fix: resolve issues #63, #64, #66, #67, #68 + CVE-2026-33228 (flatted)

[comphy-bot]

Summary

Fixes five open issues and one high-severity security advisory in a single branch.

---

Changes

#63 — Harden scripts/deploy.sh strict-mode + CLI validation

• Refactored livereload-port assignment to a guarded branch (safe under set -euo pipefail)
• Added explicit validation for -p|--port and --host (missing arg, flag-as-value, non-numeric port)
• IPv6 host URLs now emitted in bracketed form
• Added tests/test_deploy_args.sh smoke tests covering all new paths

#64 — Fail fast in validate-content-rules for missing files and bad headings

• Added reusable file-existence guard; emits clear message and exits non-zero
• Unknown month names now treated as hard validation failures
• Month headings before any year context now rejected
• Error messages include offending heading/line for debuggability

#66 — Remove non-standard CSS selectors and fix token drift

• Replaced :contains() / :has(...:contains(...)) patterns with class-based equivalents
• Tag styling standardised to .tags ... class-based patterns
• Fixed undefined CSS custom property references

#67 — Expand teaching markdown CI gate

• CI lint scope extended to _teaching/**/*.md and assets/images/teaching/README.md
• Both prettier --check and markdownlint now run on this scope
• Local one-liner command documented in contributor docs

#68 — Stale-result regression tests for command palette async search

• Added query-token guard so only the latest search request updates rendered results
• Added targeted tests simulating out-of-order async completions

Security — CVE-2026-33228 (flatted ≤ 3.4.1, prototype pollution)

• Added "flatted": "^3.4.2" to package.json overrides
• package-lock.json updated; both eslint and stylelint transitive paths now resolve flatted@3.4.2
• Resolves Dependabot alert 📝 Add docstrings to SEO-and-paper-update #24

---

Closes

Closes #63
Closes #64
Closes #66
Closes #67
Closes #68