Changelog

Security Hardening

• API key storage moved to server-only. Keys are now stored exclusively in CosmosDB (AES-256-GCM encrypted via backend/crypto.js). All localStorage key persistence has been removed. Legacy keys are wiped on load.
• Azure Key Vault integration. New backend/keyVault.js module fetches the credential master key from Azure Key Vault at startup via DefaultAzureCredential. Falls back to environment variables when Key Vault is not configured.
• Bicep: optional Key Vault. infra/staging.bicep now accepts an optional keyVaultName parameter. When set, it creates a Key Vault, stores the master key as a secret, grants the Container App system-assigned identity the Key Vault Secrets User role, and injects KEY_VAULT_URL as an env var.
• Fixed false "key required" error. Users with a server-saved key no longer see a spurious error asking them to provide a key.

Canvas UX Improvements

• Zoom centers on viewport. Zoom in, zoom out, and reset now scale around the visible viewport center — content no longer drifts away.
• Vertical toolbar toggles. New panel toggle buttons: PanelLeft to show/hide the service catalog, FileText to show/hide diagram annotations.
• Properties panel collapsed label. The panel now shows "Properties" as vertical text when collapsed instead of a blank strip.
• Floating chevron buttons. Consistent w-6 h-6 rounded circle style for both catalog and Properties panel toggles. Properties chevron moved to the parent wrapper to fix clipping issues.
• Transparent shape fills. Rectangle, circle, and diamond shapes now default to transparent fill with #94a3b8 stroke instead of the old blue gradient.
• Toolbar tooltips fixed. All 7 toolbar tools now have accurate "Name — description" tooltips.

Copy/Paste & Image Paste (from v2.0.0)

• Ctrl+C / Ctrl+V / Ctrl+D + context menu Duplicate for canvas elements.
• Paste images from clipboard directly onto the canvas (max 400×400, centred).