Release 1.0.8 with platform, security, and UI hardening.

Adds API filter registry, style theme registry, SW bitmask cache clear, KV namespacing, session expiry checks, accessibility improvements, and expanded test coverage.

Co-authored-by: Cursor <cursoragent@cursor.com>

test/api-security-policy.test.js

@@ -0,0 +1,52 @@
+import { describe, test } from 'node:test';
+import assert from 'node:assert';
+import { ApiSecurityPolicy } from '../src/security/policy/ApiSecurityPolicy.js';
+import { Permit, Session, User } from '../src/security/model/index.js';
+import { SECURITY_RIGHTS } from '../src/security/model/rights.js';
+
+describe('ApiSecurityPolicy permit evaluation', () => {
+  test('evaluateSync matches permits by principal, not path alone', () => {
+    const policy = new ApiSecurityPolicy({});
+    policy.cache.user = new User({ id: 'user-1', role_ids: ['role-a'] });
+    policy.cache.session = new Session({ jwt_token: 'jwt-test' });
+
+    policy.cache.permits = [
+      new Permit({
+        principal_type: 'user',
+        principal_id: 'other-user',
+        resource_path: '/app',
+        effect: 'allow',
+        rights: SECURITY_RIGHTS.read
+      })
+    ];
+
+    const denied = policy.evaluateSync('user-1', 'read', '/app');
+    assert.strictEqual(denied.allowed, false);
+
+    policy.cache.permits = [
+      new Permit({
+        principal_type: 'user',
+        principal_id: 'user-1',
+        resource_path: '/app',
+        effect: 'allow',
+        rights: SECURITY_RIGHTS.read
+      })
+    ];
+
+    const allowed = policy.evaluateSync('user-1', 'read', '/app');
+    assert.strictEqual(allowed.allowed, true);
+
+    policy.cache.permits = [
+      new Permit({
+        principal_type: 'role',
+        principal_id: 'role-a',
+        resource_path: '/app',
+        effect: 'allow',
+        rights: SECURITY_RIGHTS.read
+      })
+    ];
+
+    const roleAllowed = policy.evaluateSync('user-1', 'read', '/app');
+    assert.strictEqual(roleAllowed.allowed, true);
+  });
+});