Sync Firefox manifest with v2.1.0 hardening and include loader

- Bump Firefox manifest to 2.1.0 alongside Chrome
- Switch Firefox interceptor injection to loader pattern so the nonce
  handoff to content.js works (MAIN-world content script alone has no
  documentElement nonce, causing all findings to be rejected)
- Add CSP and web_accessible_resources entries to match Chrome
- Include js/interceptor-loader.js in build.sh shared files
- Ignore dist/ build output

.gitignore

@@ -2,6 +2,7 @@
 *.crx
 *.pem
 *.zip
+dist/
 .idea/
 .vscode/
 *.swp

manifest.firefox.json

@@ -1,7 +1,7 @@
 {
   "name": "KeyFinder",
-  "description": "Passively discovers API keys, tokens, and secrets leaked in page scripts, DOM, network responses, and browser storage.",
-  "version": "2.0.0",
+  "description": "Passively discovers API keys, tokens, and secrets leaked in page scripts, DOM, network responses, and browser storage. Available for Chrome and Firefox.",
+  "version": "2.1.0",
   "manifest_version": 3,
   "browser_specific_settings": {
     "gecko": {
@@ -34,14 +34,22 @@
     },
     {
       "matches": ["<all_urls>"],
-      "js": ["js/interceptor.js"],
+      "js": ["js/interceptor-loader.js"],
       "run_at": "document_start",
-      "world": "MAIN",
       "all_frames": true
     }
   ],
+  "content_security_policy": {
+    "extension_pages": "script-src 'self'; object-src 'self'"
+  },
   "background": {
     "scripts": ["js/background.js"]
   },
+  "web_accessible_resources": [
+    {
+      "resources": ["js/interceptor.js"],
+      "matches": ["<all_urls>"]
+    }
+  ],
   "permissions": ["activeTab", "storage"]
 }

scripts/build.sh

@@ -12,6 +12,7 @@ SHARED_FILES=(
   js/background.js
   js/content.js
   js/interceptor.js
+  js/interceptor-loader.js
   js/patterns.js
   js/popup.js
   js/results.js