feat(sidebar): group + customize sidebar items, tabbed Settings

[NovakPAai]

Summary

• Sidebar reorganized into 3 collapsible sections — Workspace, Agents, Tools — with Install agents as a default-collapsed sub-section inside Tools. Each entry can be individually hidden via the new Settings → Sidebar tab.
• Settings page itself restructured into 4 sub-tabs (Appearance / Sidebar / Sessions / Integrations) using the same .ap-tabs visual pattern as the Add Project modal.
• All preferences persist locally (localStorage['codedash-sidebar-config'] v:1 + codedash-settings-tab). No server changes, no new endpoints, no network calls.

What's new

Surface	Change
Sidebar HTML	3 <div class="sidebar-group" data-section> blocks with <button> headers; nested install-agents sub-group
src/frontend/sidebar-config.js (new)	Pure UMD module: parseSidebarConfig / serializeSidebarConfig / isItemHidden / isSectionCollapsed / setItemHidden / setSectionCollapsed / loadFromStorage / saveToStorage / clearStorage / resetConfig + KNOWN_ITEM_KEYS allow-list
src/frontend/app.js	applySidebarConfig, section-header click handler, toggleSidebarItem, two-stage onResetSidebarClick, renderSidebarSettingsGroup, onSettingsTabKey (keyboard nav), _announceSidebar (aria-live), tabbed renderSettings
src/frontend/styles.css	.sidebar-group, .sidebar-section-header (32px min height), chevron rotation, .sidebar-subgroup indent, .settings-sidebar-* rows, .settings-tabs, .sr-only
Pre-paint script in index.html	Tiny IIFE applies persisted collapsed class before sidebar markup paints — prevents flash of expanded state
test/sidebar-config.test.js (new)	34 node:test cases — all green

Accessibility

• WAI-ARIA tablist with arrow-key navigation (Left/Right/Home/End), aria-controls, aria-labelledby, roving tabindex.
• aria-expanded on section headers; aria-live="polite" status region announces show/hide toggles.
• Settings entry is always visible — checkbox is disabled, isItemHidden short-circuits, setItemHidden refuses to write. Three-layer lockout protection.
• prefers-reduced-motion suppresses chevron transition.
• Section header contrast raised from --text-muted to --text-secondary (WCAG 1.4.3 AA).
• Touch targets ≥32px on top sections, ≥28px on sub-sections (WCAG 2.5.8).

Security

• localStorage payload capped at 64 KB (synchronous parse on init — DoS guard).
• __proto__ / constructor / prototype keys explicitly blocked in sanitizeMap.
• Config stores only booleans; item keys come from a hardcoded allow-list — no path lets user-controlled strings reach the DOM as markup or attribute-context JS.
• All <a target="_blank"> get rel="noopener noreferrer".

Spec-driven artifacts

• docs/design/sidebar-customization.md — SDD with full UX/a11y section
• specs/sidebar-customization.feature — 13 BDD scenarios (happy / empty / loading / error / keyboard / edge)
• tasks/2026-05-15-sidebar-customization/plan.md — implementation plan + risk register (all 10 risks closed)
• tasks/2026-05-15-sidebar-customization/smoke-report.md — automated smoke verdict

Deferred (tracked in commit message)

• Cache .sidebar-item NodeList in applySidebarConfig — premature optimization for ~30 elements
• Count badge on collapsed "Install agents · 7" — cosmetic, follow-up PR

Test plan

• node --test test/sidebar-config.test.js — 34/34 pass
• Open dashboard → sidebar shows 3 collapsible sections; Install agents collapsed by default
• Click "Workspace" header → collapses with chevron ▾→▸; reload → still collapsed
• Settings → Sidebar → uncheck Leaderboard → hides instantly; reload → still hidden
• Settings checkbox itself is disabled with tooltip "Settings is always visible"
• Reset to defaults → first click arms (red "Click again to confirm" + Cancel); auto-disarm after 6s; second click resets
• Hide every Workspace item → "All items hidden — manage in Settings" hint appears
• DevTools: localStorage['codedash-sidebar-config'] = '{garbage' → reload → default layout, no error UI
• Settings tab strip: Tab to focus, ← → Home End navigate between tabs; focus follows
• Visit #leaderboard while Leaderboard hidden → view renders, sidebar link stays hidden
• Tested in dark / light / monokai themes

[vakovalskii]

⚠️ Don't merge until rebased — GitHub shows mergeable but the actual diff against current main includes a lot of deletions that would silently undo recent merges.

git diff main pr216 --stat says this PR also removes:

• src/repo-refresh.js (-440), src/repo-refresh-routes.js (-174), src/atomic.js (-36), test/repo-refresh*.test.js (-698), test/atomic.test.js (-94) → all from feat: background git fetch for connected repos (auto-refresh v1) #213 ("background git fetch")
• test/frontend-escaping.test.js (-30), test/terminals-windows-launch.test.js (-35) → from fix: preserve Windows paths for Codex resume #214 ("Windows path fix")
• docs/ARCHITECTURE.md (-107), docs/design/repo-auto-refresh.md (-308), specs/repo-auto-refresh.feature (-216), tasks/2026-05-12-repo-auto-refresh/plan.md (-403)
• atomicWriteJson import + use in src/data.js

The branch looks like it was forked from main before #213/#214/#215/#217 landed (yesterday + this morning). Could you rebase onto current main and force-push?

git fetch origin
git rebase origin/main
# resolve conflicts (likely in src/frontend/app.js, index.html, styles.css since both PRs touch the sidebar / settings area)
git push --force-with-lease

Once the diff drops to just the sidebar work (+/- in app.js, index.html, styles.css, the new sidebar-config.js + tests + docs), I'll re-review. Should be quick after that — the actual code looks great (sidebar-config.js with allow-list + 64 KB cap + proto-pollution guard + 34 tests). 🙏