JoeShade
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 1 addition & 1 deletion b/‎AGENTS.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 190 additions & 104 deletions b/‎README.md‎
Lines changed: 190 additions & 104 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 1 addition & 4 deletions b/‎SECURITY.md‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎contributing.md‎
Lines changed: 36 additions & 0 deletions b/‎contributing.md‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎docs/architecture-notes.md‎
Lines changed: 2 additions & 4 deletions b/‎docs/architecture-notes.md‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎docs/assets/readme/PopupPreview.png‎
227 KB b/‎docs/assets/readme/PopupPreview.png‎
227 KB
diff --git a/‎docs/assets/readme/ReadmeHeader.png‎
86.9 KB b/‎docs/assets/readme/ReadmeHeader.png‎
86.9 KB
diff --git a/‎docs/assets/readme/SupportedPage.png‎
237 KB b/‎docs/assets/readme/SupportedPage.png‎
237 KB
@@ -4,6 +4,7 @@ node_modules/
 coverage/
 docs/easy-ecad-downloader-architecture.drawio
 docs/professional-grade-review.md
+*.psd
 
 # Local secrets and environment files
 .env
 
@@ -7,7 +7,7 @@ This repository is a compact browser extension that detects supported distributo
 - `src/content_script.js`: page detection for EasyEDA/LCSC and SamacSys-backed Mouser/Farnell contexts
 - `src/popup.js`: popup UI state, settings interaction, preview requests, and export requests
 - `src/service_worker.js`: thin background entrypoint that registers the runtime
-- `src/service_worker_runtime.js`: provider routing, runtime gating, auth-refresh orchestration, and worker dependency composition
+- `src/service_worker_runtime.js`: provider routing, runtime gating, response shaping, and worker dependency composition
 - `src/core/`: shared worker helpers for settings, downloads, preview data, export artifacts, and storage-backed libraries
 - `src/sources/`: EasyEDA and SamacSys source adapters and upstream fetch/archive helpers
 - `src/kicad_converter.js` and `src/kicad/`: EasyEDA-to-KiCad conversion and OBJ-to-WRL conversion
 
@@ -11,7 +11,7 @@ This section summarizes the current `Development` branch compared with `main` as
 - Added Mouser SamacSys support for part detection, preview loading, upstream KiCad ZIP download, and KiCad library or loose-file export.
 - Added Farnell SamacSys support through the shared SamacSys distributor flow.
 - Added Firefox SamacSys relay support for preview and export requests through a user-managed relay URL.
-- Added SamacSys authentication settings for relay auth, upstream username/password Basic auth generation, manual upstream `Authorization` override, captured Firefox upstream auth reuse, and one automatic Firefox auth-refresh retry after ZIP `401` responses.
+- Added SamacSys authentication settings for relay auth and upstream username/password Basic auth generation.
 - Added a configurable Downloads-relative KiCad library folder.
 - Added runtime ZIP extraction for SamacSys archives, including KiCad symbols, footprints, STEP models, and WRL files already present in the archive.
 - Added `systemDesign.md`, architecture notes, Firefox relay documentation, contribution guidance, and security reporting documentation.
@@ -28,9 +28,10 @@ This section summarizes the current `Development` branch compared with `main` as
 - Split the oversized service-worker regression file into focused core, EasyEDA, direct SamacSys, and Firefox SamacSys test files backed by a shared harness.
 - Reworked the popup into a provider-aware UI that shows fixed manufacturer metadata plus source-specific part metadata and advanced SamacSys/Firefox settings.
 - Moved persistent download layout, Firefox relay, and SamacSys auth settings from the popup into a dedicated extension settings page.
-- Grouped Firefox helper and captured-sign-in controls into a Firefox-only advanced settings menu.
+- Grouped Firefox helper controls into a Firefox-only advanced settings menu.
 - Added explicit `Save` and `Discard` controls to the settings page.
 - Made helper tokens and SamacSys passwords session-only by default, with explicit remember-on-this-device opt-ins and warning copy.
+- Removed hidden upstream `Authorization` capture, manual override handling, and automatic Firefox auth-refresh retry behavior.
 - Updated the manifest for Chrome service-worker operation and Firefox background-document fallback on Firefox `121+`.
 - Updated README and project docs to describe supported providers, setup, settings, auth behavior, browser support, validation, and repository layout.
 
 
@@ -26,12 +26,9 @@ The extension stores ordinary settings in `chrome.storage.local`. That storage c
 
 - the optional Firefox SamacSys relay URL
 - remember-on-this-device flags for optional secrets
-- an optional manual upstream SamacSys `Authorization` override
 - accumulated KiCad symbol-library text used for library-mode exports
 
-The optional Firefox helper password/token and optional SamacSys username/password are stored in `chrome.storage.session` by default, so they are kept only for the current browser session. They are copied to `chrome.storage.local` only when the user explicitly ticks the matching `Remember ... on this device` box after reading the warning in the settings page.
-
-The latest Firefox-captured upstream SamacSys `Authorization` header is stored in `chrome.storage.session` and treated as short-lived session data. The extension ignores captured auth values older than one hour.
+The optional Firefox authentication token and optional SamacSys username/password are stored in `chrome.storage.session` by default, so they are kept only for the current browser session. They are copied to `chrome.storage.local` only when the user explicitly ticks the matching `Remember ... on this device` box after reading the warning in the settings page.
 
 Relay auth and upstream SamacSys auth are intentionally separate. The relay auth header is sent only to the configured user-managed relay. Upstream SamacSys auth is sent only to SamacSys or inside a relay payload that asks the relay to contact SamacSys.
 
 
@@ -27,11 +27,47 @@ For SamacSys-backed pages, note whether previews worked, whether ZIP export fail
 
 ## Development setup
 
+Use Node `22.13.0+` recommended, Node `20.19.0+`, or Node `24+`. Node `21.x` is not supported by the current Vitest/Vite/jsdom stack.
+
 1. Clone the repository.
 2. Install dependencies with `npm install`.
 3. Load the extension unpacked in Chrome or temporarily in Firefox.
 4. Run `npm run validate` before finalizing changes.
 
+The repository includes `.nvmrc` for the recommended Node version.
+
+## Manual extension loading
+
+Chrome:
+
+1. Open `chrome://extensions`.
+2. Enable `Developer mode`.
+3. Click `Load unpacked`.
+4. Select the repository root that contains `manifest.json`.
+
+Firefox:
+
+1. Open `about:debugging#/runtime/this-firefox`.
+2. Click `Load Temporary Add-on`.
+3. Select `manifest.json` from the repository root.
+
+The development manifest expects Firefox `121+` so Firefox can use the background-document fallback while Chrome uses the Manifest V3 service worker.
+
+## Local validation
+
+Run the local checks with:
+
+```bash
+npm install
+npm run lint
+npm test
+npm run validate
+```
+
+`npm run validate` runs linting, the Vitest regression suite, a moderate-severity dependency audit, and whitespace checks. CI uses `npm ci` and the same validation script on the supported Node lines.
+
+The Vitest suite includes a history-wide security hygiene check. It is meant for full validation, CI, security cleanup, and before sharing pushed history; it does not need to be run manually for every intermediate local commit while iterating.
+
 Use `README.md` for the operator-facing overview. Use `systemDesign.md` for the implemented design and `docs/architecture-notes.md` for short implementation notes.
 
 ## Change guidelines
 
@@ -8,7 +8,7 @@ This file records short implementation notes that supplement, but do not replace
 - `src/popup.js`: popup UI state, preview requests, Firefox SamacSys relay gating, settings-page launch, and export requests
 - `src/settings_page.js`: persistent download layout plus session-first SamacSys auth settings and Firefox-only advanced helper settings
 - `src/service_worker.js`: thin runtime entrypoint only
-- `src/service_worker_runtime.js`: provider routing, runtime gating, Firefox SamacSys auth capture, automatic auth-refresh orchestration, response shaping, and composition of worker dependencies
+- `src/service_worker_runtime.js`: provider routing, runtime gating, response shaping, and composition of worker dependencies
 - `src/core/*.js`: shared worker business logic for settings, downloads, storage-backed symbol-library handling, shared export artifact writing, and common normalization
 - `src/sources/*.js`: source adapters plus source-specific fetch/parse/export helpers
   - `src/sources/samacsys_distributor_adapter.js` is the shared backend adapter for Mouser and Farnell
@@ -35,12 +35,10 @@ This file records short implementation notes that supplement, but do not replace
 - SamacSys distributor support is still Chrome-first, but Firefox can opt into a user-managed relay through the advanced Firefox settings menu.
 - Chrome direct SamacSys ZIP export now retries once with configured upstream auth after a `401`, but preview requests still use the normal direct browser session without preemptive auth headers.
 - Firefox relay mode forwards matching `componentsearchengine.com` cookies so authenticated SamacSys ZIP downloads can reuse the browser session instead of teaching the relay to log in.
-- Firefox relay mode can also generate the upstream SamacSys HTTP Basic auth header locally from optional username/password credentials, avoiding any dependency on a browser-captured header when the user prefers that setup.
+- Firefox relay mode can also generate the upstream SamacSys HTTP Basic auth header locally from optional username/password credentials.
 - Optional helper tokens and SamacSys passwords are session-only by default; the settings page requires explicit opt-in before remembering them in browser local storage.
-- Firefox now stores the latest observed upstream SamacSys `Authorization` header through `webRequest` as short-lived session data and reuses it for proxied Firefox requests until a newer one is captured or it expires.
 - Relay auth and upstream SamacSys auth are separate: relay auth is sent only on the Worker POST, while upstream auth is forwarded inside the relay payload.
 - SamacSys ZIP-export `401` responses are mapped to a sign-in-required error because upstream authentication can be stricter for downloads than for previews.
-- On Firefox relay mode, one failed SamacSys ZIP export can trigger a single auth-refresh attempt, then a single retry with the newly captured upstream auth.
 - SamacSys ZIP extraction treats `KiCad/` and `3D/` directories as valid whether they appear at the archive root or under a part-specific parent folder.
 - The current repository is intentionally compact; add new sources through focused adapters or distributor detection changes rather than introducing a broader application framework.
 - The manifest intentionally declares both `background.service_worker` and `background.scripts` so Chrome can run the service worker while Firefox falls back to a background document on Firefox 121+.