chore: bump ds-spring-user-framework to 3.5.0; add error.html to unprotected URIs; expand .claude permissions

- Update implementation dependency to com.digitalsanctuary:ds-spring-user-framework:3.5.0 in build.gradle
- Add error.html to user.unprotectedURIs in application.yml so the error page is publicly accessible
- Add GitHub CLI (gh) and git checkout related Bash permissions to .claude/settings.local.json

Author: devondragon

.claude/settings.local.json

@@ -18,8 +18,13 @@
       "Bash(./fix-mockbean-deprecation.sh:*)",
       "mcp__zen__debug",
       "Bash(git commit:*)",
-      "mcp__zen__codereview"
+      "mcp__zen__codereview",
+      "Bash(gh pr view:*)",
+      "Bash(gh pr diff:*)",
+      "Bash(gh issue view:*)",
+      "Bash(gh pr checkout:*)",
+      "Bash(git checkout:*)"
     ],
     "deny": []
   }
-}
+}

build.gradle

@@ -39,9 +39,7 @@ repositories {
 
 dependencies {
     // DigitalSanctuary Spring User Framework
-    // implementation 'com.digitalsanctuary:ds-spring-user-framework:3.4.1' // new
-    // implementation 'com.digitalsanctuary:ds-spring-user-framework:3.2.2' // old
-    implementation 'com.digitalsanctuary:ds-spring-user-framework:3.2.3-SNAPSHOT'
+    implementation 'com.digitalsanctuary:ds-spring-user-framework:3.5.0'
 
     // Spring Boot starters
     implementation 'org.springframework.boot:spring-boot-starter-actuator'

src/main/resources/application.yml

@@ -117,7 +117,7 @@ user:
     bcryptStrength: 12 # The bcrypt strength to use for password hashing.  The higher the number, the longer it takes to hash the password.  The default is 12.  The minimum is 4.  The maximum is 31.
     testHashTime: true # If true, the test hash time will be logged to the console on startup.  This is useful for determining the optimal bcryptStrength value.
     defaultAction: deny # The default action for all requests.  This can be either deny or allow.
-    unprotectedURIs: /,/index.html,/favicon.ico,/apple-touch-icon-precomposed.png,/css/*,/js/*,/js/user/*,/js/event/*,/img/**,/user/registration,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login,/user/login,/user/login.html,/swagger-ui.html,/swagger-ui/**,/v3/api-docs/**,/event/,/event/list.html,/event/**,/about.html # A comma delimited list of URIs that should not be protected by Spring Security if the defaultAction is deny.
+    unprotectedURIs: /,/index.html,/favicon.ico,/apple-touch-icon-precomposed.png,/css/*,/js/*,/js/user/*,/js/event/*,/img/**,/user/registration,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword,/oauth2/authorization/*,/login,/user/login,/user/login.html,/swagger-ui.html,/swagger-ui/**,/v3/api-docs/**,/event/,/event/list.html,/event/**,/about.html,error.html # A comma delimited list of URIs that should not be protected by Spring Security if the defaultAction is deny.
     protectedURIs: /protected.html # A comma delimited list of URIs that should be protected by Spring Security if the defaultAction is allow.
     disableCSRFdURIs: /no-csrf-test # A comma delimited list of URIs that should not be protected by CSRF protection. This may include API endpoints that need to be called without a CSRF token.