When "Walk-in" is selected on the new order form, an optional name input
now appears. If filled, a new customer is created and linked to the order;
if left blank, the order remains a nameless walk-in as before.
Adds a new Restock page that lists all products with their current stock
and lets the user enter quantities to add in bulk, using the existing
PATCH /products/:id/stock endpoint.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use timing-safe comparisons for HMAC verification and password checks
- Add login rate limiting (5 attempts/minute per IP)
- Lock down CORS to Vite dev origin only (not needed in production)
- Derive signing key from APP_PASSWORD instead of using it directly
- Replace hand-rolled cookie parsing with cookie-parser middleware
- Wrap all order mutations in SQLite transactions
- Fix TOCTOU race on stock with atomic UPDATE...WHERE quantity >= ?
- Fix APP_SECERT typo in .env (gitignored, local fix only)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
