feat: security hardening, production roadmap, admin panel v1

Client security fixes (cmd/tailscale-tray/main.go):
- SSRF protection in Add Server dialog (validateControlURL): reject
  private/loopback/link-local/cloud-metadata IPs via DNS resolution
- RCE gate on AuthURL/BrowseToURL exec paths (validateAuthURL)
- Sanitized URL logging (sanitizeURLForLog drops query auth tokens)
- Error handling on exec.Command with user-facing showError()

Admin panel security (web-admin):
- Bcrypt password hashing (replaces SHA256)
- Rate limiting: 5 failed logins → 15-min lockout
- Session + login attempt cleanup goroutine (hourly)
- url.QueryEscape / encodeURIComponent for all API params
- Fail-hard startup when no TLS and non-loopback bind
- ADMIN_PASSWORD required (no default), password min 12 chars
- Username regex whitelist

Installer hardening (Setup.wxs):
- util:PermissionEx restricts SCM access: only Administrators +
  SYSTEM can start/stop/reconfigure service. Authenticated Users
  limited to QueryStatus/QueryConfig/Interrogate
- Vital="yes" on ServiceInstall

Docs & roadmap:
- PRODUCTION_ROADMAP.md: 5-milestone plan (security + features +
  distribution + ops) with granular tasks, effort, done-when
- CLIENT_SECURITY_AUDIT.md, SECURITY_FIXES.md, DEPLOYMENT.md
- AI assistant rules (.cursorrules, .antigravityrules, etc.)

Build & distribution:
- build-msi.ps1, deploy-and-sign.ps1, sign-release.ps1
- redeploy.ps1, tray-deploy.ps1, test-msi.ps1
- installer/msi/ alternative WXS setup
- Restored .github/workflows/ removed in mirror cleanup

.gitignore hardened: *.pfx, *.p12, *.key, *.pem, .env*

.cursorrules

@@ -0,0 +1,86 @@
+# Antigravity Agent Kit — Cursor Rules
+
+> This workspace has an AI toolkit at `.agent/`. Read `.agent/ARCHITECTURE.md` first.
+
+## System Overview
+
+- **Agents** (`.agent/agents/*.md`): Specialist AI personas — read the matching agent file before responding
+- **Skills** (`.agent/skills/*/SKILL.md`): Domain knowledge modules — read selectively based on task
+- **Workflows** (`.agent/workflows/*.md`): Step-by-step procedures for slash commands
+
+## Agent Routing (MANDATORY)
+
+Before writing any code:
+1. Identify the domain (Frontend, Backend, Security, etc.)
+2. Read the matching agent file from `.agent/agents/`
+3. Load skills listed in the agent's `skills:` frontmatter field
+4. Apply agent rules when generating code
+
+Quick reference:
+- Web UI → `frontend-specialist.md` (skills: frontend-design, react-best-practices)
+- API/Backend → `backend-specialist.md` (skills: api-patterns, nodejs-best-practices)
+- Database → `database-architect.md` (skills: database-design)
+- Mobile → `mobile-developer.md` (skills: mobile-design)
+- Security → `security-auditor.md` (skills: vulnerability-scanner)
+- Testing → `test-engineer.md` (skills: testing-patterns, webapp-testing)
+- Debugging → `debugger.md` (skills: systematic-debugging)
+- Planning → `project-planner.md` (skills: brainstorming, plan-writing)
+- Complex/multi-domain → `orchestrator.md` (skills: parallel-agents)
+
+## Skill Loading
+
+Read `SKILL.md` inside the skill folder. Only read sections relevant to current task.
+Global mandatory: `.agent/skills/clean-code/SKILL.md` — applies to ALL code.
+
+Skill structure:
+```
+.agent/skills/{name}/
+├── SKILL.md        # Main instructions (read first)
+├── scripts/        # Validation scripts (optional)
+├── references/     # Templates (optional)
+```
+
+## Workflow Annotations
+
+When reading `.agent/workflows/*.md`, recognize these markers:
+- `$ARGUMENTS` — placeholder for user input after the slash command
+- `// turbo` — next step can auto-execute without confirmation
+- `// turbo-all` — all subsequent steps in this section can auto-execute
+
+## Rules Priority
+
+P0 (this file / GEMINI.md) > P1 (agent .md) > P2 (skill SKILL.md)
+
+## Code Standards
+
+- ALL code follows `clean-code` skill rules
+- English for code/comments/variables; respond in user's language
+- Check file dependencies before modifying; update all affected files together
+
+## Paths
+
+```
+.agent/
+├── ARCHITECTURE.md     # READ FIRST
+├── agents/             # 20 agents
+├── skills/             # 38 skills
+├── workflows/          # 16 workflows
+├── rules/              # IDE instruction files
+└── scripts/            # Validation scripts
+```
+
+## 🛡️ Auto-Protection (Always Active)
+
+**Scout Block — NEVER read:** `node_modules/`, `.git/`, `dist/`, `build/`, `out/`, `bin/`, `obj/`, `packages/`, `.vs/`, `__pycache__/`, `.next/`, `vendor/`, `coverage/`
+→ Use `package.json`/`*.csproj` for deps. Use `git` CLI for version control. Read source not outputs.
+
+**Privacy — ASK before reading:** `.env`, `*.key`, `*.pem`, `*secret*`, `appsettings.*.json`, `Web.config`, `launchSettings.json`, `*.pfx`
+→ Never echo passwords/API keys. Replace with `[REDACTED]`.
+
+**Post-Edit** — After 5+ file edits, suggest complexity/duplication review.
+
+**Context Efficiency** — Grep before read. Don't re-read. Read ranges (50-100 lines). Batch parallel reads. Use `package.json`/`*.csproj`/`*.sln` instead of exploring deps.
+
+**Naming** — C#: `PascalCase`. JS/TS: `kebab-case`. Components: `PascalCase`. Match existing project convention.
+
+**Coding Level** — Default: Senior. Auto-detect from user signals. Beginner=explain, Expert=pure code zero explanation.