🔥 Remove unused config options from init command

[Robdel12]

Summary

Cleans up the init command configuration output by removing dead code and improving security practices.

Changes

• Removed apiKey comment that encouraged storing tokens in config files (security improvement)
• Removed screenshotPath option - completely unused (endpoint is hardcoded at /screenshot)
• Updated tests to verify removed options are not present
• Updated documentation to reflect clean config schema

Why?

1. Security: We should never encourage storing API tokens in config files that might be committed to git
2. Dead code: screenshotPath is defined but never used anywhere in the codebase - the endpoint is hardcoded in src/services/screenshot-server.js:50
3. Clarity: Config output should only show actually-used options

Testing

✅ All 558 tests pass
✅ No remaining references to removed options (verified with grep)
✅ Init command generates clean, minimal config

Files Changed

• src/commands/init.js - init command output
• src/utils/config-loader.js - default config
• vizzly.config.js - project config
• docs/api-reference.md - documentation
• README.md - example config
• tests/commands/init.spec.js - test updates

[claude]

Code Review - PR #46: Remove unused config options from init command

Summary

This is an excellent cleanup PR that improves both security posture and code maintainability. The changes are well-justified, thoroughly tested, and properly documented.

✅ Strengths

1. Security Improvement

• Removing the apiKey comment from generated configs is a significant security win
• The PR correctly encourages environment variable usage (VIZZLY_TOKEN) instead of config file storage
• This prevents accidental token commits to version control
• The showNextSteps() method (src/commands/init.js:86) properly demonstrates the secure approach

2. Dead Code Removal

• Verified that screenshotPath is indeed unused - the endpoint is hardcoded to /screenshot in:
  • src/services/screenshot-server.js:50
  • src/server/http-server.js:399
  • src/client/index.js:116
  • src/sdk/index.js:261
• No references to config.server.screenshotPath exist in the codebase (verified with grep)

3. Comprehensive Changes

• Updated all relevant files: commands, config loader, documentation, examples, and tests
• Test coverage includes negative assertions to ensure removed options don't reappear
• Documentation updates in both README.md and docs/api-reference.md are consistent

4. Code Quality

• Clean, focused changes with clear intent
• No regression risk - removed options were genuinely unused
• Tests properly verify the absence of removed options (tests/commands/init.spec.js:156-167)

🔍 Minor Observations

1. Potential Documentation Enhancement
Consider adding a brief comment in the config file explaining why API tokens should use env vars:

```javascript
export default {
// Note: Set VIZZLY_TOKEN environment variable for API authentication
// (tokens should never be stored in config files)

// Server configuration (for run command)
server: {
port: 47392,
timeout: 30000
},
// ...
}
```

However, this is optional - the current approach of keeping the config minimal is also valid.

2. Config Validation
The codebase handles the apiKey via config-loader.js:7 which reads from environment variables. If a user somehow manually adds apiKey to their config file (pre-existing configs), it would still work due to config merging. This is good backward compatibility.

🎯 Test Coverage

• ✅ Tests verify removed options are not present (negative assertions)
• ✅ Tests verify remaining config sections are still generated
• ✅ All 558 tests passing (per PR description)

🔒 Security Assessment

• ✅ Removes encouragement to store secrets in config files
• ✅ Promotes environment variable usage
• ✅ No new security concerns introduced
• ✅ Follows security best practices from CLAUDE.md

📊 Performance & Architecture

• ✅ No performance impact (pure removal of unused code)
• ✅ Aligns with service-oriented design principles
• ✅ Maintains clean separation between config and runtime values

🎓 Best Practices Alignment

Per the repository's CLAUDE.md:

• ✅ Configuration priority correctly maintained (CLI flags → env vars → config file → defaults)
• ✅ Dogfooding principle upheld (project's own config updated)
• ✅ Follows TDD workflow patterns

Recommendation

APPROVE ✅ - This PR is ready to merge.

The changes are well-executed, improve security posture, remove dead code, and include comprehensive test coverage. No blocking issues identified.

Files Reviewed

• ✅ src/commands/init.js
• ✅ src/utils/config-loader.js
• ✅ tests/commands/init.spec.js
• ✅ docs/api-reference.md
• ✅ README.md
• ✅ vizzly.config.js

Great work @Robdel12! 🎉