Spent most of this week on hygiene rather than features. The extension’s manifest.json was still requesting the tabs permission from an old feature prototype — removed. Content Security Policy on the website was allowing unsafe-inline for scripts; that’s now locked down with a nonce-based policy.
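
For reference, a nonce-based policy of the kind described above, with a small audit that flags the old unsafe-inline pattern. This is an added example, not the site's actual code; the function names and the exact directive set are assumptions, and it targets Node.

```javascript
// Added example. Names (newNonce, buildCsp, respond, auditScriptPolicy) are hypothetical.
function randomBytes(n) {
  // Node CommonJS path first; fall back to Web Crypto where require is absent.
  if (typeof require === 'function') return require('node:crypto').randomBytes(n);
  return globalThis.crypto.getRandomValues(new Uint8Array(n));
}

// 128 bits from a CSPRNG, generated per response and never reused or cached.
function newNonce() {
  return Buffer.from(randomBytes(16)).toString('base64');
}

function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`, // inline scripts run only with this nonce
    "object-src 'none'",
    "base-uri 'none'", // stops an injected <base> from re-pointing nonced relative scripts
  ].join('; ');
}

// One response: the header and the markup must carry the same nonce.
function respond() {
  const nonce = newNonce();
  return {
    nonce,
    csp: buildCsp(nonce),
    body: `<!doctype html><script nonce="${nonce}">console.log("ok")</script>`,
  };
}

// Report script-related weaknesses in a CSP header value.
function auditScriptPolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first one wins
  }
  const src = directives.get('script-src') || directives.get('default-src');
  if (!src) return ['no script-src or default-src: scripts unrestricted'];
  const lower = src.map((v) => v.toLowerCase());
  const pinned = lower.some((v) => /^'(nonce|sha(256|384|512))-/.test(v));
  const findings = [];
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
  if (lower.includes("'unsafe-inline'") && !pinned) findings.push('unsafe-inline');
  if (lower.includes("'unsafe-eval'")) findings.push('unsafe-eval');
  if (lower.some((v) => v === '*' || v === 'https:' || v === 'data:')) findings.push('broad-source');
  return findings;
}
```

Running auditScriptPolicy over the header captured from a staging response is a cheap CI check that unsafe-inline does not creep back in.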

Dependency audit via npm audit surfaced one moderate-severity issue in a transitive package. Bumped the parent dep and verified the fix. We also rotated the Cloudflare API token used in CI — the old one had broader permissions than the deploy job needed. No evidence of misuse, just tightening the surface. Boring work, but the kind that matters.