fix: harden API, DB schema, and CLI safety

- Add 'reminder' to glyph CHECK constraint (was accepted by parser but
  rejected by DB)
- Default serve bind to 127.0.0.1, add --host flag for LAN access
- Validate card_data as JSON in Store.Create/Update/Promote
- Return pagination envelope {data,total,limit,offset} from list endpoint
- Append absorb breadcrumb to source entity before soft-delete
- Add Levenshtein fuzzy match to catch command typos before routing to add
- Replace DDL string-matching migrations with versioned schema_version table
- Update web UI and API tests for envelope response format

cmd/root.go

@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"fmt"
 	"os"
 	"strings"
 
@@ -26,6 +27,10 @@ func Execute() error {
 		isFlag := strings.HasPrefix(first, "-") && !strings.Contains(first, " ")
 		if first != "help" && first != "completion" &&
 			!isFlag && !isSubcommand(first) {
+			if near := nearSubcommand(first); near != "" {
+				fmt.Fprintf(os.Stderr, "unknown command %q — did you mean %q?\n", first, near)
+				os.Exit(1)
+			}
 			// "--" stops cobra from parsing glyph prefixes like "-" as flags
 			rootCmd.SetArgs(append([]string{"add", "--"}, os.Args[1:]...))
 		}
@@ -47,6 +52,56 @@ func isSubcommand(name string) bool {
 	return false
 }
 
+func nearSubcommand(name string) string {
+	for _, c := range rootCmd.Commands() {
+		if d := editDist(name, c.Name()); d > 0 && d <= 2 {
+			return c.Name()
+		}
+		for _, alias := range c.Aliases {
+			if d := editDist(name, alias); d > 0 && d <= 2 {
+				return alias
+			}
+		}
+	}
+	return ""
+}
+
+func editDist(a, b string) int {
+	la, lb := len(a), len(b)
+	if la == 0 {
+		return lb
+	}
+	if lb == 0 {
+		return la
+	}
+	prev := make([]int, lb+1)
+	for j := range prev {
+		prev[j] = j
+	}
+	for i := 1; i <= la; i++ {
+		curr := make([]int, lb+1)
+		curr[0] = i
+		for j := 1; j <= lb; j++ {
+			cost := 1
+			if a[i-1] == b[j-1] {
+				cost = 0
+			}
+			ins := curr[j-1] + 1
+			del := prev[j] + 1
+			sub := prev[j-1] + cost
+			curr[j] = ins
+			if del < curr[j] {
+				curr[j] = del
+			}
+			if sub < curr[j] {
+				curr[j] = sub
+			}
+		}
+		prev = curr
+	}
+	return prev[lb]
+}
+
 func init() {
 	rootCmd.AddCommand(addCmd)
 	rootCmd.AddCommand(lsCmd)

cmd/serve.go

@@ -19,6 +19,7 @@ var WebFS fs.FS
 
 var (
 	servePort int
+	serveHost string
 	serveDev  bool
 	tlsCert   string
 	tlsKey    string
@@ -32,6 +33,7 @@ var serveCmd = &cobra.Command{
 
 func init() {
 	serveCmd.Flags().IntVar(&servePort, "port", 0, "port to listen on (default 4444, or 4443 with TLS)")
+	serveCmd.Flags().StringVar(&serveHost, "host", "127.0.0.1", "address to bind to (default localhost only)")
 	serveCmd.Flags().BoolVar(&serveDev, "dev", false, "enable CORS for development")
 	serveCmd.Flags().StringVar(&tlsCert, "tls-cert", "", "path to TLS certificate file")
 	serveCmd.Flags().StringVar(&tlsKey, "tls-key", "", "path to TLS private key file")
@@ -70,7 +72,7 @@ func runServe(_ *cobra.Command, _ []string) error {
 		router = api.NewRouter(store, serveDev, WebFS)
 	}
 
-	addr := fmt.Sprintf(":%d", port)
+	addr := fmt.Sprintf("%s:%d", serveHost, port)
 	srv := &http.Server{
 		Addr:    addr,
 		Handler: router,
@@ -81,9 +83,9 @@ func runServe(_ *cobra.Command, _ []string) error {
 
 	go func() {
 		if useTLS {
-			fmt.Printf("nib serving on https://localhost%s\n", addr)
+			fmt.Printf("nib serving on https://%s\n", addr)
 		} else {
-			fmt.Printf("nib serving on http://localhost%s\n", addr)
+			fmt.Printf("nib serving on http://%s\n", addr)
 		}
 		if serveDev {
 			fmt.Println("  CORS enabled (dev mode)")