Hack-Pair Stable 0.2.6

Here are all changes from v0.2.2 → v0.2.5:
Tunneling (ngrok → Cloudflare)

• Replaced ngrok (manual CLI) with Cloudflare Quick Tunnels — fully automatic, no account/token needed
• cloudflared binary auto-downloads via npm — user never interacts with it
• Room creator gets a https://*.trycloudflare.com URL automatically on room creation
• Graceful fallback to local LAN IP if tunnel fails
  Security Fixes
• CORS hardened: origin: true → dynamic allow-list (localhost, LAN IPs, *.trycloudflare.com only)
• Invite code bias fixed: modulo bias removed — rejection sampling for uniform distribution
• Memory leak fixed: duplicate Socket.IO event listeners on reconnect — single setupListeners() with proper cleanup
• Env leak fixed: server child process no longer gets full process.env — only PORT, CLOUDFLARED_*, NODE_ENV, PATH
• Same CORS fix applied to dashboard-tool
  Dependency Cleanup
• Removed 6 unused deps from server: @fastify/static, lib0, uuid, zod, pino-pretty, @hacksync/shared
• Moved socket.io-client from devDependencies → dependencies (correct semantic placement)
• Aligned fastify version between server and dashboard-tool
  Infrastructure
• Added .vscode/settings.json — forces VS Code to use workspace TypeScript (5.9.3) instead of built-in version (fixes false red squiggles)
• Extension README.md added (shows in VS Code marketplace)
• Root README.md updated with Cloudflare tunnel docs
• Version bumped from 0.2.2 → 0.2.5

UPDATE
Server startup fixed — startServer() now:

• Polls the health endpoint (/api/health) until the server actually responds
• Waits up to 8 seconds (was a blind 3-second timeout that resolved even if server failed)
• Shows the actual server error output on failure instead of generic "fetch failed"
• Captures stderr from the server process and surfaces it in the error message
• Rejects with a clear message like "Server error: EADDRINUSE port 3001" or "Server exited unexpectedly"