
Disable source maps in production builds to prevent TypeScript source exposure#89

Draft
Copilot wants to merge 2 commits into main from copilot/fix-source-maps-deployment

Conversation


Copilot AI commented Mar 17, 2026

Source maps were unconditionally generated and included in the npm package, making the original TypeScript source fully readable via jsDelivr CDN (/npm/@numbersprotocol/capture-eye@latest/dist/capture-eye.bundled.js.map).

Changes

  • rollup.config.js: Conditionally generate source maps based on MODE env var — consistent with the pattern already used by web-dev-server.config.js and web-test-runner.config.js:

    // Before
    sourcemap: true,
    // After
    sourcemap: process.env.MODE !== 'prod',
  • .github/workflows/production-release.yml: All three build jobs (publish-github, publish-npm, publish-s3) now invoke MODE=prod npm run build, ensuring no .js.map files are produced or included in published artifacts.

dev-release.yml (staging) is intentionally unchanged — the staging deploy script only uploads the .js file, and source maps remain useful there for debugging.

Original prompt

This section details the original issue you should resolve

<issue_title>[Security][Medium] Source maps always deployed to CDN, exposing original TypeScript source and embedded secrets</issue_title>
<issue_description>## Summary

The Rollup build configuration has sourcemap: true unconditionally, meaning .js.map files are generated and deployed alongside the production bundle to the CDN. This exposes the original TypeScript source code, including all hardcoded constants, API endpoints, and the cryptographic material in interaction-tracker.ts.

Affected Files

  • rollup.config.js, line 13:

    output: {
      file: 'dist/capture-eye.bundled.js',
      format: 'esm',
      sourcemap: true,  // Always enabled, even for production
    },
  • scripts/deploy-release.sh and scripts/deploy-staging.sh: These deploy the entire dist/ directory to S3, which includes the .map files.

Impact

  • Original TypeScript source is fully readable by anyone who downloads the source map from the CDN
  • Internal API structure, endpoint URLs, and code organization are exposed
  • The AES-GCM encryption material in interaction-tracker.ts is more easily discoverable (though it is already in the minified bundle, source maps make it trivial)
  • Potential attackers gain a clearer understanding of the codebase for vulnerability research

Suggested Approach

Option A (Recommended): Conditionally disable source maps for production builds:

output: {
  file: 'dist/capture-eye.bundled.js',
  format: 'esm',
  sourcemap: process.env.MODE !== 'prod',
},

Option B: Strip .map files from the deploy scripts before uploading to S3:

find dist -name '*.map' -delete

Option C: Upload source maps to a private location for debugging, but exclude them from the public CDN deployment.</issue_description>

Comments on the Issue (you are @copilot in this section)



…sure

Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [Security] Fix source maps deployment to prevent exposure of secrets" to "Disable source maps in production builds to prevent TypeScript source exposure" on Mar 17, 2026
Copilot AI requested a review from numbers-official March 17, 2026 13:16

Development

Successfully merging this pull request may close these issues.

[Security][Medium] Source maps always deployed to CDN, exposing original TypeScript source and embedded secrets
