fix: Mobile hamburger menu and iPad sidebar visibility

Mobile fixes:
- Add click toggle handler for hamburger menu (was hover-only)
- Menu now opens/closes on tap and closes when clicking outside
- Keep hover support for desktop

iPad fixes:
- Sidebar content now visible on touch devices (901-1280px)
- Added (hover: hover) media query to prevent hide-on-hover on tablets

Security improvements:
- Replace exec.CommandContext with go-git library for git operations
- Add path traversal and command injection prevention
- Fix race condition in template hot reload
- Add environment-based cookie Secure flag

Code quality:
- Add constants.go for magic numbers
- Remove unused code (ParsePreferenceToggleRequest, DomainError)
- Add FOUC prevention with inline critical CSS
- Add Makefile dev/run/clean targets
- Fix README git clone URL
- Add doc/DECISIONS.md for architectural decisions

Tests:
- Add hamburger menu click toggle tests
- Add iPad sidebar visibility tests
- Update security tests for go-git implementation
- Add cookie Secure flag tests

internal/middleware/preferences.go

@@ -3,6 +3,7 @@ package middleware
 import (
 	"context"
 	"net/http"
+	"os"
 )
 
 // contextKey is a private type for context keys to avoid collisions
@@ -146,10 +147,16 @@ func SetPreferenceCookie(w http.ResponseWriter, name string, value string) {
 		MaxAge:   365 * 24 * 60 * 60, // 1 year
 		HttpOnly: true,
 		SameSite: http.SameSiteStrictMode,
-		Secure:   false, // Set to true in production with HTTPS
+		Secure:   isProductionMode(), // Secure in production with HTTPS
 	})
 }
 
+// isProductionMode checks if the application is running in production
+func isProductionMode() bool {
+	env := os.Getenv("GO_ENV")
+	return env == "production" || env == "prod"
+}
+
 // getPreferenceCookie gets a preference cookie value, returns default if not found
 func getPreferenceCookie(r *http.Request, name string, defaultValue string) string {
 	cookie, err := r.Cookie(name)