v1.31 - patch release (2026-06-03)

Two operator-impacting bugs fixed; no new features. Everything else
(LDAP/SAML SSO, plugin loader runtime, tool-level audit log, SIEM
forwarder, /metrics Prometheus endpoint) ships in the upcoming v2.0
release line.

Fixed:
- #48 OAuth client revoke returned HTTP 500 (session.username ->
  session.user on 4 lines in oauth_clients.py). Live-confirmed fix
  on a Rocky 9 OAuth backend.
- #51 verify_ssl = false now also enables OP_LEGACY_SERVER_CONNECT
  so OpenSSL 3.0 (RHEL 9 / Ubuntu 22.04+) can talk to older Zabbix
  HTTPS frontends doing legacy TLS renegotiation. Reported by
  @letran3691.

Verified: CRUD smoke 255/261 OK on release/v1.31, installer matrix
18/18 PASS across alma 8/9/10, debian 12/13, fedora, oracle 8/9/10,
rhel 8/9/10, suse 15, ubuntu 22/24, amazon 2023, minimal.

v1.30 - external feedback + pre-release polish

v1.29 - OAuth polish: consent screen, role cap, TTL config, IP allowl…

…ist, refresh-token reuse detection, wizard proxy step

v1.28 - OAuth 2.1 authorization server, per-token tools/list filterin…

…g, active-only problem filter

v1.27 - admin portal polish from v1.26 field testing

v1.26 - MCP 2025-11-25, raw_json policy, session-cookie auth, securit…

…y audit

v1.25 - field-test polish + on-blur duplicate-name validation

Live testing session immediately after v1.24 shipped uncovered a long
list of papercuts and one real connectivity-validator bug. v1.25
ships fixes for everything they hit, plus a real-time validation
layer so the operator sees most rejections before they hit Save.

Highlights:
- Last-admin protection (cannot self-demote, cannot remove last admin)
- On-blur duplicate-name check on every name input (tokens / users /
  servers, both create and edit)
- Installer credentials banner now matches the actual bind host
- Add Server merges Test + Save into one click; Test now actually
  validates the API token (host.get(limit=1), not just apiinfo.version)
- Sortable table headers actually sort
- Expired tokens render as Expired; past expiry rejected
- Card / page titles truncate long names with ellipsis instead of
  blowing out the page layout
- Visible "(testing...)" state on Test Connection while in flight
- Token edit rejects rename to an existing token's name with a clear
  duplicate-name error
- "Failed to add server: Key 'shit' already exists" no longer leaks
  tomlkit's internal "Key" wording
- Token success card auto-scrolls into view after creation

See CHANGELOG.md for the full list.

v1.24 - field-test feedback round + post-RC hardening (see CHANGELOG)

v1.23 - AI-assisted report template generation, visual editor shortcu…

…ts, 7 LLM providers

Release v1.22 - fix availability gauge + report preview + installer u…

…nbound var