feat: v1.2.0 SRS flashcards, tone controls, test suite, and CI improvements

[olliemochi]

What does this PR do?

Delivers v1.2.0, a batch of features, hardening, and developer experience improvements across the extension, settings UI, CI, and docs.

Why?

The extension had no test coverage, no spaced repetition in flashcards, no data portability for custom cards, and several UX gaps (no theme override, no per-check controls, no keyboard shortcuts). CI was also missing security scanning and the test suite entirely. This PR closes all of those gaps in one release.

Module(s) changed

• Feed Sanitizer (content_scripts/feedSanitizer.js)
• Ad Blocker (content_scripts/maliciousAdBlocker.js)
• Writing Assistant (content_scripts/toneTranslator.js)
• Flashcards (content_scripts/flashcard.js)
• Config files (config/)
• UI (ui/)
• Server (server/)
• Tests (tests/)
• Docs / Translations (sources/, README.md)
• GitHub / repo files

Testing done

• npm test passes (43/43)
• Tested in Firefox
• Tested in Chrome
• Tested on: YouTube (feed sanitizer + flashcard overlay), Gmail (standalone tone translator panel), Flashcard Manager page (export/import, SRS badge), Settings page (theme toggle, writing checks, filter URL list)

Checklist

• PR title follows type: description format (feat / fix / chore / ci / docs / refactor / test / security)
• No new external dependencies added to the extension itself (jsdom and vitest are devDependencies only)
• No user data sent anywhere without opt-in
• Config changes are backwards-compatible (old keys still work new keys fall back to defaults)
• If CSS selectors changed: verified they work on the live site today
• CHANGELOG.md updated if this is a user-facing change

[Aster1630]

Went through all the key files good release overall. A few things worth tracking, none of them blockers.

flashcard.js

SRS logic is clean and the ARIA work is a nice touch. A few things:

• cardKey uses the first 40 chars of the question to build a storage key. Two cards with nearly identical questions would silently clobber each other's SRS data. A hash of the full question text would be safer.
• SRS data is stored in chrome.storage.sync which has a 100KB total quota. SRS state doesn't really need to sync across devices, and chrome.storage.local has a much higher limit. Sync failure here would silently break SRS tracking.
• No try/catch around the storage calls in getSRS, saveSRS, recordResult. A storage error fails silently.
• The card widget is hardcoded dark (#1a1a2e) but this PR also adds a theme picker in settings the flashcard doesn't respect that. Probably fine to leave as a follow-up but worth filing an issue.
• role="dialog" + aria-modal="true" with no focus trap. Tab can still escape the card. Should trap focus between the three buttons.

toneTranslator.js

The panel uses role="complementary" + aria-live="polite" on the whole panel. That means screen readers will announce every content update, which is going to be very noisy for anyone typing a long document. Would scope aria-live to just the suggestions element, not the entire panel.

maliciousAdBlocker.js

el.dataset.mtChecked = '1' means any element whose href or text changes dynamically after the first scan is never re-evaluated. This is a common SPA issue probably worth a comment or a follow-up issue since it's not a regression.

background.js

DEFAULTS is duplicated between background.js and popup.js with a "keep in sync" comment. That's a future footgun. Even a shared config/defaults.js import would be cleaner.

Tests

Tone analysis suite is solid. Missing coverage for:

• The SRS functions (cardKey, recordResult, pickCard); the most complex new logic in this PR
• The 30% integrity check in updateFilterLists() in background.js
• isMalicious() in maliciousAdBlocker.js

Would be good to file issues for those. Not blocking.

CodeQL failure is a known config issue with the file type, not a real problem. Everything else is green. Approving.