Cleanup, bug fixes, new features, and security improvements

[Chocapikk]

Hey! I stumbled on your project while looking for live coding tools from Strasbourg (allez Strasbourg 😄). I really dig what you guys do with CrashServer, the whole livecoding scene you've built there is sick.

I forked the repo and went through the codebase. Started with a quick lint pass and kept finding things to fix and improve. Here's what this PR covers:

Bug fixes

• XSS in player list - innerHTML with WebSocket data replaced with safe DOM methods (textContent + createElement)
• findIndex falsy bug in formatErrorMessage (index 0 was treated as false, now uses !== -1)
• markerUtils undefined - was referenced but never imported (dead code that crashed on Alt+1/2/3), now implemented
• Silent catch blocks - errors were swallowed without logging, now logged to console
• == instead of === in multiple places (foxdotAutocomplete, main, configPanel)
• window.onclick override in configPanel replaced with addEventListener to avoid clobbering
• Unused variables cleaned up (orange in getDurationColor, playersList import, unused e param, etc.)

New features

• Clear console button - ✕ button in the log panel to clear all output
• Line markers - Alt+1/2/3 for Red/Green/Blue, Alt+4 to reset (was dead code before, now functional)
• Synth/Fx descriptions in autocomplete - shows what each synth/effect does in the dropdown tooltip (new synth_definitions.py file)
• Error detection and colored log output - server-side pattern matching for errors (red), prompts (green), input (blue). Also captures stderr now, not just stdout
• Green-orange-red duration color transition for player duration display (was green-to-red, now smooth 3-step)
• Auto-detection of python executable (python3 vs python via shutil.which in resolve_python())

Security

• WebSocket origin check on the backend WS (port 1234) to prevent cross-origin code injection. Only accepts connections from localhost origins. Non-browser clients (no Origin header) are still allowed.

Refactoring

• Merged startup.py and startup-renardo.py into a single file that auto-detects FoxDot vs Renardo at runtime. startup-renardo.py is deleted.
• Deduplicated periodic senders - sendScale, sendRoot, sendBeat, sendChrono replaced with a single _send_loop method + getter functions
• camelCase -> snake_case in all Python code (isRunning -> is_running, playerCounter -> player_counter, wsPanel -> ws_panel, etc.)
• Centralized all WS sends in main.js through a single sendToServer() function with readyState guard. Removed stopClock, soloPlayer, unSoloPlayers, resetChrono from functionUtils.js (they all just wrapped wsServer.send)
• WebSocket auto-reconnect on all 3 connections (backend port 1234, FoxDot panel port 20000, FoxDot autocomplete) with 3s retry
• Cleaned up server.py - extracted HOST/WS_PORT constants, flattened nested handle_foxdot_output into top-level _read_stream, captures both stdout and stderr via asyncio.gather
• Removed unused wsServer param from saveEditorContent

Tooling

• ruff - added ruff.toml config, all Python files pass ruff check and ruff format with 0 errors. Runtime globals from FoxDot/Renardo are ignored via per-file config
• eslint - added eslint.config.js with recommended rules + eqeqeq, no-var, prefer-const. All JS files pass with 0 errors. Added eslint to devDependencies
• .gitignore updated with .ruff_cache/

Docs

• Updated README with new features list, shortcuts table, linting instructions, and updated roadmap (all items checked)
• Updated copyright to 2025-2026
• Updated config sample with resolve_python() usage
• Added synth_definitions.py to installation instructions (Python, Node.js, and Renardo sections)

Breaking changes / migration notes

• startup-renardo.py is deleted. If you were using it, switch to startup.py which now handles both FoxDot and Renardo automatically
• New file synth_definitions.py must be placed alongside startup.py in your FoxDot/Renardo Custom directory for autocomplete descriptions to work
• Python variable names changed (wsPanel -> ws_panel, timeInit -> time_init, etc.) - if you have custom scripts referencing the old names, update them

[CrashServer]

That's a great piece of work you've done, thank you so much for your contribution. I'll be doing the code review soon and integrating it into the main branch. I also think a large part of it will fit into the version we use when we play live. Hope to see you around sometime someday.