chore+fix: repo hygiene, code-review fixes, audit cleanup

Three independent code reviews + a security audit produced ~200 findings.
This commit lands the high-impact subset. Tests pass (53), typecheck
clean, eslint clean (3 minor exhaustive-deps warnings left).

REPO HYGIENE
- Add .editorconfig, .prettierrc.json, .prettierignore.
- Add ESLint flat config (.eslintrc.cjs) — correctness-focused, no style
  rules (Prettier owns formatting).
- Add `format` / `format:check` / `lint` npm scripts.
- Add CHANGELOG.md (Keep a Changelog format, back-filled to 0.1.x).
- Reformat all source via Prettier so future diffs stay small.

DATA SAFETY (src/main/store.ts)
- Atomic write (tmp + rename) with retry on transient EBUSY/EPERM —
  was non-atomic writeFileSync, vulnerable to truncation on power loss.
- On corrupt JSON, rename to `app-state.json.corrupt-<ts>` instead of
  silently overwriting the user's exercises/history with defaults.
- Validate parsed shape before merging — reject arrays/scalars where
  objects expected; per-field array checks.
- Strip `id` from incoming patches in updateExercise/updateChallenge —
  a runtime caller (IPC) could otherwise smuggle id changes through.
- clearHistory now refuses an unbounded wipe (no beforeTs => no-op);
  callers must pass an explicit boundary.
- unref() the debounce timer so it doesn't keep the event loop alive.

SECURITY (src/main/*)
- gsi-server: hard 256 KB body cap (was unbounded — local OOM vector),
  reject any Origin/Sec-Fetch-Site header (blocks browser CSRF from
  visited pages), require application/json Content-Type, generic 400
  on parse error (no error string echo to client), closeAllConnections
  + async close on stop.
- dota2: validate auth.token from payload with timingSafeEqual against
  the per-install token — was unauthenticated, any local process could
  forge match-end events. Narrow object shape before spread-merge to
  avoid throws on hostile payloads like {player:"x"}. Reset latest /
  prevState after match_end so the next match starts clean.
- ipc: gate `dev:simulateMatchEnd` registration behind `!app.isPackaged`
  so it does not exist in shipped builds.
- preload: gate the matching `simulateMatchEnd` export behind
  `import.meta.env.MODE !== 'production'` so the bundler dead-code-
  eliminates it from the production preload bundle.
- windows: shell.openExternal allowlist (http/https/mailto only) — was
  forwarding any URL, including file:/javascript:/custom URI handlers
  (some Windows handlers have been RCE vectors). will-navigate blocks
  navigation to anywhere except file:// or the dev URL.

CORRECTNESS (src/main/* + src/shared/*)
- shared/types.ts isQuietAt: fix wrap-around + day-of-week filter.
  With from=22:00 to=07:00 days=[Mon..Fri], the window started THE
  PREVIOUS DAY when we're in the AM half — old code checked today's
  day-of-week and got the wrong answer Sat 02:00 and Mon 01:00. Now
  the filter is evaluated against the window's START day. Also reject
  malformed HH:MM strings instead of producing NaN.
- scheduler: call broadcastState() after firing exercises so the
  renderer's Dashboard/Exercises pages don't show stale nextFireAt
  until the next state-changing IPC. Guard powerMonitor listeners
  against double-registration on dev hot-reload.
- dota2: fix `launchOptionStatus = steamRunning ? 'queued' : 'queued'`
  tautology — both branches now correctly read 'queued'.
- steam-launch-options: replace `require('node:fs')` inside atomicWrite
  with the top-level import; retry on transient EBUSY/EPERM.

CORRECTNESS (src/renderer/*)
- lib/history.ts: replace `today.getTime() - i * MS_DAY` arithmetic
  with `setDate(date - i)` calendar arithmetic in dailyRepsRange and
  currentStreak — DST transitions shift epoch math by ±1h and cause
  dayKey() to emit duplicate or missing days at the boundary.
- lib/icon.tsx: restrict name lookup to ICON_CHOICES set — an arbitrary
  string from a corrupted state file could otherwise resolve to
  unrelated Lucide exports and crash the renderer.
- lib/format.ts: guard formatCountdown against NaN/Infinity.
- i18n/index.ts: replace regex-based interpolation with split/join so
  variable values containing regex metacharacters interpolate
  literally; warn in dev on missing keys; clamp pluralRu(-N) via abs.
- ReminderApp: keyboard shortcuts moved INTO ExerciseReminder so Enter
  respects the stepper's `adjusted` flag (was always passing planned
  reps). Stepper capped at 5× planned. Don't hijack Space when a
  button is focused. `key={exercise.id+nextFireAt}` forces a fresh
  component for back-to-back reminders so stepper state resets. Match
  summary view gets Esc-to-close. Functional setMode in onMarkDone
  avoids races against stale `mode.done`.
- UpdaterCard: guard against NaN/Infinity in download-progress events
  (electron-updater fires early events with undefined fields).
- Games: gate DevPanel behind `import.meta.env.DEV` in addition to the
  main-side IPC gate, and narrow the `simulateMatchEnd` access.
- Add aria-labels for the +/- stepper buttons (i18n keys added).

TESTS
- +2 quiet-hours tests covering wrap-around + day-filter combo and
  malformed HH:MM fallback. Total 53 passing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

src/renderer/src/lib/history.ts

@@ -1,7 +1,5 @@
 import type { Exercise, HistoryEntry } from '@shared/types'
 
-const MS_DAY = 24 * 60 * 60 * 1000
-
 /** YYYY-MM-DD in local time. */
 export function dayKey(ts: number): string {
   const d = new Date(ts)
@@ -16,6 +14,18 @@ export function todayKey(): string {
   return dayKey(Date.now())
 }
 
+/**
+ * Return a new Date offset by `dayDelta` calendar days from `base`, with the
+ * time-of-day preserved. Uses `setDate` (calendar arithmetic) rather than
+ * subtracting `n * 24h` of milliseconds — across DST transitions ms arithmetic
+ * drifts by ±1h and `dayKey` can emit the wrong day.
+ */
+function shiftDays(base: Date, dayDelta: number): Date {
+  const d = new Date(base.getTime())
+  d.setDate(d.getDate() + dayDelta)
+  return d
+}
+
 /**
  * Reps logged on a given local day. Uses `actualReps` if present, otherwise
  * looks up exercise's planned `reps`.
@@ -46,28 +56,27 @@ export function dailyRepsRange(
 ): { key: string; date: Date; reps: number }[] {
   const today = new Date()
   today.setHours(0, 0, 0, 0)
-  const buckets = new Map<string, number>()
+  const buckets = new Map<string, { date: Date; reps: number }>()
   const byId = new Map(exercises.map((e) => [e.id, e]))
 
-  // Seed all days with 0 so heatmap renders contiguous.
+  // Seed all days with 0 so heatmap renders contiguous. Use calendar arithmetic
+  // (setDate) — DST transitions would shift epoch-based math by ±1h, causing
+  // dayKey() to emit duplicate or missing days at the boundary.
   for (let i = days - 1; i >= 0; i--) {
-    const d = new Date(today.getTime() - i * MS_DAY)
-    buckets.set(dayKey(d.getTime()), 0)
+    const d = shiftDays(today, -i)
+    buckets.set(dayKey(d.getTime()), { date: d, reps: 0 })
   }
 
   for (const e of entries) {
     if (e.action !== 'done') continue
     const k = dayKey(e.ts)
-    if (!buckets.has(k)) continue
+    const bucket = buckets.get(k)
+    if (!bucket) continue
     const reps = e.actualReps ?? byId.get(e.exerciseId)?.reps ?? 0
-    buckets.set(k, (buckets.get(k) ?? 0) + reps)
+    bucket.reps += reps
   }
 
-  return Array.from(buckets, ([key, reps]) => ({
-    key,
-    date: new Date(`${key}T00:00:00`),
-    reps
-  }))
+  return Array.from(buckets, ([key, { date, reps }]) => ({ key, date, reps }))
 }
 
 /**
@@ -84,21 +93,22 @@ export function currentStreak(entries: HistoryEntry[]): number {
 
   const today = new Date()
   today.setHours(0, 0, 0, 0)
+  const yesterday = shiftDays(today, -1)
   const todayK = dayKey(today.getTime())
-  const yesterdayK = dayKey(today.getTime() - MS_DAY)
+  const yesterdayK = dayKey(yesterday.getTime())
 
   // Start from today if active today, else yesterday (grace), else 0.
-  let cursor = doneDays.has(todayK)
+  let cursor: Date | null = doneDays.has(todayK)
     ? today
     : doneDays.has(yesterdayK)
-      ? new Date(today.getTime() - MS_DAY)
+      ? yesterday
       : null
   if (!cursor) return 0
 
   let streak = 0
   while (doneDays.has(dayKey(cursor.getTime()))) {
     streak++
-    cursor = new Date(cursor.getTime() - MS_DAY)
+    cursor = shiftDays(cursor, -1)
   }
   return streak
 }