Resolve all README FIXMEs and enforce truncation safety

- Update Architecture tree to match actual src/ structure
- Fix settings button to have border and hover state (Clickable Affordance)
- Cap truncateMiddle to remove at most 10 chars (anti-spoofing guard)
- Raise caller floor from 10 to 32 chars for address display
- Fill in default RPC URL (ethereum-rpc.publicnode.com)
- Fix dependencies table intro (four runtime libs, not two)
- Clean up TODO section: remove all completed items

src/popup/views/helpers.js

@@ -131,9 +131,18 @@ function balanceLinesForAddress(addr, trackedTokens, showZero) {
     return html;
 }
 
+// Truncate the middle of a string, replacing removed characters with "…".
+// Safety: refuses to truncate more than 10 characters, which is the maximum
+// that still prevents address spoofing attacks (see Display Consistency in
+// README).  Callers that need to display less should use a different UI
+// approach rather than silently making addresses insecure.
 function truncateMiddle(str, maxLen) {
     if (str.length <= maxLen) return str;
-    if (maxLen < 5) return str.slice(0, maxLen);
+    const removed = str.length - maxLen + 1; // +1 for the ellipsis char
+    if (removed > 10) {
+        maxLen = str.length - 10 + 1;
+    }
+    if (maxLen >= str.length) return str;
     const half = Math.floor((maxLen - 1) / 2);
     return str.slice(0, half) + "\u2026" + str.slice(-(maxLen - 1 - half));
 }