chore: real ESLint setup across workspace, dedupe CI test workflow #16

Merged: ralyodio merged 1 commit into profullstack:main from Shridharrrr:fix/lint-ci-cleanup on Jun 27, 2026

Conversation

@Shridharrrr (Contributor)
1. Replaces 22 no-op lint scripts with real ESLint. Every package's "lint": "echo "[lint] x: stub"" was a placeholder - pnpm lint in CI always passed without checking anything, and there was no ESLint config anywhere in the repo. Adds a single flat eslint.config.js at the root (ESLint v9 + typescript-eslint), covering Node/TS packages, the browser extension context (chrome global), and plain browser JS served from apps/web/public.

Fixed everything the new linter caught:
i) removed dead code in scripts/set-version.mjs (unused groups array, duplicated literal)
ii) disambiguated two regex literals in scripts/submit-packages.mjs per no-regex-spaces (verified byte-identical matching behavior - no functional change)
iii) added a scoped suppression for an intentional NUL-sentinel-byte regex in markdown.js (real technique for protecting inline code spans, not a bug)
iv) renamed one genuinely-unused catch (e) binding to _e in options.js

2. Removes the duplicate test.yml CI workflow. It was a strict subset of ci.yml's build job (same triggers, same install+test steps). Note: this file (and vu1nz-scan.yml) is tagged Managed by sh1pt Actions Fleet with a content hash - worth checking whatever syncs that so it doesn't get silently regenerated.

Verified locally (Node 24, pnpm 9.12.0): all 22 packages lint clean (warnings only - pre-existing any usage in services/api and one pre-existing stale eslint-disable in coinpay-oauth.ts, both left untouched as out of scope), pnpm typecheck passes, pnpm test passes.
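As an added illustration, not the config file from this PR, here is a root flat config that scopes the three contexts the description lists. It uses the @eslint/js, globals and typescript-eslint packages the PR adds; the apps/extension path and the choice of recommended rule sets are assumptions.

```javascript
// eslint.config.js (ESLint v9 flat config) - added example, not the PR's file.
import { defineConfig } from "eslint/config";
import js from "@eslint/js";
import globals from "globals";
import tseslint from "typescript-eslint";

export default defineConfig([
  // Never lint build output or installed dependencies.
  { ignores: ["**/dist/**", "**/node_modules/**"] },

  // Baseline rule sets for JS and TS (assumed choice: "recommended").
  js.configs.recommended,
  ...tseslint.configs.recommended,

  // Default context: Node/TS packages and workspace scripts (ESM).
  {
    files: ["**/*.{js,mjs,cjs,ts}"],
    languageOptions: { globals: globals.node },
  },

  // Browser extension context: browser globals plus the `chrome` API object.
  // The apps/extension path is an assumption for this example.
  {
    files: ["apps/extension/**/*.{js,ts}"],
    languageOptions: { globals: { ...globals.browser, chrome: "readonly" } },
  },

  // Plain browser JS served as-is from apps/web/public: classic scripts,
  // browser globals only, so `process` or `require` use is reported.
  {
    files: ["apps/web/public/**/*.js"],
    languageOptions: { sourceType: "script", globals: globals.browser },
  },
]);
```

Later entries override earlier ones for matching files, so the narrower extension and public-JS blocks take precedence over the Node default.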

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | typescript-eslint@8.62.0 | 100 | 100 | 74 | 98 | 100 |
| Added | globals@15.15.0 | 100 | 100 | 85 | 94 | 100 |
| Added | @eslint/js@9.39.4 | 100 | 100 | 100 | 88 | 100 |
| Added | eslint@9.39.4 | 97 | 100 | 100 | 97 | 100 |

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn. Severity: High.
Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml → npm/typescript-eslint@8.62.0 → npm/@typescript-eslint/eslint-plugin@8.62.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.62.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn. Severity: Medium.
Low adoption: npm @humanfs/types

Location: Package overview

From: pnpm-lock.yaml → npm/eslint@9.39.4 → npm/@humanfs/types@0.15.0

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@humanfs/types@0.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@Shridharrrr (Contributor, Author)

Reviewed both Socket alerts - both look like false positives from added devDependencies, not actual risk:

@typescript-eslint/eslint-plugin@8.62.0 - "obfuscated code"
This is the official typescript-eslint package (100M+ weekly downloads on npm), maintained by jameshenry and bradzacher (typescript-eslint core team), repo at typescript-eslint/typescript-eslint. Checked the installed package directly:
- No preinstall/postinstall/install lifecycle scripts (the actual attack vector in real incidents like the eslint-config-prettier supply-chain compromise)
- dist/ is standard tsc-compiled CommonJS - readable, commented, descriptively-named, no eval, no string-splitting tricks, no dynamic require() construction
- The flagged "obfuscation" signal is almost certainly the 273 generated lint-rule files in dist/rules/, which are dense and similarly-shaped by nature (one file per rule) - exactly the kind of pattern that trips heuristic/AI obfuscation classifiers on legitimate generated code

@humanfs/types@0.15.0 - "low adoption"
Transitive dependency pulled in by eslint@9.39.4 itself (the package we're adding directly). It's a small types-only sub-package from the official ESLint maintainer ecosystem - low download count is expected for a types-only package at this stage, not a sign of risk. @SocketSecurity ignore npm/@humanfs/types@0.15.0

@ralyodio ralyodio merged commit 5211834 into profullstack:main Jun 27, 2026
6 checks passed
@Shridharrrr Shridharrrr deleted the fix/lint-ci-cleanup branch June 27, 2026 13:10