Store a HMAC with the encrypted symmetric key instead of just the wrapped key and verify that the HMAC matches before unwrapping. Test that normal getting works and a tampered payload/HMAC fails but succeeds on restoring the correct HMAC.
Get rid of get/setInfo on ClientEngine and ClientStore and expose functions to read/modify client data: stats, clearCommands, sendCommand. Also expose the local client information as local[ID,Name,Type,Commands] and rework the storage to use these instead of trying to keep the JS object clients entry in sync with prefs, etc. Update users of the old interface (service/tabs/chrome) to use the new local*. Set the client type based on app id instead of from each app's overlay.
Get rid of Filters and automatically JSON.stringify PUT/POST data that aren't strings, so plain Records can be passed in to PUT and POST. This leverages toJSON of Records to provide an object that can be serialized. Fix up client record serialize/deserialize to still escape/unescape non-ASCII.
Make sure we generate ASCII data for upload by escaping on serialize and unescaping on deserialize. Test to make sure serialized data is ASCII and the original records aren't modified by serialize.
