security: harden credential handling, API auth, and archive extraction
- Control UI: switch token/password from query params to URL fragments (#token=...)
- Auto-strips after first load, never logged in server access logs
- Added defense-in-depth headers (Referrer-Policy, X-Frame-Options, CSP, nosniff)
- macOS: "Open Dashboard" now uses fragments instead of query params
- CLI/onboarding: emit fragment links instead of query param links
- Plugin HTTP: /api/** now requires Gateway auth (fixes unauthenticated Nostr API)
- Added config toggle gateway.plugins.http.protectApiPaths (default: true)
- Control UI: sends Authorization header for Nostr profile save/import
- Android hardening:
- WebView: disabled mixed content, multi-window, reduced file URL privileges
- A2UI bridge: origin validation + 64KB payload cap
- TLS: enabled hostname verification for DNS names
- Archive extraction: block path traversal + symlink/hardlink entries
- Dependencies: upgraded tar 7.5.7, hono 4.11.7, added overrides for vulnerabilities
Breaking: Old ?token=... dashboard links no longer auto-auth; use #token=... instead
cbbe9dd0a2