Browser Extension · Step 7 of 7

Troubleshooting

When the extension doesn’t appear or shows a red status, walk the install chain in order: policy applied → manifest reachable → .crx reachable → browser picks it up. The first broken link is your culprit.

🔍

Symptom: no Quilr icon after install The MSI / pkg ran clean, the extension shows in chrome://extensions as force-installed… but the Quilr icon never appears in the AI-site prompt box (Step 4 Test 1). 99% of these cases trace back to Step 1 — browser-policy “Blocked”. Run the check below first.

Step 1 · Browser policy verification

Visit chrome://policy, edge://policy, or brave://policy and search for “Quilr” or the extension ID piajhjohgigijkddhdpgbjdcfhmammbk. You should see:

An ExtensionSettings or ExtensionInstallForcelist entry
The tenant update URL https://quilr-extensions.quilr.ai/<TENANT-ID>/manifest.xml
Status column showing OK

If missing: reload policies, restart the browser, sync your MDM (Intune / ManageEngine), or run gpupdate /force for GPO environments.

Read the Status column carefully — it tells you exactly what is wrong:

Status seen on `chrome://policy`	What it means	Fix
OK — with an `ExtensionSettings` / `ExtensionInstallForcelist` row containing the Quilr extension ID	Policy was pushed and accepted. The browser will load the off-store extension. If the icon is still missing, jump to Step 2 (manifest reachability).	Continue to Step 2.
Blocked / Ignored / Conflict next to the Quilr policy row	The browser refused the policy — almost always because the device is not managed by MDM or Active Directory. Chrome / Edge will only honour `ExtensionInstallForcelist` when the policy is delivered through a recognised management channel (MDM payload on macOS, GPO / Intune CSP / Registry-under-managed-policies on Windows). Locally-set registry keys are flagged Blocked.	Enrol the device in your MDM (Intune / Jamf / Kandji / ManageEngine) or join it to AD, then have the MDM / GPO push the Quilr `ExtensionSettings` policy. Manual installation on an unmanaged device is not supported — the off-store extension cannot load without a managed-policy whitelist (Step 1 of Prerequisites).
No Quilr row at all under Extension Policies	The policy never reached the browser. Either the MDM payload was scoped to a different group, the MDM sync didn’t run yet, or for GPO the OU doesn’t target this machine.	Force a policy refresh: `gpupdate /force` (Windows + AD), `sudo profiles renew -type=enrollment` (macOS + Jamf/Kandji), or trigger a manual sync from Intune. Re-check `chrome://policy`.
Quilr row present with a tenant ID that doesn’t match your tenant in the manifest URL	The wrong tenant’s policy was pushed.	Update the `ExtensionSettings` payload in MDM / GPO with the correct `TENANT-ID`; resync.

Step 2 · Manifest reachability

PowerShell

$tid = '<TENANT-ID>'
Invoke-WebRequest "https://quilr-extensions.quilr.ai/$tid/manifest.xml" |
  Select-Object StatusCode, RawContentLength

bash

TENANT_ID="<TENANT-ID>"
curl -fsSL "https://quilr-extensions.quilr.ai/${TENANT_ID}/manifest.xml" | head -3

Expected: HTTP 200, non-zero bytes, XML starting <gupdate xmlns="http://www.google.com/update2/response"…>.

Failure	Remedy
403 / 404	Wrong tenant ID in the policy — contact support@quilr.ai
Connection timeout	Allowlist `quilr-extensions.quilr.ai`
SSL error	An upstream SWG is decrypting the host and presenting its own cert — add it to the SSL-bypass list

Step 3 · .crx package validation

The manifest’s codebase points to https://quilr-extensions.quilr.ai/<TENANT-ID>/vanguard.crx. HEAD it:

bash

TENANT_ID="<TENANT-ID>"
curl -sI "https://quilr-extensions.quilr.ai/${TENANT_ID}/vanguard.crx" \
  | grep -iE 'HTTP/|content-type|content-length'

Expected: HTTP 200 · Content-Type: application/x-chrome-extension · non-zero Content-Length.

ℹ️

A corporate SWG may strip the Chrome-extension content-type — confirm it isn’t being restricted.

Step 4 · Extension still not appearing

When policy, manifest, and .crx all validate but the extension is absent:

Restart the browser completely
Edge: go to edge://policy/, reload, close all windows, relaunch
Chrome: enable Developer mode, click Update, then reload policies

Step 5 · Extension visible but popup is red / yellow

🟡

Native agent not running The WebExtension and native agent are two separate installs. A red status means the quilr-native-messaging-agent process isn’t running — redeploy the MSI/pkg via your MDM. Re-confirm with the process check in Step 4.

Step 6 · File-upload issues — check the upload log

When a user uploads a file to an AI tool (drag-and-drop into ChatGPT / Claude / Copilot, etc.) but the upload event never shows up in the Quilr console, the extension picked the event up locally but the native-agent upload pipe choked. The per-user upload log captures every attempt — success or failure.

OS	Log directory
Windows	`%APPDATA%\sentinel\logs\` (= `C:\Users\<USER>\AppData\Roaming\sentinel\logs\`)
macOS	`~/Library/Logs/sentinel/` (confirm the exact filename with Quilr support if absent)

Open the most recent .log in the directory and grep for the upload attempt. Most failures fall into one of three buckets:

PowerShell

# Tail the most recently-modified log in the upload-log directory
$dir = "$env:APPDATA\sentinel\logs"
Get-ChildItem $dir -File | Sort LastWriteTime -Desc | Select -First 1 |
  ForEach-Object { "==> $($_.FullName)"; Get-Content $_.FullName -Tail 200 }

bash

tail -n 200 "$(ls -t ~/Library/Logs/sentinel/*.log 2>/dev/null | head -1)"

Pattern in the log	Root cause	Fix
`upload failed: 401` / `403`	The native-agent auth token has expired or the tenant doesn’t recognise this user persona.	Click the extension icon → confirm the popup still says Persona Active & Extension Enabled. If not, the persona didn’t refresh — restart the browser (or run `taskkill /IM quilr-native-messaging-agent.exe` and reopen the browser to let it restart).
`upload failed: timeout` / `connection reset` against `dlpone.quilr.ai` (or the env-specific DLP host)	A TLS-intercepting SWG re-signed the cert on the DLP host, or the DLP host is missing from the allow-list. The upload reaches the agent but the agent can’t POST it to the backend.	Re-run the Quick smoke test from Step 2 — the selected env’s DLP host must be `[OK]`. SSL-bypass the DLP host on the SWG.
`upload failed: 413 Payload Too Large`	File exceeded the tenant’s per-upload size cap.	Raise the cap in Quilr Console → Settings → Browser Extension → Deployment (DLP → Limits), or instruct the user to chunk the file. Per-file caps are enforced server-side.
No matching entry at all for the timestamp the user attempted the upload	The WebExtension’s content-script never matched the upload trigger on that page — the host isn’t covered by the tenant’s monitored-app list, or the page uses a non-standard upload widget.	Confirm the AI host is enabled under Settings → Browser Extension → Monitored Apps. If it is, capture the upload widget’s DOM with DevTools and escalate to support@quilr.ai — the trigger selector may need updating.

Step 7 · Deep dive — inspect the extension service worker

When the symptom doesn’t fit any of the above patterns — everything “looks” installed but the extension misbehaves quietly — the next stop is the Quilr extension’s own background service worker. It logs every API call, every native-agent ping, and every DLP verdict. The Console tab tells you why; the Network tab tells you where.

Opening the service worker DevTools

Visit chrome://extensions (or edge://extensions / brave://extensions).
Toggle Developer mode on (top-right).
Find the Quilr row (ID piajhjohgigijkddhdpgbjdcfhmammbk).
Click Inspect views: service worker — this is the link directly under the extension name on Chrome MV3.
A new DevTools window opens scoped to the background service worker. Most useful surfaces: Console + Network.

💡

Three different contexts — pick the right one The popup, the page’s content script, and the background service worker each have a separate Console / Network. Only the service worker shows the Quilr → backplane API traffic and the native-messaging handshake. The popup’s DevTools (right-click popup → Inspect) is useful for auth-status UI bugs only; the page’s own DevTools (F12 on the AI site) shows content-script interception of the user’s prompts — not the Quilr API calls.

Console — what a healthy startup looks like

Within ~5 seconds of opening the inspector, you should see these lines in order. Anything missing here points to the failure mode on the right.

Healthy log line	Proves
`[LOG] Starting Background script`	Service worker actually launched (MV3 sometimes evicts it; this re-fires on wake).
`[LOG] BootstrapService: selfHealthCheck`	Persona loaded, heartbeat loop ticking (re-fires every 20 s).
`[LOG] NativeAgentService: Connecting to native host com.quilr.sentinel.native`	The WebExtension found the native host manifest and opened a port.
`[LOG] ConstantsSyncService: Starting initialization`	Tenant config (monitored apps, DLP controls) is being pulled.
`[INFO] NetworkService: Making network request to …/dlp/v2/stream/detect`	First DLP check fired — the upload / paste pipe is wired up.

Console — failure lines and what they mean

Error line (filter Console on `[ERROR]`)	Root cause	Fix
`[ERROR] BootstrapService: Persona not found`	No auth token in extension storage — the persona never resolved.	Sign the user into the Quilr console in another tab; the extension picks up the cookie on next heartbeat. If it stays missing, the SSO → tenant Console handshake is broken (Step 1 & allow-list).
`[ERROR] NativeAgentService: Failed to connect to native host`	Either the MSI / pkg isn’t installed, or the native-messaging-host JSON manifest isn’t in the place the browser expects.	Re-run the MSI / pkg from Step 3. Confirm the `quilr-native-messaging-agent` process is running. Reload the extension and recheck.
`[ERROR] FetchOrgDomains: Missing Persona, No token data available`	Same as “Persona not found” but caught later in the org-domains call — usually means the persona expired mid-session.	Sign in again to the Quilr console; the next heartbeat will refresh the token.
`[ERROR] DLPService: Error in DLP service` followed by a timeout / 403	The selected env’s DLP host is unreachable or the SWG re-signed the TLS cert.	Re-run the Step 2 Quick smoke test — the env-specific `dlpone.` / `dlp-platform.` host must be `[OK]`. SSL-bypass on the SWG.
`[ERROR] EnvConfig: hydrate failed`	`discover.quilrai.dev` couldn’t be reached, so the extension never learned which backplane to talk to.	Allowlist `discover.quilrai.dev` on the firewall and SSL-bypass it on the SWG. Re-load the extension.

Network — the API calls you should see

In the same DevTools window, switch to the Network tab. The service worker continues making calls in the background — you don’t need to click anything on the page. Filter by /browser-extension/, /api/, /dlp/, or /playbook-service/ to see only the Quilr traffic.

Endpoint	When it fires	Healthy response
`GET /auth/auth/me`	Persona creation / refresh	200 · `{ emailaddress, token, tenant }`
`POST /browser-extension/browser/personas/heartbeat`	Every 2 min	200 · `{ success: true }`
`POST /browser-extension/browser/extension/fetch-user-details`	Startup + per-app	200 · `{ user_id, name, email }`
`GET /browser-extension/onboarding/org-domains`	Bootstrap + every 2 min	200 · `{ content: [domains] }`
`GET /playbook-service/controls/synctoui`	Policy pull	200 · `{ controls: [{ id, trigger_conditions }] }`
`POST /browser-extension/browser/interaction/log`	Every DLP block / prompt	200 · `{ success: true, id }`
`POST /browser-extension/browser/interaction/events`	Batched event upload	200 · `{ success: true }`
`GET /extension-api-service/extension/constants-config/v1`	Startup + sync interval	200 · `{ config: {…}, status: 200 }` (304 on no-change is also fine)
`POST {DLP_URL}/dlp/v2/stream/detect`	On every captured paste / prompt / upload	Streaming SSE chunked · `{ sensitive_data: […], verdict: "allowed" }`

🌐

Host varies by tenant environment The base host on the left of every endpoint comes from the env-config (Quilr Console env → app.quilr.ai / platform.quilrai.com / secure.quilr.ai / etc.). The DLP endpoint hits the env-specific dlpone.* or dlp-platform.* host. If the Network tab shows the wrong host, the extension hydrated the wrong env — check the EnvConfig: hydrate log line.

Native-messaging port — the silent one

The WebExtension ↔ native-agent channel is not HTTP — it’s a Chrome native-messaging port and won’t appear in the Network tab. The Console tab is the only place to confirm it:

Port name: com.quilr.sentinel.native
Healthy: a ping → pong handshake at startup, with the agent version echoed in data.
Broken: chrome.runtime.lastError set immediately, plus the NativeAgentService: Failed to connect error above.

Escalation

Contact support@quilr.ai with screenshots of the policy pages, your curl / PowerShell command outputs, and your OS, browser, and MDM platform. You can also use the “Report a Bug” link in the extension popup.

🎉

Both tracks complete With the Endpoint Agent and Browser Extension deployed and validated, your fleet is covered across native apps and all major browsers. Return to the Overview any time.

←BackVerify MDM Install Step 7 of 7 FinishBack to Overview✓