Changelog

• Single-purpose statement, no rhetorical welding. Cairn exports the active Claude conversation to a local file. The export is readable in any text editor or unzipped with any archive tool. The optional KnowledgeBank index keeps a local, encrypted list of what you have exported. The extension does nothing else.
• Threat-model conformance frozen. Pin 1 (host_permissions: none), Pin 2 (AES-256-GCM at-rest via Argon2id-derived key), Pin 3 (typed IPC with sender.id guard and 4 KB cap), Pin 4 (no nativeMessaging) — all enforced by cairn-verify.sh as a build gate.
• Reproducible build + SPDX 2.3 SBOM. Deterministic zip ordering, fixed mtime, no system metadata. Vendored hash-wasm 4.12.0 (Argon2id) declared with MIT attribution. Two consecutive builds produce identical SHA-256.
• Manifest bumped to 1.0.0. Same four permissions: activeTab, scripting, downloads, sidePanel. Install-time prompt unchanged from v0.3.1 — "manage your downloads" only.

SHA-256 6030b7706ddc70e04c58adbb53b803d333665f394bd1643d0190a04ee6738d98. SBOM checked into the upload package alongside the zip. Real license public key injected. Staged for CWS upload — submission gated on operator approval.

• Install-time permission prompt reduced to "manage your downloads" only. The "Read and change your data on claude.ai" line is gone — host_permissions dropped entirely.
• No auto-injecting content script. Nothing runs on any page until you click an export button — at which point chrome.scripting.executeScript injects the fetch into the active tab via activeTab's user-gesture grant.
• Fetch path unchanged — same single same-origin call to claude.ai, same authenticated endpoint. Privacy posture strictly stricter than v0.3.0.
• Inlined the interceptor into app.js; deleted src/content/interceptor.js. One fewer file to read on review.

Matches V1.0 threat-model Pin 1 (activeTab only) brought forward to the v0.3 line.

• One-click export from any claude.ai/chat/<id> or claude.ai/share/<id> page.
• Four formats: raw JSON, readable Markdown, Artefacts zip, Everything bundle.
• Side panel UI with format selector + status banner + diagnostic output.
• Artefact resolver walks the conversation's artifacts tool calls, resolves create/update/rewrite chains to final state, names each file with the correct extension via a MIME/language map.
• Markdown rendering preserves thinking blocks, tool calls, tool results, and inline attachments.
• Optional credential redaction: Anthropic, OpenAI, Google, AWS, GitHub, Stripe, Slack API keys; JWTs; bearer tokens; PEM private key blocks. Email-redaction is a second opt-in toggle.
• Permissions minimised: only activeTab, scripting, downloads, sidePanel, and host claude.ai.
• Zero network egress beyond the single authenticated fetch to claude.ai. No server, no telemetry, no analytics.

Initial public release. Submitted to the Chrome Web Store; pending review.