- Switched to secure httpOnly, SameSite=Strict cookies for JWT authentication.
- Refactored backend to use AppState for shared secrets and database pool caching.
- Modernized frontend with Svelte 5 runes ($state) and removed localStorage reliance.
- Gated destructive test endpoints behind debug_assertions and fixed unsafe test patterns.
- Enhanced CI pipeline with cargo clippy, cargo fmt, and pinned pnpm version.
- Updated documentation and implementation plans to match the hardened architecture.
- Add test-* and seed-demo Make targets to command reference
- Document TT_TEST_MODE, /health route, test_reset route module
- Expand admin subroutes list, add Testing and CI sections
- Fix SQLx contradiction (runtime queries, no DATABASE_URL needed)
- Rewrite GEMINI.md with full Claude parity
- Add root README.md with quickstart, stack, and doc links
