
OAuth security hardening & bug fixes from PR review#107

Merged
acrosman merged 2 commits into features/issue-55-oauth from copilot/sub-pr-106
Mar 9, 2026

Conversation

Contributor

Copilot AI commented Mar 9, 2026

Addresses seven review comments on the OAuth Support PR covering CSRF exposure, insecure server binding, a broken settings save response, and related issues.

Security

  • CSRF state validation – a crypto.randomBytes(16).toString('hex') state token is now included in the authorization URL and validated in /callback before code exchange; missing/mismatched state → 400 + response_generic
  • Localhost-only server – OAuth callback server bound to 127.0.0.1 instead of all interfaces; server.on('error', ...) added to handle EADDRINUSE gracefully
  • Navigation lockdown – will-navigate/will-redirect now compare against the exact file://…/app/index.html URL rather than accepting any file:// path

Correctness

  • createConnection guard – throws "Not connected to org: <id>" when the org is absent; all handlers moved to call it inside try/catch with conn?.limitInfo || {} in catch blocks; sf_logout uses delete sfConnections[org] instead of = null
  • sf_save_settings response – was returning the saveSettings() boolean; now returns the saved settings object (minus consumerSecret). render.js updated to skip overwriting the secret field when absent from the response, so the form isn't cleared after a save

Docs & dependencies

  • jest-environment-jsdom downgraded v30 → v29 to match jest v29
  • ReadMe OAuth scope corrected to refresh_token (removes undocumented offline_access)


Co-authored-by: acrosman <2972053+acrosman@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add OAuth support for login functionality" to "OAuth security hardening & bug fixes from PR review" Mar 9, 2026
@acrosman acrosman marked this pull request as ready for review March 9, 2026 17:09
@acrosman acrosman merged commit 9411adc into features/issue-55-oauth Mar 9, 2026
