Security: bind HTTP server to loopback, scrub private path, harden JXA
- Bind the web UI + /mcp endpoint to 127.0.0.1 instead of all interfaces, and
restrict CORS to localhost origins. The endpoints are unauthenticated and can
read AND write Apple Notes via osascript, so they must never be LAN-reachable;
also drop the cloudflared 'expose publicly' suggestion.
- Remove the ~/dev/central/.env OPENAI_API_KEY fallback (read key from env only).
- Escape the note title in update-note's error path via JSON.stringify.
Bump to 1.0.1.
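
The three hardening measures named in this commit message, sketched as an added example that is not the project's own code: a loopback-only listener, a CORS allow-list limited to localhost origins, and a note title embedded into a JXA error path through `JSON.stringify`. The function names, the port and the error text are assumptions made for illustration.

```javascript
const http = require("node:http");

const HOST = "127.0.0.1"; // loopback only; "0.0.0.0" or an omitted host listens on every interface
const PORT = 3000;        // assumed port, not taken from the project

// True only for http(s) origins whose host is exactly a loopback name or address.
// Parsing the URL avoids prefix tricks such as "http://localhost.example.com".
function isLocalOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
}

// Echo the origin back only when it is on the allow-list; never send "*".
function corsHeaders(origin) {
  if (!isLocalOrigin(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Build the JXA error statement. JSON.stringify yields a valid JavaScript string
// literal, so quotes, backslashes and newlines in the title stay data, not code.
function notFoundScript(title) {
  return `throw new Error("Note not found: " + ${JSON.stringify(title)});`;
}

function createServer() {
  return http.createServer((req, res) => {
    const origin = req.headers.origin;
    // Browser requests from a non-local page are refused outright.
    if (origin !== undefined && !isLocalOrigin(origin)) {
      res.writeHead(403).end("origin not allowed");
      return;
    }
    res.writeHead(200, { "Content-Type": "text/plain", ...corsHeaders(origin) });
    res.end("ok");
  });
}

// Run with `node example.js --serve` to start the loopback-only listener.
if (process.argv.includes("--serve")) createServer().listen(PORT, HOST);
```

With the listener running, `lsof -nP -iTCP:3000 -sTCP:LISTEN` should show `127.0.0.1:3000` rather than `*:3000`.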