fix: address remaining PR #3 review feedback

Resolve critical, high, medium, and low priority findings from PR review.

Critical: fix .vscodeignore packaging gaps, remove dual lock file,
move bundled deps to devDependencies, fix double build in release.

High: add path traversal validation in editor panel, cap unbounded
error arrays in Zustand stores.

Medium: fix tr role="button" accessibility violation, remove dead
@shared/* path alias, fix double build in .releaserc.json.

Low: use crypto.randomBytes for CSP nonce, extract duplicated
toKebabCase to shared utility, align USER_STORY_REGEX across parsers,
replace hardcoded header prefix length, add debug logging to silent
catch blocks.

Author: Vincent M.

.gitignore

@@ -2,6 +2,7 @@
 
 # Dependencies
 node_modules
+package-lock.json
 .pnp
 .pnp.js
 

.releaserc.json

@@ -18,7 +18,7 @@
     [
       "@semantic-release/exec",
       {
-        "prepareCmd": "pnpm build && pnpm vscode:package"
+        "prepareCmd": "pnpm vscode:package"
       }
     ],
     [

.vscodeignore

@@ -1,3 +1,6 @@
+# Ensure bundled output is always included
+!out/**
+
 # Source and config (only bundled output is needed)
 src/**
 **/*.test.ts
@@ -15,11 +18,14 @@ node_modules/**
 .github/**
 .releaserc.json
 vite.config.ts
+vitest.config.ts
 tsconfig*.json
 vitest.setup.ts
 eslint.config.*
 .prettierrc*
 .gitignore
+pnpm-lock.yaml
+.vscode-test.mjs
 coverage/**
 
 # BMAD project artifacts (not part of the extension)