Add CI/CD pipeline, linting, debounced settings, and cleanup improvements

[Copilot]

Ten medium-priority improvements spanning data privacy, developer experience, performance, and dead code removal.

Data Privacy

• Logout now clears IndexedDB assets — previously, captured screenshots persisted after logout, visible to the next user on the same browser profile

Developer Experience

• ESLint v9 flat config with @typescript-eslint, eslint-plugin-react-hooks, eslint-plugin-react-refresh, and eslint-config-prettier
• Prettier config added (.prettierrc)
• lint and format scripts added to package.json
• CI workflow (.github/workflows/ci.yml) runs type-check and build on push/PR to main with minimal contents: read permissions

Bug Fixes

• Logo watermark path changed from a relative path (../../images/...) to chrome.runtime.getURL('images/Word-Logo-Bright-crop.png') — the relative path breaks if build output structure changes
• UploadService.completionCallbacks changed from Map<string, fn> (unbounded growth keyed by timestamp+random) to Set<fn>; onUploadComplete() now returns an unsubscribe function

Performance

• Settings save debounced at 300ms — opacity slider was triggering a chrome.storage.local write on every onChange event; state update is now immediate, storage write is debounced

Dead Code Removal

• AuthService: removed resetPassword(), updateUser(), deleteAccount() (never called; deleteAccount also had broken cleanup semantics)
• ApiClient: removed getPublic() and putWithAuth() (never called)

Environment Configuration

• apiUrl now reads import.meta.env.VITE_API_URL with the production URL as fallback
• enableLogging now uses import.meta.env.DEV ?? false — previously true unconditionally in production

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Feature][Medium] Add CI/CD pipeline, linting, debounced settings, and cleanup improvements</issue_title>
<issue_description>## Summary

Ten medium-priority improvements covering developer experience, code hygiene, reliability, and data privacy.

---

1. Logout Does Not Clear IndexedDB Assets (Data Leakage)

File: src/popup/popup.tsx:230-239

The handleLogout() function clears auth tokens but does not clear screenshot assets stored in IndexedDB. If another user logs in on the same browser profile, they can see the previous user's captured screenshots. This is especially concerning for a privacy/proof-focused extension.

Fix: Clear all IndexedDB assets during logout via indexedDBService.deleteAsset() for each stored asset.

---

2. No Linter or Formatter Configured

File: package.json

No ESLint, Prettier, or equivalent is configured. No lint/format scripts exist. TypeScript catches type errors but not code style, unused imports, or accessibility issues.

Fix: Add ESLint with TypeScript and React plugins, plus Prettier. Add lint and format scripts to package.json.

---

3. No CI/CD Pipeline for Quality Gates

File: Missing .github/workflows/ci.yml

No GitHub Actions workflow enforces type checking or build success on PRs. The type-check and build scripts exist but nothing prevents merging broken code.

Fix: Create a CI workflow running npm run type-check and npm run build on push/PR.

---

4. Hardcoded Relative Logo Path in Offscreen Document

File: src/offscreen/offscreen.ts:314

The logo watermark uses '../../images/Word-Logo-Bright-crop.png' — a relative path that breaks if the build output structure changes. Failures are silently swallowed.

Fix: Use chrome.runtime.getURL('images/Word-Logo-Bright-crop.png') for reliable path resolution.

---

5. Unused AuthService Methods

File: src/services/AuthService.ts:154-178

resetPassword(), updateUser(), and deleteAccount() are defined but never called. deleteAccount() also has broken semantics — it calls this.clearAuth() without clearing storage or IndexedDB.

Fix: Remove until UI supports them, or fix deleteAccount to properly clean up all data stores.

---

6. Unused ApiClient Methods

File: src/services/ApiClient.ts:248-283

getPublic() and putWithAuth() are never called anywhere in the codebase. They expand the API surface of a security-sensitive class.

Fix: Remove unused methods. They are thin wrappers that can be trivially re-added.

---

7. Completion Callback Map Grows Unboundedly (Memory Leak)

File: src/services/UploadService.ts:157-162

onUploadComplete() adds callbacks to a Map with unique keys but never removes them. During long sessions, this map grows indefinitely.

Fix: Use a Set instead of Map, and return an unsubscribe function from onUploadComplete().

---

8. Settings Saved on Every Slider Move (Excessive I/O)

File: src/options/options.tsx:472-489

Every control change (including slider drag) triggers an immediate chrome.storage.local write. The opacity slider generates dozens of writes per second.

Fix: Debounce the save operation with a 300ms delay to batch rapid changes.

---

9. Hardcoded API URL With No Environment Override

File: src/config/environment.ts:13-17

The API URL is hardcoded with no mechanism for staging/dev overrides. No .env support despite .env being in .gitignore.

Fix: Use import.meta.env.VITE_API_URL with a production fallback.

---

10. enableLogging Hardcoded to true in Production

File: src/config/environment.ts:15

enableLogging: true is set unconditionally with no build-time differentiation, meaning all ~99 console.log calls execute in production.

Fix: Use import.meta.env.DEV ?? false for the logging flag.

Impact

These improvements collectively address data privacy (logout cleanup), developer experience (linting, CI), performance (debounced settings), and maintainability (dead code removal, environment configuration).

Generated by Health Monitor with Omni</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Feature][Medium] Add CI/CD pipeline, linting, debounced settings, and cleanup improvements #23

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.