v0.7.9

@github-actions github-actions released this 06 Jun 18:01
· 38 commits to main since this release
  • fix(pre-publish): resolve sweep findings + bump to 0.7.9 (a0404a0)
  • fix(docs): bump README vitest count 169->170 to match code (A4 added a test) (b15dc43)
  • fix(docs): repair broken intra-doc link to private mcp::authz::canonical_capability (f1240c7)
  • fix(browser-ext): add missing extension icons so Chrome/Firefox actually load (7b66ce0)
  • fix(browser-ext): close A4 channel forgery — HMAC-authenticate the ISOLATED<->MAIN bridge (608faf3)
  • fix(security+ext): discovery-dir hardening, browser experimental label, extension manifest default_locale (18f680c)
  • fix(security): re-audit batch — port overflow, watchdog timeout, CSS escapes, resource bounds, release-safe macro (8a2a478)
  • test(security): exhaustive authz spec + command-policy side-effect tests + edge fixes (1376715)
  • docs(changelog): record the GPT-5.5 audit-response security hardening (664dc80)
  • fix(supply-chain+browser): npm consent + ci pin + browser trust-model honesty (d7a108b)
  • fix(docs+core): honest release-cost claim, Firefox scope, port-overflow (audit B6/C4/C7) (e3d45c7)
  • fix(browser): native-host hardening — token/discovery/ext-id/bounds (audit B5/C3/B9/C5) (479e04c)
  • fix(security): resource privacy gate + empty-token + PRAGMA allowlist (audit B1/B2/C10) (b588aa0)
  • fix(ci+watchdog+deps): release-pipeline + watchdog DoS hardening (audit A6/B12/D10) (13b1cfe)
  • fix(security): centralized action-level authorization (audit A3/B4 + route.clear bypass) (fdae718)
  • docs+feat: realign positioning to the eval-validated thesis + ghost-cmd since_ms window (3bebe3b)
  • docs: make the compat claim honest + reproducible (46686ef)
  • chore(vscode): sync extension to 0.7.8 (65e380a)