Auction end times, visual flair, and pre-launch cleanup

Auction handling:
- Capture itemEndDate from eBay Browse API and ending_date from ZenMarket
  (Yahoo JP); plumb through results.ends_at column. Permissive ZenMarket
  parser (multiple layouts, JST when offset missing).
- Per-row "Ends" countdown column + "Ending soon" banner on results pages,
  live-ticked by flair.js with urgent/critical tinting under 1h/5m.
- Backfill ends_at for known auctions when their URL reappears in a poll
  (dedup hit no longer drops the new end time).
- Hide ended auctions from result listings by default via
  ResultsQuery.ExcludeEnded; rows stay in the DB.

Visual flair:
- Glassy backdrop-blur v-cards with gradient-mask borders and hover-lift.
- htmx swap fade-in via transient .v-just-swapped class.
- Count-up animation on dashboard stats. All animations gated behind
  prefers-reduced-motion.

eBay condition + region filters (auctions-style scoping):
- items.condition and items.region columns; threaded through item form,
  CreateItem/UpdateItem, scheduler eBay plan input, and previewKey so
  cache invalidates when these change.
- ebay.SearchParams gains conditionIds and itemLocationCountry filters.

Run Now reload + countdown engine:
- Run Now now sets HX-Refresh: true (non-htmx fallback: 303 redirect) so
  the entire results view — best price, chart, badge, last polled —
  reflects the new poll, instead of swapping just one partial.

Pre-launch hardening (P1 set):
- auth.EqualizeLoginTiming on no-such-user branch.
- (*App).serverError centralizes 500s; replaces err.Error() leaks across
  results/settings/items/users/dashboard handlers.
- main.go server: ReadTimeout 30s / WriteTimeout 60s / IdleTimeout 120s
  alongside the existing ReadHeaderTimeout.
- noListFS wrapper blocks static directory listings.
- Credential fields in settings no longer render value=; blank submission
  preserves the saved value, with per-field "Saved in settings / Set in
  config.toml / Not set" status indicator.

Misc:
- -debug flag wires slog to LevelDebug; raw ZenMarket items logged for
  format diagnosis.
- /healthz public endpoint for reverse-proxy probes.
- deploy/veola.service systemd unit template (hardening flags, single
  ReadWritePaths=/var/lib/veola).
- handlers_test.go covers /healthz, setup-gate redirect, auth gate, and
  /login render with httptest + in-memory sqlite.
- best_price_currency on items; templates pick the right symbol per row.
- .gitignore now excludes *.log / veola-debug.log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/handlers/settings.go

@@ -26,6 +26,40 @@ var settingsKeys = []string{
 	"match_confidence_threshold",
 }
 
+// secretSettingsKeys are credential fields. Their values are never rendered
+// back into the form, so a blank submission means "leave unchanged" rather
+// than "clear" — see PostSettings.
+var secretSettingsKeys = map[string]bool{
+	"apify_api_key":      true,
+	"ebay_client_id":     true,
+	"ebay_client_secret": true,
+	"ntfy_token":         true,
+}
+
+// credentialStatus reports, per secret key, whether a value is saved in the
+// settings table, inherited from config.toml, or absent — without exposing
+// the secret itself.
+func (a *App) credentialStatus(values map[string]string) map[string]string {
+	configVals := map[string]string{
+		"apify_api_key":      a.Cfg.Apify.APIKey,
+		"ebay_client_id":     a.Cfg.Ebay.ClientID,
+		"ebay_client_secret": a.Cfg.Ebay.ClientSecret,
+		"ntfy_token":         "",
+	}
+	status := make(map[string]string, len(secretSettingsKeys))
+	for k := range secretSettingsKeys {
+		switch {
+		case strings.TrimSpace(values[k]) != "":
+			status[k] = "Saved in settings"
+		case strings.TrimSpace(configVals[k]) != "":
+			status[k] = "Set in config.toml"
+		default:
+			status[k] = "Not set"
+		}
+	}
+	return status
+}
+
 func (a *App) settingsData(r *http.Request) (templates.SettingsData, error) {
 	values, err := a.Store.GetAllSettings(r.Context())
 	if err != nil {
@@ -38,19 +72,20 @@ func (a *App) settingsData(r *http.Request) (templates.SettingsData, error) {
 	cur := auth.CurrentUserFromRequest(r)
 	ebayUsed, ebayLimit := a.Scheduler.EbayUsage(r.Context())
 	return templates.SettingsData{
-		Page:           a.page(r, "Settings", "settings"),
-		Values:         values,
-		IsAdmin:        cur != nil && cur.Role == models.RoleAdmin,
-		Users:          users,
-		EbayUsedToday:  ebayUsed,
-		EbayDailyLimit: ebayLimit,
+		Page:             a.page(r, "Settings", "settings"),
+		Values:           values,
+		CredentialStatus: a.credentialStatus(values),
+		IsAdmin:          cur != nil && cur.Role == models.RoleAdmin,
+		Users:            users,
+		EbayUsedToday:    ebayUsed,
+		EbayDailyLimit:   ebayLimit,
 	}, nil
 }
 
 func (a *App) GetSettings(w http.ResponseWriter, r *http.Request) {
 	d, err := a.settingsData(r)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		a.serverError(w, r, err)
 		return
 	}
 	render(w, r, templates.Settings(d))
@@ -68,8 +103,14 @@ func (a *App) PostSettings(w http.ResponseWriter, r *http.Request) {
 	}
 	for _, k := range settingsKeys {
 		v := strings.TrimSpace(r.PostFormValue(k))
+		// Secret fields are never rendered back into the form, so a blank
+		// submission is the normal state and means "leave unchanged" — not
+		// "clear". (To clear a stored credential, edit the settings table.)
+		if v == "" && secretSettingsKeys[k] {
+			continue
+		}
 		if err := a.Store.SetSetting(r.Context(), k, v); err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
+			a.serverError(w, r, err)
 			return
 		}
 	}
@@ -92,7 +133,7 @@ func (a *App) PostPasswordChange(w http.ResponseWriter, r *http.Request) {
 
 	d, err := a.settingsData(r)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		a.serverError(w, r, err)
 		return
 	}
 
@@ -115,7 +156,7 @@ func (a *App) PostPasswordChange(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if err := a.Store.UpdateUserPassword(r.Context(), cur.ID, hash); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		a.serverError(w, r, err)
 		return
 	}
 	d.PasswordMsg = "Password updated"
@@ -130,7 +171,7 @@ func (a *App) PostTestNtfy(w http.ResponseWriter, r *http.Request) {
 	}
 	d, err := a.settingsData(r)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		a.serverError(w, r, err)
 		return
 	}
 	baseURL := strings.TrimSpace(d.Values["ntfy_base_url"])
@@ -164,7 +205,7 @@ func (a *App) PostTestApify(w http.ResponseWriter, r *http.Request) {
 	}
 	d, err := a.settingsData(r)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		a.serverError(w, r, err)
 		return
 	}
 	apiKey := strings.TrimSpace(d.Values["apify_api_key"])
@@ -210,7 +251,7 @@ func (a *App) PostTestEbay(w http.ResponseWriter, r *http.Request) {
 	}
 	d, err := a.settingsData(r)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		a.serverError(w, r, err)
 		return
 	}
 	// Settings-table values win over config.toml. Both paths are trimmed: