS Code, loaded in a sandboxed iframe
  • Tabbed editing — Open multiple scripts simultaneously with browser-style tabs (middle-click to close)
  • Unsaved indicators — Visual dot on tabs with pending changes
  • 4 editor themes — Dark, Light, Catppuccin Mocha, OLED
  • Status bar — Line count and cursor position display
  • IntelliSense — Autocomplete for GM API functions and @metadata directives
  • Code folding, bracket matching, bracket pair colorization, auto-close
  • Search & replace (Ctrl+F / Ctrl+H)
  • Real-time userscript metadata linting
  • Code beautifier — One-click indentation normalization
  • Snippet insert — 7 GM API code templates from the toolbar
  • Open in vscode.dev for external editing

DevTools Panel

  • Network inspector — View all GM_xmlhttpRequest + fetch/XHR/WebSocket/sendBeacon calls from userscripts
  • Execution profiler — See run count, avg/total time, and errors per script
  • HAR export — Export network log in standard HAR format
  • Auto-refreshes every 3 seconds

Side Panel

  • Persistent companion panel — Always visible alongside the active page (Chrome 114+)
  • Shows scripts running on the current page with toggles, timing badges, and error dots
  • Live updates on tab navigation
  • Quick access to dashboard and script creation

Script Signing (Ed25519)

  • Cryptographic signing — Sign scripts with your Ed25519 keypair
  • Signature verification — Verify integrity of installed scripts
  • Trust store — Manage trusted author public keys
  • @signature metadata tag embedded in script header

Static Analysis

  • AST-based analyzer — 31 risk pattern detectors using Acorn parser
  • Zero false positives — AST walk ignores comments and strings
  • Risk scoring — Color-coded risk level (minimal/low/medium/high)
  • Categories: execution, data access, network, fingerprinting, obfuscation, mining, DOM hijacking
  • Shown on install page before script installation

Security

  • Script isolationUSER_SCRIPT world via chrome.userScripts API, per-script worldId (Chrome 133+)
  • Static analysis — AST-based risk scoring with 31 pattern detectors on every install
  • Script signing — Ed25519 cryptographic signatures with trust store
  • Blacklist system — Remote + manual blacklists
  • Permission analysis — Visual @grant permission breakdown on install
  • @connect validation — Restrict XHR domains
  • SRI verification@require URLs with #sha256= hash are verified after fetch
  • CSP handling — Works on sites with strict Content Security Policies
  • Zero telemetry — No phone home, all data stays local

Import & Export

  • ZIP — Full backup with scripts + settings
  • JSON — Text-based backup
  • File import — Drag and drop .user.js or .zip files anywhere on the dashboard
  • URL import — Install directly from any URL
  • Clipboard import — Paste script code directly

Internationalization

Available in 8 languages:

English • German • Spanish • French • Japanese • Portuguese • Russian • Chinese

v2.0 — New Features

Click to expand all v2.0 features (58 major features)

Discovery & Store

  • Built-in Script Store — Search, browse, and install scripts from Greasy Fork directly in the dashboard
  • OpenUserJS Integration — Additional script source alongside Greasy Fork
  • Script Collections — Group scripts into installable bundles with 4 built-in packs
  • Recommendations Panel — Heuristic script suggestions derived from installed scripts and Greasy Fork categories
  • Script Sharing — QR code generation, data URL encoding, standalone HTML export

Linting & Diff

  • Advanced Linter — Rule-driven @grant/metadata linter with one-click auto-fix
  • Script Diff Tool — Side-by-side and unified diff with LCS algorithm and merge support

Monitoring

  • Activity Heatmap — 365-day GitHub-style contribution grid
  • Error Log — 500-entry structured log with JSON/CSV/text export
  • CSP Compatibility Reporter — Track which sites block scripts with workaround suggestions

Debugging & Development

  • Script Debugger — Per-script console capture, live reload, variable inspector, error timeline
  • DevTools Network Panel — Capture of every GM_xmlhttpRequest plus fetch/XHR/WebSocket/sendBeacon call, with HAR export
  • Visual Pattern Builder — Construct @match patterns by decomposing URLs
  • 30+ Code Snippets — Searchable library across 8 categories with editor integration
  • Custom Templates — Save/share script templates with variable substitution wizard

UX & Customization

  • Card View — Grid layout alternative with site favicons and status indicators
  • 10 Theme Presets — Custom theme editor ships with Dark, Light, Catppuccin, OLED, Nord, Dracula, Solarized Dark, Solarized Light, Monokai, and Gruvbox starting points
  • Custom Theme Editor — 21 CSS variable pickers with live preview and import/export
  • Keyboard Navigation — Full keyboard-first nav with optional Vim keybindings
  • What's New Modal — Changelog shown once per version update
  • Gamification — Achievements, streaks, user levels, shareable profile cards

Sync & Backup

  • Zero-Config Cloud Sync — One-click Google Drive sync via chrome.identity
  • GitHub Gist Integration — Import/export/sync scripts with GitHub Gists
  • Automated Backups — Scheduled daily/weekly backups with configurable retention
  • Multi-Profile Support — Different script configurations for different contexts
  • Violentmonkey/Greasemonkey Import — Import from VM JSON and GM4 backup formats

Platform & Architecture

  • UserStyles/CSS Support.user.css files with variable editor, Stylus import
  • Script Chaining — Visual pipeline builder for sequential script execution
  • npm Package Resolution@require npm:lodash with CDN fallback chain
  • Script Scheduling — Time/day/date-based execution with visual picker
  • Public Extension API — External message API with rate limiting and webhooks
  • Firefox Compatibility Layer — Polyfills for cross-browser v2.0 module support
  • Lazy Module Loading — Dashboard loads 7 eager scripts, defers 30+ until needed
  • Automatic Migration — Seamless v1.x → v2.0 data migration
  • Storage Quota Manager — Auto-cleanup when approaching Chrome's 10MB limit

Quality & Testing

  • 600+ Vitest Tests — Coverage for parser, utilities, storage, update flows, UI modules, accessibility, and security boundaries
  • JSDoc Type Annotations — @ts-check compatible on critical functions
  • esbuild Build System — Modern bundler with minification and source maps
  • Accessibility (WCAG 2.1 AA) — ARIA labels, focus trapping, high contrast, reduced motion

Installation

From Source (Developer Mode)

  1. Clone or download this repository:

    git clone https://github.com/SysAdminDoc/ScriptVault.git
cd ScriptVault

  2. Open Chrome and navigate to chrome://extensions

  3. Enable Developer mode (toggle in top right), then click Load unpacked and select the repository folder.

  4. Enable userscript execution for your Chrome version:

    • Chrome 138+: Click ScriptVault's Details button and enable Allow User Scripts.
    • Chrome 120-137: Keep the global Developer mode toggle enabled.

If the toggle is off, the popup and dashboard show a setup banner. After enabling the required toggle, reopen the popup or click Refresh in dashboard runtime diagnostics; ScriptVault re-probes chrome.userScripts and configures the USER_SCRIPT world without requiring a browser restart. If Chrome keeps the API unavailable in the current extension context, use the Reload button on ScriptVault's chrome://extensions details page and refresh status again.

Chrome Web Store

Install ScriptVault from the Chrome Web Store

Firefox / AMO Validation Build

Firefox is still a validation target, not a published AMO listing. The current package targets Firefox 140+ desktop and produces AMO-ready artifacts:

npm run firefox:package

Artifacts are written to firefox-artifacts/: the Firefox package ZIP, a source-review ZIP, and web-ext-lint.json. The gate currently passes with 0 linter errors and 0 notices. Monaco is omitted from the Firefox package until the dedicated editor-loading pass lands, so the editor falls back to the textarea adapter; OAuth cloud providers are deferred because Firefox does not support identity as an optional permission.

Browser Support Matrix

Last generated: 2026-05-24 with npm run support:matrix. Version source: manifest.json / manifest-firefox.json 3.11.0.

Browser Support level Tested version / target Last successful verification Verification evidence Unsupported or deferred APIs
Chrome / Chromium Tier 1 published target Chrome 130+ MV3 2026-05-24 npm run smoke:dashboard, npm run cws:check, Chrome ZIP packaging in CI Chrome 138+ requires per-extension Allow User Scripts; per-script worldId is Chrome 133+ and feature-gated
Microsoft Edge Tier 1 compatible package; separate store automation pending Edge 130+ Chromium MV3 package 2026-05-24 package/manifests; no separate Edge CI smoke yet Same ZIP as Chrome; smoke harness can run with Edge via SCRIPT_VAULT_CHROME_PATH Edge Add-ons package/publish path is not automated yet
Firefox Desktop AMO validation target, not a published listing Firefox 140.0+ MV3 2026-05-24 npm run firefox:package; web-ext lint 0 errors / 0 notices / 138 warnings sidePanel, offscreen, identity OAuth, and some userScripts.execute flows are unsupported/deferred; Firefox package omits Monaco until the Firefox editor-loading pass
Firefox for Android Manifest validation target Firefox for Android 142.0+ 2026-05-24 package/manifests; no Android device smoke yet manifest-firefox.json gecko_android target plus Firefox source/package ZIP Same Firefox API deferrals; no side panel; Android device smoke is not wired
Brave / Vivaldi / Opera / Arc Chromium derivative watchlist Chrome 130+ package may load Not release-verified No CI smoke or store package for these browsers Store policy, shields/sidebar behavior, and extension UI chrome are unverified
Orion / Safari Not supported Not a current target Not verified No build, smoke, or package path Requires separate WebKit/Orion validation and likely native Safari extension work

Permission and Privacy Review

ScriptVault has broad extension permissions because it is a userscript manager: users can install scripts for user-chosen sites, run them in the browser USER_SCRIPT world, sync backups through configured providers, and expose script APIs such as GM_download, GM_xmlhttpRequest, clipboard, and tab helpers. The reviewer-facing permission justifications live in docs/store-listing-copy.md and the privacy policy keeps the same manifest inventory in PRIVACY.md.

Before release, run:

npm run store-copy:check

The check compares manifest.json and manifest-firefox.json against the privacy policy, store copy, release runbook, package scripts, and CI so a new permission cannot ship without matching user-facing explanation.

Quick Start

Installing Scripts

Method Steps
Direct URL Navigate to any .user.js URL — ScriptVault auto-detects it
Find Scripts Dashboard → click Find Scripts → search → one-click install
File drop Drag and drop a .user.js file onto the dashboard
Dashboard import Dashboard → Utilities → paste URL or code → Import
Create new Dashboard → click + → write script → Ctrl+S

Managing Scripts

Action How
Toggle Click the switch next to any script
Edit Click the script name — opens in a tab (multiple scripts at once)
Update Click the refresh icon on any script to check for updates
Export Click the download icon to export a single script
Delete Click the trash icon
View storage Click the database icon to inspect GM_getValue data
Bulk actions Select multiple scripts via checkboxes → choose action from dropdown

Keyboard Shortcuts

Shortcut Action
Alt+Shift+S Open ScriptVault popup
Alt+Shift+D Open Dashboard
Alt+Shift+E Toggle all scripts on/off
Ctrl+S Save script (in editor)
Ctrl+F Find in editor
Ctrl+H Find and replace
Ctrl+G Go to line

Omnibox Search

Type sv followed by a script name (or tag) in the browser's address bar to fuzzy-search your installed scripts. Press Enter on a suggestion to open that script in the dashboard editor.

Supported Metadata

// ==UserScript==
// @name           Script Name
// @namespace      https://example.com
// @version        1.0.0
// @description    What the script does
// @author         Your Name
// @match          https://example.com/*
// @include        http://example.org/*
// @exclude        *://example.com/private/*
// @exclude-match  *://admin.example.com/*
// @grant          GM_getValue
// @grant          GM_setValue
// @grant          GM_xmlhttpRequest
// @require        https://code.jquery.com/jquery-3.6.0.min.js
// @resource       myCSS https://example.com/style.css
// @icon           https://example.com/icon.png
// @run-at         document-end
// @connect        api.example.com
// @downloadURL    https://example.com/script.user.js
// @updateURL      https://example.com/script.meta.js
// @supportURL     https://github.com/user/repo/issues
// @homepageURL    https://github.com/user/repo
// @license        MIT
// @antifeature    tracking
// @tag            productivity
// @priority       10
// @inject-into    auto
// @compatible     chrome
// @incompatible   firefox Needs polyfill
// @contributionURL https://example.com/donate
// @webRequest     {"selector":"*ad*","action":"cancel"}
// @top-level-await
// ==/UserScript==

@run-at Options

Value Timing
document-start Before DOM loads
document-body When <body> exists
document-end When DOM is complete (default)
document-idle When page is fully loaded
context-menu On right-click context menu

Security Model

Layer Protection
Script isolation Scripts run in isolated USER_SCRIPT world via chrome.userScripts API
Permission transparency Installation page shows all requested @grant permissions
Network restrictions @connect domains are validated before XHR requests
Blacklist protection Remote + manual blacklists block known malicious scripts
Zero telemetry No data collection, no phone home — everything stays local

Comparison

Feature ScriptVault Tampermonkey ViolentMonkey
Manifest V3 Yes Yes Yes
Full GM API (35+) Yes Yes Yes
Monaco Editor (VS Code) Yes No No
DevTools Panel Yes No No
Side Panel Yes No No
Script Signing (Ed25519) Yes No No
AST Static Analysis (31 detectors) Yes No No
Cloud Sync (WebDAV, Google Drive, Dropbox, OneDrive, S3) Yes Yes Yes
3-Way Sync Merge Yes No No
Tabbed Multi-Script Editor Yes No No
Built-in Script Search Yes No No
Script Templates 6 No No
Version Rollback Yes (3) No No
CDN Library Browser Yes No No
Workspaces Yes No No
Script Folders Yes No No
Command Palette (Ctrl+K) Yes No No
Drag-and-Drop Install Yes Yes No
Tag Filtering Yes No No
Script Pinning Yes No No
Pattern Tester Yes No No
Version Diff View Yes No No
Network Request Log + HAR Yes No No
Execution Profiling Yes No No
Performance Budgets Yes No No
Storage Quota Monitor Yes No No
Bulk Operations w/ Progress Yes Yes No
4 UI Themes Yes No Yes
Open Source MIT No Yes
Free Yes Freemium Yes

Project Structure

ScriptVault/
├── manifest.json              # Chrome MV3 manifest
├── manifest-firefox.json      # Firefox MV3 manifest
├── esbuild.config.mjs         # Cross-platform build pipeline
├── .env.example               # Safe template for Chrome Web Store publishing credentials
├── background.js              # Service worker (built from source modules)
├── background.core.js         # Main service worker logic (~5500 lines)
├── content.js                 # Content script bridge (USER_SCRIPT <-> background)
├── offscreen.html/js          # Offscreen document (AST analysis, 3-way merge)
├── build.sh                   # Packages CWS-ready ZIP
├── bg/
│   ├── analyzer.js            # AST-based static analysis engine
│   ├── netlog.js              # Network request logger
│   ├── signing.js             # Ed25519 script signing
│   └── workspaces.js          # Workspace state manager
├── modules/
│   ├── storage.js             # Settings, scripts, values, folders
│   ├── sync-providers.js      # WebDAV, Google Drive, Dropbox, OneDrive
│   ├── resources.js           # @resource/@require cache
│   ├── xhr.js                 # XHR abort tracking
│   └── i18n.js                # Inline translations (8 languages)
├── shared/
│   └── utils.js               # escapeHtml, generateId, sanitizeUrl, formatBytes
├── pages/
│   ├── dashboard.html/js      # Main dashboard + Monaco editor (~5000 lines)
│   ├── popup.html/js          # Toolbar popup
│   ├── install.html/js        # Script installation page
│   ├── sidepanel.html/js      # Persistent side panel (Chrome 114+)
│   ├── devtools.html          # DevTools registration
│   ├── devtools-panel.html/js # DevTools network + profiling UI
│   ├── editor-sandbox.html    # Sandboxed Monaco editor iframe
│   └── monaco-adapter.js      # CodeMirror-to-Monaco API bridge
├── lib/
│   ├── codemirror/            # CodeMirror (lint only)
│   ├── acorn.min.js           # Acorn JS parser for AST analysis
│   ├── diff.min.js            # diff.js for 3-way merge
│   └── fflate.js              # ZIP compression
├── images/                    # Extension icons
└── _locales/                  # 8 language translations

Contributing

Contributions are welcome. Feel free to open a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/my-feature)
  3. Commit your changes
  4. Push to the branch (git push origin feature/my-feature)
  5. Open a Pull Request

License

MIT License — see LICENSE for details.

Acknowledgments

  • Tampermonkey — Setting the standard in userscript management
  • ViolentMonkey — Manifest V3 inspiration
  • Monaco Editor — The VS Code editor powering the script editor
  • Acorn — JavaScript parser for AST-based static analysis
  • jsdiff — Text diffing for 3-way sync merge
  • fflate — Fast ZIP compression

ScriptVault v3.11.0
Your scripts, your rules — locked down and loaded

About

A powerful, modern userscript manager built with Manifest V3. Feature-rich yet lightweight, with Tampermonkey-inspired functionality.

Topics

javascript chrome-extension tampermonkey manifest-v3 userscript-manager

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 15

ScriptVault v3.11.0 Latest
May 24, 2026
+ 14 releases

Packages

 
 
 

Contributors

Languages