Lock down backend auth and partykit handoff

commit

2026-03-11 · schuss

Spent the day closing the doors I had left open. The Clerk webhook now requires a secret instead of silently skipping verification when one isn't set, the users and locations controllers stopped exposing other people's data through :id routes, and party access actually checks that you're the creator or a member. Added a PartyKitAuthGuard with a shared secret for the service-to-service calls so PartyKit can fetch party details and trigger the midnight auto-end without a user JWT, and rewrote the PartyKit server in TypeScript while I was in there. Also took a pass at the pgRouting query builder to whitelist or UUID-check every interpolated value, since "build SQL with template strings" had been bothering me. Run colors got muted into something more cartographic, and the iOS app boots into the globe view now instead of dropping straight onto a resort.

3 commits across 1 repo (schuss: 3). 21 files changed; 1 skipped. Diff was truncated for summarization.
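One way to whitelist or UUID-check every interpolated value in a pgRouting query builder, as described above. This is an added example, not code from the schuss repo; the table name `run_edges`, the column names, the cost modes and the function names are hypothetical. pgRouting takes its edge query as a text argument, so anything that ends up inside that string has to be validated before interpolation, while the outer call stays parameterized.

```typescript
// Added example: every table, column and function name here is hypothetical.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Identifiers cannot be bound as parameters, so they are looked up in a fixed
// allowlist. A Map is used so keys like "constructor" or "__proto__" do not
// resolve to inherited Object properties.
const COST_COLUMNS = new Map<string, string>([
  ["distance", "length_m"],
  ["time", "travel_seconds"],
]);

interface RouteQuery {
  text: string;
  values: Array<string | number>;
}

function assertUuid(value: string, label: string): string {
  if (typeof value !== "string" || !UUID_RE.test(value)) {
    // The rejected input is deliberately not echoed into the message.
    throw new Error(`${label} is not a UUID`);
  }
  return value.toLowerCase();
}

function buildRouteQuery(
  resortId: string,
  costMode: string,
  startVid: number,
  endVid: number,
): RouteQuery {
  const costColumn = COST_COLUMNS.get(costMode);
  if (costColumn === undefined) throw new Error("unsupported cost mode");
  const resort = assertUuid(resortId, "resortId");
  for (const vid of [startVid, endVid]) {
    if (!Number.isSafeInteger(vid)) throw new Error("vertex id must be an integer");
  }
  // Inner SQL that pgRouting executes itself: only the allowlisted column
  // name and the validated UUID are interpolated.
  const edgesSql =
    `SELECT id, source, target, ${costColumn} AS cost ` +
    `FROM run_edges WHERE resort_id = '${resort}'`;
  // Outer call: the inner SQL and vertex ids travel as bound parameters.
  return {
    text: "SELECT * FROM pgr_dijkstra($1, $2::bigint, $3::bigint, true)",
    values: [edgesSql, startVid, endVid],
  };
}
```
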
