refactor: comprehensive code quality, security, and release readiness improvements

Security: tighten CORS defaults, add webhook rate limiting, fix XSS in
automations, guard WebSocket JSON.parse, validate ADB address input,
seal debug exception leak, URL-encode WS tokens, CSS.escape in selectors.

Code quality: add Pydantic models for brightness/power endpoints, fix
thread safety and name uniqueness in DeviceStore, immutable update
pattern, split 6 oversized files into 16 focused modules, enable
TypeScript strictNullChecks (741→102 errors), type state variables,
add dom-utils helper, migrate 3 modules from inline onclick to event
delegation, ProcessorDependencies dataclass.

Performance: async store saves, health endpoint log level, command
palette debounce, optimized entity-events comparison, fix service
worker precache list.

Testing: expand from 45 to 293 passing tests — add store tests (141),
route tests (25), core logic tests (42), E2E flow tests (33), organize
into tests/api/, tests/storage/, tests/core/, tests/e2e/.

DevOps: CI test pipeline, pre-commit config, Dockerfile multi-stage
build with non-root user and health check, docker-compose improvements,
version bump to 0.2.0.

Docs: rewrite CLAUDE.md (202→56 lines), server/CLAUDE.md (212→76),
create contexts/server-operations.md, fix .js→.ts references, fix env
var prefix in README, rewrite INSTALLATION.md, add CONTRIBUTING.md and
.env.example.

server/tests/api/routes/test_webhooks_routes.py

@@ -0,0 +1,67 @@
+"""Tests for webhook routes — trigger, validation, rate limiting."""
+
+import time
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import pytest
+
+from wled_controller.api.routes.webhooks import _check_rate_limit, _rate_hits
+
+
+# ---------------------------------------------------------------------------
+# Rate limiter unit tests (pure function, no HTTP)
+# ---------------------------------------------------------------------------
+
+
+class TestRateLimiter:
+    def setup_method(self):
+        """Clear rate-limit state between tests."""
+        _rate_hits.clear()
+
+    def test_allows_under_limit(self):
+        for _ in range(29):
+            _check_rate_limit("1.2.3.4")  # should not raise
+
+    def test_rejects_at_limit(self):
+        for _ in range(30):
+            _check_rate_limit("1.2.3.4")
+        from fastapi import HTTPException
+        with pytest.raises(HTTPException) as exc_info:
+            _check_rate_limit("1.2.3.4")
+        assert exc_info.value.status_code == 429
+
+    def test_separate_ips_independent(self):
+        for _ in range(30):
+            _check_rate_limit("10.0.0.1")
+        # Different IP should still be allowed
+        _check_rate_limit("10.0.0.2")  # should not raise
+
+    def test_window_expiry(self):
+        """Timestamps outside the 60s window are pruned."""
+        old_time = time.time() - 120  # 2 minutes ago
+        _rate_hits["1.2.3.4"] = [old_time] * 30
+        # Old entries should be pruned, allowing new requests
+        _check_rate_limit("1.2.3.4")  # should not raise
+
+
+# ---------------------------------------------------------------------------
+# Webhook payload validation
+# ---------------------------------------------------------------------------
+
+
+class TestWebhookPayload:
+    def test_valid_payload_model(self):
+        from wled_controller.api.routes.webhooks import WebhookPayload
+
+        p = WebhookPayload(action="activate")
+        assert p.action == "activate"
+
+        p2 = WebhookPayload(action="deactivate")
+        assert p2.action == "deactivate"
+
+    def test_arbitrary_action_accepted_by_model(self):
+        """The model accepts any string; validation is in the route handler."""
+        from wled_controller.api.routes.webhooks import WebhookPayload
+
+        p = WebhookPayload(action="bogus")
+        assert p.action == "bogus"