- Dashboard auto-refresh rendered the full layout into its own
refresh container, producing a duplicate sidebar every 60s; it now
renders only the body partial.
- 'Run Now' runs synchronously with a bounded timeout and returns
refreshed results plus success/error feedback, instead of
firing-and-forgetting with no signal.
- Price-history chart data moved from a <script> block to a data-
attribute: templ does not interpolate expressions inside <script>
element content, so the JSON was emitted literally.
- The htmx indicator spinner was permanently visible due to CSS
source order; the indicator rules now follow .v-spinner.

Also refreshes README for this session's changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The session cookie now sets the Secure attribute (server.secure_cookies, default true). Adds chi RealIP and Recoverer middleware plus a securityHeaders middleware that emits a Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy on every response. HSTS is intentionally left to the TLS-terminating proxy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

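The header and cookie behaviour described in the commit message above, as an added example in Go using only net/http; it is not the project's own code. The header values, the cookie name and attributes other than Secure, and the helpers `probe` and `missing` are assumptions, since the message names only the four headers and the Secure attribute.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed values: the commit message names these headers but not their contents.
var required = map[string]string{
	"Content-Security-Policy": "default-src 'self'",
	"X-Frame-Options":         "DENY",
	"X-Content-Type-Options":  "nosniff",
	"Referrer-Policy":         "same-origin",
}

func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, value := range required {
			w.Header().Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// probe runs a constructed login handler behind the middleware (hypothetical helper).
func probe(secureCookies bool) (http.Header, *http.Cookie) {
	login := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{Name: "session", Value: "constructed-token",
			Path: "/", HttpOnly: true, Secure: secureCookies, SameSite: http.SameSiteLaxMode})
	})
	rec := httptest.NewRecorder()
	securityHeaders(login).ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/login", nil))
	res := rec.Result()
	return res.Header, res.Cookies()[0]
}

func missing(h http.Header) []string {
	var out []string
	for name := range required {
		if h.Get(name) == "" {
			out = append(out, name)
		}
	}
	return out
}

func main() {
	h, c := probe(true)
	fmt.Println("missing:", missing(h), "secure:", c.Secure, "hsts:", h.Get("Strict-Transport-Security") != "")
}
```

The middleware has the `func(http.Handler) http.Handler` shape that chi's `Use` accepts, and the absence of Strict-Transport-Security in the app's own response matches the decision to leave HSTS to the TLS-terminating proxy.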
eBay marketplaces are now polled through eBay's official Buy > Browse API (client-credentials OAuth2) instead of an Apify scraper actor; Apify still handles Yahoo JP and Mercari. Browse API calls are tracked per day in a new ebay_api_usage table and capped (default 5000, configurable) on eBay's Pacific-time reset clock, so polling halts before the limit is hit. Credentials live in config.toml [ebay] and are overridable via /settings, which also surfaces the day's running call count.

Also carries the server.secure_cookies config plumbing (field, accessor, example) consumed by the following commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>