fix(web): renaming column ignored

fix(api): avoid checksum query params in presigned S3 uploads

fix(web): use column.id in task move popover (crash on project select)

fix: apps/api/Dockerfile to reduce vulnerabilities

feat: add mcp

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-UPSTREAM-NODE-14975915
- https://snyk.io/vuln/SNYK-UPSTREAM-NODE-14928492
- https://snyk.io/vuln/SNYK-ALPINE319-MUSL-8720640
- https://snyk.io/vuln/SNYK-ALPINE319-MUSL-8720640
- https://snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7895536

`getStatusLabel` falls back to `toDisplayCase(status)`, which always
returns a non-empty string for any non-empty input. The previous
`getStatusLabel(column.id) || column.name` therefore made `column.name`
unreachable, so users saw a slug-derived label like "Qa Review" instead
of the configured column name like "QA / Review".

Swap the precedence in both the dropdown items and the
`selectedStatusLabel` lookup to show the actual column name first and
only fall back to the i18n status label when the name is empty.

The /tasks API returns project columns as { id: slug, name, isFinal, tasks }
with no `slug` property. TaskMovePopover referenced `column.slug` which was
always undefined, causing every status match to fail silently and ultimately
crashing when the Select rendered items: `getStatusLabel(undefined)` reaches
toDisplayCase, which calls `.replace` on undefined.

Fixes "Cannot read properties of undefined (reading 'replace')" on opening
the task move popover and picking a destination project.

feat(i18n): add Russian and Ukrainian locales

fix: persist project icon from general settings

feat(web): show exact comment timestamp on relative time hover

fix: use refs for comment submit/cancel shortcuts in TipTap handler

feat: separate github sso and integration

- Use validateCustomConfigPathInput in custom branch; throw on failure
- Type INSTALL_TARGETS with as const satisfies readonly InstallTarget[]

- Log mergeMcpServerEntry failures with message and stack; exit 1
- Validate custom --output with shared rules (absolute .json path)
- Parse empty existing MCP JSON as invalid via null-only guard
- Derive valid --target IDs from INSTALL_TARGETS registry
- Add test for empty-string existing config

- Pass config path into overwrite prompt; only swallow ENOENT on read
- Fail merge on invalid JSON; use null-prototype mcpServers map and reject reserved server names
- Validate device code response fields and normalize numeric interval/expires_in

- Optional DEVICE_AUTH_CLIENT_IDS docs; prepublishOnly via pnpm
- Install: flag parsing, merge-all-then-write, resilient JSON parse
- Auth: fail-open comment; device poll timeout after fetch
- Tools: partial update_project; stable MCP text results; tests AAA
- Web: add nanostores for better-auth org client resolution in Vite

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Stale closures in handleKeyDown kept initial empty content when using Cmd+Enter.