Add configurable host binding for external access

[crankycoder]

• New host config option — bind to 0.0.0.0 for external access (default: 127.0.0.1)
• Fix stale lock file silently preventing browser launch — now verifies the lock owner PID is alive before trusting the port
• Add CI workflow (stable + nightly Neovim) and lock semantics test suite

[selimacerbas]

Hey @crankycoder, thanks for this — the host config itself is clean and well-tested, and we just shipped the live-server.nvim side in v1.3.0.

Before merging this PR, could you split it into two? The reason: it bundles two independent feature sets, and they should be reviewable / revertable separately.

PR A: host config (this PR, scoped down)

• host config field
• lock.is_server_alive(host, port) signature change
• remote.send_event(host, port, ...) signature change
• Browser URL uses configured host
• The test harness (tests/host_config_test.lua)

PR B: browser opening improvements (new PR)

The changes in util.open_in_browser() are useful but unrelated to host config:

1. vim.notify URL always
2. vim.ui.open fallback
3. vim.fn.executable() checks
4. on_exit error handling

These are 4 separate improvements and they touch the same function that PR #14 (just merged) modified for WSL support — so you'll need to rebase regardless.

I'll happily merge both PRs. Splitting just keeps the history clean and makes it easier to land each piece without holding the other hostage.

Let me know if you'd prefer me to do the split for you (cherry-picking your commits into two branches) — happy to take that on if it's easier.

[crankycoder]

sorry for the long delay. i think this should be ok now - i've rebased and thinned out the PR.

[crankycoder]

hrm. couple minor issues i found that i'm working through rn

[crankycoder]

alright. fixed a stale lock bug and added a couple tests around that.

[crankycoder]

@selimacerbas ?

[selimacerbas]

Thanks @crankycoder, sorry for the delay on my side. The split looks great, the stale-lock fix is a good catch, and the tests are exactly what we needed (especially the port-reuse scenario in section 4 of lock_test.lua). Two small things before merge, plus context on a follow-up.

Before merge

1. README security warning. When a user sets host = "0.0.0.0", they expose more than the rendered preview. Anyone on the same network can:

• read content.md (the markdown buffer being edited)
• hit /__live/inject?event=reload&data=... to trigger reloads or inject scroll events into the user's browser tab (the endpoint has no auth)

Could you add a > [!WARNING] block in the Network section saying something like:

> [!WARNING]
> Binding to `0.0.0.0` exposes the preview server (and the current
> markdown buffer) to anyone on the same network. The live-reload
> control endpoints are currently unauthenticated. Only use this on
> trusted networks. Prefer a one-shot SSH tunnel otherwise.

2. Windows verification. The PID-aliveness check uses uv.kill(pid, 0). CI only runs on ubuntu-latest. libuv's uv_kill should handle signal 0 on Windows (it maps to OpenProcess + WaitForSingleObject), but I'd like to confirm before merging. Either add windows-latest to the matrix, or share a quick screen-grab from Windows nvim showing :lua print(vim.loop.kill(vim.fn.getpid(), 0)) returning 0 for alive.

Follow-up I'll handle separately

I'm going to add token auth in live-server.nvim, Jupyter style. Random 128-bit token at server start, embedded in index.html, gated on all sensitive endpoints, written to the lockfile (mode 0600) so secondary instances can still hit /__live/inject. That makes host = "0.0.0.0" actually safe to recommend. Bigger change, separate PR in the sibling repo, no churn for your PR here. When it lands I'll soften the README warning.

Once the warning is in and Windows is confirmed, this is good to go. Thanks again for the patience and the tests.