Explains why NAT already blocks external access by default, what never
to do (port forwarding, reverse proxy, cloud VPS), how to verify from
outside the network, optional binding to local IP only, and Linux ufw
firewall rules. Renumbers old security notes to Part 8.
https://claude.ai/code/session_01JuRTR5Xjx8emQsyerBgGU7
Existing .venv without packages caused ModuleNotFoundError. pip install
is a no-op when everything is already up to date, so always running it
is safe and ensures deps are present.
https://claude.ai/code/session_01JuRTR5Xjx8emQsyerBgGU7
Creates .venv on first run, installs dependencies, then starts the server.
Subsequent runs skip straight to starting. Avoids externally-managed-environment
errors on Debian/Ubuntu 12+.
https://claude.ai/code/session_01JuRTR5Xjx8emQsyerBgGU7
Auth system
- staff_accounts table: name, username, bcrypt password, role (staff|admin)
- Session tokens in memory (8-hour TTL), httpOnly cookie
- POST /auth/login, /auth/logout, GET /auth/me
- All API endpoints now require a valid session
- Default admin account seeded on first run (admin/admin), printed to console
- Staff name for transactions comes from the session, no more dropdown
Currency input fix
- Amount inputs are now decimal (step=0.01); users enter 1.00 not 100
- Frontend multiplies by cfg.currency_divisor before POSTing
- TopupRequest/ChargeRequest no longer include staff_name (from session)
Admin area (4th tab, admin role only)
- App Settings: club name, currency symbol, major/minor unit names,
divisor, min/max topup, max charge, receipt footer, allow overdraft
- Settings persisted in app_settings DB table; merged with CONFIG defaults
at startup and refreshed after each save
- Staff Accounts: list with edit modal (name, username, password, role,
active flag) and delete; Add Account inline form
- /admin/settings GET/POST, /admin/staff-accounts CRUD
- /config endpoint exposes live settings to frontend on every page load
receipt_footer field rendered on both receipt and statement print views
https://claude.ai/code/session_01JuRTR5Xjx8emQsyerBgGU7
Removed product search field, results list, barProductLookup(),
and selectProduct() from the bar view in index.html, bar.html,
app.js, and bar.js. Backend /products endpoints are unchanged.
https://claude.ai/code/session_01JuRTR5Xjx8emQsyerBgGU7
- / now serves index.html (three-view SPA: Members, Cashier, Bar)
- /cashier and /bar remain as standalone pages (unchanged)
- Members view: Edit button on every row opens a modal to update
name, member number, and optionally PIN. Delete button only appears
when balance is exactly 0; confirmation dialog before deletion removes
the member and their ledger entries.
- PUT /members/{id}: updates any combination of name/member_number/pin;
guards against duplicate member numbers.
- DELETE /members/{id}: rejects with 400 if balance != 0, otherwise
deletes ledger entries then member row.
- Modal styles added to style.css; app.js rebuilt as combined SPA script
(loads common.js for shared helpers).
https://claude.ai/code/session_01JuRTR5Xjx8emQsyerBgGU7
Fix 1: Replace free-text staff name with a dropdown populated from staff.json
via GET/POST/DELETE /staff endpoints. Staff management panel on cashier page
(type name, Add button, chip list with × remove). Dropdown remembers last
selection per session via sessionStorage.
Fix 2: Split single-page app into /cashier (register + top-up + member list +
staff management) and /bar (charge only). Each page is its own HTML file
with two plain <a> nav links; / redirects to /cashier. Shared helpers
extracted to common.js; page logic in cashier.js and bar.js.
Fix 3: Statement view gains an A4/A5 radio toggle that rewrites a dynamic
<style> @page rule before the browser print dialog opens. Defaults to A4.
Fix 4: POST /topup and POST /charge now return entry_id. Each successful
transaction opens /receipt/{entry_id} in a new tab — server-rendered HTML
showing member name/number, type, amount, balance-after (computed as running
sum up to that entry), staff, note, timestamp. Same A4/A5 print toggle.
https://claude.ai/code/session_01JuRTR5Xjx8emQsyerBgGU7
