chris a8b1c68d97 feat: fix double punch, XSS, add log filtering and Easter egg
- Fix duplicate clock-in: server-side BEGIN IMMEDIATE transaction + client-side punchInFlight guard
- Fix accumulating event listeners: switch persistent containers to onclick property assignment
- Remove insecure JWT_SECRET fallback; server refuses to start without it set
- Add escapeHtml and apply it throughout all innerHTML template literals (XSS prevention)
- Fix calendar iframe URL injection by assigning iframe.src directly
- Add status validation on time-off status update endpoint
- Add date range filtering to admin logs tab and employee time log
- Replace Konami code Easter egg with 7-tap logo trigger (works on all devices)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-28 16:42:34 -04:00
1.3 MiB
Languages
JavaScript 94.9%
HTML 3.2%
CSS 1.4%
Dockerfile 0.5%