Fix clearAll() data loss risk and createdAt type mismatch in synthetic assets

[Copilot]

StorageService.clearAll() wipes all of chrome.storage.local — including user settings, Hunt Mode config, and notification state — making it dangerous to call in any logout flow. Separately, synthetic Asset objects used for share prompts set createdAt to an ISO string instead of a Unix timestamp number, breaking IndexedDB's numeric sort order and violating the Asset interface.

Changes

src/services/StorageService.ts

• Renamed clearAll() → dangerousClearAll() to make the destructive intent explicit at the call site
• Added warning comment clarifying what gets wiped and directing logout flows to clearAuth() instead

src/popup/popup.tsx

• Fixed both synthetic Asset objects (pending share prompt on load + live upload completion) to use createdAt: Date.now() instead of new Date().toISOString()
• Added missing required Asset fields (type: 'image', mimeType: '') so the objects conform to the interface without as any casts

// Before – wrong type, missing fields, suppressed with `as any`
setSharePromptAsset({
  id: 'pending',
  uri: '',
  status: 'uploaded',
  createdAt: new Date().toISOString(), // string, not number
  metadata: { nid: pendingNid },
} as any);

// After – correct type, all required fields present
setSharePromptAsset({
  id: 'pending',
  uri: '',
  type: 'image',
  mimeType: '',
  status: 'uploaded',
  createdAt: Date.now(),
  metadata: { nid: pendingNid },
});

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Feature][Medium] clearAll() data loss risk and createdAt type inconsistency</issue_title>
<issue_description>## Summary

Two medium-priority feature findings affecting data integrity and developer safety.

Finding 1: clearAll() Destroys User Settings, Not Just Auth Data

Files: src/services/StorageService.ts lines 253-256; src/services/NumbersApiManager.ts lines 87-90

StorageService.clearAll() calls chrome.storage.local.clear(), wiping everything — user settings (watermark preferences, Hunt Mode config, capture format, location toggle), upload queue IDs, and notification dismissal state. While NumbersApiManager.clearAuth() correctly clears only auth keys, the clearAll() method exists as a public API and could be accidentally called in logout flows, causing complete settings loss.

Fix:

• Remove or make clearAll() private with a warning comment
• If a full wipe is needed (e.g., account deletion), rename to dangerousClearAll() and require explicit confirmation
• Ensure all logout flows exclusively use clearAuth()
• Add settings export/import functionality for recovery

Finding 2: createdAt Type Mismatch Between Real and Synthetic Assets

Files: src/popup/popup.tsx lines 89, 260, 565; src/services/IndexedDBService.ts line 18

The Asset interface defines createdAt as number (Unix timestamp ms). The service worker correctly stores captureTime.getTime(). However, synthetic assets in popup.tsx use new Date().toISOString() (a string) via as any casts. The AssetThumbnail component does new Date(asset.createdAt), which accepts both types, but numeric sorting (as IndexedDB does on line 140) will produce incorrect results for string values.

Fix:

• Change synthetic asset creation to use Date.now() instead of new Date().toISOString()
• Define a proper type for share prompt data instead of using as any casts
• Add a type guard or assertion to prevent future type drift

Differentiation from Existing Issues

• Finding 1: No existing issue addresses the clearAll() data loss risk or settings persistence across login cycles
• Finding 2: [Feature][High] Add IndexedDB recovery, upload retry with backoff, and fix type divergence #22 mentions "fix type divergence" for IndexedDB/upload retry, not the specific createdAt type inconsistency between real and synthetic Asset objects

---

Generated by Health Monitor with Omni</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Feature][Medium] clearAll() data loss risk and createdAt type inconsistency #38

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.