chore: version 2.0.0-alpha.2 + changelog

Search view: read ?q from hash, call /api/search, group hits by kind
with rank + space_id; sidebar filters for kinds and space_id; updates
on Enter or filter change.

Bumps package.json + server.js VERSION to 2.0.0-alpha.2 and pins the
/health version assertion to match.

CHANGELOG: full Plan 2 entry covering API surface, capability tiering,
audit chain extension (approve/reject events), and the SPA shell.

Security: adds safeHref() to dom.js and applies it everywhere an
API-supplied URL becomes href / src (reference media block + reference
source_url anchor + resource url anchor). javascript: and other
non-http(s)/mailto schemes from agent-suggested content can no longer
execute in the owner's browser.

Plan 2 surface is feature-complete: 22/22 tasks landed, 185 tests
across 43 files, SPA renders end-to-end including the suggest -> approve
agent flow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
root
2026-06-01 02:26:56 +10:00
parent cd05dfd130
commit 8ae9bced24
8 changed files with 211 additions and 16 deletions
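
A scheme allowlist of the kind the commit message describes, as an added example that is not the project's dom.js (that file is not shown on this page). The names safeHrefExample and sanitizeLinks, the '#' fallback and the media_url field name are assumptions.

```javascript
// Added example, not the project's dom.js. Names and the '#' fallback are assumptions.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const FALLBACK = '#'; // assumption: inert href used when a value is rejected

function safeHrefExample(value, base = globalThis.location?.href ?? 'http://localhost/') {
  if (typeof value !== 'string' || value === '') return FALLBACK;
  let parsed;
  try {
    // The WHATWG URL parser strips leading control characters/spaces and embedded
    // tabs/newlines as a browser does, so the scheme checked is the scheme navigated.
    parsed = new URL(value, base);
  } catch {
    return FALLBACK; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : FALLBACK;
}

// Sanitize the URL-bearing fields of an API record and report which were rejected,
// so the caller can render plain text for them and log the event.
function sanitizeLinks(record, fields, base) {
  const clean = { ...record };
  const rejected = [];
  for (const field of fields) {
    if (record[field] == null) continue;
    clean[field] = safeHrefExample(record[field], base);
    if (clean[field] === FALLBACK) rejected.push(field);
  }
  return { clean, rejected };
}

// Constructed sample: an agent-suggested reference with one rejected and one valid URL.
const sample = {
  title: 'Runbook',
  source_url: ' \tJava\nScript:alert(1)',
  media_url: 'https://cdn.example/diagram.png', // hypothetical field name
};
const result = sanitizeLinks(sample, ['source_url', 'media_url'], 'https://wiki.example/app/');
console.log(result.rejected, result.clean.media_url);
```

Comparing the parsed protocol, rather than matching a prefix on the raw string, is what makes mixed case and embedded whitespace in the scheme irrelevant.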

@@ -1,6 +1,6 @@
// Resource detail: status header + dependencies + source docs + runbook pages + change history.
import { api } from '../api.js';
import { el, mount, clear } from '../dom.js';
import { el, mount, clear, safeHref } from '../dom.js';
function statusClass(s) {
return s === 'running' ? 'ok' : s === 'stopped' ? 'warn' : s === 'down' ? 'bad' : 'idle';
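Review bot: The safeHref import on the changed line is part of a security fix, but the commit subject is "chore: version 2.0.0-alpha.2 + changelog", so anyone scanning history or backporting fixes will not find it. Suggest landing the safeHref change as its own commit with a subject that names it, separate from the version bump and changelog, and confirming that the tests mentioned in the message include a case where a javascript: value reaches this view.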
@@ -114,7 +114,7 @@ export async function render(main, ctx) {
' · ', el('span', { class: 'status idle' }, res.runtime_type),
res.host ? ' · ' + res.host : '',
res.url ? ' · ' : '',
res.url ? el('a', { href: res.url, target: '_blank', rel: 'noopener noreferrer' }, res.url) : null
res.url ? el('a', { href: safeHref(res.url), target: '_blank', rel: 'noopener noreferrer' }, res.url) : null
),
el('div', { class: 'row' },
el('div', { class: 'card' },
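Review bot: On the changed anchor line, the guard `res.url ? ...` and the link text still use the raw res.url, so when safeHref rejects the value the view still renders a clickable anchor labelled with the untrusted string, pointing at whatever safeHref returns for rejected input (not visible in this diff). Suggest computing the sanitized value once before the el(...) call, rendering the URL as plain text (or omitting it) when it was rejected, and adding a render test for this view with a non-http(s) res.url to pin that behaviour.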