- Fix duplicate clock-in: server-side BEGIN IMMEDIATE transaction + client-side punchInFlight guard
- Fix accumulating event listeners: switch persistent containers to onclick property assignment
- Remove insecure JWT_SECRET fallback; server refuses to start without it set
- Add escapeHtml and apply it throughout all innerHTML template literals (XSS prevention)
- Fix calendar iframe URL injection by assigning iframe.src directly
- Add status validation on time-off status update endpoint
- Add date range filtering to admin logs tab and employee time log
- Replace Konami code Easter egg with 7-tap logo trigger (works on all devices)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
chris
a8b1c68d97