v0.3.0 — FOSS release readiness

Open Swarm 0.3.0

First release after the comprehensive FOSS-readiness overhaul. Test suite: 867 passed / 0 failed (from 616 with broken tooling).

Security

• Removed testuser/testpass auto-login bypass (now explicit dev-only flag + per-boot random password)
• Production refuses to boot without DJANGO_SECRET_KEY, API_AUTH_TOKEN, DJANGO_ALLOWED_HOSTS
• CSRF restored on mutating endpoints; open-redirect validation; sandboxed subprocess wrapper
• Replaced a CI workflow that published to PyPI on every push with timestamp versions

Features

• Websocket chat now works: ASGI routing created (channels/daphne were declared deps that were never wired)
• Agent memory (mem0) wired into the blueprint run loop, opt-in per config
• Teams JSON API (/v1/teams/); React SPA pages run on live APIs with zero mock data; token auth UX; ChatPage
• Blueprint discovery fix (stewie was invisible under its old module name)

Hygiene

• node_modules (69 MB) untracked; uv sync repaired; dead code removed (8 orphaned blueprints + 5 module trees); duplicate implementations consolidated behind deprecation shims; 22 community/agent branches triaged and merged
• Honest docs: README rewrite, nested ROADMAP.md, FEATURE_STATUS.md evidence table, USER_JOURNEY.md with real screenshots, CONTRIBUTING.md

Known gaps (tracked in ROADMAP.md)

• Wagtail marketplace + SAML IdP scaffolding: decision made to drop; removal pending
• React SPA: agent-creator/settings pages not yet ported; Django templates UI remains the supported one
• ENABLE_MCP_SERVER flag is aspirational (docs/mcp_server_mode.md)