Security:
- rooms: rate-limit /invite-email (SMTP spam relay), validate share
target user exists, guard timingSafeEqual against length mismatch
in the presentation route (500 -> 403)
- analytics: verify callback token before parsing the 5mb body so
unauthenticated callers cannot buffer large payloads
- caldav: rate-limit failed Basic-Auth attempts (token brute force),
lowercase email lookup, case-insensitive principal check
- auth: fall back to the in-memory rate-limit store when Redis is
unavailable; previously every rate-limited endpoint (incl. login)
returned 500 when the Redis connection was down
UI/copy:
- Home: factual hero copy and feature cards (6 instead of 9), fix
double-rendered feature icon, remove fake stats row and pill badge;
keep the background gradient and card layout
- i18n: consistent informal tone, drop trailing exclamation marks
from status toasts, remove emoji from transactional emails
- new favicon (logo.svg), restore theme-based default brand logo
Chore:
- gitignore SQLite WAL/SHM files
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Michelle