Prepare first stable release gates

[slideep]

Summary

• clear the website npm audit gate by overriding esbuild to 0.28.1, refreshing the lockfile, and picking up @astrojs/starlight 0.39.3
• add stable-release notes for the first non-prerelease workflow
• document the current view --share-bind raw TCP trust boundary in CLI help
• replace the stale branded selector example in the repo-local Luotsi agent skill with a generic sample selector
• make the portable CI bash tutorial test prefer Git Bash on Windows instead of the WSL shim

Validation

• dotnet restore .\Luotsi.sln --locked-mode
• dotnet build .\Luotsi.sln --configuration Release --no-restore --warnaserror
• dotnet test .\Luotsi.Cli.Tests\Luotsi.Cli.Tests.csproj --filter "FullyQualifiedName~Command_Reference_Documents_Known_Command_And_Help_Surfaces|FullyQualifiedName~Website_Documentation_Links_Resolve|FullyQualifiedName~Website_Documentation_Sidebar_Slugs_Resolve"
• dotnet test .\Luotsi.Cli.Tests\Luotsi.Cli.Tests.csproj --configuration Release --filter "FullyQualifiedName~Portable_Ci_Bash_Script_Preserves_Run_Failure_And_Appends_Checked_Run_Summary"
• dotnet test .\Luotsi.sln --configuration Release --no-build
• dotnet list .\Luotsi.sln package --vulnerable --include-transitive
• cd website; cmd.exe /c npm.cmd ci
• cd website; cmd.exe /c npm.cmd audit
• cd website; cmd.exe /c npm.cmd run check
• cd website; cmd.exe /c npm.cmd run build
• dotnet run --project .\Luotsi.Cli\Luotsi.Cli.csproj -- help view | Select-String -Pattern "share-bind|raw TCP|TLS|authentication|untrusted" -Context 1,2

Notes:

• Website audit is now clean locally. GitHub still reports the low-severity default-branch esbuild Dependabot alert until this reaches main.
• Website check/build pass, with a non-failing Astro deprecation notice for markdown plugin config.

Remaining first stable release gates

• merge this PR to main
• create/tag the stable release, likely v0.1.0, from green main
• let the release workflow publish the stable assets
• verify https://github.com/digablesolutions/luotsi/releases/latest/download/luotsi-install.ps1 and .sh return 200 after the stable release exists

Signing secret check was run separately against GitHub Actions secrets; the expected Android release signing secret names are present.

[Copilot]

Pull request overview

This PR prepares the repo for the first stable (non-prerelease) release by tightening “release gate” hygiene across the website dependency audit, CLI help/security documentation, release notes, and CI/docs validation.

Changes:

• Website: add an esbuild override and refresh the lockfile (including @astrojs/starlight + related transitive updates) to satisfy npm audit gates.
• CLI/help + notes: document the view --share-bind raw TCP trust boundary and add stable release notes used by the release workflow.
• Tests/docs tooling: update the portable CI bash tutorial test to prefer Git Bash on Windows and refresh the repo-local agent skill selector example.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
website/package.json	Adds an npm override to pin esbuild for audit gating.
website/package-lock.json	Lockfile refresh to apply the override and dependency bumps.
Luotsi.Cli/Cli/Help.cs	Documents --share-bind sharing trust boundary in help view.
Luotsi.Cli.Tests/TutorialDocumentationTests.cs	Prefers portable Git Bash on Windows for the portable CI bash script test.
.github/release-notes/stable.md	Adds stable-release notes consumed by the release workflow.
.codex/skills/luotsi-agent/references/agent-loop.md	Replaces a branded selector example with a generic one.

Files not reviewed (1)

• website/package-lock.json: Generated file