
v1.1.0 — PKCE: no more Client Secret


@ba1lly ba1lly released this 11 Jun 07:36
· 20 commits to main since this release
84cd6a9

Security release: Discord OAuth now uses PKCE — the Client Secret is gone.

⚠️ One-time setup change for existing users

Open your Discord application → OAuth2 tab → enable Public Client → Save Changes. Without it, connecting fails with a clear "enable Public Client" error.

That's all: on next launch the app deletes the now-obsolete Client Secret from Windows Credential Manager automatically, and your existing connection keeps working (re-authorization happens automatically if needed).

Changed

  • Discord OAuth migrated to PKCE (RFC 7636) — closes #1. The app no longer asks for, transmits, or stores a Client Secret:
    • AUTHORIZE carries an S256 code_challenge + per-request state
    • Token exchange and refresh prove possession of the code_verifier instead of a secret
    • The Client Secret field is removed from Settings (both UIs)
    • A secret stored by an older version is removed from the OS credential store on launch; a plaintext one in a legacy config.json is discarded
  • README setup flow simplified: no more "Reset Secret" step.

Why this matters

A desktop app cannot keep a Client Secret secret: any process running as the same Windows user can read it from Credential Manager, and it was sent to Discord on every token exchange and refresh. PKCE removes the shared secret entirely. Each authorization generates a fresh random code_verifier; only its SHA-256 hash (the code_challenge) travels through the browser redirect, and the verifier itself is presented exactly once, directly to the token endpoint. An authorization code intercepted from the redirect is therefore useless without the matching verifier, and the per-request state value lets the app reject callbacks it did not initiate.

Verified live end-to-end: full PKCE authorize, secret-less token refresh, and the credential-store cleanup.

Full Changelog: v1.0.1...v1.1.0