Browser Extension

Inject Hatch scores directly on Four.meme token pages.

Source: packages/extension/. Manifest v3, zero dependencies, Chrome/Edge/Firefox compatible.

What it does

Visit any Four.meme token page with the extension installed and a small Hatch badge appears inline next to the token title. Click the badge → open the full score page on gohatch.fun.

Badge states:

• Green / amber / red — band colors match the score.
• Preliminary — yellow border, small warning icon, indicates hasStubs: true.
• Not scored — grey pill, "Score it" CTA → opens /launch?address=….

Install

Chrome / Edge / Brave

1. Build the extension locally:

   pnpm --filter @hatch/extension build
   

2. Chrome → chrome://extensions → "Load unpacked" → select packages/extension/dist/.

Firefox

1. Build as above.
2. about:debugging#/runtime/this-firefox → "Load Temporary Add-on" → pick packages/extension/dist/manifest.json.

Production install (planned)

Chrome Web Store listing lands after J.1 (already live) + icon finalisation (still pending — icons icon-{16,32,48,128}.png need to be generated in packages/extension/src/).

How it works

Four.meme page loads
     │
     ▼
content.js injects → observes DOM for token address
     │
     ▼
fetches https://api.gohatch.fun/api/v1/score/<address> (anonymous, free tier)
     │
     ▼
either renders badge inline OR renders "Score it" CTA

Anonymous fetch — no API key bundled. Free tier (60/min/IP) is enough for the average browsing session.

Popup

Click the extension icon → popup opens with:

• Address input: paste any token address to look it up.
• Links: /launch, /leaderboards/today, Hatch community.

Popup logic is in packages/extension/src/popup.{html,js}.

Content script injection rules

• Only runs on four.meme/* and fourmeme.com/* (manifest matches).
• Observes DOM mutations; re-runs on SPA route changes.
• No script injection into iframes or non-Four.meme pages.

Privacy

• No analytics. We don't know who has the extension installed.
• No background data collection. Requests only fire on four.meme domains.
• No cookies set or read by the extension.
• Fetches are anonymous (no bearer).

Rate limiting

Anonymous tier is 60 req/min per IP. At typical browsing speed, this is plenty. If you somehow blow through it, the badge shows a muted "rate limited" state for the next minute.

Development

# Watch mode (simple src → dist copy)
pnpm --filter @hatch/extension build

# After editing src/content.js, reload the extension in chrome://extensions

Tests are DOM-driven and live in packages/extension/tests/ (planned).

Scope boundaries

• Extension does not sign transactions.
• Extension does not enroll creators.
• Extension does not see wallet state — it's a read-only reader.

Mutations happen on gohatch.fun, not in the extension.

Reporting issues

GitHub issues tagged extension, or Telegram. For security issues, email security@gohatch.fun — the extension is in-scope for the bug bounty.