BotGentz — corrected build
===========================

WHAT WAS BROKEN
---------------
Scripts matched the URL but never ran on strict sites. The old injector.js
created a <script> element and appended it to the page. That inline script
executes in the page's MAIN world and is therefore blocked by the page's
Content-Security-Policy (e.g. "script-src 'self'"). The URL "detected", the
element was appended, but the browser refused to EXECUTE the code — so
createUI() (and everything else in the script) never ran. Sites with no CSP
worked; strict sites didn't. Tampermonkey avoids this by using the browser's
User Scripts API instead of a DOM <script> tag.

WHAT CHANGED
------------
- injector.js  -> removed. Replaced by bridge.js.
- background.js -> now registers enabled scripts with chrome.userScripts.
  Those run in a browser-injected MAIN world that the page CSP cannot block.
  The GM_* shim is prepended to every script and actually reaches the code now.
- bridge.js (new, ISOLATED world) -> relays GM_xmlhttpRequest / GM_openInTab
  from the MAIN-world shim to the service worker, and triggers the badge count.
- manifest.json -> added the "userScripts" permission, swapped injector.js for
  bridge.js, added minimum_chrome_version. Removed the now-unused "scripting".
- dashboard.js / dashboard.html / popup.js / popup.html -> unchanged.

REQUIRED ONE-TIME STEP (or nothing runs)
----------------------------------------
The User Scripts API needs an explicit toggle:
  1. Go to chrome://extensions
  2. Open BotGentz' "Details" page
  3. Turn ON "Allow User Scripts"   (Chrome 138+)
     On older Chrome, enable "Developer mode" instead.
Until this is on, chrome.userScripts is unavailable and no scripts inject.
The background console will print a reminder if it's off.

NOTES
-----
- Scripts run in the MAIN world (page context), matching Tampermonkey's
  default @grant none behavior, so they can read the page's own variables.
- @match, @include, @exclude, @exclude-match and @run-at are honored.
- The icons in /icons are placeholders — replace with your own if you have them.
- If a script needs eval() on a site that blocks 'unsafe-eval', switch that
  script's world to 'USER_SCRIPT' in background.js and configure its CSP via
  chrome.userScripts.configureWorld(); MAIN world can't override page CSP for eval.
