feat: production hardening v1.2.0

Phase 1 - Licensing & Compliance:
- Add MIT LICENSE file
- Add copyright headers to server/index.js, poller.js, config.js,
  sanitizeError.js, and new loadSecrets.js

Phase 2 - Security Hardening:
- Add server/utils/loadSecrets.js: Docker secrets support via _FILE
  env var pattern (COOKIE_SECRET_FILE, EMBY_API_KEY_FILE, etc.)
- Add SSRF/URL validation in config.js: validates all configured
  service instance URLs for scheme and well-formedness at startup
- Add SIGTERM/SIGINT graceful shutdown: stops poller, drains HTTP
  connections, 10s force-exit fallback
- Warn at startup if COOKIE_SECRET is shorter than 32 characters
- Validate EMBY_URL scheme at startup
- Improve sanitizeError: redact host:port from axios error URLs
  while preserving path/query for other redaction patterns

Phase 3 - Config Robustness:
- Weak COOKIE_SECRET warning (< 32 chars)
- EMBY_URL validated via validateInstanceUrl on startup

Phase 4 - Docker & Deployment:
- .dockerignore: add tests/, coverage/, vitest.config.js,
  CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json
- docker-compose.yaml: add commented Option B (Docker secrets
  _FILE pattern) alongside existing plain-env Option A

Phase 5 - Docs & Release Readiness:
- Add CHANGELOG.md with entries from v1.0.0 to v1.2.0
- Update SECURITY.md: supported versions table, fix Docker secrets
  note to reflect _FILE support now implemented
- Add public/.well-known/security.txt for responsible disclosure
- Bump version to 1.2.0

server/utils/config.js

@@ -1,5 +1,28 @@
+// Copyright (c) 2025 Gordon Bolton. MIT License.
 const { logToFile } = require('./logger');
 
+// Validate that a configured service URL is well-formed and uses http(s).
+// Emits a warning (never throws) so a misconfigured instance degrades
+// gracefully rather than crashing the whole server.
+function validateInstanceUrl(url, instanceId) {
+  if (!url || typeof url !== 'string') {
+    logToFile(`[Config] WARNING: instance "${instanceId}" has no URL configured`);
+    return false;
+  }
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    logToFile(`[Config] WARNING: instance "${instanceId}" has an invalid URL: "${url}"`);
+    return false;
+  }
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+    logToFile(`[Config] WARNING: instance "${instanceId}" URL must use http or https, got "${parsed.protocol}"`);
+    return false;
+  }
+  return true;
+}
+
 function parseInstances(envVar, legacyUrl, legacyKey, legacyUsername, legacyPassword) {
   // Try to parse JSON array format first
   if (envVar) {
@@ -9,10 +32,11 @@ function parseInstances(envVar, legacyUrl, legacyKey, legacyUsername, legacyPass
       const instances = JSON.parse(cleaned);
       if (Array.isArray(instances) && instances.length > 0) {
         logToFile(`[Config] Parsed ${instances.length} instances from JSON array`);
-        return instances.map((inst, idx) => ({
-          ...inst,
-          id: inst.name || `instance-${idx + 1}`
-        }));
+        return instances.map((inst, idx) => {
+          const id = inst.name || `instance-${idx + 1}`;
+          validateInstanceUrl(inst.url, id);
+          return { ...inst, id };
+        });
       }
     } catch (err) {
       logToFile(`[Config] Failed to parse JSON array: ${err.message}`);
@@ -22,6 +46,7 @@ function parseInstances(envVar, legacyUrl, legacyKey, legacyUsername, legacyPass
   // Fall back to legacy single-instance format
   if (legacyUrl && legacyKey) {
     logToFile(`[Config] Using legacy single-instance format`);
+    validateInstanceUrl(legacyUrl, 'default');
     return [{
       id: 'default',
       name: 'Default',
@@ -74,5 +99,6 @@ module.exports = {
   getSonarrInstances,
   getRadarrInstances,
   getQbittorrentInstances,
-  parseInstances
+  parseInstances,
+  validateInstanceUrl
 };