fix: set sameSite=none on sb_token cookie to allow cross-origin requests (#30)

test: rewrite service tests with beforeAll/afterAll isolation using supabase admin client (#29)

fix: wire addUser into signUp and googleAuth to persist Users rows on registration (#28)

fix: persist TheirStack jobs to Wishlist table after fetch (#27)

fix: remove dummyApiService and company routes backed by static data (#26)

fix: wire CORS_ORIGIN env var into app instead of hardcoding allowed origins (#25)

test: add integration tests for auth, jobs, and company endpoints (#24)

fix: use Anthropic tool_use for structured wishlist output (#23)

fix: guard THEIRSTACK_TOKEN and ANTHROPIC_API_KEY at startup (#22)

fix: revoke JWT server-side on logout via direct Supabase REST call (#21)

fix: add .js extensions to supabase imports for ESM compatibility (#20)

fix: remove hardcoded phone number PII from auth responses (#19)

fix: add allowlist validation for wishlist filter query params to prevent prompt injection (#18)

chore: add requireAuth middleware, Claude settings, and remove permissions.md

fix: replace in-memory wishlist with per-user DB-backed storage (#17)