- Fix duplicate clock-in: server-side BEGIN IMMEDIATE transaction + client-side punchInFlight guard
- Fix accumulating event listeners: switch persistent containers to onclick property assignment
- Remove insecure JWT_SECRET fallback; server refuses to start without it set
- Add escapeHtml and apply it throughout all innerHTML template literals (XSS prevention)
- Fix calendar iframe URL injection by assigning iframe.src directly
- Add status validation on time-off status update endpoint
- Add date range filtering to admin logs tab and employee time log
- Replace Konami code Easter egg with 7-tap logo trigger (works on all devices)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Adds the ability for admins to archive individual time log entries.
- Adds an 'Archive' button to the detailed logs table in the admin UI.
- Adds a new API endpoint to handle the archiving of a single log entry.
- Updates the frontend to call the new endpoint when the 'Archive'
  button is clicked.