docs: fix inconsistencies between markdown docs and codebase

- README.md: correct "group-by-due-date" to "group-by-date" (field is
  group_by_date, not tied to due dates)
- docs/DEVELOPMENT.md: remove "Add migration logic if needed" step —
  project is pre-alpha with no migration policy; remove CHANGELOG.md
  references (file does not exist)
- docs/API.md: clarify load_credentials returns Zeroizing<String> not
  plain String; fix legacy credential migration description (unscoped
  format, not dot-separated format)

https://claude.ai/code/session_01KgXnipZEAHUwTp5wX4PFj9

README.md

@@ -46,7 +46,7 @@ onyx/
 - Workspace management (init, add, list, switch, remove, retarget, migrate)
 - Task list management (create, show, delete)
 - Task operations (add, complete, delete, edit)
-- Group-by-due-date toggle
+- Group-by-date toggle
 - WebDAV sync (setup, push, pull, status)
 
 ### GUI (`apps/tauri/`)
@@ -59,7 +59,7 @@ onyx/
 - Due date picker/editor with optional time
 - Subtask hierarchy with three-panel slide navigation
 - Move tasks between lists
-- List rename, group-by-due-date toggle, delete completed tasks
+- List rename, group-by-date toggle, delete completed tasks
 - Keyboard shortcuts (Escape priority chain)
 - WebDAV setup flow with credential auto-population
 - File watcher (auto-reloads on external changes)

docs/API.md

@@ -335,7 +335,7 @@ let status = get_sync_status(Path::new("/home/user/tasks"))?;
 
 Credentials are stored in the platform keychain (Windows Credential Manager, macOS Keychain, Linux Secret Service).
 
-**Core library** (`onyx-core::webdav`): Keyring service keys use the format `com.onyx.webdav.<domain>::<username>` — the `::` separator prevents key collisions when usernames contain dots. On first load, credentials stored in the legacy `.`-separated format are automatically migrated.
+**Core library** (`onyx-core::webdav`): The username is stored under service key `com.onyx.webdav.<domain>` and the password under `com.onyx.webdav.<domain>::<username>` — the `::` separator scopes the password per-username and prevents collisions when usernames contain dots. On first load, credentials stored in the legacy unscoped format (password stored without the username suffix) are automatically migrated to the scoped format.
 
 ```rust
 use onyx_core::webdav::{store_credentials, load_credentials, delete_credentials};
@@ -343,7 +343,7 @@ use onyx_core::webdav::{store_credentials, load_credentials, delete_credentials}
 // Store credentials
 store_credentials("nextcloud.example.com", "username", "password")?;
 
-// Load credentials
+// Load credentials (returns Zeroizing<String> wrappers that wipe memory on drop)
 let (username, password) = load_credentials("nextcloud.example.com")?;
 
 // Delete credentials

docs/DEVELOPMENT.md

@@ -248,9 +248,8 @@ fn test_with_temp_dir() {
 1. Update `Task` struct in `models.rs`
 2. Update `TaskFrontmatter` in `storage.rs`
 3. Update markdown parsing/writing in `storage.rs`
-4. Add migration logic if needed
-5. Update tests
-6. Update documentation
+4. Update tests
+5. Update documentation
 
 ### Adding a New CLI Command
 
@@ -293,11 +292,10 @@ We follow [Semantic Versioning](https://semver.org/):
 ### Creating a Release
 
 1. Update version in all `Cargo.toml` files
-2. Update `CHANGELOG.md`
-3. Create git tag: `git tag v0.1.0`
-4. Build release binaries: `cargo build --release`
-5. Test release binaries
-6. Push tag: `git push origin v0.1.0`
+2. Create git tag: `git tag v0.1.0`
+3. Build release binaries: `cargo build --release`
+4. Test release binaries
+5. Push tag: `git push origin v0.1.0`
 
 ## Troubleshooting
 
@@ -346,7 +344,6 @@ cargo run -p onyx-cli -- init ~/test-tasks --name test
 3. Lint code: `cargo clippy`
 4. Update documentation
 5. Add tests for new features
-6. Update CHANGELOG.md
 
 ### Commit Messages