- Public wishlist now renders as responsive 3-col grid instead of list
- Subtitle supports line breaks (whitespace-pre-line)
- claimingEnabled and showQuantity moved to global site settings (not per-item); toggled in admin Configurações panel; claim API enforces server-side
- Admin dashboard shows admin access link with copy button
- Settings API exposes and persists the two new boolean settings
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Single-wishlist apps no longer need two separate edit sections.
Both siteTitle/homepageSubtext and wishlist fields now save together
in one action from a unified Configurações card.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- reorder route used async callback with better-sqlite3 (sync driver),
causing "Transaction function cannot return a promise" — converted to sync
- home page now redirects unauthenticated visitors to the wishlist slug
instead of getting stuck on the loading screen
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cookies were set with secure flag based solely on NODE_ENV, causing
401 errors when accessing over HTTP with NODE_ENV=production.
- Add COOKIE_SECURE env var for explicit control
- Auto-detect HTTPS via X-Forwarded-Proto header in production
- Extract isSecureCookie() utility to lib/auth/utils.ts
- Document COOKIE_SECURE in README and .env.example
Fixes#39
