@smouj smouj commented Feb 2, 2026

Motivation

  • Prepare a production-ready v2.0.0 release with a green CI pipeline (lint, format, tests, smoke).
  • Fix installer 404s by making the stable installer auto-detect the latest release and make release creation deterministic.
  • Harden security (redaction, CORS, config validation) and improve UI/UX/accessibility for a polished, secure local dashboard.

Description

  • CI / lint / format: add folder-aware ESLint overrides for browser vs node (eslint.config.mjs), add .prettierrc and .prettierignore, add format:write, run Prettier across repo, and switch CI to npm ci for reproducible installs; release workflow now runs lint/format/tests/smoke before packaging assets.
  • Installer & release: scripts/install-remote.sh now auto-detects the latest stable release (via GitHub API/redirect) and fails with clear messages if assets/checksums are missing, and scripts/build-release.sh packages MIGRATION.md and RELEASE_NOTES.md into the tarball; added .github/workflows/release.yml improvements.
  • Security & robustness: added loopback-only CORS allowlist middleware (server/security/cors.js), extended redaction patterns for bearer/api keys, redact sensitive data before logging, improved config validation (including configVersion, profiles and allowedOrigins), and made smoke test use a dynamic port + real healthcheck.
  • UX / accessibility / polish: unified style tokens, improved contrast and spacing, visible focus states and ARIA attributes on tabs/buttons, keyboard navigation for main tabs, toast queueing and debouncing for log filter, and small layout/spacing refinements in CSS/JS.
  • Misc: bumped package.json to 2.0.0, added MIGRATION.md, RELEASE_NOTES.md, updated CHANGELOG.md and README.md, and adjusted server/install scripts to write/read the new profiles layout while remaining backward compatible with legacy gateway block.

Testing

  • npm run lint — passed (ESLint now correctly applies browser/node overrides). ✅
  • npm run format and npm run format:write — Prettier checks and autofix completed and repo formatted. ✅
  • npm test — all Vitest tests passed after making getUsageSnapshot testable and mocking runner/capabilities. ✅
  • npm run smoke — smoke test (dynamic port + health check) completed successfully. ✅

All CI steps (lint/format/tests/smoke) were executed locally and passed; workflows were updated to run the same steps on release/tag events.



@smouj smouj merged commit 0d83cb3 into main Feb 2, 2026
1 check passed

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f14f4da76f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +7 to +9
if (isLoopbackHost(host)) {
origins.add(`http://${host}:${port}`);
}


P2: Handle IPv6 loopback origin formatting in CORS allowlist

When app.host is ::1, browsers send the Origin header as http://[::1]:<port> (bracketed IPv6). The allowlist currently adds http://::1:<port> instead, so requests from the local UI on IPv6 loopback will be rejected with 403 even though ::1 is explicitly allowed elsewhere. Consider adding the bracketed IPv6 form (or normalizing IPv6 hosts) to avoid blocking local clients bound to ::1.

Useful? React with 👍 / 👎.
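The origin mismatch described in the review comment above, as an added example that is not the project's `server/security/cors.js`: it builds the loopback allowlist through the WHATWG `URL` parser so that `::1` is stored in the bracketed form browsers send. All function names except `isLoopbackHost` are hypothetical, and the hosts and port are constructed sample values; it assumes a Node.js runtime with the global `URL`.

```javascript
// Canonical hostname as the URL parser serializes it: "::1" and
// "0:0:0:0:0:0:0:1" both become "[::1]", "LOCALHOST" becomes "localhost".
function canonicalHost(host) {
  const h = String(host).trim();
  const authority = h.includes(':') && !h.startsWith('[') ? `[${h}]` : h;
  try {
    return new URL(`http://${authority}`).hostname;
  } catch {
    return null; // not a usable host value
  }
}

function isLoopbackHost(host) {
  const h = canonicalHost(host);
  return h === 'localhost' || h === '[::1]' || (h !== null && /^127\.\d+\.\d+\.\d+$/.test(h));
}

// The formatting the review flags: yields "http://::1:3000" for IPv6 loopback.
function naiveOrigin(host, port) {
  return `http://${host}:${port}`;
}

// Origin exactly as a browser serializes it for this host and port.
function loopbackOrigin(host, port) {
  if (!isLoopbackHost(host)) return null;
  return new URL(`http://${canonicalHost(host)}:${port}`).origin;
}

function buildAllowedOrigins(hosts, port) {
  const origins = new Set();
  for (const host of hosts) {
    const origin = loopbackOrigin(host, port);
    if (origin) origins.add(origin);
  }
  return origins;
}

// Exact match on the parsed origin; "null" and malformed values are rejected.
function isOriginAllowed(originHeader, allowed) {
  try {
    return allowed.has(new URL(originHeader).origin);
  } catch {
    return false;
  }
}

// Constructed sample: configured hosts checked against a browser-style Origin.
const sampleAllowed = buildAllowedOrigins(['127.0.0.1', '::1', '192.168.1.10'], 3000);
console.log([...sampleAllowed], isOriginAllowed('http://[::1]:3000', sampleAllowed));
```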
