audit: full codebase audit and fixes Build: - Fix Stripe API version mismatch (2024-12-18.acacia → 2026-01-28.clover) - Install missing deps: @stripe/react-stripe-js, react-hot-toast, stripe - Fix server component onClick errors (not-found.tsx, offline/page.tsx) Routing: - Fix /(authenticated)/dashboard → /dashboard in middleware, callback, login, verify-email - Fix /profile → /worker/profile/build in bottom-nav and not-found Security: - CRITICAL: Remove HttpOnly from CSRF cookie (was blocking client-side double-submit) - Add auth check to generate-profile API (prevents unauthenticated AI credit consumption) - Add CSRF protection to messages/start route - Add rate limiting to messages/start and messages/[id]/send routes - Add input sanitization to message content (5000 char limit) - Replace custom timingSafeEqual with Node.js crypto built-in - Remove dangerous skipValidation option from withCSRFProtection UI/UX: - Strip duplicate header/nav from authenticated layout (pages own their chrome) - Remove duplicate meta tags from root layout (already in metadata export) - Fix hardcoded colors in verify-email page → theme tokens - Fix unescaped apostrophes in verify-email page Dead code & cleanup: - Delete unused components: ErrorDisplay.tsx, LoadingState.tsx, loading-error.tsx - Remove debug console.log from worker signup flow - Convert webhook console.log to console.warn for production - Guard rate-limit cleanup log behind NODE_ENV=development - Remove debug console.log from ABN lookup Co-Authored-By: Claude Opus 4.6