- Switched to secure httpOnly, SameSite=Strict cookies for JWT authentication.
- Refactored backend to use AppState for shared secrets and database pool caching.
- Modernized frontend with Svelte 5 runes ($state) and removed localStorage reliance.
- Gated destructive test endpoints behind debug_assertions and fixed unsafe test patterns.
- Enhanced CI pipeline with cargo clippy, cargo fmt, and pinned pnpm version.
- Updated documentation and implementation plans to match the hardened architecture.
- Add IF NOT EXISTS to all migration DDL for idempotency
- Support PORT env var in backend (for compose flexibility)
- Support HOST_PORT env var in docker-compose
- Improve seed-demo to apply migrations before seeding
- Gitignore .claude/ session cache
