Security audit + hardening shipped
Security: Stripe webhook hardening with an idempotent event log, so duplicate Stripe deliveries can never double-charge or grant the wrong access. Twilio signature verification on every webhook, so spoofed SMS callbacks are dropped. Security headers across the site (HSTS, CSP, COOP, X-Frame-Options). New welcome flow sends a one-time setup link instead of a plaintext password.
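
One way an idempotent webhook event log can work, as an added example (not this project's code). It assumes SQLite, hypothetical table and function names, and that the Stripe signature was already verified before `handle_event` is called; the sample event is constructed.

```python
import sqlite3

# Constructed sample event in the shape Stripe delivers (ids are made up).
SAMPLE_EVENT = {
    "id": "evt_example_001",
    "type": "checkout.session.completed",
    "data": {"object": {"customer": "cus_example_42"}},
}

def open_event_log(path=":memory:"):
    """Create the event log and a stand-in table for the side effect."""
    db = sqlite3.connect(path)
    # PRIMARY KEY on the provider's event id is what enforces exactly-once.
    db.execute("CREATE TABLE IF NOT EXISTS webhook_events ("
               "event_id TEXT PRIMARY KEY, event_type TEXT NOT NULL, "
               "received_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)")
    db.execute("CREATE TABLE IF NOT EXISTS access_grants ("
               "customer TEXT NOT NULL, source_event TEXT NOT NULL)")
    db.commit()
    return db

def handle_event(db, event):
    """Apply a verified event once; return 'processed' or 'duplicate'."""
    try:
        # One transaction: the log row and the side effect commit together,
        # or both roll back so a later retry can still be processed.
        with db:
            db.execute(
                "INSERT INTO webhook_events (event_id, event_type) VALUES (?, ?)",
                (event["id"], event["type"]))
            if event["type"] == "checkout.session.completed":
                customer = event["data"]["object"]["customer"]
                db.execute("INSERT INTO access_grants VALUES (?, ?)",
                           (customer, event["id"]))
    except sqlite3.IntegrityError:
        # Event id already logged: acknowledge the delivery, do nothing else.
        return "duplicate"
    return "processed"

def count_rows(db, table):
    """Row count for one of the two known tables (fixed allow-list, no user input)."""
    assert table in ("webhook_events", "access_grants")
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
```

A duplicate delivery should still get a 2xx response so the sender stops retrying, while a handler error should surface as a failure so the retry is processed later.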