ColibotAI - Translate, summarize & explain any text on-device

Hi Product Hunt 👋 I'm Edoardo, from WebWakeUp. ColibotAI started as a simple "highlight‑and‑translate" extension. People liked it — but under the hood it had grown into something I wasn't comfortable shipping anymore. So for 0.8 we didn't patch it. We rewrote it from scratch. Here's the honest why. What was wrong with the old build 🔑 The API key was stored in chrome.storage.sync — i.e. synced to your Google account. There were "encryption" modules too, but they were dead code (and broken in a service worker). 🐛 A regex "sanitizer" was being run over the AI prompts themselves, quietly corrupting them. 🐦 A little hummingbird icon followed your cursor via a mousemove listener on every page. 📦 ~15 content scripts + 3 stylesheets were injected into every HTTPS page, even when the extension was off — and toggling it reloaded all your tabs. 🧱 No types, no bundler, no tests, a hardcoded model and a 500‑token cap. It worked, but it was fragile, leaky, and slow to evolve. What we did instead We rebuilt ColibotAI on a modern stack and a privacy‑first architecture: WXT + TypeScript + Vite (Manifest V3). WXT gives file‑based entrypoints, a generated MV3 manifest, typed messaging/storage, and — crucially — the in‑page UI now lives in an isolated Shadow DOM (createShadowRootUi) that can't clash with the page's CSS. UI is injected on demand (activeTab), not on every page. A hybrid AI engine. On‑device first (Chrome's built‑in Gemini Nano — free & private), with automatic fallback to your own key across OpenAI, Anthropic, Google and OpenRouter — plus a new Custom / Local option that points ColibotAI at any OpenAI‑compatible server (Ollama, LM Studio, llama.cpp, or your own gateway), so you can run open models fully local and free. There's no backend — your text goes straight from your browser to the provider you chose, to your own machine, or nowhere at all on‑device. Security & privacy as defaults. The key lives in chrome.storage.local only (never synced), with an optional session‑only mode; a one‑time migration moves any legacy synced key to local and deletes it from sync. AI output is rendered with marked + DOMPurify (no more regex‑sanitizer XSS surface). Minimal permissions; provider hosts are optional and requested only when you add a key. The little things that add up: typed end‑to‑end messages, EN/IT localization, light/dark, ESLint + Prettier + Vitest, a notes side panel with search and JSON export/import, API‑key validation on save (a zero‑token check so you know immediately if a key works), a debug mode, and a smart cache that reuses a saved answer for near‑identical selections so you don't spend tokens twice. Same idea, a much better tool. It's free, GDPR‑compliant, and Made in Switzerland. Would love your feedback — especially on the on‑device vs. bring‑your‑own‑key balance. 🙏