- Add auth HTTP handlers (login, me, logout) with proper JSON responses
- Enforce HS256 via jwt.WithValidMethods to prevent algorithm confusion attacks
- Add context helpers for extracting operator ID and role from JWT claims
- Add comprehensive auth test suite (11 unit tests + 6 integration tests)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Clock API routes: start, pause, resume, advance, rewind, jump, get, warnings
- Role-based access control (floor+ for mutations, any auth for reads)
- Clock state persistence callback to DB on meaningful changes
- Blind structure levels loaded from DB on clock start
- Clock registry wired into HTTP server and cmd/leaf main
- 25 tests covering: state machine, countdown, pause/resume, auto-advance,
jump, rewind, hand-for-hand, warnings, overtime, crash recovery, snapshot
- Fix missing crypto/rand import in auth/pin.go (Rule 3 auto-fix)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- ChipSetService with full CRUD, duplication, builtin protection
- BlindStructure service with level validation and CRUD
- PayoutStructure service with bracket/tier nesting and 100% sum validation
- BuyinConfig service with rake split validation and all rebuy/addon fields
- TournamentTemplate service with FK validation and expanded view
- WizardService generates blind structures from high-level inputs
- API routes: /chip-sets, /blind-structures, /payout-structures, /buyin-configs, /tournament-templates
- All mutations require admin role, reads require floor+
- Wired template routes into server protected group
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
