L5/Q4 (factory iter 2): CHANGELOG Unreleased updated for CSP-RULEID, ERRLOG-PERF, WORKSPACES-INIT

Closes the iter-2 cycle:
- CSP-RULEID: sequential DNR ruleId allocation (commit before)
- ERRLOG-PERF: debounced error-log save (commit before)
- WORKSPACES-INIT: _initPromise try/finally clear (commit before)

Unreleased now accumulates 7 hardening items across iter-1+2 (LR-001
through LR-003 + CSP-RULEID + ERRLOG-PERF + WORKSPACES-INIT + the
D-phase dep cleanup). A v3.12.0 release cut is warranted once a
feature ships or on explicit --release flag.

45 test files, 769 cases green. tsc strict clean. background.js 19,598
lines.

tasks_remaining in .factory/large-repo-state.yaml is down to 2:
  - XHR-PRIVACY (P1, multi-day Chrome 131+ migration)
  - DNS-REBIND  (P2, multi-week post-fetch IP verification)
Both exceed the per-run LR cap; they need dedicated focused sessions.

Author: SysAdminDoc

CHANGELOG.md

@@ -8,7 +8,10 @@ All notable changes to ScriptVault will be documented in this file.
 - **LR-002** ResourceCache concurrent-fetch dedup. Two scripts requesting the same `@require` URL simultaneously used to both miss the cache, both call `fetch()`, and race on `cache.set` — wasting bandwidth and producing last-write-wins on the persisted dataUri. Added `_pendingFetches: Map<url, Promise<text>>` so concurrent callers share the in-flight promise. Failed fetch clears the entry so retries aren't poisoned. 3 new regression cases in `tests/resources.test.js` (dedup, failure-recovery, cache-hit-short-circuit).
 - **LR-003** AST analyzer detectors for three obfuscation patterns the literal-`eval` detector misses: indirect-eval (`(0, eval)(x)` SequenceExpression shape, invokes eval in global scope bypassing closure isolation), dynamic-property-call on globals (`window[<computed>](args)`, gated to known global receivers to avoid noise), and Function-constructor via `.apply`/`.call`/`.bind` (catches `Function.apply(null, ['return x'])` which the `new Function()` detector misses). 26 new regression cases in `tests/analyzer-ast-detectors.test.js` (positive + negative + malformed-AST + array integrity).
 - **D-phase** `npm audit fix` clears 4 advisories (1 high, 3 moderate) in transitive devDependencies (basic-ftp/ip-address from puppeteer-core; postcss/ws from vitest tooling). None ship in the extension bundle.
-- Tests: 44 test files, 756/756 green. `tsc --noEmit` strict clean. background.js 19,542 lines.
+- **CSP-RULEID** `pages/dashboard-csp.js` switches DNR rule-ID allocation from hash-mod-100K (birthday-paradox collision at ~373 hostnames in 100K pool, >99% by ~1500) to sequential allocation in a 100M-id pool, derived on load from the max stored ruleId so it survives SW restarts collision-free. Entries persist their assigned ruleId in `chrome.storage.local`. First applyBypassRule per host allocates + persists BEFORE issuing the DNR update. `_reconcileLegacyRules()` one-shot sweep cleans pre-fix hash-allocated orphan rules. Legacy `_legacyHashRuleId` retained only for migration grace on removeBypassRule. 7 new regression cases.
+- **ERRLOG-PERF** `modules/error-log.js` debounces save by 200ms. Pre-fix: every `log()` call serialized the full 500-entry log (~150KB) to `chrome.storage.local`; bursty load (100 errors/sec) issued 100 storage writes/sec of largely-identical payloads. Now: `log()` schedules a save and returns; the actual `storage.local.set` fires once per debounce window. `clear()` and new public `flush()` bypass the debounce for caller-initiated immediate persistence. 3 new regression cases pin the contract.
+- **WORKSPACES-INIT** `bg/workspaces.js` `_init()` now clears `_initPromise` in a try/finally on both success and failure (mirrors `modules/storage.js` init pattern). Pre-fix: the resolved promise stuck around forever; a subsequent `_cache = null` (factory reset, test isolation) found the stale promise still cached and no-op'd the next `_init()` without re-reading from storage, leaving the cache null and crashing every subsequent caller via `this._cache!.list`. 3 new regression cases.
+- Tests: 45 test files, 769/769 green. `tsc --noEmit` strict clean. background.js 19,598 lines.
 
 ## [v3.11.0] — Storage & persistence rollback hardening + Phase 38 parity wave (2026-05-19)