double-click to focus the camera — plus phases 1–3 re-audited

The QA bug from the last entry is still unresolved. Set it aside and went elsewhere.

Camera focus:

Double-click anywhere in the 3D view and the camera animates onto that point — 200ms easeOutCubic, dollies to min(current distance, 5m). Raycasts against the scene; misses are silent. F still re-fits to the full plan. Closes the most-common navigation gap now that wall-drawing got cheap.

Eight-agent audit across phases 1–3:

  • Branch IDOR + TOCTOU. Anyone could like/comment any draft via UUID guess. Branching trusted a pre-tx license read — source owner could flip license between gate and INSERT. Both closed with WHERE status='published' predicates inside the tx.
  • Avatar URL traversal. HasPrefix accepted cdn/avatars/me/../them/foo.png. Now url-parses, rejects .., matches scheme + host.
  • Sitemap race. Publish mid-fill clobbered the invalidate signal. Added an invalidatedAt snapshot; stale fills skip the cache write.
  • Rate limits. Avatar PUT was unbounded; notification + templates GETs too. New heavy-read limiter (300/min/user); avatar mutations on the write budget.
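
An added sketch of the avatar URL check described in the list above, not the project's own code: the prefix-only test next to a parse-then-validate version. The CDN host `cdn.example.test`, the `/avatars/<userID>/<file>` layout and both function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumed layout (hypothetical): https://cdn.example.test/avatars/<userID>/<file>
const (
	cdnScheme = "https"
	cdnHost   = "cdn.example.test"
)

// prefixOnly is the "before" check: a raw string prefix match on the unparsed URL.
func prefixOnly(raw, userID string) bool {
	return strings.HasPrefix(raw, cdnScheme+"://"+cdnHost+"/avatars/"+userID+"/")
}

// validAvatarURL parses first, then matches scheme + host and inspects every path segment.
func validAvatarURL(raw, userID string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != cdnScheme || u.Host != cdnHost {
		return false
	}
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return false
	}
	// u.Path is percent-decoded, so an encoded dot segment is seen here as "..".
	segs := strings.Split(u.Path, "/")
	for _, s := range segs {
		if s == ".." || s == "." {
			return false
		}
	}
	// Expect exactly ["", "avatars", userID, file]; a decoded extra "/" changes the count.
	return len(segs) == 4 && segs[1] == "avatars" && segs[2] == userID && segs[3] != ""
}

func main() {
	// Constructed sample inputs for the caller "me".
	for _, raw := range []string{
		"https://cdn.example.test/avatars/me/foo.png",
		"https://cdn.example.test/avatars/me/../them/foo.png",
	} {
		fmt.Printf("%-55s prefixOnly=%-5v validAvatarURL=%v\n", raw, prefixOnly(raw, "me"), validAvatarURL(raw, "me"))
	}
}
```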

~70 findings triaged across two commits. 494 frontend tests + every Go package green at -count=2.

The camera fix took the morning. The audits took the rest of the week.

#gamahaus #ai