Old prod DBs had verification_codes.phone (or email) as NOT NULL with no
default, so inserting a code via identifier-only failed silently — users
received an emailed code that was never stored, and verify always said
"Invalid or expired code." Drop the legacy columns in a migration and
stop swallowing the CreateVerificationCode error.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Log phone, IP, and user agent to sms_consents table before sending
verification SMS. Add disclosure text to login form.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When auth is enabled, admin pages require the logged-in user to be
the event owner — unauthorized visitors get redirected to the guest
view, and admin actions return 403. Also adds a copy-to-clipboard
button in the admin bar and a Makefile for common commands.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Auto-detect whether the user entered an email or phone number.
Email sends via Resend, phone sends via Twilio SMS. Users table
has nullable phone and email columns; verification_codes uses a
generic identifier field.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace email-based auth (Resend) with phone-based auth (Twilio SMS).
Add BBQ_FEATURES env var for toggling features at deploy time — when
auth is disabled, no login routes are registered and the app works
as before.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>