Security:
- Replace raw password cookie with HMAC-derived session token + constant-time compare
- Add rate limiting (5 attempts / 15 min) to admin login
- Atomic JSON writes via file-utils to prevent corruption on crash
- Tighten CSP headers; add Square CDN to style-src and font-src
- WebP conversion + 20 MB limit on admin image uploads

Checkout reliability:
- Delayed capture flow: pre-auth → calendar write → capture (never charge without booking)
- Derive payment idempotency key from SHA-256(nonce) to prevent nonce/key mismatch on retry
- Idempotency key persisted in localStorage; auto-retry on network failure
- Idempotent CalDAV writes using orderId-based UIDs; treat 412 as success
- User-friendly Square error messages instead of raw API detail strings

UX:
- Welcome modal + 5-step guided tour with spotlight and scroll-into-view
- Balloon release agreement checkbox required before payment
- 24-hour lead time enforced server-side in both delivery and pickup slot generators
- Fix Square card form race condition with double-rAF before attach()
- Tour hides Bulma modal-background for bright, unobscured modal steps

Notifications:
- Improved SMTP error logging; re-throw on failure so callers see it

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Languages: TypeScript 94.4%, CSS 4.5%, JavaScript 0.6%, Dockerfile 0.3%, Shell 0.2%