fix: hygiene + security follow-ups (closes #33, #34, #35, #39)

[paperhurts]

Summary

• HTML duplication across extension shells (Chrome + Firefox + shared) #33 — Single-source HTML in `@gitmarks/extension-shared`; shells copy via `copy-html.mjs` prebuild script. Duplicates removed; gitignored.
• Type-position chrome.* refs still leak into extension-shared after browser.* migration #34 — 5 `chrome.` type-position refs migrated to `Bookmarks.` / `Runtime.*` from `webextension-polyfill`; `@types/chrome` dropped from all three extension packages.
• Test assertions target chrome.bookmarks.* while production calls browser.bookmarks.* #35 — All `chrome.X` API references in test assertions rewritten to `browser.X` to match production calls; `globals.d.ts` repurposed to declare `browser` ambient global.
• Defense-in-depth security follow-ups from web UI v2 audit #39 — Defense-in-depth security:
  • CSP meta tag on `packages/web/index.html` (`connect-src https://api.github.com\` allowlist).
  • Explicit `content_security_policy.extension_pages` on both extension manifests.
  • Sign out button in web UI Layout (clears `localStorage`, navigates to `/setup`).
  • PAT-lifecycle / revocation notes in root README + both extension READMEs.
  • Unsafe URL scheme filter at the extension's `apply-remote` boundary (`javascript:`, `data:` skipped + warned).

Closes #33, #34, #35, #39.

Test plan

• Full monorepo green: 286 unit + component tests, typecheck clean, all 5 packages build.
• Manual smoke: `pnpm e2e` runs against real Chromium (the corrected `pree2e` hook now wires HTML copy + vite build).
• Manual smoke: load both extensions; web UI's CSP doesn't break dev or built preview; Sign out clears settings + returns to /setup.
• Manual smoke: edit a remote `bookmarks.json` to add a `javascript:` entry → the extension's poll skips it (console.warn) and never creates the bookmark in the native tree.

Implementation notes

• Plan: `docs/superpowers/plans/2026-05-26-gitmarks-hygiene-and-hardening.md` (8 tasks, subagent-driven).
• Inline fix during review: the original `pretest:e2e` hook would only fire before a script literally named `test:e2e` (which didn't exist). Renamed to `pree2e` + added `pree2e:headed` so `pnpm e2e` reliably copies HTML + builds before Playwright runs.

🤖 Generated with Claude Code

[paperhurts]

Review-driven fixes — 13 of 15 findings addressed

8243d32 — URL safety consistency (findings #1, #2, #3, #8, #9, #10):

• `listeners.ts applyBatch`: filter create + update events with unsafe URLs (closes the SW write path bypass).
• `reconcile.ts`: filter `remoteByUrl` construction (kills phantom idMap entries) + filter `localOnly` upload loop (closes the cold-start upload bypass).
• `apply-remote.ts`: removed the unreachable inner `isSafeBookmarkUrl` guard from `applyRemoteEdit`; wrapped tombstone-branch `suppress(bm.url)` in the URL check.
• Test "skips a remote edit with unsafe URL scheme" renamed + assertion updated to reflect what it actually tests; `browser.bookmarks.get` mock setup removed.
• +8 new tests covering each filter.

ad0c065 — CSP + test type narrowing (findings #4, #5, #7):

• `packages/web/index.html`: removed the unenforceable `frame-ancestors 'none'` directive (meta CSP can't enforce it per CSP3) and moved CSP injection to a Vite `transformIndexHtml` plugin scoped to `apply: 'build'`. Dev mode now serves no CSP meta tag, so Vite HMR works again.
• `extension-shared/test/globals.d.ts`: narrowed `var browser: typeof Browser` to a runtime-shape interface (`Browser.Bookmarks.Static` etc.) so future test code can no longer typecheck against capitalized namespace re-exports that crash at runtime.

503a0e3 — misc (findings #6, #11, #12, #15):

• `listeners.ts` onChanged: added a load-bearing WHY comment explaining that `title === undefined` is needed at runtime despite the polyfill type declaring it required, and cast accordingly.
• Both extension manifests: `connect-src 'self' https://api.github.com\` (added `'self'` so future extension-internal fetches aren't blocked).
• Both `copy-html.mjs` scripts: per-file existence check with informative error.
• `Layout` got a `busy?: boolean` prop that disables the Sign out button while a write is in flight; all three pages thread their `writing` state through.

Deferred (DX only, not bugs):

• Document TDD discipline in CONTRIBUTING.md #13 `copy-html.mjs` doesn't watch shared HTML — would need a Vite plugin; restart-dev is the workaround.
• docs: spell out TDD red-green-refactor loop in CONTRIBUTING #14 e2e files not in `tsc` include — was never in CI's typecheck path; only affects IDE hints.

Test posture: 294 unit + component tests (77 core + 108 ext-shared + 109 web), typecheck + build clean on all 5 packages.

Verified REFUTED during review (not bugs):

• The `pree2e:headed` colon-script hook DOES fire (empirically tested).
• Chrome MV3 DOES enforce `connect-src` in `extension_pages` CSP (per official Chrome docs).

[paperhurts]

Browser smoke test — all checks pass

Playwright e2e (`pnpm --filter @gitmarks/extension-chrome e2e`): 4 passed, 2 skipped (same posture as before the PR — no regressions). The renamed `pree2e` hook fired correctly: `[chrome] copied popup.html + options.html from extension-shared` appeared before vite build, confirming the colon-script-hook fix landed.

Web UI (`pnpm --filter @gitmarks/web build && vite preview` against http://localhost:4173/):

• ✅ Build-only CSP: opened the preview, confirmed the production `<meta http-equiv="Content-Security-Policy">` tag is injected by the Vite plugin and includes `connect-src https://api.github.com\`, with `frame-ancestors` correctly absent.
• ✅ Setup gate: navigating to `/` redirected to `#/setup` (RequireSettings working).
• ✅ List page: with settings + mocked GitHub fetch, the list rendered 3 bookmarks. Hacker News and the arXiv paper rendered as anchor links; the malicious `javascript:alert(1)` entry rendered as a non-clickable `` (italic, magenta) with `title="unsafe URL scheme — not clickable"` — the BookmarkRow URL safety guard works as designed.
• ✅ Sign out flow: clicked Sign out → URL changed to `#/setup`, "Set up gitmarks" heading visible, `localStorage.getItem('gitmarks:web:settings')` returned `null`.
• ✅ No CSP violations in the console during the entire flow.

Test plan now:

• Full monorepo green: 290 unit + component tests, typecheck + build clean on all 5 packages.
• `pnpm e2e` runs against real Chromium (4/6 passing, 2 long-skipped).
• Web UI's CSP doesn't break dev or built preview; Sign out clears settings + returns to /setup.
• (Unit-tested) edit a remote `bookmarks.json` to add a `javascript:` entry → the extension's poll skips it and never creates the bookmark.

Three smoke-test screenshots delivered out-of-band: setup page → list page (note the italic non-clickable EVIL row) → post-sign-out setup page.