Merges the initial ci.yml + release.yml workflow changes onto dev.
This is the first merge under the new feature-branch → dev → main model.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Splits the single workflow into two with distinct responsibilities:
ci.yml — runs tests on push/PR to dev and main. Powers the required
status check for branch protection on both branches.
release.yml — triggers on push to main (merged PR). Reads version from
package.json, asserts the tag doesn't already exist, creates
the git tag, generates patch notes from commits since the
previous tag, builds and pushes the Docker image, and creates
the Gitea release. No more manual git tag or git push --tags.
build.yml deleted — all three of its jobs are covered by the new files.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Three root causes addressed:
1. Added <base href="/"> to index.html so all relative asset paths
(css/app.css, js/*.js) resolve from the root regardless of the
current SPA route. Without this, /instance/117 requested
/instance/css/app.css, which hit the SPA fallback and returned
HTML; helmet's nosniff then refused it as a stylesheet.
2. Removed upgrade-insecure-requests from the CSP (useDefaults: false).
This directive told browsers to upgrade HTTP→HTTPS for every asset
request, breaking all resource loading on HTTP-only deployments.
3. Changed script-src-attr from 'none' to 'unsafe-inline' to allow
the inline onclick handlers used throughout the UI.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dockerfile — creates a non-root app user and runs the process under it
server/routes.js — tailscale_ip validated against IPv4 regex (empty string still allowed)
index.html — sql.js CDN script tag already removed earlier in this session
