fix: remove cash flow summary cards and restore area chart shading

Remove the 4 summary cards from the Cash Flow page as they don't properly represent the story over time. Increase gradient opacity on stacked area charts (cash flow and investment scenarios) from 0.3-0.4/0-0.05 to 0.6/0.15 for better visual shading. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Merge branch 'claude/reverent-moore' - Resend email integration
2026-03-17 20:41:13 -04:00 · 2026-03-17 18:33:17 -04:00 · 2026-03-17 18:29:20 -04:00 · 2026-03-17 18:04:14 -04:00 · 2026-03-17 17:51:34 -04:00 · 2026-03-17 07:53:16 -04:00
15 changed files with 603 additions and 141 deletions
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "hoa-ledgeriq-backend",
-  "version": "2026.3.11",
+  "version": "2026.3.17",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "hoa-ledgeriq-backend",
-      "version": "2026.3.11",
+      "version": "2026.3.17",
      "dependencies": {
        "@nestjs/common": "^10.4.15",
        "@nestjs/config": "^3.3.0",
@@ -36,6 +36,7 @@
        "pg": "^8.13.1",
        "qrcode": "^1.5.4",
        "reflect-metadata": "^0.2.2",
+        "resend": "^6.9.4",
        "rxjs": "^7.8.1",
        "stripe": "^20.4.1",
        "typeorm": "^0.3.20",
@@ -2791,6 +2792,12 @@
      "integrity": "sha512-Uy0+khmZqUrUGm5dmMqVlnvufZRSK0FbYzVgp0UMstm+F5+W2/jnEEQyc9vo1ZR/E5ZI/B1WjjoTqBqwJL6Krw==",
      "license": "MIT"
    },
+    "node_modules/@stablelib/base64": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@stablelib/base64/-/base64-1.0.1.tgz",
+      "integrity": "sha512-1bnPQqSxSuc3Ii6MhBysoWCg58j97aUjuCSZrGSmDxNqtytIi0k8utUenAwTZN4V5mXXYGsVUI9zeBqy+jBOSQ==",
+      "license": "MIT"
+    },
    "node_modules/@tokenizer/inflate": {
      "version": "0.2.7",
      "resolved": "https://registry.npmjs.org/@tokenizer/inflate/-/inflate-0.2.7.tgz",
@@ -5357,6 +5364,12 @@
      "integrity": "sha512-W+KJc2dmILlPplD/H4K9l9LcAHAfPtP6BY84uVLXQ6Evcz9Lcg33Y2z1IVblT6xdY54PXYVHEv+0Wpq8Io6zkA==",
      "license": "MIT"
    },
+    "node_modules/fast-sha256": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/fast-sha256/-/fast-sha256-1.3.0.tgz",
+      "integrity": "sha512-n11RGP/lrWEFI/bWdygLxhI+pVeo1ZYIVwvvPkW7azl/rOy+F3HYRZ2K5zeE9mmkhQppyv9sQFx0JM9UabnpPQ==",
+      "license": "Unlicense"
+    },
    "node_modules/fb-watchman": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/fb-watchman/-/fb-watchman-2.0.2.tgz",
@@ -8723,6 +8736,12 @@
        "node": ">= 0.4"
      }
    },
+    "node_modules/postal-mime": {
+      "version": "2.7.3",
+      "resolved": "https://registry.npmjs.org/postal-mime/-/postal-mime-2.7.3.tgz",
+      "integrity": "sha512-MjhXadAJaWgYzevi46+3kLak8y6gbg0ku14O1gO/LNOuay8dO+1PtcSGvAdgDR0DoIsSaiIA8y/Ddw6MnrO0Tw==",
+      "license": "MIT-0"
+    },
    "node_modules/postgres-array": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-2.0.0.tgz",
@@ -9207,6 +9226,27 @@
      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==",
      "license": "ISC"
    },
+    "node_modules/resend": {
+      "version": "6.9.4",
+      "resolved": "https://registry.npmjs.org/resend/-/resend-6.9.4.tgz",
+      "integrity": "sha512-/M3dsJzu5OgozqVsA4Psd/1L7EdePgOIIxClas453GOQYFG3VHc2ZyCHZFlvqsc9aZCCd2BJRRqZgWC8D9c7/g==",
+      "license": "MIT",
+      "dependencies": {
+        "postal-mime": "2.7.3",
+        "svix": "1.86.0"
+      },
+      "engines": {
+        "node": ">=20"
+      },
+      "peerDependencies": {
+        "@react-email/render": "*"
+      },
+      "peerDependenciesMeta": {
+        "@react-email/render": {
+          "optional": true
+        }
+      }
+    },
    "node_modules/resolve": {
      "version": "1.22.11",
      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz",
@@ -9779,6 +9819,16 @@
      "integrity": "sha512-qoRRSyROncaz1z0mvYqIE4lCd9p2R90i6GxW3uZv5ucSu8tU7B5HXUP1gG8pVZsYNVaXjk8ClXHPttLyxAL48A==",
      "license": "MIT"
    },
+    "node_modules/standardwebhooks": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/standardwebhooks/-/standardwebhooks-1.0.0.tgz",
+      "integrity": "sha512-BbHGOQK9olHPMvQNHWul6MYlrRTAOKn03rOe4A8O3CLWhNf4YHBqq2HJKKC+sfqpxiBY52pNeesD6jIiLDz8jg==",
+      "license": "MIT",
+      "dependencies": {
+        "@stablelib/base64": "^1.0.0",
+        "fast-sha256": "^1.3.0"
+      }
+    },
    "node_modules/statuses": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
@@ -10037,6 +10087,29 @@
        "url": "https://github.com/sponsors/ljharb"
      }
    },
+    "node_modules/svix": {
+      "version": "1.86.0",
+      "resolved": "https://registry.npmjs.org/svix/-/svix-1.86.0.tgz",
+      "integrity": "sha512-/HTvXwjLJe1l/MsLXAO1ddCYxElJk4eNR4DzOjDOEmGrPN/3BtBE8perGwMAaJ2sT5T172VkBYzmHcjUfM1JRQ==",
+      "license": "MIT",
+      "dependencies": {
+        "standardwebhooks": "1.0.0",
+        "uuid": "^10.0.0"
+      }
+    },
+    "node_modules/svix/node_modules/uuid": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-10.0.0.tgz",
+      "integrity": "sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==",
+      "funding": [
+        "https://github.com/sponsors/broofa",
+        "https://github.com/sponsors/ctavan"
+      ],
+      "license": "MIT",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
    "node_modules/swagger-ui-dist": {
      "version": "5.17.14",
      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.17.14.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@@ -45,6 +45,7 @@
    "pg": "^8.13.1",
    "qrcode": "^1.5.4",
    "reflect-metadata": "^0.2.2",
+    "resend": "^6.9.4",
    "rxjs": "^7.8.1",
    "stripe": "^20.4.1",
    "typeorm": "^0.3.20",
--- a/backend/src/app.module.ts
+++ b/backend/src/app.module.ts
@@ -1,5 +1,5 @@
 import { Module, MiddlewareConsumer, NestModule } from '@nestjs/common';
-import { APP_GUARD } from '@nestjs/core';
+import { APP_GUARD, APP_INTERCEPTOR } from '@nestjs/core';
 import { ConfigModule, ConfigService } from '@nestjs/config';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { ThrottlerModule } from '@nestjs/throttler';
@@ -7,6 +7,7 @@ import { AppController } from './app.controller';
 import { DatabaseModule } from './database/database.module';
 import { TenantMiddleware } from './database/tenant.middleware';
 import { WriteAccessGuard } from './common/guards/write-access.guard';
+import { NoCacheInterceptor } from './common/interceptors/no-cache.interceptor';
 import { AuthModule } from './modules/auth/auth.module';
 import { OrganizationsModule } from './modules/organizations/organizations.module';
 import { UsersModule } from './modules/users/users.module';
@@ -95,6 +96,10 @@ import { ScheduleModule } from '@nestjs/schedule';
      provide: APP_GUARD,
      useClass: WriteAccessGuard,
    },
+    {
+      provide: APP_INTERCEPTOR,
+      useClass: NoCacheInterceptor,
+    },
  ],
 })
 export class AppModule implements NestModule {
--- a/backend/src/common/interceptors/no-cache.interceptor.ts
+++ b/backend/src/common/interceptors/no-cache.interceptor.ts
@@ -0,0 +1,16 @@
+import { Injectable, NestInterceptor, ExecutionContext, CallHandler } from '@nestjs/common';
+import { Observable } from 'rxjs';
+
+/**
+ * Prevents browsers and proxies from caching authenticated API responses
+ * containing sensitive financial data (account balances, transactions, PII).
+ */
+@Injectable()
+export class NoCacheInterceptor implements NestInterceptor {
+  intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
+    const res = context.switchToHttp().getResponse();
+    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private');
+    res.setHeader('Pragma', 'no-cache');
+    return next.handle();
+  }
+}
--- a/backend/src/modules/auth/auth.controller.ts
+++ b/backend/src/modules/auth/auth.controller.ts
@@ -8,6 +8,8 @@ import {
  Get,
  Res,
  Query,
+  HttpCode,
+  ForbiddenException,
  BadRequestException,
 } from '@nestjs/common';
 import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
@@ -23,6 +25,7 @@ import { AllowViewer } from '../../common/decorators/allow-viewer.decorator';

 const COOKIE_NAME = 'ledgeriq_rt';
 const isProduction = process.env.NODE_ENV === 'production';
+const isOpenRegistration = process.env.ALLOW_OPEN_REGISTRATION === 'true';

 function setRefreshCookie(res: Response, token: string) {
  res.cookie(COOKIE_NAME, token, {
@@ -49,9 +52,14 @@ export class AuthController {
  constructor(private authService: AuthService) {}

  @Post('register')
-  @ApiOperation({ summary: 'Register a new user' })
+  @ApiOperation({ summary: 'Register a new user (disabled unless ALLOW_OPEN_REGISTRATION=true)' })
  @Throttle({ default: { limit: 5, ttl: 60000 } })
  async register(@Body() dto: RegisterDto, @Res({ passthrough: true }) res: Response) {
+    if (!isOpenRegistration) {
+      throw new ForbiddenException(
+        'Open registration is disabled. Please use an invitation link to create your account.',
+      );
+    }
    const result = await this.authService.register(dto);
    if (result.refreshToken) {
      setRefreshCookie(res, result.refreshToken);
@@ -93,6 +101,7 @@ export class AuthController {

  @Post('logout')
  @ApiOperation({ summary: 'Logout and revoke refresh token' })
+  @HttpCode(200)
  async logout(@Request() req: any, @Res({ passthrough: true }) res: Response) {
    const rawToken = req.cookies?.[COOKIE_NAME];
    if (rawToken) {
@@ -104,6 +113,7 @@ export class AuthController {

  @Post('logout-everywhere')
  @ApiOperation({ summary: 'Revoke all sessions' })
+  @HttpCode(200)
  @ApiBearerAuth()
  @UseGuards(JwtAuthGuard)
  async logoutEverywhere(@Request() req: any, @Res({ passthrough: true }) res: Response) {
@@ -183,4 +193,51 @@ export class AuthController {
    // Stubbed — will be implemented when email service is ready
    return { success: true, message: 'If an account exists, a new activation link has been sent.' };
  }
+
+  // ─── Password Reset Flow ──────────────────────────────────────────
+
+  @Post('forgot-password')
+  @ApiOperation({ summary: 'Request a password reset email' })
+  @HttpCode(200)
+  @Throttle({ default: { limit: 3, ttl: 60000 } })
+  async forgotPassword(@Body() body: { email: string }) {
+    if (!body.email) throw new BadRequestException('Email is required');
+    await this.authService.requestPasswordReset(body.email);
+    // Always return same message to prevent account enumeration
+    return { message: 'If that email exists, a password reset link has been sent.' };
+  }
+
+  @Post('reset-password')
+  @ApiOperation({ summary: 'Reset password using a reset token' })
+  @HttpCode(200)
+  @Throttle({ default: { limit: 5, ttl: 60000 } })
+  async resetPassword(@Body() body: { token: string; newPassword: string }) {
+    if (!body.token || !body.newPassword) {
+      throw new BadRequestException('Token and newPassword are required');
+    }
+    if (body.newPassword.length < 8) {
+      throw new BadRequestException('Password must be at least 8 characters');
+    }
+    await this.authService.resetPassword(body.token, body.newPassword);
+    return { message: 'Password updated successfully.' };
+  }
+
+  @Patch('change-password')
+  @ApiOperation({ summary: 'Change password (authenticated)' })
+  @ApiBearerAuth()
+  @UseGuards(JwtAuthGuard)
+  @AllowViewer()
+  async changePassword(
+    @Request() req: any,
+    @Body() body: { currentPassword: string; newPassword: string },
+  ) {
+    if (!body.currentPassword || !body.newPassword) {
+      throw new BadRequestException('currentPassword and newPassword are required');
+    }
+    if (body.newPassword.length < 8) {
+      throw new BadRequestException('Password must be at least 8 characters');
+    }
+    await this.authService.changePassword(req.user.sub, body.currentPassword, body.newPassword);
+    return { message: 'Password changed successfully.' };
+  }
 }
--- a/backend/src/modules/auth/auth.service.ts
+++ b/backend/src/modules/auth/auth.service.ts
@@ -11,8 +11,9 @@ import { JwtService } from '@nestjs/jwt';
 import { ConfigService } from '@nestjs/config';
 import { DataSource } from 'typeorm';
 import * as bcrypt from 'bcryptjs';
-import { createHash } from 'crypto';
+import { randomBytes, createHash } from 'crypto';
 import { UsersService } from '../users/users.service';
+import { EmailService } from '../email/email.service';
 import { RegisterDto } from './dto/register.dto';
 import { User } from '../users/entities/user.entity';
 import { RefreshTokenService } from './refresh-token.service';
@@ -21,6 +22,7 @@ import { RefreshTokenService } from './refresh-token.service';
 export class AuthService {
  private readonly logger = new Logger(AuthService.name);
  private readonly inviteSecret: string;
+  private readonly appUrl: string;

  constructor(
    private usersService: UsersService,
@@ -28,8 +30,10 @@ export class AuthService {
    private configService: ConfigService,
    private dataSource: DataSource,
    private refreshTokenService: RefreshTokenService,
+    private emailService: EmailService,
  ) {
    this.inviteSecret = this.configService.get<string>('INVITE_TOKEN_SECRET') || 'dev-invite-secret';
+    this.appUrl = this.configService.get<string>('APP_URL') || 'http://localhost:5173';
  }

  async register(dto: RegisterDto) {
@@ -309,6 +313,105 @@ export class AuthService {
    return token;
  }

+  // ─── Password Reset Flow ──────────────────────────────────────────
+
+  /**
+   * Request a password reset. Generates a token, stores its hash, and sends an email.
+   * Silently succeeds even if the email doesn't exist (prevents enumeration).
+   */
+  async requestPasswordReset(email: string): Promise<void> {
+    const user = await this.usersService.findByEmail(email);
+    if (!user) {
+      // Silently return — don't reveal whether the account exists
+      return;
+    }
+
+    // Invalidate any existing reset tokens for this user
+    await this.dataSource.query(
+      `UPDATE shared.password_reset_tokens SET used_at = NOW()
+       WHERE user_id = $1 AND used_at IS NULL`,
+      [user.id],
+    );
+
+    // Generate a 64-byte random token
+    const rawToken = randomBytes(64).toString('base64url');
+    const tokenHash = createHash('sha256').update(rawToken).digest('hex');
+    const expiresAt = new Date(Date.now() + 15 * 60 * 1000); // 15 minutes
+
+    await this.dataSource.query(
+      `INSERT INTO shared.password_reset_tokens (user_id, token_hash, expires_at)
+       VALUES ($1, $2, $3)`,
+      [user.id, tokenHash, expiresAt],
+    );
+
+    const resetUrl = `${this.appUrl}/reset-password?token=${rawToken}`;
+    await this.emailService.sendPasswordResetEmail(user.email, resetUrl);
+  }
+
+  /**
+   * Reset password using a valid reset token.
+   */
+  async resetPassword(rawToken: string, newPassword: string): Promise<void> {
+    const tokenHash = createHash('sha256').update(rawToken).digest('hex');
+
+    const rows = await this.dataSource.query(
+      `SELECT id, user_id, expires_at, used_at
+       FROM shared.password_reset_tokens
+       WHERE token_hash = $1`,
+      [tokenHash],
+    );
+
+    if (rows.length === 0) {
+      throw new BadRequestException('Invalid or expired reset token');
+    }
+
+    const record = rows[0];
+
+    if (record.used_at) {
+      throw new BadRequestException('This reset link has already been used');
+    }
+
+    if (new Date(record.expires_at) < new Date()) {
+      throw new BadRequestException('This reset link has expired');
+    }
+
+    // Update password
+    const passwordHash = await bcrypt.hash(newPassword, 12);
+    await this.dataSource.query(
+      `UPDATE shared.users SET password_hash = $1, updated_at = NOW() WHERE id = $2`,
+      [passwordHash, record.user_id],
+    );
+
+    // Mark token as used
+    await this.dataSource.query(
+      `UPDATE shared.password_reset_tokens SET used_at = NOW() WHERE id = $1`,
+      [record.id],
+    );
+  }
+
+  /**
+   * Change password for an authenticated user (requires current password).
+   */
+  async changePassword(userId: string, currentPassword: string, newPassword: string): Promise<void> {
+    const user = await this.usersService.findById(userId);
+    if (!user || !user.passwordHash) {
+      throw new UnauthorizedException('User not found');
+    }
+
+    const isValid = await bcrypt.compare(currentPassword, user.passwordHash);
+    if (!isValid) {
+      throw new UnauthorizedException('Current password is incorrect');
+    }
+
+    const passwordHash = await bcrypt.hash(newPassword, 12);
+    await this.dataSource.query(
+      `UPDATE shared.users SET password_hash = $1, updated_at = NOW() WHERE id = $2`,
+      [passwordHash, userId],
+    );
+  }
+
+  // ─── Private Helpers ──────────────────────────────────────────────
+
  private async recordLoginHistory(
    userId: string,
    organizationId: string | null,
--- a/backend/src/modules/email/email.service.ts
+++ b/backend/src/modules/email/email.service.ts
@@ -1,50 +1,159 @@
 import { Injectable, Logger } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
 import { DataSource } from 'typeorm';
+import { Resend } from 'resend';

-/**
- * Stubbed email service — logs to console and stores in shared.email_log.
- * Replace internals with Resend/SendGrid when ready for production.
- */
@Injectable()
 export class EmailService {
  private readonly logger = new Logger(EmailService.name);
+  private resend: Resend | null = null;
+  private fromAddress: string;
+  private replyToAddress: string;

-  constructor(private dataSource: DataSource) {}
+  constructor(
+    private configService: ConfigService,
+    private dataSource: DataSource,
+  ) {
+    const apiKey = this.configService.get<string>('RESEND_API_KEY');
+    if (apiKey && !apiKey.includes('placeholder')) {
+      this.resend = new Resend(apiKey);
+      this.logger.log('Resend email service initialized');
+    } else {
+      this.logger.warn('Resend not configured — emails will be logged only (stub mode)');
+    }
+    this.fromAddress = this.configService.get<string>('RESEND_FROM_ADDRESS') || 'noreply@hoaledgeriq.com';
+    this.replyToAddress = this.configService.get<string>('RESEND_REPLY_TO') || '';
+  }
+
+  // ─── Public API ──────────────────────────────────────────────

  async sendActivationEmail(email: string, businessName: string, activationUrl: string): Promise<void> {
    const subject = `Activate your ${businessName} account on HOA LedgerIQ`;
-    const body = [
-      `Welcome to HOA LedgerIQ!`,
-      ``,
-      `Your organization "${businessName}" has been created.`,
-      `Please activate your account by clicking the link below:`,
-      ``,
-      activationUrl,
-      ``,
-      `This link expires in 72 hours.`,
-    ].join('\n');
+    const html = this.buildTemplate({
+      preheader: 'Your HOA LedgerIQ account is ready to activate.',
+      heading: 'Welcome to HOA LedgerIQ!',
+      body: `
+        <p>Your organization <strong>${this.esc(businessName)}</strong> has been created and is ready to go.</p>
+        <p>Click the button below to set your password and activate your account:</p>
+      `,
+      ctaText: 'Activate My Account',
+      ctaUrl: activationUrl,
+      footer: 'This activation link expires in 72 hours. If you did not sign up for HOA LedgerIQ, please ignore this email.',
+    });

-    await this.log(email, subject, body, 'activation', { businessName, activationUrl });
+    await this.send(email, subject, html, 'activation', { businessName, activationUrl });
  }

  async sendWelcomeEmail(email: string, businessName: string): Promise<void> {
+    const appUrl = this.configService.get<string>('APP_URL') || 'https://app.hoaledgeriq.com';
    const subject = `Welcome to HOA LedgerIQ — ${businessName}`;
-    const body = `Your account is active. Log in at http://localhost to get started.`;
-    await this.log(email, subject, body, 'welcome', { businessName });
+    const html = this.buildTemplate({
+      preheader: `${businessName} is all set up on HOA LedgerIQ.`,
+      heading: `You're all set!`,
+      body: `
+        <p>Your account for <strong>${this.esc(businessName)}</strong> is now active.</p>
+        <p>Log in to start managing your HOA's finances, assessments, and investments — all in one place.</p>
+      `,
+      ctaText: 'Go to Dashboard',
+      ctaUrl: `${appUrl}/dashboard`,
+      footer: 'If you have any questions, just reply to this email and we\'ll help you get started.',
+    });
+
+    await this.send(email, subject, html, 'welcome', { businessName });
  }

  async sendPaymentFailedEmail(email: string, businessName: string): Promise<void> {
-    const subject = `Payment failed for ${businessName} on HOA LedgerIQ`;
-    const body = `We were unable to process your payment. Please update your payment method.`;
-    await this.log(email, subject, body, 'payment_failed', { businessName });
+    const subject = `Action required: Payment failed for ${businessName}`;
+    const html = this.buildTemplate({
+      preheader: 'We were unable to process your payment.',
+      heading: 'Payment Failed',
+      body: `
+        <p>We were unable to process the latest payment for <strong>${this.esc(businessName)}</strong>.</p>
+        <p>Please update your payment method to avoid any interruption to your service.</p>
+      `,
+      ctaText: 'Update Payment Method',
+      ctaUrl: `${this.configService.get<string>('APP_URL') || 'https://app.hoaledgeriq.com'}/settings`,
+      footer: 'If you believe this is an error, please reply to this email and we\'ll look into it.',
+    });
+
+    await this.send(email, subject, html, 'payment_failed', { businessName });
  }

  async sendInviteMemberEmail(email: string, orgName: string, inviteUrl: string): Promise<void> {
    const subject = `You've been invited to ${orgName} on HOA LedgerIQ`;
-    const body = `You've been invited to join ${orgName}. Click here to accept: ${inviteUrl}`;
-    await this.log(email, subject, body, 'invite_member', { orgName, inviteUrl });
+    const html = this.buildTemplate({
+      preheader: `Join ${orgName} on HOA LedgerIQ.`,
+      heading: 'You\'re Invited!',
+      body: `
+        <p>You've been invited to join <strong>${this.esc(orgName)}</strong> on HOA LedgerIQ.</p>
+        <p>Click below to accept the invitation and set up your account:</p>
+      `,
+      ctaText: 'Accept Invitation',
+      ctaUrl: inviteUrl,
+      footer: 'This invitation link expires in 7 days. If you were not expecting this, please ignore this email.',
+    });
+
+    await this.send(email, subject, html, 'invite_member', { orgName, inviteUrl });
  }

+  async sendPasswordResetEmail(email: string, resetUrl: string): Promise<void> {
+    const subject = 'Reset your HOA LedgerIQ password';
+    const html = this.buildTemplate({
+      preheader: 'Password reset requested for your HOA LedgerIQ account.',
+      heading: 'Password Reset',
+      body: `
+        <p>We received a request to reset your password. Click the button below to choose a new one:</p>
+      `,
+      ctaText: 'Reset Password',
+      ctaUrl: resetUrl,
+      footer: 'This link expires in 1 hour. If you did not request a password reset, please ignore this email — your password will remain unchanged.',
+    });
+
+    await this.send(email, subject, html, 'password_reset', { resetUrl });
+  }
+
+  // ─── Core send logic ────────────────────────────────────────
+
+  private async send(
+    toEmail: string,
+    subject: string,
+    html: string,
+    template: string,
+    metadata: Record<string, any>,
+  ): Promise<void> {
+    // Always log to the database
+    await this.log(toEmail, subject, html, template, metadata);
+
+    if (!this.resend) {
+      this.logger.log(`📧 EMAIL STUB → ${toEmail}`);
+      this.logger.log(`   Subject: ${subject}`);
+      return;
+    }
+
+    try {
+      const result = await this.resend.emails.send({
+        from: this.fromAddress,
+        to: [toEmail],
+        replyTo: this.replyToAddress || undefined,
+        subject,
+        html,
+      });
+
+      if (result.error) {
+        this.logger.error(`Resend error for ${toEmail}: ${JSON.stringify(result.error)}`);
+        await this.updateLogStatus(toEmail, template, 'failed', result.error.message);
+      } else {
+        this.logger.log(`✅ Email sent to ${toEmail} (id: ${result.data?.id})`);
+        await this.updateLogStatus(toEmail, template, 'sent', result.data?.id);
+      }
+    } catch (err: any) {
+      this.logger.error(`Failed to send email to ${toEmail}: ${err.message}`);
+      await this.updateLogStatus(toEmail, template, 'failed', err.message);
+    }
+  }
+
+  // ─── Database logging ───────────────────────────────────────
+
  private async log(
    toEmail: string,
    subject: string,
@@ -52,10 +161,6 @@ export class EmailService {
    template: string,
    metadata: Record<string, any>,
  ): Promise<void> {
-    this.logger.log(`📧 EMAIL STUB → ${toEmail}`);
-    this.logger.log(`   Subject: ${subject}`);
-    this.logger.log(`   Body:\n${body}`);
-
    try {
      await this.dataSource.query(
        `INSERT INTO shared.email_log (to_email, subject, body, template, metadata)
@@ -66,4 +171,119 @@ export class EmailService {
      this.logger.warn(`Failed to log email: ${err}`);
    }
  }
+
+  private async updateLogStatus(toEmail: string, template: string, status: string, detail?: string): Promise<void> {
+    try {
+      await this.dataSource.query(
+        `UPDATE shared.email_log
+         SET metadata = metadata || $1::jsonb
+         WHERE to_email = $2 AND template = $3
+           AND created_at = (
+             SELECT MAX(created_at) FROM shared.email_log
+             WHERE to_email = $2 AND template = $3
+           )`,
+        [JSON.stringify({ send_status: status, send_detail: detail || '' }), toEmail, template],
+      );
+    } catch {
+      // Best effort — don't block the flow
+    }
+  }
+
+  // ─── HTML email template ────────────────────────────────────
+
+  private esc(text: string): string {
+    return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+  }
+
+  private buildTemplate(opts: {
+    preheader: string;
+    heading: string;
+    body: string;
+    ctaText: string;
+    ctaUrl: string;
+    footer: string;
+  }): string {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${this.esc(opts.heading)}</title>
+  <!--[if mso]><noscript><xml><o:OfficeDocumentSettings><o:PixelsPerInch>96</o:PixelsPerInch></o:OfficeDocumentSettings></xml></noscript><![endif]-->
+</head>
+<body style="margin:0;padding:0;background-color:#f4f5f7;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;">
+  <!-- Preheader (hidden preview text) -->
+  <div style="display:none;max-height:0;overflow:hidden;">${this.esc(opts.preheader)}</div>
+
+  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background-color:#f4f5f7;padding:24px 0;">
+    <tr>
+      <td align="center">
+        <table role="presentation" width="600" cellpadding="0" cellspacing="0" style="max-width:600px;width:100%;">
+
+          <!-- Logo bar -->
+          <tr>
+            <td align="center" style="padding:24px 0 16px;">
+              <span style="font-size:22px;font-weight:700;color:#1a73e8;letter-spacing:-0.5px;">
+                HOA LedgerIQ
+              </span>
+            </td>
+          </tr>
+
+          <!-- Main card -->
+          <tr>
+            <td>
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0"
+                style="background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);">
+                <tr>
+                  <td style="padding:40px 32px;">
+                    <h1 style="margin:0 0 16px;font-size:24px;font-weight:700;color:#1a1a2e;">
+                      ${this.esc(opts.heading)}
+                    </h1>
+                    <div style="font-size:15px;line-height:1.6;color:#4a4a68;">
+                      ${opts.body}
+                    </div>
+
+                    <!-- CTA Button -->
+                    <table role="presentation" cellpadding="0" cellspacing="0" style="margin:28px 0 8px;">
+                      <tr>
+                        <td align="center" style="background-color:#1a73e8;border-radius:6px;">
+                          <a href="${opts.ctaUrl}"
+                            target="_blank"
+                            style="display:inline-block;padding:14px 32px;color:#ffffff;font-size:15px;font-weight:600;text-decoration:none;border-radius:6px;">
+                            ${this.esc(opts.ctaText)}
+                          </a>
+                        </td>
+                      </tr>
+                    </table>
+
+                    <!-- Fallback URL -->
+                    <p style="font-size:12px;color:#999;word-break:break-all;margin-top:16px;">
+                      If the button doesn't work, copy and paste this link into your browser:<br>
+                      <a href="${opts.ctaUrl}" style="color:#1a73e8;">${opts.ctaUrl}</a>
+                    </p>
+                  </td>
+                </tr>
+              </table>
+            </td>
+          </tr>
+
+          <!-- Footer -->
+          <tr>
+            <td style="padding:24px 32px;text-align:center;">
+              <p style="font-size:12px;color:#999;line-height:1.5;margin:0;">
+                ${this.esc(opts.footer)}
+              </p>
+              <p style="font-size:12px;color:#bbb;margin:12px 0 0;">
+                &copy; ${new Date().getFullYear()} HOA LedgerIQ &mdash; Smart Financial Management for HOAs
+              </p>
+            </td>
+          </tr>
+
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>`;
+  }
 }
--- a/db/migrations/016-password-reset-tokens.sql
+++ b/db/migrations/016-password-reset-tokens.sql
@@ -0,0 +1,25 @@
+-- Migration 016: Password Reset Tokens
+-- Adds table for password reset token storage (hashed, single-use, short-lived).
+
+CREATE TABLE IF NOT EXISTS shared.password_reset_tokens (
+    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+    user_id UUID NOT NULL REFERENCES shared.users(id) ON DELETE CASCADE,
+    token_hash VARCHAR(255) UNIQUE NOT NULL,
+    expires_at TIMESTAMPTZ NOT NULL,
+    used_at TIMESTAMPTZ,
+    created_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_password_reset_tokens_hash ON shared.password_reset_tokens(token_hash);
+CREATE INDEX IF NOT EXISTS idx_password_reset_tokens_user ON shared.password_reset_tokens(user_id);
+
+-- Also ensure email_log table exists (may not exist if migration 015 hasn't been applied)
+CREATE TABLE IF NOT EXISTS shared.email_log (
+    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+    to_email VARCHAR(255) NOT NULL,
+    subject VARCHAR(500) NOT NULL,
+    body TEXT,
+    template VARCHAR(100),
+    metadata JSONB,
+    sent_at TIMESTAMPTZ DEFAULT NOW()
+);
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -40,6 +40,25 @@ services:
      - NEW_RELIC_ENABLED=${NEW_RELIC_ENABLED:-false}
      - NEW_RELIC_LICENSE_KEY=${NEW_RELIC_LICENSE_KEY:-}
      - NEW_RELIC_APP_NAME=${NEW_RELIC_APP_NAME:-HOALedgerIQ_App}
+      - STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:-}
+      - STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET:-}
+      - STRIPE_STARTER_PRICE_ID=${STRIPE_STARTER_PRICE_ID:-}
+      - STRIPE_PROFESSIONAL_PRICE_ID=${STRIPE_PROFESSIONAL_PRICE_ID:-}
+      - STRIPE_ENTERPRISE_PRICE_ID=${STRIPE_ENTERPRISE_PRICE_ID:-}
+      - GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:-}
+      - GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET:-}
+      - GOOGLE_CALLBACK_URL=${GOOGLE_CALLBACK_URL:-https://app.hoaledgeriq.com/api/auth/google/callback}
+      - AZURE_CLIENT_ID=${AZURE_CLIENT_ID:-}
+      - AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET:-}
+      - AZURE_TENANT_ID=${AZURE_TENANT_ID:-}
+      - AZURE_CALLBACK_URL=${AZURE_CALLBACK_URL:-https://app.hoaledgeriq.com/api/auth/azure/callback}
+      - WEBAUTHN_RP_ID=${WEBAUTHN_RP_ID:-app.hoaledgeriq.com}
+      - WEBAUTHN_RP_ORIGIN=${WEBAUTHN_RP_ORIGIN:-https://app.hoaledgeriq.com}
+      - INVITE_TOKEN_SECRET=${INVITE_TOKEN_SECRET:-}
+      - APP_URL=${APP_URL:-https://app.hoaledgeriq.com}
+      - RESEND_API_KEY=${RESEND_API_KEY:-}
+      - RESEND_FROM_ADDRESS=${RESEND_FROM_ADDRESS:-noreply@hoaledgeriq.com}
+      - RESEND_REPLY_TO=${RESEND_REPLY_TO:-sales@hoaledgeriq.com}
    deploy:
      resources:
        limits:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,6 +44,10 @@ services:
      - WEBAUTHN_RP_ID=${WEBAUTHN_RP_ID:-localhost}
      - WEBAUTHN_RP_ORIGIN=${WEBAUTHN_RP_ORIGIN:-http://localhost}
      - INVITE_TOKEN_SECRET=${INVITE_TOKEN_SECRET:-dev-invite-secret}
+      - APP_URL=${APP_URL:-http://localhost}
+      - RESEND_API_KEY=${RESEND_API_KEY:-}
+      - RESEND_FROM_ADDRESS=${RESEND_FROM_ADDRESS:-noreply@hoaledgeriq.com}
+      - RESEND_REPLY_TO=${RESEND_REPLY_TO:-}
    volumes:
      - ./backend/src:/app/src
      - ./backend/nest-cli.json:/app/nest-cli.json
--- a/frontend/src/pages/board-planning/components/ProjectionChart.tsx
+++ b/frontend/src/pages/board-planning/components/ProjectionChart.tsx
@@ -89,20 +89,20 @@ export function ProjectionChart({ datapoints, title = 'Financial Projection', su
        <AreaChart data={chartData}>
          <defs>
            <linearGradient id="opCash" x1="0" y1="0" x2="0" y2="1">
-              <stop offset="5%" stopColor="#228be6" stopOpacity={0.3} />
-              <stop offset="95%" stopColor="#228be6" stopOpacity={0} />
+              <stop offset="5%" stopColor="#228be6" stopOpacity={0.6} />
+              <stop offset="95%" stopColor="#228be6" stopOpacity={0.15} />
            </linearGradient>
            <linearGradient id="opInv" x1="0" y1="0" x2="0" y2="1">
-              <stop offset="5%" stopColor="#74c0fc" stopOpacity={0.3} />
-              <stop offset="95%" stopColor="#74c0fc" stopOpacity={0} />
+              <stop offset="5%" stopColor="#74c0fc" stopOpacity={0.6} />
+              <stop offset="95%" stopColor="#74c0fc" stopOpacity={0.15} />
            </linearGradient>
            <linearGradient id="resCash" x1="0" y1="0" x2="0" y2="1">
-              <stop offset="5%" stopColor="#7950f2" stopOpacity={0.3} />
-              <stop offset="95%" stopColor="#7950f2" stopOpacity={0} />
+              <stop offset="5%" stopColor="#7950f2" stopOpacity={0.6} />
+              <stop offset="95%" stopColor="#7950f2" stopOpacity={0.15} />
            </linearGradient>
            <linearGradient id="resInv" x1="0" y1="0" x2="0" y2="1">
-              <stop offset="5%" stopColor="#b197fc" stopOpacity={0.3} />
-              <stop offset="95%" stopColor="#b197fc" stopOpacity={0} />
+              <stop offset="5%" stopColor="#b197fc" stopOpacity={0.6} />
+              <stop offset="95%" stopColor="#b197fc" stopOpacity={0.15} />
            </linearGradient>
          </defs>
          <CartesianGrid strokeDasharray="3 3" opacity={0.3} />
--- a/frontend/src/pages/cash-flow/CashFlowForecastPage.tsx
+++ b/frontend/src/pages/cash-flow/CashFlowForecastPage.tsx
@@ -1,10 +1,9 @@
 import { useState, useMemo } from 'react';
 import {
-  Title, Text, Stack, Card, Group, SimpleGrid, ThemeIcon,
+  Title, Text, Stack, Card, Group,
  SegmentedControl, Loader, Center, ActionIcon, Tooltip, Badge,
 } from '@mantine/core';
 import {
-  IconCash, IconBuildingBank, IconChartAreaLine,
  IconArrowLeft, IconArrowRight, IconCalendar,
 } from '@tabler/icons-react';
 import { useQuery } from '@tanstack/react-query';
@@ -108,30 +107,6 @@ export function CashFlowForecastPage() {
    return datapoints.slice(viewStartIndex, viewStartIndex + 12);
  }, [datapoints, viewStartIndex]);

-  // Compute summary stats for the current view
-  const summaryStats = useMemo(() => {
-    if (!viewData.length) return null;
-    const last = viewData[viewData.length - 1];
-    const first = viewData[0];
-
-    const totalOperating = last.operating_cash + last.operating_investments;
-    const totalReserve = last.reserve_cash + last.reserve_investments;
-    const totalAll = totalOperating + totalReserve;
-
-    const firstTotal = first.operating_cash + first.operating_investments +
-      first.reserve_cash + first.reserve_investments;
-    const netChange = totalAll - firstTotal;
-
-    return {
-      totalOperating,
-      totalReserve,
-      totalAll,
-      netChange,
-      periodStart: first.month,
-      periodEnd: last.month,
-    };
-  }, [viewData]);
-
  // Determine the first forecast month index within the view
  const forecastStartLabel = useMemo(() => {
    const idx = viewData.findIndex((d) => d.is_forecast);
@@ -181,65 +156,6 @@ export function CashFlowForecastPage() {
        />
      </Group>

-      {/* Summary Cards */}
-      {summaryStats && (
-        <SimpleGrid cols={{ base: 1, sm: 2, lg: 4 }}>
-          <Card withBorder p="md">
-            <Group gap="xs" mb={4}>
-              <ThemeIcon variant="light" color="blue" size="sm">
-                <IconCash size={14} />
-              </ThemeIcon>
-              <Text size="xs" c="dimmed" tt="uppercase" fw={700}>Operating Total</Text>
-            </Group>
-            <Text fw={700} size="xl" ff="monospace">
-              {fmt(summaryStats.totalOperating)}
-            </Text>
-          </Card>
-          <Card withBorder p="md">
-            <Group gap="xs" mb={4}>
-              <ThemeIcon variant="light" color="violet" size="sm">
-                <IconBuildingBank size={14} />
-              </ThemeIcon>
-              <Text size="xs" c="dimmed" tt="uppercase" fw={700}>Reserve Total</Text>
-            </Group>
-            <Text fw={700} size="xl" ff="monospace">
-              {fmt(summaryStats.totalReserve)}
-            </Text>
-          </Card>
-          <Card withBorder p="md">
-            <Group gap="xs" mb={4}>
-              <ThemeIcon variant="light" color="teal" size="sm">
-                <IconChartAreaLine size={14} />
-              </ThemeIcon>
-              <Text size="xs" c="dimmed" tt="uppercase" fw={700}>Combined Total</Text>
-            </Group>
-            <Text fw={700} size="xl" ff="monospace">
-              {fmt(summaryStats.totalAll)}
-            </Text>
-          </Card>
-          <Card withBorder p="md">
-            <Group gap="xs" mb={4}>
-              <ThemeIcon
-                variant="light"
-                color={summaryStats.netChange >= 0 ? 'green' : 'red'}
-                size="sm"
-              >
-                <IconCash size={14} />
-              </ThemeIcon>
-              <Text size="xs" c="dimmed" tt="uppercase" fw={700}>Period Change</Text>
-            </Group>
-            <Text
-              fw={700}
-              size="xl"
-              ff="monospace"
-              c={summaryStats.netChange >= 0 ? 'green' : 'red'}
-            >
-              {fmt(summaryStats.netChange)}
-            </Text>
-          </Card>
-        </SimpleGrid>
-      )}
-
      {/* Chart Navigation */}
      <Card withBorder p="lg">
        <Group justify="space-between" mb="md">
@@ -287,20 +203,20 @@ export function CashFlowForecastPage() {
          <AreaChart data={chartData} margin={{ top: 10, right: 30, left: 10, bottom: 0 }}>
            <defs>
              <linearGradient id="opCash" x1="0" y1="0" x2="0" y2="1">
-                <stop offset="5%" stopColor="#339af0" stopOpacity={0.4} />
-                <stop offset="95%" stopColor="#339af0" stopOpacity={0.05} />
+                <stop offset="5%" stopColor="#339af0" stopOpacity={0.6} />
+                <stop offset="95%" stopColor="#339af0" stopOpacity={0.15} />
              </linearGradient>
              <linearGradient id="opInv" x1="0" y1="0" x2="0" y2="1">
-                <stop offset="5%" stopColor="#74c0fc" stopOpacity={0.4} />
-                <stop offset="95%" stopColor="#74c0fc" stopOpacity={0.05} />
+                <stop offset="5%" stopColor="#74c0fc" stopOpacity={0.6} />
+                <stop offset="95%" stopColor="#74c0fc" stopOpacity={0.15} />
              </linearGradient>
              <linearGradient id="resCash" x1="0" y1="0" x2="0" y2="1">
-                <stop offset="5%" stopColor="#7950f2" stopOpacity={0.4} />
-                <stop offset="95%" stopColor="#7950f2" stopOpacity={0.05} />
+                <stop offset="5%" stopColor="#7950f2" stopOpacity={0.6} />
+                <stop offset="95%" stopColor="#7950f2" stopOpacity={0.15} />
              </linearGradient>
              <linearGradient id="resInv" x1="0" y1="0" x2="0" y2="1">
-                <stop offset="5%" stopColor="#b197fc" stopOpacity={0.4} />
-                <stop offset="95%" stopColor="#b197fc" stopOpacity={0.05} />
+                <stop offset="5%" stopColor="#b197fc" stopOpacity={0.6} />
+                <stop offset="95%" stopColor="#b197fc" stopOpacity={0.15} />
              </linearGradient>
            </defs>
            <CartesianGrid strokeDasharray="3 3" stroke="#e9ecef" />
--- a/frontend/src/pages/pricing/PricingPage.tsx
+++ b/frontend/src/pages/pricing/PricingPage.tsx
@@ -47,11 +47,12 @@ const plans = [
  {
    id: 'enterprise',
    name: 'Enterprise',
-    price: '$199',
-    period: '/month',
+    price: 'Custom',
+    period: '',
    description: 'For large communities and management firms',
    icon: IconCrown,
    color: 'orange',
+    externalUrl: 'https://www.hoaledgeriq.com/#preview-signup',
    features: [
      { text: 'Unlimited units', included: true },
      { text: 'Everything in Professional', included: true },
@@ -162,10 +163,10 @@ export function PricingPage() {
              </Group>

              <Group align="baseline" gap={4}>
-                <Text fw={800} size="xl" ff="monospace" style={{ fontSize: 36 }}>
-                  {plan.price}
+                <Text fw={800} size="xl" ff="monospace" style={{ fontSize: plan.externalUrl ? 28 : 36 }}>
+                  {plan.externalUrl ? 'Request Quote' : plan.price}
                </Text>
-                <Text size="sm" c="dimmed">{plan.period}</Text>
+                {plan.period && <Text size="sm" c="dimmed">{plan.period}</Text>}
              </Group>

              <List spacing="xs" size="sm" center>
@@ -193,10 +194,14 @@ export function PricingPage() {
                size="md"
                color={plan.color}
                variant={plan.popular ? 'filled' : 'light'}
-                loading={loading === plan.id}
-                onClick={() => handleSelectPlan(plan.id)}
+                loading={!plan.externalUrl ? loading === plan.id : false}
+                onClick={() =>
+                  plan.externalUrl
+                    ? window.open(plan.externalUrl, '_blank', 'noopener')
+                    : handleSelectPlan(plan.id)
+                }
              >
-                Get Started
+                {plan.externalUrl ? 'Request Quote' : 'Get Started'}
              </Button>
            </Stack>
          </Card>
--- a/nginx/host-production.conf
+++ b/nginx/host-production.conf
@@ -12,6 +12,9 @@
 #
 # Replace "app.yourdomain.com" with your actual hostname throughout this file.

+# Hide nginx version from Server header
+server_tokens off;
+
 # --- Rate limiting ---
 # 10 requests/sec per IP for API routes (shared memory zone: 10 MB ≈ 160k IPs)
 limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
@@ -49,6 +52,12 @@ server {
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

+    # Security headers — applied to all routes
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "no-referrer" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
    # --- Proxy defaults ---
    proxy_http_version 1.1;
    proxy_set_header Host $host;
--- a/nginx/production.conf
+++ b/nginx/production.conf
@@ -8,6 +8,9 @@ upstream frontend {
    keepalive 16;
 }

+# Hide nginx version from Server header
+server_tokens off;
+
 # Shared proxy settings
 proxy_http_version 1.1;
 proxy_set_header Connection "";          # enable keepalive to upstreams
@@ -30,6 +33,12 @@ server {
    listen 80;
    server_name _;

+    # Security headers — applied to all routes at the nginx layer
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "no-referrer" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
    # --- API routes → backend ---
    location /api/ {
        limit_req zone=api_limit burst=30 nodelay;
Author	SHA1	Message	Date
olsch01	5845334454	fix: remove cash flow summary cards and restore area chart shading Remove the 4 summary cards from the Cash Flow page as they don't properly represent the story over time. Increase gradient opacity on stacked area charts (cash flow and investment scenarios) from 0.3-0.4/0-0.05 to 0.6/0.15 for better visual shading. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 20:41:13 -04:00
olsch01	170461c359	Merge branch 'claude/reverent-moore' - Resend email integration Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 18:33:17 -04:00
olsch01	aacec1cce3	feat: integrate Resend for transactional email delivery Replace the stubbed email service with Resend API integration. Emails are sent with branded HTML templates including activation, welcome, payment failed, member invite, and password reset flows. - Install resend@6.9.4 in backend - Rewrite EmailService with Resend SDK + graceful fallback to stub mode when API key is not configured - Add branded HTML email template with CTA buttons, preheader text, and fallback URL for all email types - Add reply-to support (sales@hoaledgeriq.com in production) - Track send status (sent/failed) in shared.email_log metadata - Add RESEND_API_KEY, RESEND_FROM_ADDRESS, RESEND_REPLY_TO env vars to both docker-compose.yml and docker-compose.prod.yml - Add sendPasswordResetEmail() method for future use Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 18:29:20 -04:00
olsch01	6b12fcd7d7	Merge branch 'claude/reverent-moore'	2026-03-17 18:04:14 -04:00
olsch01	8e58d04568	fix: add APP_URL and missing env vars to Docker Compose configs APP_URL was never passed to the backend container, causing Stripe checkout success_url to redirect to http://localhost instead of the production domain. The prod overlay also completely replaced the base environment block, dropping all Stripe, SSO, WebAuthn, and invite token variables. - Add APP_URL to base docker-compose.yml (default: http://localhost) - Add all missing vars to docker-compose.prod.yml with production defaults (app.hoaledgeriq.com) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 17:51:34 -04:00
JoeBot	c2e52bee64	Merge pull request 'feat: enterprise pricing shows "Request Quote" linking to interest form' (#8 ) from claude/reverent-moore into main Reviewed-on: #8	2026-03-17 07:53:16 -04:00
olsch01	9cd641923d	feat: enterprise pricing shows "Request Quote" linking to interest form Enterprise plan no longer displays a fixed price. Instead it shows "Request Quote" and the CTA opens the interest form on hoaledgeriq.com in a new tab to capture leads for custom quotes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 07:47:19 -04:00
JoeBot	8abab40778	Merge pull request 'Security hardening: v2 assessment remediation' (#7 ) from claude/tender-murdock into main	2026-03-17 07:46:56 -04:00
olsch01	19fb2c037c	feat(security): address findings from v2 security assessment - L2: Add server_tokens off to nginx configs to hide version - M1: Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy headers to all nginx routes - L3: Add global NoCacheInterceptor (Cache-Control: no-store) on all API responses to prevent caching of sensitive financial data - C1: Disable open registration by default (ALLOW_OPEN_REGISTRATION env) - H3: Add logout endpoint with correct HTTP 200 status code - M2: Implement full password reset flow (forgot-password, reset-password, change-password) with hashed tokens, 15-min expiry, single-use - Reduce JWT access token expiry from 24h to 1h - Add EmailService stub (logs to shared.email_log) - Add DB migration 016 for password_reset_tokens table Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 07:46:11 -04:00