Tags: Infinit3i/AFW
v0.4.0: Interactive connection control complete

All 4 phases delivered — delete .idea/ roadmap directory.

New in v0.4.0:
- eBPF kprobe on tcp_v4_connect tracks outbound connection attempts
- Unknown apps detected, aggregated over 5s window, then reported
- Desktop notifications with action buttons (Always Allow / Allow Once / Deny)
- `afw pending` shows blocked apps with suggested commands
- `afw approve <binary>` permanently allows based on detected ports
- `afw allow-once <binary>` adds temporary rules (removed on exit)
- `afw deny <binary>` permanently blocks and suppresses notifications
- IGNORED_BINARIES blocklist for short-lived CLI tools
- Session detection for sending notifications as the desktop user

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

v0.3.0: Fix connection stability, batch nft ops, reduce rule churn

- Batch rule deletion: all handles removed in one atomic nft -f call instead of N separate subprocess invocations
- Reverted bounded channel (caused daemon blocking under load)
- Moved short-lived CLI tool ports (SSH, git, FTP, rsync) to base config to eliminate nftables rule churn from gitstatusd, curl, etc.
- Removed git/curl/wget/ssh/scp/rsync/pip/npm/cargo/go/python3/node from dynamic tracking — their ports are always open via base rules
- Fixes SSE/WebSocket stream drops (e.g. claude.ai thinking freeze)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>