Harden security and brighten dashboard TUI #10

paddo merged 4 commits into main from fix/security-hardening on Apr 7, 2026

paddo commented Apr 7, 2026

Summary

Security

  • Collab join auth bypass: Err(_) branch in collaborator check now fails closed instead of silently proceeding
  • Recipient filtering: load_recipients_authorized filters .pub files against authorized list during add and refresh, skipping and warning about unauthorized recipients
  • Recursive secret scan: team add now uses WalkDir for recursive scanning of dotfiles/ subdirectories, with warnings on unreadable entries
  • Cross-platform secure writes: Centralized write_owner_only helper sets 0o600 on Unix and restricts ACLs via icacls on Windows. Migrated cache_key, cache_identity, store_identity, and write_decrypted to use it

Dashboard TUI

  • Brighter palette: Replaced DarkGray with Gray for all secondary text, borders, timestamps, metadata, and inactive tabs
  • Selection highlights: Indexed(240) for row selection backgrounds, works on both dark and light terminals

Test plan

  • cargo clippy --all-targets -- -D warnings passes clean
  • cargo test — 214 tests pass
  • tether collab join with insufficient GitHub token scope should fail with verification error
  • tether collab refresh should skip recipients not in collaborators list
  • tether team add should detect secrets in nested subdirectories
  • Dashboard is readable on both dark and light terminal themes
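
The fail-closed collaborator check and recipient filtering from the Security list above, as an added sketch that is not code from this PR or from tether. `CollabError`, `check_join_fail_open`, `check_join_fail_closed` and `filter_recipients` are hypothetical names, and the lookup result is a constructed stand-in for the GitHub API call.

```rust
use std::collections::HashSet;

// Hypothetical error type for the collaborator lookup (not tether's own).
#[derive(Debug, PartialEq)]
enum CollabError {
    NotCollaborator,
    VerificationFailed(String),
}

// "Before" shape: an API error is treated the same as a positive answer.
fn check_join_fail_open(lookup: Result<bool, String>) -> Result<(), CollabError> {
    match lookup {
        Ok(true) => Ok(()),
        Ok(false) => Err(CollabError::NotCollaborator),
        Err(_) => Ok(()), // silently proceeds when verification could not run
    }
}

// "After" shape: only a positive answer admits the join; errors deny it.
fn check_join_fail_closed(lookup: Result<bool, String>) -> Result<(), CollabError> {
    match lookup {
        Ok(true) => Ok(()),
        Ok(false) => Err(CollabError::NotCollaborator),
        Err(e) => Err(CollabError::VerificationFailed(e)),
    }
}

// Splits `<user>.pub` names into (kept, skipped): kept only if the user is
// on the authorized list; the caller warns about everything in skipped.
fn filter_recipients<'a>(
    pub_files: &[&'a str],
    authorized: &HashSet<&str>,
) -> (Vec<&'a str>, Vec<&'a str>) {
    pub_files.iter().copied().partition(|file| {
        file.strip_suffix(".pub").map_or(false, |user| authorized.contains(user))
    })
}

fn main() {
    // Constructed input: the lookup itself failed (e.g. insufficient token scope).
    let failed: Result<bool, String> = Err("403 from collaborator lookup".to_string());
    println!("fail-open:   {:?}", check_join_fail_open(failed.clone()));
    println!("fail-closed: {:?}", check_join_fail_closed(failed));
    let authorized: HashSet<&str> = ["alice", "bob"].iter().copied().collect();
    let files = ["alice.pub", "mallory.pub", "bob.pub"];
    let (kept, skipped) = filter_recipients(&files, &authorized);
    println!("kept {:?}, skipped with warning {:?}", kept, skipped);
}
```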

…le permissions

Fail closed on collab join when GitHub API check fails. Filter
recipients against authorized list during add/refresh. Scan team
dotfiles recursively on add. Centralize secure file writes with
Windows ACL support via icacls.
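
An added, Unix-only sketch of the owner-only write this commit describes; it is not tether's `write_owner_only` implementation, and the Windows `icacls` branch is omitted. `mode_of`, `demo` and the file names are hypothetical, and the secret bytes are constructed.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;
use std::{env, process};

// Hypothetical stand-in for an owner-only write helper (Unix branch only).
fn write_owner_only(path: &Path, data: &[u8]) -> io::Result<()> {
    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600) // applies only when this call creates the file
        .open(path)?;
    // An existing file keeps its old mode, so tighten it before writing.
    file.set_permissions(Permissions::from_mode(0o600))?;
    file.write_all(data)?;
    file.sync_all()
}

// Returns the permission bits of `path`.
fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

// Constructed scenario: one new key file, one left world-readable earlier.
fn demo() -> io::Result<(u32, u32)> {
    let dir = env::temp_dir().join(format!("owner_only_demo_{}", process::id()));
    fs::create_dir_all(&dir)?;
    let fresh = dir.join("fresh.key");
    let stale = dir.join("stale.key");
    fs::write(&stale, b"old")?;
    fs::set_permissions(&stale, Permissions::from_mode(0o644))?;
    write_owner_only(&fresh, b"constructed-secret")?;
    write_owner_only(&stale, b"constructed-secret")?;
    let modes = (mode_of(&fresh)?, mode_of(&stale)?);
    fs::remove_dir_all(&dir)?;
    Ok(modes)
}

fn main() -> io::Result<()> {
    let (fresh, stale) = demo()?;
    println!("fresh: {:o}, stale: {:o}", fresh, stale);
    Ok(())
}
```

Passing the mode at creation avoids a window in which a new file exists with default permissions; the explicit `set_permissions` covers files that already existed with a looser mode.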

paddo commented Apr 7, 2026

/songify


diffbeats bot commented Apr 7, 2026

🎵 DiffBeats just dropped a track for this PR!

"Tether Tuneup"

Lyrics
Collab join is busted, a bug we did find
Err underscore, now closed, a better design
Recipient filters, a list we must trust
Dot pub files checked, to avoid the dust

[Chorus]
Tether's the name, security's the game
Scanning the depths, whispering each name
Walk dir to the core, secrets galore
Writing it right, and asking for more

Team add is here, Walk Dir's the key
Dotfiles scanned now, for the world to see
Secure writes for all, cross-platform ease
Zero oh six zero zero, if you please

[Chorus]
Tether's the name, security's the game
Scanning the depths, whispering each name
Walk dir to the core, secrets galore
Writing it right, and asking for more

Clippy's all clear, warnings be gone
Two hundred and fourteen tests, carrying on
Insufficient GitHub scope, it will fail
Secrets detected, through the veil

[Chorus]
Tether's the name, security's the game
Scanning the depths, whispering each name
Walk dir to the core, secrets galore
Writing it right, and asking for more

Replace DarkGray with Gray for secondary text/borders and
Indexed(240) for selection highlights. Improves readability
on both dark and light terminal backgrounds.
paddo changed the title from "Harden collab auth, recipient filtering, secret scanning, and file permissions" to "Harden security and brighten dashboard TUI" Apr 7, 2026

paddo commented Apr 7, 2026

/songify


diffbeats bot commented Apr 7, 2026

🎵 DiffBeats just dropped a track for this PR!

"The Brightening Dashboard Samba"

Lyrics
Here's a fix, a brand new P-R,
To make our tether nice and secure.
A collab check, that now will fail,
If the secret key won't unveil.

[Chorus]
Oh, the dashboard's glowing, a brighter hue,
With Gray replacing Dark Gray, it's true.
Recipients filtered, the secrets scanned,
Security tightened across the land.

We're writing safe, across the O-S,
Protecting cache-key, more or less.
Dotfiles checked, in a deeper dive,
Team add working, keeping secrets alive.

[Chorus]
Oh, the dashboard's glowing, a brighter hue,
With Gray replacing Dark Gray, it's true.
Recipients filtered, the secrets scanned,
Security tightened across the land.

Selection highlighted, Indexed two-forty,
Tests all passing, what a party!
From warnings cleared, to tests complete,
The tether's sturdy, can't be beat.

[Chorus]
Oh, the dashboard's glowing, a brighter hue,
With Gray replacing Dark Gray, it's true.
Recipients filtered, the secrets scanned,
Security tightened across the land.

paddo merged commit 8fc209e into main Apr 7, 2026
1 check passed
paddo deleted the fix/security-hardening branch April 7, 2026 13:47