chore: version 2.0.0-alpha.2 + changelog

Search view: read ?q from hash, call /api/search, group hits by kind
with rank + space_id; sidebar filters for kinds and space_id; updates
on Enter or filter change.

Bumps package.json + server.js VERSION to 2.0.0-alpha.2 and pins the
/health version assertion to match.

CHANGELOG: full Plan 2 entry covering API surface, capability tiering,
audit chain extension (approve/reject events), and the SPA shell.

Security: adds safeHref() to dom.js and applies it everywhere an
API-supplied URL becomes href / src (reference media block + reference
source_url anchor + resource url anchor). javascript: and other
non-http(s)/mailto schemes from agent-suggested content can no longer
execute in the owner's browser.

Plan 2 surface is feature-complete: 22/22 tasks landed, 185 tests
across 43 files, SPA renders end-to-end including the suggest -> approve
agent flow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

CHANGELOG.md

@@ -3,6 +3,62 @@
 All notable changes to Void 2.0 are documented here.
 Format: [Keep a Changelog](https://keepachangelog.com).
 
+## [2.0.0-alpha.2] — 2026-06-01
+
+### Added (Plan 2: API surface + UI shell)
+- REST routes for the full entity tree:
+  - `/api/spaces`, `/api/projects`, `/api/tasks` (with project + space scoping)
+  - `/api/pages` + page revisions + `/api/pages/:id/backlinks`
+  - `/api/refs` + `/api/refs/upsert`
+  - `/api/resources` + dependencies + change history
+  - `/api/resources/:id/source-docs` + `/api/source-docs/:id/resync` (gated by `ENABLE_RESYNC`)
+  - `/api/agents` (owner-only) + agent token mint/revoke
+  - `/api/conversations` + nested `/messages`
+  - `/api/tags` + entity-scoped attach/detach via `/api/:entity_type/:entity_id/tags`
+  - `/api/links` (POST/GET from|to/DELETE) for polymorphic entity links
+  - `/api/pending-changes` + approve/reject with dispatch table covering
+    page/project/task/ref/resource/source_doc × create/update/delete
+  - `/api/audit/entity/:type/:id` + `/api/audit/actor`
+  - `/api/search` unified FTS across pages, refs, source docs, messages
+- Agent bearer auth middleware + capability tiering: owner allow, agent
+  `write+scope` → allow, agent `suggest` → 202 + pending row, else 403.
+- Approve and reject emit explicit `approve` / `reject` entries in the
+  audit log with the original agent id preserved in the diff.
+- Static SPA shell served from `public/`:
+  - Three-column Cradle aesthetic (blackflame palette, Cinzel display
+    headings, Cormorant Garamond body)
+  - Hash-based router with views for home / space / project / page /
+    reference / resource / search / inbox / sacred valley
+  - `dom.js` safe builders — no `innerHTML` on API data anywhere; the
+    explicit `html:` opt-in is used only by the markdown editor's
+    preview pane, which sanitizes with DOMPurify
+  - Sidebar Spaces tree with lazy project expansion, bottom Navigate
+    section, pending-count badge shared with the topbar bell via a tiny
+    `state.js` event bus
+  - Topbar: brand, capture modal stub, global search (Enter →
+    `#/search?q=`), pending bell, owner toggle
+  - Page editor: split-pane markdown via marked + DOMPurify, save
+    PATCHes `/api/pages/:id`, backlinks card
+  - Reference detail: media block (image / YouTube embed / link),
+    summary, metadata table, tag attach/detach, linked-from list
+  - Resource detail: status header, dependencies + source docs +
+    runbook pages columns, change history
+  - Inbox: pending changes grouped by agent, approve → navigate to the
+    resulting entity
+- Test coverage: 185 tests across 43 files (113 new for Plan 2 routes +
+  search + GET / shell smoke).
+
+### Security follow-ups (deferred)
+- Polymorphic IDOR risk on entity_links / entity_tags / attachments —
+  acceptable today since the entire API is owner-token gated and there
+  is one tenant; see `docs/security-followups.md` for the tighten-now
+  vs defer decision.
+- `pending_changes.action` CHECK constraint blocks `'upsert'` /
+  `'add_dependency'` / `'remove_dependency'` actions emitted by some
+  routes' `divertToPending` paths. Latent — only fires when an agent at
+  suggest tier hits those specific endpoints. Mitigation options
+  documented in `docs/security-followups.md`.
+
 ## [Unreleased]
 
 ### Added