docs: rewrite README following 2026 OSS conventions

[LorcanChinnock]

Restructure with badges, why-this-exists framing, quickstart, concrete use cases (webhooks, mobile testing, demos, CORS shimming, header/body auth injection), compatibility table, and security disclosure pointer. Content unchanged in substance — surfacing it for new readers.

Summary by CodeRabbit

• Documentation
  • Updated README with clearer quickstart guide and scenario-based use cases (webhooks, mobile testing, prototyping)
  • Added configuration examples for CORS, request headers, and JSON body injection
  • Improved tunnel setup instructions with step-by-step guidance
  • Added configuration reference section and hot reload notes
  • Rewrote security documentation to clarify authentication and tunnel types

[coderabbitai]

📝 Walkthrough

Walkthrough

The README was restructured with an updated "Why this exists" introduction and streamlined "Quickstart" section, followed by scenario-based "Use cases" guidance for webhooks, mobile testing, and demoing. Configuration documentation was expanded with JSON parsing rules for body injection, CORS examples, and a new configuration reference table mapping appsettings files. Security and project layout sections were rewritten for clarity.

Changes

README Restructuring & Documentation Update

Layer / File(s)	Summary
Overview & Quickstart README.md (lines 1–41)	Added badges and refreshed project description. Replaced earlier "Prerequisites/Run it/Use it" structure with "Why this exists" framing and "Quickstart" setup instructions including devtunnel CLI installation.
Use Cases & Examples README.md (lines 42–101)	Expanded scenario-based guidance for webhooks, mobile testing, demoing with stable URLs, and CORS configuration. Added example JSON snippets and explicit notes on invalid configuration combinations.
Configuration & Injection Rules README.md (lines 102–140)	Updated auth header and JSON body injection documentation with detailed parsing rules (JSON-first parsing, string fallback, skip conditions) and example route/transform configurations.
Reference, Hot Reload & Security README.md (lines 141–176)	Added "Configuration reference" table mapping appsettings files, "Hot reload" behavior notes, rewrote "Security" section covering anonymous vs private tunnels and cross-origin behavior, and updated "Project layout" to tree-style format.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A tunnel now shines with clarity clear,
The docs hop along without fear!
Quick starts and scenarios, examples so bright,
Configuration reference—a beacon of light.
The README bounds forward with style and with grace! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs: rewrite README following 2026 OSS conventions' directly and specifically describes the main change: a comprehensive README restructuring to align with modern open-source documentation standards.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/readme-2026-rewrite

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Around line 106-117: Add a brief warning above the example stating not to
store plaintext secrets in appsettings.json and replace any hardcoded secret
values in the "Routes" -> "default" -> "Transforms" example (e.g., the
RequestHeader "X-Api-Key" "Set" value and any InjectJsonField:* examples) with
an environment/user-secrets placeholder (for example %UPSTREAM_API_KEY% or a
reference to user-secrets) and include a one-line note showing how to set that
env var or use dotnet user-secrets so readers know to inject secrets at runtime
instead of committing them.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a5be69a7-f2ae-457c-87b6-835ce0e281b5

📥 Commits

Reviewing files that changed from the base of the PR and between 9862850 and 4d9d81e.

📒 Files selected for processing (1)

• README.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid documenting plaintext secrets in appsettings.json examples.

The examples currently model putting credentials directly in config ("Set": "your-secret-here" and InjectJsonField:*). Please add a short warning and show env/user-secrets substitution so readers don’t accidentally commit real credentials.

Suggested doc tweak

 ### Inject auth headers before forwarding

 Public-facing tunnel, secret-bearing upstream. Use route transforms:
+⚠️ Do not store real secrets in committed `appsettings.json`.
+Prefer environment variables or .NET user-secrets for local development.

 ```jsonc
 "Routes": {
   "default": {
@@
-      { "RequestHeader": "X-Api-Key", "Set": "your-secret-here" },
+      { "RequestHeader": "X-Api-Key", "Set": "%UPSTREAM_API_KEY%" },
       { "RequestHeader": "X-Trace", "Append": "proxy" }
     ]
   }
 }

 ### Inject auth fields into JSON request bodies

 For upstreams that authenticate via body fields, not headers:
+⚠️ Keep injected auth values out of source control; load them from secret stores/env vars.

Also applies to: 125-137

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 106 - 117, Add a brief warning above the example
stating not to store plaintext secrets in appsettings.json and replace any
hardcoded secret values in the "Routes" -> "default" -> "Transforms" example
(e.g., the RequestHeader "X-Api-Key" "Set" value and any InjectJsonField:*
examples) with an environment/user-secrets placeholder (for example
%UPSTREAM_API_KEY% or a reference to user-secrets) and include a one-line note
showing how to set that env var or use dotnet user-secrets so readers know to
inject secrets at runtime instead of committing them.