Full repo review: bugs, dead code, docs, and hardening #2

@TsekNet

Summary

Full codebase review identified 27 findings across bugs, dead code, documentation drift, and hardening opportunities.

Key fixes

| Priority | Finding |
|----------|---------|
| HIGH | Validate() double-escapes HTML on repeated calls (queue drain path) |
| HIGH | quoteArg drops backslashes not followed by a quote on Windows broadcast |
| HIGH | Broadcast temp file unreadable by target user sessions (0600 SYSTEM-owned) |
| HIGH | loadFromArg silently rejects inline YAML args |
| MEDIUM | Deferred timer callback TOCTOU race can launch UI for completed notification |
| MEDIUM | ApplyEscalation assumes sorted steps but doesn't enforce it |
| MEDIUM | waitForDND loops forever in local mode with no timeout cap |
| MEDIUM | launchSubprocess doesn't isolate child process group (SIGINT kills UI) |
| MEDIUM | Deprecated LoadJSON alias still used in 5 production call sites |
| MEDIUM | ParseDeadline recompiles regex on every call |
| MEDIUM | Priority default (5) duplicated in EnqueueOffline and ApplyDefaults |
| MEDIUM | Platform default duplicated in app.New and app.NewWithGRPC |

Dead code removed

  • init() in motd.go (redundant compile-time assertion)
  • Ping() in client.go (only called from tests)
  • Classify() wrapper in action.go (only ClassifyOn used)

Documentation fixes

  • Added motd subcommand to usage.md
  • Fixed --port/--db flag scope (missing stop, inbox, motd)
  • Fixed esc_value default description
  • Fixed window positioning algorithm (docs described 5-step with origin probe, code uses 3-step)
  • Fixed google/deck description ("structured" -> "leveled")
  • Merged macOS/Linux positioning rows (identical in code)

Frontend

  • Enter key now targets .btn-primary[data-value] (skips dropdown triggers without data-value)
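
For the quoteArg finding above: under the Windows argument-parsing rules (MSVCRT / CommandLineToArgvW), a run of backslashes is special only when it directly precedes a double quote, so every other run has to be written out unchanged. The sketch below is an added example, not the project's code; `quoteArg` and `parseArg` here are hypothetical stand-ins and the sample path is constructed.

```go
package main

import "strings"

// quoteArg (hypothetical, not the project's code) quotes one Windows argument.
func quoteArg(s string) string {
	if s != "" && !strings.ContainsAny(s, " \t\"") {
		return s // no quoting needed; backslashes stay literal
	}
	b, n := []byte{'"'}, 0 // n = backslashes seen but not yet written
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\':
			n++
			continue
		case '"': // double the pending run, then escape the quote
			b = append(b, strings.Repeat(`\`, 2*n+1)+`"`...)
		default: // run not followed by a quote: written unchanged
			b = append(append(b, strings.Repeat(`\`, n)...), c)
		}
		n = 0
	}
	return string(b) + strings.Repeat(`\`, 2*n) + `"` // trailing run precedes the closing quote: doubled
}

// parseArg undoes quoteArg for one argument; used as a round-trip oracle.
func parseArg(q string) string {
	b, n := []byte(nil), 0
	for i := 0; i < len(q); i++ {
		switch c := q[i]; {
		case c == '\\':
			n++
			continue
		case c == '"' && n%2 == 1: // odd run: n/2 backslashes + literal quote
			b = append(append(b, strings.Repeat(`\`, n/2)...), '"')
		case c == '"': // even run: n/2 backslashes, quote is a delimiter
			b = append(b, strings.Repeat(`\`, n/2)...)
		default:
			b = append(append(b, strings.Repeat(`\`, n)...), c)
		}
		n = 0
	}
	return string(b) + strings.Repeat(`\`, n)
}

func main() { // constructed sample path
	println(quoteArg(`C:\My Dir\`), "->", parseArg(quoteArg(`C:\My Dir\`)))
}
```

A round-trip check of this kind (quote, parse, compare with the input) is a useful regression test for any argument quoter, since it catches lost backslashes without hard-coding expected strings.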
