v2.2.0 — Regen wave, Cloudflare Access on /debug & 4-attempt pipeline

A quality-regeneration wave (12 specs re-rolled end-to-end on Sonnet, ~3.5× throughput vs. v2.1.0), two coverage gaps filled, a 4th repair attempt added to the impl pipeline, and /debug moved behind Cloudflare Access. No breaking changes.

🔁 Regen wave

12 specs regenerated through impl-generate / review / repair / merge — same plot types, fresh code, higher quality scores. Daily-regen now runs on Claude Sonnet (#5452) and skips the 20:00–24:00 Berlin window (#5517).

✅ Coverage filled

• network-basic: 8/9 → 9/9
• area-mountain-panorama: bokeh added (highcharts still in-flight)

🔐 Cloudflare Access on /debug

/debug is gated behind Cloudflare Access with a service-token fallback for CI (#5522). Same-origin /api proxy fixes the cookie scope (#5551), and a hard-reload on TypeError fires the page-gate cleanly when the JWT lapses (#5552).

🔧 Pipeline

• Repair budget bumped 3 → 4 attempts with cascading thresholds (90/80/70/60/50).
• ADMIN_TOKEN PAT for impl-merge so --admin bypasses the main-branch ruleset (#5523, #5521).

🧰 Tooling

• /Regen command for unattended library regeneration.
• /audit framework split into per-agent files; 7 new auditors added (#5413/#5451). Critical/High findings applied across multiple waves.
• Mandatory PR follow-through codified in CLAUDE.md (#5553).

⬆️ Dependencies

8 Dependabot bumps landed: uvicorn, setuptools, sqlalchemy, cloud-sql-python-connector, matplotlib, react-router-dom, plus npm-minor / python-minor / actions groups.

Full Changelog: v2.1.0...v2.2.0